Re: AP and sniffer together

From: David L. Sifry (
Date: 2002-04-05 06:30:01 UTC

On Thu, 2002-04-04 at 21:36, Jouni Malinen wrote:
> On Tue, Mar 19, 2002 at 02:36:40PM +0800, LH wrote:
> > I find that there are 2 sniff programs provided by the HostAP package. But
> > is it possible to run AP and sniffer simultaneously in one machine using
> > only one wireless LAN card??
> With current driver version that is not possible, but it may be
> doable, depending on which frames you want to capture.
> > What I want to get is the raw 802.11 frame received by the AP while the AP
> > is still working.
> If it is enough to get most frames with 802.11 headers to user space,
> then it should be possible to set the card in promiscuous mode, but
> _not_ in monitor mode, and then pass the frames to user space. It
> would be possible to, e.g., create a new netdevice and set it to use
> ARPHRD_IEEE80211. Then the driver could send all frames to this
> new device with 802.11 header and additionally handle rest of the
> frames like in Host AP mode (i.e., handle management frames in the
> driver and pass non-bridged data frames to this AP to wlan0 without
> 802.11 headers). Let me know, if there would be use for this and I'll
> add it to my todo list.

If I understand this correctly, it would be interesting because you could listen for beacons from other APs at the same time as you're associated with clients, right?

> On Thu, Apr 04, 2002 at 10:51:28PM -0800, Pedro Estrela wrote:
> > from what I've seen, the sniffing happens because the chipset is put in a
> > very special test state, through a CMDCODE_TEST to the command register.
> > In this mode, the chipset will only receive packets and stop transmitting;
> > this means that pings and the AP function are stopped.
> The driver sets the card to monitor mode, but this does not stop (all)
> TX. However, currently the driver also changes the mode automatically
> to pseudo IBSS to prevent beacon frames from being sent (usually
> sniffing device is wanted to be passive). The driver can still send
> frames and if the port is left in Host AP mode, firmware will continue
> sending beacon frames in monitor mode. However, monitor mode is
> certainly not meant for "normal use". Some of the essential
> operations are disabled. For example, firmware does not acknowledge
> received packets anymore.
> On Thu, Apr 04, 2002 at 04:09:28PM -0600, Jim Thompson wrote:
> > Er, can't you just run one of the 'ports' in AP mode and another in
> > 'monitor' mode?
> Apparently not, at least not with only station firmware. Monitor mode
> setting is "global" for the card. Whenever it is used, all received
> frames seem to come from macport 7 (reserved for monitor mode). I have
> never been able to use more than one macport at a time. Documentation
> on this is a bit unclear (i.e., whether station firmware supports one
> or two ports at a time). I haven't tested this with AP firmware (which
> should support more ports than station firmware; mainly for WDS, which
> is apparently broken anyway).
> --
> Jouni Malinen PGP id EFC895FA

David L. Sifry
GPG Key:
Key Fingerprint: 7E60 4EDE EB5F AA2D 2F25  8CD3 FE17 C4F8 BDE8 D1B0
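
An added example, not part of the original thread or of the HostAP code: a user-space check that picks beacons from other APs out of raw 802.11 frames, the use case raised in the reply above. It assumes each frame starts at the frame control field with no capture header in front and no trailing FCS; the function name foreign_beacon and all sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MGMT_HDR = 24, BEACON_FIXED = 12 }; /* header; timestamp+interval+capability */

/* 1: beacon from a BSSID other than own (bssid/ssid filled in), 0: any other
 * frame, -1: truncated or malformed beacon. ssid needs room for 33 bytes. */
int foreign_beacon(const uint8_t *buf, size_t len, const uint8_t own[6],
                   uint8_t bssid[6], char ssid[33])
{
    /* Byte 0 of frame control: version 0, type 0 (management), subtype 8. */
    if (len < 2 || buf[0] != 0x80)
        return 0;
    if (len < MGMT_HDR + BEACON_FIXED)
        return -1;
    memcpy(bssid, buf + 16, 6);              /* address 3 carries the BSSID */
    if (memcmp(bssid, own, 6) == 0)
        return 0;                            /* our own AP's beacon */
    ssid[0] = '\0';
    for (size_t off = MGMT_HDR + BEACON_FIXED; off + 2 <= len; ) {
        uint8_t id = buf[off], elen = buf[off + 1];
        if (off + 2 + elen > len || (id == 0 && elen > 32))
            return -1;                       /* element overruns frame or SSID too long */
        if (id == 0) {                       /* element 0 is the SSID */
            memcpy(ssid, buf + off + 2, elen);
            ssid[elen] = '\0';
            break;
        }
        off += 2 + (size_t)elen;
    }
    return 1;
}

/* Constructed sample: beacon from BSSID 02:00:00:00:00:02, SSID "lab". */
static const uint8_t sample_beacon[] = {
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* fc, dur, DA */
    0x02, 0, 0, 0, 0, 0x02, 0x02, 0, 0, 0, 0, 0x02, 0x10, 0x00,   /* SA, BSSID, seq */
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x00,               /* fixed fields */
    0x00, 0x03, 'l', 'a', 'b' };                                  /* SSID element */

int main(void)
{
    const uint8_t own[6] = { 0x02, 0, 0, 0, 0, 0x01 };  /* constructed own BSSID */
    uint8_t bssid[6]; char ssid[33];
    if (foreign_beacon(sample_beacon, sizeof sample_beacon, own, bssid, ssid) == 1)
        printf("foreign AP %02x:..:%02x ssid=%s\n", bssid[0], bssid[5], ssid);
    return 0;
}
```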
