[Snort-devel] Error with attempt to monitor RF Monitor port mon0 /wifi

Edward Borgoyn eborgoyn at ...402...
Mon Sep 30 17:29:25 EDT 2013


Hello David,
  Thank you for reporting this limitation of Snort.  The current Snort
implementation does NOT provide a packet decoder for the
DLT_IEEE802_11_RADIO (127) class of captured packets.  There is limited
legacy support for the DLT_IEEE802_11 (105) class of packets.

  Can you provide a pcap file that would allow us to recreate the
limitation?  I could file a bug report for possible future implementation.

  I would STRONGLY encourage you to investigate implementing the missing
packet decoder.

    Best Regards,
    Ed



On Thu, Sep 26, 2013 at 1:00 PM, David Saint Ruby
<davidsaintruby at ...2499...> wrote:

> Hello all… have a use case to monitor a wifi channel (open AP).
>
> Am opening up a virtual RF Monitor interface with airmon-ng.
>
> version 2.9.5.5.
>
> Compiled from source with --enable-non-ether-decoders
>
> Message:
>
> pcap DAQ configured to passive.
> The DAQ version does not support reload.
> Acquiring network traffic from "mon0".
> Reload thread starting...
> Reload thread started, thread 0xa777db70 (15787)
> ERROR: Cannot decode data link type 127
> Fatal Error, Quitting..
>
> Has anyone seen this before?  Is monitoring an interface showing the full
> 802.11 frames even possible?
>
> Wireshark is fine with it.  I do not care about rules around the radio
> management fields or packets.
>
> Thanks
>
> David Saint Ruby
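Added example, not part of the original thread and not Snort code: an offline pre-processing sketch that rewrites a saved capture from DLT_IEEE802_11_RADIO (127) to DLT_IEEE802_11 (105) by dropping the radiotap header from each record. The names strip_radiotap and sample_capture are hypothetical, only classic microsecond pcap files are handled, and whether Snort's legacy 105 decoder accepts the result is not something the thread states.

```python
import struct

DLT_IEEE802_11 = 105         # bare 802.11 frames
DLT_IEEE802_11_RADIO = 127   # radiotap header followed by the 802.11 frame

def strip_radiotap(pcap):
    """Rewrite classic pcap bytes from link type 127 to 105.
    Returns (converted_bytes, skipped_record_count)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    hdr = list(struct.unpack(e + "HHiIII", pcap[4:24]))
    if hdr[5] != DLT_IEEE802_11_RADIO:
        raise ValueError("link type is %d, expected 127" % hdr[5])
    hdr[5] = DLT_IEEE802_11
    out = bytearray(magic + struct.pack(e + "HHiIII", *hdr))
    off, skipped = 24, 0
    while off + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack(e + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < incl:
            break                      # record cut short at end of file
        # Radiotap: version(1)=0, pad(1), it_len(2, always little-endian), present(4).
        # The Flags field is not parsed, so a trailing FCS (if captured) stays in place.
        it_len = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 8 else 0
        if len(pkt) < 8 or pkt[0] != 0 or not 8 <= it_len <= len(pkt):
            skipped += 1               # malformed radiotap header: drop the record
            continue
        frame = pkt[it_len:]
        out += struct.pack(e + "IIII", sec, usec, len(frame), max(orig - it_len, len(frame)))
        out += frame
    return bytes(out), skipped

def sample_capture():
    """Constructed input: one valid record and one whose it_len runs past the data."""
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
    dot11 = bytes.fromhex("80000000ffffffffffff") + b"\x02" * 12   # beacon-like stub
    good = bytes.fromhex("0000080000000000") + dot11
    bad = bytes.fromhex("0000ff0000000000")
    recs = b"".join(struct.pack("<IIII", 1, 0, len(p), len(p)) + p for p in (good, bad))
    return gh + recs, dot11
```

Records with a malformed radiotap header are dropped and counted rather than passed through, so the output never contains a frame whose start offset was guessed.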

