[Snort-users] Fwd: Error with attempt to monitor RF Monitor port mon0 /wifi

David Saint Ruby davidsaintruby at ...11827...
Fri Sep 27 19:08:52 EDT 2013


Hello all… have a use case to monitor a wifi channel (open AP).

 Am opening up a virtual RF Monitor interface with airmon-ng.

 version 2.9.5.5.

 Compiled from source with   --enable-non-ether-decoders

Message:

pcap DAQ configured to passive.

The DAQ version does not support reload.

Acquiring network traffic from "mon0".

Reload thread starting...

Reload thread started, thread 0xa777db70 (15787)

ERROR: Cannot decode data link type 127

Fatal Error, Quitting..



Has anyone seen or tried this before?  Is monitoring an interface showing
the full 802.11 frames even possible with snort?

Looking way back at older versions of snort, there used to be a -w option
to look at some 802.11 that is deprecated.



       -w     Show management frames if running on an 802.11  (wireless)
net-
              work.





 Wireshark is fine with it.  I do not care about rules around the radio
management fields or frames.   I suspect that the RF Monitor mode may have
some additional "RF tap" headers that is tripping up the decode?









Thanks


David Saint Ruby
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130927/47d0532d/attachment.html>


More information about the Snort-users mailing list