<div dir="ltr"><div class="gmail_quote"><span style="font-family:Calibri;font-size:16pt">Hello
all… have a use case to monitor a wifi channel (open AP).  </span><div dir="ltr">

<p><span style="font-family:Calibri;font-size:16pt"> </span><span style="font-family:Calibri;font-size:16pt">Am
opening up a virtual RF Monitor interface with airmon-ng. </span></p>

<p><span style="font-family:Calibri;font-size:16pt"> </span><span style="font-family:Calibri;font-size:16pt">version
2.9.5.5.</span></p>

<p><span style="font-family:Calibri;font-size:16pt"> </span><span style="font-family:Calibri;font-size:16pt">Compiled
from source with </span><span style="color:rgb(52,52,52);font-family:Calibri;font-size:16pt">  --enable-non-ether-decoders</span><span style="color:rgb(52,52,52);font-family:Calibri;font-size:16pt"> </span></p>

<p><span style="color:rgb(52,52,52);font-family:Calibri;font-size:16pt">Message:</span></p>

<p><span style="font-family:'Times New Roman';font-size:16pt">pcap DAQ configured to passive.</span></p>

<p><span style="font-family:'Times New Roman';font-size:16pt">The DAQ version does not support reload.</span></p>

<p><span style="font-family:Calibri;font-size:16pt">Acquiring network traffic from
"mon0".</span></p>

<p><span style="font-family:Calibri;font-size:16pt">Reload thread starting...</span></p>

<p><span style="font-family:Calibri;font-size:16pt">Reload thread started, thread
0xa777db70 (15787)</span></p>

<p><span style="font-family:Calibri;font-size:16pt">ERROR: Cannot decode data link type 127</span></p>

<p><span style="font-family:Calibri;font-size:16pt">Fatal Error, Quitting..</span></p>


<p><span style="font-family:Calibri;font-size:16pt">Has anyone seen or tried this before?  Is monitoring an interface showing the full
802.11 frames even possible with snort?</span></p><p><span style="font-family:Calibri;font-size:16pt">Looking way back at older versions of snort, there used to be a -w option to look at some 802.11 that is deprecated.</span></p>
<p><span style="font-family:Calibri;font-size:16pt">-w     Show management frames if running on an 802.11 (wireless) network.</span></p>

<p><span style="font-family:Calibri;font-size:16pt">Wireshark is fine with it. I do not care about rules around the radio management fields or frames. I suspect that the RF Monitor mode may have some additional "RF tap" headers that are tripping up the decode?</span></p>

<p><span style="font-family:Calibri;font-size:16pt">Thanks</span></p><span><font color="#888888"><p><span style="font-family:Calibri;font-size:16pt"><br></span></p><p><font face="Calibri"><span style="font-size:21px">David Saint Ruby</span></font></p>

<p><font face="Calibri"><span style="font-size:21px"><br></span></font></p>

</font></span></div>
</div><br></div>
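<p>Added example, not part of the original message and not Snort's own code: data link type 127 in the error above is the pcap registry value LINKTYPE_IEEE802_11_RADIOTAP, meaning every captured packet begins with a radiotap header ahead of the 802.11 frame. The Python below reads the link type from a pcap file header and uses the radiotap length field to reach the 802.11 frame; the capture bytes in <code>SAMPLE</code> and all function names are constructed for illustration.</p>

```python
import struct

# Link-layer header types from the tcpdump.org LINKTYPE_ registry.
LINKTYPE_NAMES = {1: "ETHERNET", 105: "IEEE802_11", 127: "IEEE802_11_RADIOTAP"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def read_pcap(buf):
    """Return (linktype, [packet bytes]) from a classic microsecond pcap image."""
    # The magic number, as stored on disk, tells us the file's byte order.
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(buf[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", buf, 20)[0]
    packets, off = [], 24
    while off + 16 <= len(buf):
        incl_len = struct.unpack_from(end + "I", buf, off + 8)[0]
        packets.append(buf[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, packets

def strip_radiotap(pkt):
    """Drop the radiotap header; its little-endian length field covers all of it."""
    if len(pkt) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, it_len, _present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or not 8 <= it_len <= len(pkt):
        raise ValueError("malformed radiotap header")
    return pkt[it_len:]

def frame_type(frame):
    """Classify an 802.11 frame by the type bits of its frame control field."""
    if len(frame) < 2:
        raise ValueError("truncated 802.11 frame")
    return FRAME_TYPES[(frame[0] >> 2) & 0x3]

def _record(data):  # pcap per-packet header (timestamps zeroed) + packet data
    return struct.pack("<IIII", 0, 0, len(data), len(data)) + data

# Constructed capture: link type 127, one beacon-like and one data-like frame.
SAMPLE = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    + _record(bytes.fromhex("0000080000000000") + b"\x80\x00" + bytes(22))
    + _record(bytes.fromhex("00000c00080000008509a000") + b"\x08\x00" + bytes(22))
)

if __name__ == "__main__":
    linktype, packets = read_pcap(SAMPLE)
    print(LINKTYPE_NAMES.get(linktype), [frame_type(strip_radiotap(p)) for p in packets])
```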