Menu
What's new
By:
Filters Better Search

how to tcpdump on RT-ac87u / EA8500 /other MU-MIMO router?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

U

Uri

Occasional Visitor
I wish to to run tcpdump on an RT-AC87U or on Linksys EA8500 in order to capture management, control, beacon & data packets sent to/from MU-MIMO clients. (I can also buy/use any other MU-MIMO Router if it will be simpler)

Running tcpdump on the clients side (I have 15 Rivet 505A/525A/1535 NICs) crashes almost immediately on Ubuntu because the drivers doesn't support promiscuous mode well (as far as I could figure), and just making the NICs work was extremely hard. On Windows I get only data packets.

I have never truly messed up with a router - but I am willing to get my hands dirty if that is possible.
As I see it, I can either run tcpdump on the router or on every client (which I was unable to do).

@RMerlin - I saw your post here: http://www.snbforums.com/threads/rt-ac87u-tcpdump.21538/ but it's a year old, and going to optware-ng didn't taught me much. Is this still the way to go? or do you recommend doing something else?

@sfx2000 this expands over our discussion (http://www.snbforums.com/threads/802-11ac-beamforming-report-makes-no-sense.29164/#post-224720) as no single machine will be able to capture the MU-MIMO from the air, except for the AP.

Anyones advice will be much appreciated!
Uri
 
Doing some research, looks like Ubuntu 14.04LTS with the 3.19 vivid HWE kernel supports the Intel 7260 ABGN+Ac cards in Monitor mode, so that might be an option to do some packet captures, as we know that Apple's BCM43xx isn't reliable here (spitting out unreliable data).

Haven't had a chance yet to reconfig a machine to try...

11ac caps are getting to be a real pain...
 
sfx2000 said:
Doing some research, looks like Ubuntu 14.04LTS with the 3.19 vivid HWE kernel supports the Intel 7260 ABGN+Ac cards in Monitor mode, so that might be an option to do some packet captures, as we know that Apple's BCM43xx isn't reliable here (spitting out unreliable data).
Click to expand...

The thing is that in order to capture the traffic that a MU-MIMO NIC receives, I must either use promiscuous mode or capture from the router, and the Intel 7260 is not a MU-MIMO card (funny story, I actually spoke with Rivet Networks CEO in order to get these cards, no MU-MIMO NICs can be bought at this point, only buying laptops/cellphones which have the QCA6174 or QCA9377).
Even monitor mode won't do the trick (as far as I understand)...

sfx2000 said:
11ac caps are getting to be a real pain...
Click to expand...

I agree...
 
Uri said:
Even monitor mode won't do the trick (as far as I understand)...
Click to expand...

Monitor mode won't capture the MU data traffic frames as it's not part of the MU-MIMO set... (raises interesting question WRT group keys vs. device keys, hmmm hadn't considered that if used WAP2 Personal/Enterprise, because there, each client needs it's own)

Anyways - can still capture the signalling as MU need to work on the same control frames as SU, so there, with regards to sounding, across both SU and MU beamformees, there is good info to be had... and that's all in the clear...

Keep in mind, that Macs aren't MU capable, yet, and I don't expect the current crop to be either...
 
On my RT-N66U, I had occasional tcpdump crashes until I disabled HW acceleration, I dunno if ARM devices have the same prob though. I also had better luck with tcpdump by building AsusWRT-Merlin myself and enabling the native tcpdump rather than using entware's tcpdump (but I was way beyond my comfort zone so almost every success I had was luck...).
 
sfx2000 said:
Anyways - can still capture the signalling as MU need to work on the same control frames as SU, so there, with regards to sounding, across both SU and MU beamformees, there is good info to be had... and that's all in the clear...
Click to expand...

I agree that with regard to capturing the Sounding frames, this should be straight forward. Trouble is, I am studying how the routers schedule the frames they transmit (a.k.a. User selection, how to group the clients together according to their SNR/V-matrix).
That means I need to listen both to the sounding procedure AND to understand who receives which frame and when.

This takes me back to my original options: Either tcpdump on all clients (crash on Ubuntu / Fail to do so on Windows), or tcpdump on AP (any MU-MIMO AP will be good for me).

In the meanwhile I'm trying to make the windows option work, but to no avail. you got any idea @sfx2000 ?
thanks
 
@Nullity That sounds promising - Do you know if AsusWRT-Merlin will support the usage of the MU-MIMO functionality of the RT-AC87u?
 
Uri said:
The thing is that in order to capture the traffic that a MU-MIMO NIC receives, I must either use promiscuous mode or capture from the router, and the Intel 7260 is not a MU-MIMO card (funny story, I actually spoke with Rivet Networks CEO in order to get these cards, no MU-MIMO NICs can be bought at this point, only buying laptops/cellphones which have the QCA6174 or QCA9377).
Even monitor mode won't do the trick (as far as I understand)...



I agree...
Click to expand...
I tried Intel7260 and it cannot sniff VHT frame in linux, you can see HT40 frames fine but no VHT. I use MacbookPro and it is working fine to sniff VTH80. For intel7260, somebody complained to Intel about not able to capture VHT but no intelligent reply from Intel, they said to seek help in open source community :cool:
 
zerodegrekelvin said:
I tried Intel7260 and it cannot sniff VHT frame in linux, you can see HT40 frames fine but no VHT. I use MacbookPro and it is working fine to sniff VTH80. For intel7260, somebody complained to Intel about not able to capture VHT but no intelligent reply from Intel, they said to seek help in open source community :cool:
Click to expand...

Thanks for the information! :)
 
zerodegrekelvin said:
I tried Intel7260 and it cannot sniff VHT frame in linux, you can see HT40 frames fine but no VHT. I use MacbookPro and it is working fine to sniff VTH80. For intel7260, somebody complained to Intel about not able to capture VHT but no intelligent reply from Intel, they said to seek help in open source community
Click to expand...

The whole VHT capture thing has been a total mess... even with adapters that support some level (broadcom 4360 for example), the output is unreliable...
 
You must log in or register to reply here.

Similar threads

elrengo
AC31000 - MU-MIMO and other config
Replies
5
Views
747
elrengo
elrengo
R
How to setup WAN VLAN for Nokia Optical modem on RT-AC87U?
Replies
12
Views
945
Richard Cooke
R
D
Unable to see most UDP in tcpdump output on GS-AX3000
Replies
6
Views
1K
dwp
D
B
Battery drain on my Pixel 6 only when connected to RT-AX55 router
Replies
3
Views
694
drabisan
D
mmseng
Disabling "Access Intranet" on RT-AX86U guest network causes IoT devices on primary network to repeatedly disconnect
2
Replies
32
Views
4K
mmseng
mmseng

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 613 (members: 27, guests: 586)
Top