Hi folks -
Attached is a small tool called "packetspammer" I just made from ripping
bits out of penumbrad, it sends 256-byte broadcast packets using the
management interface at a rate you define. It only depends on
libpcap-devel to compile.
# packetspammer <wlan0-type-interface> <delay between packets in us>
eg
# packetspammer wlan0 0
packetspammer brings up the management interface and determines which
one it is using /sys, the paths in there might need meddling with if the
very recent /sys clearout patch stuff is in your kernel, but it is
working with Linville's FC7 #3 2961 kernel which is what I am using
here. Then it loops using libpcap to spam broadcast packets down the
management interface.
So I try packetspammer on iwlwifi and zd1211rw-mac80211: both are
associated to a WPA protected network during the test and a second
machine in Monitor mode looks on.
* zd1211rw-mac80211: packets spew out at any delay, including 0.
Remains associated during the testing. The netdev start and stop stuff
must regulate the packet flow. Good!
* iwlwifi: drops dead without dmesg error after 55 - 89 packets (0us -
1000us delay). Association lost, no further packets are sent until the
thing is rmmodded, will not reassociate with wpa_supplicant restart
unless it is rmmodded and insmodded back in. Even at 1s delay between
packets, eventually it falls over. Bad!
Also notice that packets cannot be sent by packetspammer until the
interface is brought up, which I guess is reasonable enough, but also I
found not until the interface was associated with a WPA network, which
is a problem if the plan is to use the injection action to do the work
of association in userspace.
I hope maybe this can help validate and find the source of any fragility.
-Andy
Michael Wu wrote:
> On Wednesday 07 March 2007 08:05, Andy Green wrote:
>> Also notice that packets cannot be sent by packetspammer until the
>> interface is brought up, which I guess is reasonable enough, but also I
>> found not until the interface was associated with a WPA network, which
>> is a problem if the plan is to use the injection action to do the work
>> of association in userspace.
>>
> There is a hostap/prism2 sub-ioctl to enable userspace mlme mode, which should
> fix that issue. Look around in ieee80211_ioctl.c for
> PRISM2_IOCTL_PRISM2_PARAM, ieee80211_ioctl_prism2_param, and
> PRISM2_PARAM_USER_SPACE_MLME for hints. These sub-ioctls are, of course,
> quite evil and need to be replaced, but it's a little better than hacking
> mac80211 to start with user_space_mlme enabled by default.
Thanks for that tip Michael, I found it needed only
PRISM2_PARAM_ALLOW_BROADCAST_ALWAYS to work without association. So you
only need to
- bring the interface up, and
- set the channel
before running it now. The updated version can be had here:
http://warmcat.com/packetspammer-0.2.tar.gz
-Andy
On Wednesday 07 March 2007 08:05, Andy Green wrote:
> Also notice that packets cannot be sent by packetspammer until the
> interface is brought up, which I guess is reasonable enough, but also I
> found not until the interface was associated with a WPA network, which
> is a problem if the plan is to use the injection action to do the work
> of association in userspace.
>
There is a hostap/prism2 sub-ioctl to enable userspace mlme mode, which should
fix that issue. Look around in ieee80211_ioctl.c for
PRISM2_IOCTL_PRISM2_PARAM, ieee80211_ioctl_prism2_param, and
PRISM2_PARAM_USER_SPACE_MLME for hints. These sub-ioctls are, of course,
quite evil and need to be replaced, but it's a little better than hacking
mac80211 to start with user_space_mlme enabled by default.
-Michael Wu