Hello,
I traced mon.wlan0 and wlan0 on an access point because I wanted to see
which data is sent through which device (WPA2 TLS).
That's what I saw:
mon.wlan0 wlan0
---------------------------------------------------------------------------------
initial authentication
probe request x
probe response x (2 times)
authentication requ x
authentication resp x (2 times)
association request x
association response x (2 times)
request identity x (2 times)
response identity x
request eaptls x (2 times)
Server Hello x
Client Hello x
IEEE 802.11 x
request eap-tls x (2 times)
response eap-tls x (2 times)
Change Cipher Spec x (2 times)
Certificate Client x
EAP Success x (2 times)
Response eap-tls x
EAPOL Key msg 1/4 x (2 times)
EAPOL Key msg 2/4 x
EAPOL Key msg 3/4 x (2 times)
EAPOL Key msg 4/4 x
IEEE 802.11 action success x
GTK - rekeying
QoS Data 2 times (WEP and CCMP)
EAPOL Key msg 2/2 x
Reauthentication
QoS (request identity?) x
response identity x
QoS (server hello?) x
client hello x
QoS (Change Cipher Spec?) x
QoS (EAPOL Key msg 1/4?) x
EAPOL Key msg 2/4 x
QoS (EAPOL Key msg 3/4?) x
EAPOL Key msg 4/4 x
QoS (IEEE 802.11 success) x
I'm surprised that not all of the management packets went through the
mon-device.
At the beginning (initial connection), all data went through the
mon-device. After the association, all management data from the client
(supplicant) goes through the normal wlan0 device - I would have
expected that all management and authorization data went through the
mon device.
Could anybody please shed some light on this?
Thank you,
Andreas