Re: tcpdump for 'disassoc' not supported

2024-03-22 Thread Stefan Sperling
On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
> I am getting wireless disassociation attacks.
> I wanted to look at the packets via:
> `tcpdump -nettt -I -i athn0 -s 256
> type mgt subtype disassoc`
> but I get an error:
> "tcpdump: type not supported on linktype 0x1"
> Should work according to man tcpdump.
> 
> 

Works only with tcpdump -y IEEE802_11_RADIO



Re: tcpdump for 'disassoc' not supported

2024-03-22 Thread ofthecentury
Thanks. This does work on an interface, but not on -r /var/log/pflog?

On Fri, Mar 22, 2024 at 3:54 PM Stefan Sperling wrote:
>
> On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
> > I am getting wireless disassociation attacks.
> > I wanted to look at the packets via:
> > `tcpdump -nettt -I -i athn0 -s 256
> > type mgt subtype disassoc`
> > but I get an error:
> > "tcpdump: type not supported on linktype 0x1"
> > Should work according to man tcpdump.
> >
> >
>
> Works only with tcpdump -y IEEE802_11_RADIO



Re: tcpdump for 'disassoc' not supported

2024-03-22 Thread Peter Hessler
pflog does not monitor the RADIO.  They are not Layer 3 packets, and are
not seen by pf.


On 2024 Mar 22 (Fri) at 16:25:08 +0500 (+0500), ofthecentury wrote:
:Thanks. This does work on an interface, but not on -r /var/log/pflog?
:
:On Fri, Mar 22, 2024 at 3:54 PM Stefan Sperling wrote:
:>
:> On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
:> > I am getting wireless disassociation attacks.
:> > I wanted to look at the packets via:
:> > `tcpdump -nettt -I -i athn0 -s 256
:> > type mgt subtype disassoc`
:> > but I get an error:
:> > "tcpdump: type not supported on linktype 0x1"
:> > Should work according to man tcpdump.
:> >
:> >
:>
:> Works only with tcpdump -y IEEE802_11_RADIO
:

-- 
To err is human, to moo bovine.



Re: tcpdump for 'disassoc' not supported

2024-03-22 Thread Stefan Sperling
On Fri, Mar 22, 2024 at 04:25:08PM +0500, ofthecentury wrote:
> Thanks. This does work on an interface, but not on -r /var/log/pflog?

You cannot log wifi management frames in PF because PF does not operate
at the wifi layer.

There is hostapd(8) which can do some interesting things with these
frames.

To avoid deauth attacks there is ifconfig nwflag stayauth.
The proper fix would be management frame protection but this has not been
implemented (yet?).



Re: tcpdump for 'disassoc' not supported

2024-03-22 Thread ofthecentury
Right on. It should be -y IEEE802_11 to see dissociations, though.
IEEE802_11_RADIO just gives scan results.

On Fri, Mar 22, 2024 at 4:33 PM Peter Hessler wrote:
>
> pflog does not monitor the RADIO.  They are not Layer 3 packets, and are
> not seen by pf.
>
>
> On 2024 Mar 22 (Fri) at 16:25:08 +0500 (+0500), ofthecentury wrote:
> :Thanks. This does work on an interface, but not on -r /var/log/pflog?
> :
> :On Fri, Mar 22, 2024 at 3:54 PM Stefan Sperling wrote:
> :>
> :> On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
> :> > I am getting wireless disassociation attacks.
> :> > I wanted to look at the packets via:
> :> > `tcpdump -nettt -I -i athn0 -s 256
> :> > type mgt subtype disassoc`
> :> > but I get an error:
> :> > "tcpdump: type not supported on linktype 0x1"
> :> > Should work according to man tcpdump.
> :> >
> :> >
> :>
> :> Works only with tcpdump -y IEEE802_11_RADIO
> :
>
> --
> To err is human, to moo bovine.
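

Added example, not part of the thread and not code from any poster: a Python reader that applies the `type mgt subtype disassoc` test (and the deauth equivalent) to a saved capture, showing why it needs link type IEEE802_11 or IEEE802_11_RADIO and cannot work on Ethernet-framed data ("linktype 0x1"). It assumes a classic little-endian pcap file; the function names, addresses, reason codes and frames are constructed for illustration.

```python
import struct
# pcap link-layer types (DLT values)
DLT_EN10MB = 1              # Ethernet: the "linktype 0x1" in the tcpdump error
DLT_IEEE802_11 = 105        # bare 802.11 headers (-y IEEE802_11)
DLT_IEEE802_11_RADIO = 127  # radiotap header, then 802.11 (-y IEEE802_11_RADIO)
SUBTYPES = {10: "disassoc", 12: "deauth"}  # 802.11 management subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def find_disconnects(pcap):
    """Return (subtype, src, dst, reason) for each disassoc/deauth frame."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if linktype not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError(f"no 802.11 headers on linktype {linktype:#x}")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if linktype == DLT_IEEE802_11_RADIO:
            # bytes 2-3 of the radiotap header hold its total length; skip it
            frame = frame[int.from_bytes(frame[2:4], "little"):]
        if len(frame) < 26:  # 24-byte management header + 2-byte reason code
            continue
        ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
        if ftype == 0 and subtype in SUBTYPES:  # type 0 = management
            reason = struct.unpack_from("<H", frame, 24)[0]
            hits.append((SUBTYPES[subtype], mac(frame[10:16]), mac(frame[4:10]), reason))
    return hits

# --- constructed sample data (not captured traffic) ---
def make_pcap(linktype, frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 256, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def mgmt(subtype, dst, src, body):
    # frame control, duration, addr1 (dst), addr2 (src), addr3 (BSSID), seq ctl
    return bytes([subtype << 4, 0, 0, 0]) + dst + src + src + b"\x00\x00" + body

STA, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
FRAMES = [mgmt(8, b"\xff" * 6, AP, bytes(12)),        # beacon, ignored
          mgmt(10, STA, AP, struct.pack("<H", 8)),    # disassoc, reason 8
          mgmt(12, STA, AP, struct.pack("<H", 7))]    # deauth, reason 7
RADIOTAP = struct.pack("<BBHI", 0, 0, 8, 0)           # minimal radiotap header
```

Counting the returned tuples per source address over time gives a quick view of whether disassociation or deauthentication frames arrive in bursts.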