This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture 5GHz WiFi traffic for a 40MHz width channel.

0

Hello,

I am trying to capture wireless traffic in the 5GHz band in 40MHz mode (HT40). I am using an "802.11a/b/g/n 3x3 Wireless LAN PCIe Mini Card" for the capture and the operating system is Ubuntu 12.04.

These are the steps I am following:

  1. sudo iwconfig wlan2 mode monitor (To get into the monitor mode.)
  2. sudo iw dev wlan2 set channel 40 (Setting the channel to 5200)
  3. Running wireshark (2.0.3) on wlan2 to capture the traffic

Issue I am facing.

I am not able to capture both the primary and secondary channels here. First of all, I have to run the command below to start capturing the actual data.

iw dev wlan2 set channel 40 ht40+

but we are not able to capture the primary channel data here.

Question:

What is the right procedure to capture in 40MHz mode? How can we capture both primary and secondary data simultaneously?

asked 15 Jul '16, 03:52

shivamudugal

edited 15 Jul '16, 16:34

Guy Harris ♦♦


2 Answers:

0

Have you ever tried the following command?

iw dev wlan2 set channel 40 ht40-

answered 15 Jul '16, 12:05

Christian_R

As I have understood, HT40 mode means a 40MHz-wide channel, and it is achieved by bundling adjacent 20MHz-wide channels. One of the 20MHz channels is referred to as the primary/main channel and the other is referred to as the auxiliary/secondary, each carrying specific data (maybe the primary is carrying the management frames and other data, and the secondary is carrying the actual data).

Now my requirement is to capture both primary and secondary in a single capture. How can I achieve this? As I have seen in the "iw" tool, we can set one of ht40 or ht40+/ht40-. How can I capture both (ht40 and ht40+) or (ht40 and ht40-), considering ht40 is the primary and ht40+/- is the secondary?

Please correct me if I am wrong in my understanding.

(17 Jul '16, 22:29) shivamudugal

Did you try one of the techniques described in the answers? I think your understanding is correct, and the symbol for +/- on HT40 indicates where the secondary channel lies. A beacon frame will tell you as well: in the HT Information IE, there will be a field that will indicate where the secondary channel lies (above or below), in which case use the appropriate iw command with HT40+ or HT40-. This should give both channels.

Note that just because a wireless device supports 40MHz, it may not support monitor mode with 40MHz. Play around with it: maybe something like this - as we know 20MHz likely works (no trace provided to review, but assume you have one that is from both monitor/promiscuous mode):

  1. Find your beacons
  2. Find the HT information IE and it will tell you whether the adjacent channel is high or low. The beacon will also tell you if it supports 40MHz bandwidth, LDPC, SGI, etc. All of this could be important if your capture device is to pick up these frames.
  3. Config your capture device with the appropriate iw command
  4. Validate that you are seeing traffic you expect, like QoS Data, etc, from the client. The radiotap header will tell you if it is 40MHz or 20MHz bandwidth.

If it doesn't work, keep trying: change iw commands, move channels, get a different capture device, etc.

(17 Jul '16, 22:54) Bob Jones

In addition to the comment made by @Bob Jones, my understanding is the following, assuming that channel 40 is your primary: a 40 MHz channel can be achieved by the following channel bindings:

Channel 40 + Channel 44 = HT40+

Channel 40 + Channel 36 = HT40-

That is, in my understanding and in simple words, what HT40+ and HT40- do.

(17 Jul '16, 23:42) Christian_R

@Bob Jones @Christian_R

Thanks for the information. I will do some tryouts with "iw" options...

Is there a way to find out if my capture device supports monitor mode with 40MHz? As I said in my first post, I am using Qualcomm's "802.11a/b/g/n 3x3 Wireless LAN PCIe Mini Card". This one supports 40MHz channel width and can also capture either primary (ht40) or secondary (ht40+/-) at a time, but not together.

(18 Jul '16, 03:03) shivamudugal

I am able to capture either the primary or the secondary channel at a given time. But my requirement is to capture both of them in a single capture.

QoS data will be on the secondary channel and management frames will be on the primary channel. Sometimes QoS data will also creep into the primary channel. So I want to capture both the primary and secondary channels in a single capture.

But until now, using "iw" options, I am able to capture only primary or secondary.

(18 Jul '16, 22:57) shivamudugal

Could you provide us a capture with a beacon inside?

(18 Jul '16, 23:29) Christian_R
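
The beacon check described in the comments above (read the HT Information IE, then pick HT40+ or HT40-), as an added example that is not part of the original thread. It assumes the beacon's tagged parameters are already available as raw bytes; the function names and the sample beacons are constructed for illustration.

```python
HT_OPERATION_ID = 61                 # element ID of the HT Information (HT Operation) IE
SEC_OFFSET = {1: +1, 3: -1}          # 1 = secondary above, 3 = below; 0 = none, 2 = reserved

def iter_elements(tagged: bytes):
    """Yield (element_id, body) for each TLV in a beacon's tagged parameters."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError(f"element {eid} is truncated")
        yield eid, body
        pos += 2 + length

def decode_ht_operation(tagged: bytes):
    """Return primary/secondary channel info from the HT element, or None if absent."""
    for eid, body in iter_elements(tagged):
        if eid != HT_OPERATION_ID:
            continue
        if len(body) < 2:
            raise ValueError("HT element too short")
        primary, info = body[0], body[1]
        direction = SEC_OFFSET.get(info & 0x03, 0)   # bits 0-1: secondary channel offset
        return {
            "primary": primary,
            "wide": bool(info & 0x04),               # bit 2: STA channel width (1 = any width)
            # 5 GHz channel numbers are 5 MHz apart, so the adjacent 20 MHz channel is +/-4
            "secondary": primary + 4 * direction if direction else None,
            "mode": {1: "HT40+", -1: "HT40-"}.get(direction, "HT20"),
        }
    return None

def iw_command(iface: str, ht: dict) -> str:
    """Build the iw invocation matching what the beacon advertises."""
    return f"iw dev {iface} set channel {ht['primary']} {ht['mode']}"

def sample_beacon(primary: int, info_byte: int) -> bytes:
    """Constructed tagged parameters: an SSID element plus a 22-byte HT element."""
    ssid = bytes([0, 4]) + b"test"
    ht = bytes([HT_OPERATION_ID, 22, primary, info_byte]) + bytes(20)
    return ssid + ht

if __name__ == "__main__":
    for info in (0x05, 0x07, 0x00):              # above, below, no secondary channel
        ht = decode_ht_operation(sample_beacon(40, info))
        print(ht, "->", iw_command("wlan2", ht))
```
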

0

Only a slight modification to @Christian_R's comment, which is on point - from

https://en.wikipedia.org/wiki/List_of_WLAN_channels

Channel 40 in UNII-1 band is 20MHz. I would try to move to channel 36 and use your HT+ command. It may seem equivalent to a channel 40 HT40- (i.e. channel 36 HT40+) but it may not be, depending on some specific conditions set in the driver. It may not solve your problem, just something to try.

answered 15 Jul '16, 12:44

Bob Jones