IGRSoft / KisMac2

KisMAC is a free, open source wireless stumbling and security tool for Mac OS X.
http://igrsoft.com
GNU General Public License v2.0

Passive airport scanning does not show 5ghz networks #57

Open tkoyn opened 9 years ago

tkoyn commented 9 years ago

I have a 2011 MacBook Pro. If I scan with Airport in passive mode no 5GHz networks show. If I use active mode they do show.

orinem commented 9 years ago

Same with Airport Extreme. I'd guess it's because the 5GHz channels aren't scanned. I'll look at this once #56 is fixed.

orinem commented 9 years ago

OK, looked at this some more.

Yes, the 5GHz channels aren't being scanned in passive mode; only (integer) channels 1 to 14 at the most are scanned.

This is not a trivial fix. I added code to print the channels available from the Airport Extreme on my Mac Mini and got the following:

2015-08-15 18:08:32.867 KisMac2[30492:2213040] Channel 124, BW 1, band 2
2015-08-15 18:08:32.867 KisMac2[30492:2213040] Channel 1, BW 1, band 1
2015-08-15 18:08:32.867 KisMac2[30492:2213040] Channel 2, BW 1, band 1
2015-08-15 18:08:32.867 KisMac2[30492:2213040] Channel 3, BW 1, band 1
2015-08-15 18:08:32.867 KisMac2[30492:2213040] Channel 4, BW 1, band 1
2015-08-15 18:08:32.868 KisMac2[30492:2213040] Channel 5, BW 1, band 1
2015-08-15 18:08:32.868 KisMac2[30492:2213040] Channel 6, BW 1, band 1
2015-08-15 18:08:32.868 KisMac2[30492:2213040] Channel 7, BW 1, band 1
2015-08-15 18:08:32.868 KisMac2[30492:2213040] Channel 8, BW 1, band 1
2015-08-15 18:08:32.868 KisMac2[30492:2213040] Channel 9, BW 1, band 1
2015-08-15 18:08:32.868 KisMac2[30492:2213040] Channel 10, BW 1, band 1
2015-08-15 18:08:32.868 KisMac2[30492:2213040] Channel 11, BW 1, band 1
2015-08-15 18:08:32.869 KisMac2[30492:2213040] Channel 128, BW 2, band 2
2015-08-15 18:08:32.869 KisMac2[30492:2213040] Channel 128, BW 1, band 2
2015-08-15 18:08:32.869 KisMac2[30492:2213040] Channel 132, BW 1, band 2
2015-08-15 18:08:32.869 KisMac2[30492:2213040] Channel 136, BW 2, band 2
2015-08-15 18:08:32.869 KisMac2[30492:2213040] Channel 140, BW 1, band 2
2015-08-15 18:08:32.869 KisMac2[30492:2213040] Channel 136, BW 1, band 2
2015-08-15 18:08:32.869 KisMac2[30492:2213040] Channel 132, BW 2, band 2
2015-08-15 18:08:32.870 KisMac2[30492:2213040] Channel 149, BW 2, band 2
2015-08-15 18:08:32.870 KisMac2[30492:2213040] Channel 149, BW 1, band 2
2015-08-15 18:08:32.870 KisMac2[30492:2213040] Channel 153, BW 2, band 2
2015-08-15 18:08:32.870 KisMac2[30492:2213040] Channel 153, BW 1, band 2
2015-08-15 18:08:32.870 KisMac2[30492:2213040] Channel 157, BW 2, band 2
2015-08-15 18:08:32.872 KisMac2[30492:2213040] Channel 157, BW 1, band 2
2015-08-15 18:08:32.873 KisMac2[30492:2213040] Channel 161, BW 2, band 2
2015-08-15 18:08:32.873 KisMac2[30492:2213040] Channel 161, BW 1, band 2
2015-08-15 18:08:32.873 KisMac2[30492:2213040] Channel 36, BW 2, band 2
2015-08-15 18:08:32.873 KisMac2[30492:2213040] Channel 165, BW 1, band 2
2015-08-15 18:08:32.873 KisMac2[30492:2213040] Channel 36, BW 1, band 2
2015-08-15 18:08:32.873 KisMac2[30492:2213040] Channel 40, BW 2, band 2
2015-08-15 18:08:32.874 KisMac2[30492:2213040] Channel 40, BW 1, band 2
2015-08-15 18:08:32.874 KisMac2[30492:2213040] Channel 44, BW 2, band 2
2015-08-15 18:08:32.874 KisMac2[30492:2213040] Channel 44, BW 1, band 2
2015-08-15 18:08:32.874 KisMac2[30492:2213040] Channel 48, BW 2, band 2
2015-08-15 18:08:32.874 KisMac2[30492:2213040] Channel 48, BW 1, band 2
2015-08-15 18:08:32.874 KisMac2[30492:2213040] Channel 52, BW 2, band 2
2015-08-15 18:08:32.874 KisMac2[30492:2213040] Channel 52, BW 1, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 56, BW 2, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 56, BW 1, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 60, BW 2, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 60, BW 1, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 64, BW 2, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 64, BW 1, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 100, BW 2, band 2
2015-08-15 18:08:32.875 KisMac2[30492:2213040] Channel 100, BW 1, band 2
2015-08-15 18:08:32.876 KisMac2[30492:2213040] Channel 104, BW 2, band 2
2015-08-15 18:08:32.887 KisMac2[30492:2213011] Got location update!
2015-08-15 18:08:32.896 KisMac2[30492:2213040] Channel 104, BW 1, band 2
2015-08-15 18:08:32.897 KisMac2[30492:2213040] Channel 108, BW 2, band 2
2015-08-15 18:08:32.897 KisMac2[30492:2213040] Channel 108, BW 1, band 2
2015-08-15 18:08:32.897 KisMac2[30492:2213040] Channel 112, BW 2, band 2
2015-08-15 18:08:32.897 KisMac2[30492:2213040] Channel 112, BW 1, band 2
2015-08-15 18:08:32.897 KisMac2[30492:2213040] Channel 116, BW 2, band 2
2015-08-15 18:08:32.897 KisMac2[30492:2213040] Channel 116, BW 1, band 2
2015-08-15 18:08:32.897 KisMac2[30492:2213040] Channel 120, BW 2, band 2
2015-08-15 18:08:32.898 KisMac2[30492:2213040] Channel 120, BW 1, band 2
2015-08-15 18:08:32.898 KisMac2[30492:2213040] Channel 124, BW 2, band 2

Band 1 is 2 GHz and band 2 is 5 GHz. The different BW values correspond to 20 and 40 MHz channel bandwidths.

We have four major problems.

  1. The code doesn't scan these channels.
  2. There is no UI to enable/disable scanning these channels.
  3. There are two possible bandwidths available per channel. I do not know if we need to treat them separately, or if we should scan both, but report as one.
  4. Various jurisdictions put limitations on which channels are available and the terms under which they may be used (see https://en.wikipedia.org/wiki/List_of_WLAN_channels ). More realistically, the limitations are on which channels one can transmit on and how much power one can use. But it is quite possible that a driver (hardware adapter) may refuse to monitor a channel that it is not allowed to transmit on. This should not be a problem for those of us who are merely trying to ensure our networks aren't being abused; I have no need to monitor a channel that I can't actively use for communication; I am monitoring the channels I am using, looking for suspicious activity.

tkoyn commented 9 years ago

Thanks for the update.

"This is not a trivial fix. I added code to print the channels available from the Airport Extreme on my Mac Mini and got the following:"

"We have four major problems."

"1. The code doesn't scan these channels."

"2. There is no UI to enable/disable scanning these channels."

Adding a checkbox to enable/disable all 5GHz channels would be sufficient for a first cut of this feature. It would appear in the driver preferences for the adapter. Maybe later could add checkboxes for each channel.

"3. There are two possible bandwidths available per channel. I do not know if we need to treat them separately, or if we should scan both, but report as one."

I am not sure on this. You will have to test by setting the different channel widths on a router and seeing how the app acts.

"4. Various jurisdictions put limitations on which channels are available and the terms under which they may be used (see https://en.wikipedia.org/wiki/List_of_WLAN_channels ). More realistically, the limitations are on which channels one can transmit on and how much power one can use. But it is quite possible that a driver (hardware adapter) may refuse to monitor a channel that it is not allowed to transmit on. This should not be a problem for those of us who are merely trying to ensure our networks aren't being abused; I have no need to monitor a channel that I can't actively use for communication; I am monitoring the channels I am using, looking for suspicious activity."

For a first cut of the feature, if the driver refuses to monitor a channel illegal in the area for this reason, you may or may not get an error code when you try to tune to the channel in the scan cycle. Just silently skip any channels on subsequent scan cycles if they do give an error code that they cannot be tuned. If the driver is willing to tune and scan channels outside the jurisdiction, just scan them anyway; since you are just listening this would be legal. If the driver does not give an error code when tuning such channels it may be scanning them or silently always saying no activity. If this is the case, you will not be able to distinguish what is happening in this last scenario without yourself deliberately transmitting from another device on an illegal channel, so don't do that, and in this case just let the scan loop go through all the channels.

For an enhanced version of the feature, you could add a checkbox to include/exclude channels outside the jurisdiction. You would do this only if you can determine which channels are out of the jurisdiction at run time by error codes or based on detecting which country the wifi adapter is set to. This would shorten the scan cycle at user option, if they do not want to look for networks on illegal channels, since there would be very few or no such networks in existence.

Can you please also take a look at my issue 58?

tkoyn commented 9 years ago

I see there's a new commit for this. I am curious what were your design decisions on how you and korich made this work for this first cut of this feature? What did you find out on the question of whether you get errors when trying to passive scan channels unavailable in the area? Does the code have any way of identifying such channels? What does the code do about such channels? Are they scanned or not? Also, how are the multiple bandwidths handled?

ikorich commented 9 years ago

Fixed scan for one channel

ikorich commented 9 years ago

@tkoyn , if you have some correction for GUI, please, tell us or better - show ;)

ikorich commented 9 years ago

Nightly Build has been updated with 5ghz fixes http://downloads.igrsoft.com/beta/KisMac2.zip

NEED TEST

tkoyn commented 9 years ago

I just grabbed the latest of the master branch, namely the below stated commit, and I am seeing new performance issues with passive Airport scanning, even when I turn off 5GHz scanning:

- The updates of packets seen and last seen timestamp of 2.4GHz networks are more infrequent
- I see an off-and-on spinning beach ball during scanning
- I think a 5GHz network even showed up on the list once when I had 5GHz turned off. Is the program taking the time to scan the 5GHz networks and then throw away the results when 5GHz scanning is turned off?

This is the commit point I built and ran:

commit 46858f30b2f730e3bb9ecb1251bad82274feacf4
Author: Orin Eman orin.eman@gmail.com
Date: Tue Aug 18 22:14:32 2015 -0700

Allow individual USB drivers to inspect incoming frames before queueing them.

Also, can you explain in english how you are handling the 5ghz channels that are illegal in the area where the program is running? Are they scanned? Are they skipped? Can this be passively scanned? Also how are you handling the bandwidth options?

Also, can you (orinem or ikorich) please also take a look at my issue 58 about exporting the mapping data for Google Earth?

orinem commented 9 years ago

-The updates of packets seen and last seen timestamp of 2.4ghz networks are more infrequent

How many channels are you scanning? At 0.25 seconds per channel, it can take quite a while to scan all the channels. Make sure the Hopping frequency is 0.25s.

-I see an off-and-on spinning beach ball during scanning

That can happen if the driver fails to set a channel. It can be because of some random failure in the low level driver (I've seen it fail to set a channel once, then work on a second attempt), or that the channel is illegal where you are running. The spinning beach ball problem was far worse before I changed PrefsDriver.m to not allow you to set an invalid 5GHz channel, but the set of channels you can set in the UI is not yet intersected with the set of channels that the Apple driver supports. So it is still possible to set a range that includes a channel that Apple consider invalid. I reproduced this problem with the latest code on my machine by selecting all channels. For now, use a range of channels that you know to be valid. I'll look into this issue.

"Also, can you explain in english how you are handling the 5ghz channels that are illegal in the area where the program is running? Are they scanned? Are they skipped?"

The Apple driver won't report them as valid channels, so you cannot set them and cannot passively scan them. The listing above shows the list of channels that Apple consider valid where I am. I think it's scanning the first bandwidth option reported by the driver for each channel. I'll look into that. Note that the test code that I had that scanned both bandwidths had some unexpected results:

- I got nothing when channel 149 was selected, either bandwidth.
- I got packets reported on channel 153 when channel 153 20MHz was selected.
- I got packets reported on channel 149(!) when channel 153 40MHz was selected.

Yes, 40MHz bandwidth on channel 153 does use channel 149 as well, but I did not expect incoming packets to be reported on channel 149.
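
The last observation above (packets attributed to channel 149 when channel 153 was selected at 40 MHz) follows from how 40 MHz channels are built: a 40 MHz channel is a pair of adjacent 20 MHz channels, and 153 at 40 MHz spans the same spectrum as 149. The following is an added example, not KisMac's own code, that maps channel numbers to centre frequencies, looks up the 5 GHz 40 MHz pairs (the standard IEEE 802.11 Annex E pairs) and derives, from the channel list in the log earlier in this thread, which channels can be set at 40 MHz. AIRPORT_5GHZ_CHANNELS is transcribed from that log; the 2.4 GHz band's overlapping 40 MHz pairs are not modelled.

```python
"""Map 802.11 channel numbers to frequencies and 40 MHz (HT40) channel pairs.

Added example, not KisMac code.  The 5 GHz HT40 pairs are the standard
IEEE 802.11 Annex E pairs; the 2.4 GHz band is only mapped to 20 MHz
centre frequencies here (its overlapping 40 MHz pairs are not modelled).
"""

# 5 GHz pairs of 20 MHz channels that together form one 40 MHz channel.
HT40_PAIRS_5GHZ = [
    (36, 40), (44, 48), (52, 56), (60, 64),
    (100, 104), (108, 112), (116, 120), (124, 128),
    (132, 136), (140, 144), (149, 153), (157, 161),
]

# Channels the Airport Extreme reported in the log above (band 2 = 5 GHz).
AIRPORT_5GHZ_CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112,
                         116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165]


def channel_to_mhz(channel: int) -> int:
    """Centre frequency of a 20 MHz channel (2.4 GHz and 5 GHz bands only)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484            # Japan-only channel, off the 5 MHz grid
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is not a 2.4/5 GHz channel")


def ht40_partner(channel: int):
    """The other 20 MHz channel bonded with `channel` at 40 MHz, or None."""
    for lo, hi in HT40_PAIRS_5GHZ:
        if channel == lo:
            return hi
        if channel == hi:
            return lo
    return None


def covered_channels(channel: int, bandwidth_mhz: int) -> set:
    """20 MHz channels whose spectrum a (channel, bandwidth) setting spans."""
    if bandwidth_mhz == 20:
        return {channel}
    if bandwidth_mhz == 40:
        partner = ht40_partner(channel)
        if partner is None:
            raise ValueError(f"channel {channel} has no 40 MHz partner")
        return {channel, partner}
    raise ValueError("only 20 and 40 MHz are modelled")


def ht40_centre_mhz(channel: int) -> int:
    """Centre frequency of the 40 MHz channel that contains `channel`."""
    lo = min(covered_channels(channel, 40))
    return channel_to_mhz(lo) + 10


def ht40_capable(supported) -> list:
    """Channels from `supported` that can run at 40 MHz, i.e. whose partner is
    also supported.  140 (partner 144 missing) and 165 (no partner) drop out,
    which matches the BW-1-only lines for those channels in the log."""
    supported = set(supported)
    return sorted(ch for ch in supported
                  if ht40_partner(ch) is not None and ht40_partner(ch) in supported)


if __name__ == "__main__":
    for ch, bw in ((149, 20), (153, 20), (153, 40)):
        print(f"channel {ch} @ {bw} MHz covers {sorted(covered_channels(ch, bw))}"
              f" ({channel_to_mhz(ch) if bw == 20 else ht40_centre_mhz(ch)} MHz centre)")
    print("40 MHz capable:", ht40_capable(AIRPORT_5GHZ_CHANNELS))
```

A scanner that reports by primary channel only will therefore attribute frames on the 149/153 pair to whichever of the two it was asked to tune, so treating the 20 MHz and 40 MHz entries for one channel as a single scan slot is reasonable, but the 40 MHz setting should be recorded as covering both channels.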

tkoyn commented 9 years ago

In my test when I complained about performance, I actually had 5ghz turned off. So it should not have been scanning any 5ghz channels for that particular scan. So I should have seen no beachballs as well during that test, since if I am not scanning 5ghz channels, then there should be no attempts to tune an invalid channel sent to Apple's driver. And I did have the hop set at .25 seconds.

If the user includes an invalid channel or chooses to scan all channels in the UI, and then an invalid channel is sent to the Apple driver, the application should take note of that and not send that same channel number to the Apple driver again for the remainder of the time Kismac is executing. e.g. not try the channel until user restarts KisMac, possibly in a different location.

I am curious, how does the Apple driver decide the jurisdiction of the computer? Is it based on last location identified through location services? Is it based on the location set by the user for the date/time settings? Or what? In other words, what do I need to do if I travel to ensure my computer will use the correct jurisdiction for the Airport both in general use and for Kismac?

orinem commented 9 years ago

"If the user includes an invalid channel or chooses to scan all channels in the UI, and then an invalid channel is sent to the Apple driver, the application should take note of that and not send that same channel number to the Apple driver again for the remainder of the time Kismac is executing. e.g. not try the channel until user restarts KisMac, possibly in a different location."

There is code to do that, but there was a problem stopping it from working correctly. I have checked in a fix. Unfortunately, there are some 2 second delays in the code that recovers from a failure to set a channel, so you'll see an occasional beach ball in this version until it eliminates the bad channels.

Your problem probably came from one or more of channels 12-14.

I only asked about the hop set at 0.25 sec as at one point, mine got set to 2 seconds and I don't know why or how.

Finally, for the first 2 seconds, the channel that the adapter was previously using will be used, so If you'd previously scanned 5GHz channels, you'll get 2 seconds worth of packets on the 5GHz channel. I've not tried to fix this yet.

I'm not sure how Apple decide the jurisdiction. You can check it with "About This Mac"/"System Report" and select Wi-Fi under Network. There is supposedly some way of setting it via "System Preferences"/"Language & Region". Google wasn't particularly helpful.
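
The behaviour discussed in the last two comments (try each channel, drop a channel from later passes once the driver refuses it, but tolerate the occasional one-off failure) can be sketched as a hopper loop. This is an added example, not KisMac's code. FakeDriver stands in for the adapter driver; its supported channel set and the single transient failure are constructed for the demonstration. The 0.25 s dwell comes from the thread; with it, a 24-channel list takes 6 s per pass until the unusable channels have been weeded out.

```python
"""Channel hopper that drops channels the driver refuses to tune.

Added example, not KisMac code.  FakeDriver stands in for the adapter: it
rejects channels outside its supported set (constructed here) and can be
told to fail a channel once, to mimic the transient failure mentioned above.
"""
import time


class ChannelSetError(Exception):
    """Raised when the driver cannot tune the requested channel."""


class FakeDriver:
    def __init__(self, supported, fail_once=()):
        self.supported = set(supported)
        self.fail_once = set(fail_once)      # fail the first attempt only
        self.channel = None
        self.attempts = []                   # every channel we were asked to set

    def set_channel(self, channel):
        self.attempts.append(channel)
        if channel not in self.supported:
            raise ChannelSetError(f"channel {channel} not supported here")
        if channel in self.fail_once:
            self.fail_once.discard(channel)
            raise ChannelSetError(f"transient failure on channel {channel}")
        self.channel = channel


class ChannelHopper:
    def __init__(self, driver, channels, dwell_s=0.25, retries=1, sleep=time.sleep):
        self.driver = driver
        self.channels = list(channels)
        self.dwell_s = dwell_s
        self.retries = retries
        self.sleep = sleep
        self.bad = set()                     # skipped for the rest of the run

    def tune(self, channel):
        """Try a channel up to retries+1 times; blacklist it on persistent failure."""
        for _ in range(self.retries + 1):
            try:
                self.driver.set_channel(channel)
                return True
            except ChannelSetError:
                continue
        self.bad.add(channel)
        return False

    def active_channels(self):
        return [ch for ch in self.channels if ch not in self.bad]

    def cycle_time_s(self):
        """Time one full pass takes once the bad channels are known."""
        return len(self.active_channels()) * self.dwell_s

    def cycle(self):
        """One pass over the channel list; returns the channels actually listened on."""
        scanned = []
        for channel in self.active_channels():
            if self.tune(channel):
                scanned.append(channel)
                self.sleep(self.dwell_s)
        return scanned


def run_demo(sleep=lambda s: None):
    """Two passes over a list that includes channels the driver will not set."""
    driver = FakeDriver(
        supported=list(range(1, 12)) + [36, 40, 44, 48, 149, 153, 157, 161, 165],
        fail_once=[36],
    )
    wanted = list(range(1, 15)) + [36, 40, 44, 48, 149, 153, 157, 161, 165, 169]
    hopper = ChannelHopper(driver, wanted, sleep=sleep)
    first = hopper.cycle()
    second = hopper.cycle()
    return first, second, hopper.bad, driver.attempts, hopper.cycle_time_s()


if __name__ == "__main__":
    first, second, bad, attempts, secs = run_demo()
    print("first pass :", first)
    print("second pass:", second)
    print("blacklisted:", sorted(bad), "after", len(attempts), "set_channel calls")
    print(f"steady-state pass takes {secs:.2f} s")
```

The blacklist is per process on purpose: the set of channels the driver accepts depends on the regulatory domain it picked up, so a restart in a new location starts with a clean slate, which is the behaviour asked for above.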

orinem commented 9 years ago

It was looking pretty good for the Airport Extreme, but RTL8187 was refusing to change channel.

Fix is checked in: https://github.com/IGRSoft/KisMac2/commit/92f35f19ae2886d3e47b0a4066750d1f9541e916

I have an Alfa AWUS036NH arriving tomorrow. It has a native Yosemite driver... with a bit of luck, it will be possible to copy/re-use the Airport Extreme KisMac driver code and extend my testing coverage to three devices.

No, I haven't looked at issue #58. I'll take a look after this issue is closed, but FWIW, for me, the move/zoom buttons randomly disappear/reappear and the map doesn't properly zoom; it looks like the low-res image is expanded rather than a higher resolution image downloaded... See attached screenshot. Let's keep discussion of issue #58 separate... we'll get there.


The position data isn't accurate anyway... probably my ISP's location!

tkoyn commented 9 years ago

The Airport scanning seems improved in tests where I scan either all 2.4 or all 2.4 and 5 ghz channels. I am curious, what is the shortest hop time I can usefully set?

"I'm not sure how Apple decide the jurisdiction. You can check it with "About This Mac"/"System Report" and select Wi-Fi under Network. There is supposedly some way of setting it via "System Preferences"/"Language & Region". Google wasn't particularly helpful."

Will Kismac recheck the jurisdiction or available channels one time each time the application has started so it can adapt to scan the valid channels in case the user has travelled? Or maybe there should be a menu option to recheck the jurisdiction. Also, I am curious if you found out more about how the jurisdiction is set. If I travel, I wouldn't want to change the language, but I would want the wifi to support the correct channels.

Also I see misspelling of the word channel as chanel in the UI of the application.

tkoyn commented 9 years ago

"It was looking pretty good for the Airport Extreme, but RTL8187 was refusing to change channel. Fix is checked in: 92f35f1"

"I have an Alfa AWUS036NH arriving tomorrow. It has a native Yosemite driver... with a bit of luck, it will be possible to copy/re-use the Airport Extreme KisMac driver code and extend testing coverage to three devices."

These USB adapters may have their own list of what channels they can use not provided by Apple. Since the scan does not transmit, I would suggest that USB adapters be allowed to scan any channels they can receive regardless of what Apple shows for location/jurisdiction.

orinem commented 9 years ago

The country code is checked at OS boot time - it's logged in system.log. The AWUS036NH driver does some kind of check when the device is plugged in, again logged in system.log.

From what I could tell from google searches, to change the settings used by the airport extreme, you have to change the settings in System Preferences and restart to make the change take effect.

I cannot at the moment recommend the AWUS036NH. It does not integrate with the OSX settings and installed its own "Wireless Utility" which promptly connected to the first open network it could find! There is no obvious setting to stop it... other than creating and activating a profile with a non-existent SSID. There doesn't seem to be a way of putting it into monitor mode to capture 802.11 frames. It was worse on a Windows Server 2012 R2. Their utility kept crashing in one of their dlls and never found any networks.

As far as I could tell, the KisMac RT8187 driver was happy to scan any channel the device was capable of and KisMac doesn't stop you checking channels 12-14, so I think your request there is moot.

tkoyn commented 9 years ago

I recall reading that the old Kismac from the pre Snow Leopard days required that the OS driver for AWUS036H not be installed, and that Kismac uses its own driver. In order to support more cards, you probably need to write driver level code as a part of KisMac like had been done with the 8187. You probably need to research adapters that work with the Linux Kismet application to find which ones are good ones to implement. I do see your new adapter listed in http://www.wirelesshack.org/top-wardriving-usb-adapters.html. BTW issue #37 asks for support of modern Yosemite compatible wifi cards.

orinem commented 9 years ago

Right, don't install an OS driver for the AWUS036H to use it with KisMac; KisMac accesses it directly with the RT8187 driver. The NH seems to be a waste of time for KisMac, though I do now have it working OK on a Windows 7 laptop. I'd send it back, but shipping costs make it hardly worth it. I'm not going to pursue it further for use with KisMac unless it happens as a side effect of other work.

Actually, I think any adapter that has a Linux driver (and Kali Linux might be the way to go there) can be adapted by taking the relevant parts out of the Linux driver... just have to beware of the licensing.

Looking at the AWUS052NH now...

I know about issue #37. All I can say is that I've tested "Airport Extreme" and AWUS036H on Yosemite.

tkoyn commented 9 years ago

I did some more testing with the Airport passive scanning.

1) I scanned 5GHz only passive Airport, all channels. It appears to work, showing the single 5GHz network that was near, but takes about 6 seconds per scan cycle. Is it a good idea to shorten the hop to less than 0.25s?

2) I set up for simultaneous scanning with 5GHz on Airport and 2.4GHz on RTL8187. On that scan session the nearby 5GHz network did not appear at all, while the nearby 2.4GHz networks appeared just fine. It seems there may be an issue with simultaneous scanning on two adapters and getting the results of both adapters to the screen.

3) I tested Airport scan where network interface was removed in the system network settings. This crashes Kismac upon start of scan. There should be a popup error message that scanning could not begin because the adapter could not be found.

orinem commented 9 years ago

1: I think it depends on how long the driver/adapter takes to change channel. You could try 0.1 seconds, but you might find that it spends very little time actually listening on each channel.

2: I've seen similar with two drivers selected. It's a problem with the start scan method not being asynchronous, so only one driver scans until you hit the stop button. I'll take a look at it once the 5GHz stuff is working.

3: That's not very nice of it. I'll see if I can reproduce it.

4: I fixed the typos in the channel select dialog.

orinem commented 9 years ago

I checked in changes for scanning with more than one driver selected and 0.1 sec hop interval. I also tweaked the default column widths since channels > 100 were being truncated.

I think it's time to close this issue since we now are scanning 5GHz channels successfully.

Any other 'issue' that was mentioned above that still exists and the crash if you remove the adapter should be raised as new issues.

tkoyn commented 9 years ago

I just tried the code from the latest commit.

It appears to be scanning from both Airport and RTL8187 at the same time OK, and I believe 5GHz Airport scanning is working properly from my short test runs.

I still see one typo "All Chanels" under the 5GHz setting.

I am curious if you figured out how to change your computer's jurisdiction so you could test if Kismac (on its first startup or scan in a new jurisdiction) finds and adapts to the channels of that new jurisdiction.

I hope you will work on issue 58 next about exporting the mapping data (which should be relatively easy to fix), before you invest the substantial time it will take to support a new adapter type. (I am interested in both, but would like to see continuing fixes of former functionality before adding new features.)

orinem, Thanks for breathing new life into this program.

orinem commented 9 years ago

Best I've come up with Re: country code on the adapter is: https://discussions.apple.com/thread/2712936

At the end, it says it's set automatically via the 802.11d protocol. I get the following messages in my system.log:

Aug 22 12:52:54 Orins-Mac-mini kernel[0]: IO80211AWDLPeerManager::configure Dynamic country code not supported on this device

Aug 22 12:53:54 Orins-Mac-mini kernel[0]: en1: 802.11d country code set to 'US'.
Aug 22 12:53:54 Orins-Mac-mini kernel[0]: en1: Supported channels 1 2 3 4 5 6 7 8 9 10 11 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 136 140 149 153 157 161 165

Setting the region to Europe/UK made no difference.

tkoyn commented 9 years ago

The article you reference links to a longer discussion, but the link is broken as Apple must have reorganized its discussion forums. The correct link is https://discussions.apple.com/thread/2183102 instead of http://discussions.apple.com/thread.jspa?threadID=2183102&start=0&tstart=1.

Anyway, to test KisMac's adaptation to different jurisdictions without actually traveling would require having one or more routers of a current jurisdiction that you can turn on to get the Mac to switch jurisdiction. Then you would have to turn on your Airport driver very near that router and hope it hears the 802.11d packet from the test router first. If you have DD-WRT (or possibly other 3rd party firmwares) on a router, you can temporarily change the regulatory domain of the router to make your test to see if Kismac adjusts its set of valid channels when the Airport driver has been exposed to a different 802.11d country code.

Also, does Kismac have a way of displaying 802.11d information that has been sniffed during scanning so that one can check if nearby networks are putting out correct 802.11d info?

orinem commented 9 years ago

Well, I have a spare Linksys WRT54GL that I could put OpenWRT on and play with, but it's not likely to happen in the near future.

I put test code in to pull the country out of beacon packets and not all local APs are sending it (it's optional in the beacon packet). Those that are sending it are sending "US ". For example:

2015-08-23 21:54:22.724 KisMac2[4527:266607] Country 'US ' for SSID xfinitywifi
2015-08-23 21:54:25.191 KisMac2[4527:266607] Country 'US ' for SSID HOME-442A-5

Those aren't my networks; my 5GHz extender is not including country information. It probably wouldn't be difficult to add another column to the network display, but that will have to wait.

The copy of Kismet on Kali Linux that I have been trying claims to be able to display it, but is only displaying '---'. Kali is running in a VirtualBox VM on the Mac Mini. The '036NH is hopeless in the VM. I did get the '036H to work, but it seemed to see fewer packets than with Kismac. Now trying the '052NH in the VM.
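
The country string printed in the comment above comes from the 802.11d Country element (element ID 7) in the beacon. It is optional, which is why some APs show nothing, and it carries a two-letter country code, an environment byte (' ' for any, 'I' for indoor, 'O' for outdoor; hence 'US ') and triplets of (first channel, number of channels, maximum transmit power in dBm). The parser below is an added example, not KisMac's code: it builds a constructed beacon frame (the SSIDs and channel triplets are made up; only the 'US ' string mirrors the log above) and extracts the element. Two assumptions are built in and marked in the code: channels within a triplet are enumerated in steps of 1 below channel 36 and steps of 4 from 36 up, and triplets whose first byte is 201 or higher are operating-class triplets rather than sub-bands and are skipped.

```python
"""Extract the 802.11d Country element from a beacon frame.

Added example, not KisMac code.  SAMPLE_BEACON is constructed below: the
SSIDs and channel triplets are made up; only the 'US ' country string
mirrors the log output in the thread.
"""
import struct

IE_SSID = 0
IE_COUNTRY = 7
MGMT_HEADER_LEN = 24           # frame control, duration, 3 addresses, sequence
BEACON_FIXED_LEN = 12          # timestamp(8) + beacon interval(2) + capabilities(2)


def build_beacon(ssid: bytes, country: bytes = None, triplets=()) -> bytes:
    """Assemble a minimal beacon: MAC header, fixed fields, SSID and, optionally,
    a Country element whose body is padded to an even length as the standard
    requires."""
    bssid = bytes.fromhex("001122334455")             # constructed address
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0431)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    if country is not None:
        body = country + b"".join(struct.pack("BBB", *t) for t in triplets)
        if len(body) % 2:
            body += b"\x00"
        ies += bytes([IE_COUNTRY, len(body)]) + body
    return header + fixed + ies


def parse_ies(data: bytes):
    """Split a run of (id, length, value) information elements."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((eid, value))
        i += 2 + length
    return ies


def parse_country(value: bytes) -> dict:
    """Decode a Country element body into code, environment and channel powers."""
    if len(value) < 3:
        raise ValueError("Country element too short")
    code = value[:2].decode("ascii")
    environment = chr(value[2])                # ' ' any, 'I' indoor, 'O' outdoor
    rest = value[3:]
    if len(rest) % 3 == 1 and rest[-1] == 0:
        rest = rest[:-1]                       # drop the even-length pad byte
    if len(rest) % 3:
        raise ValueError("malformed channel triplets")
    channels = {}
    for first, count, power in struct.iter_unpack("BBB", rest):
        if first >= 201:                       # assumption: operating-class triplet, skip
            continue
        step = 1 if first < 36 else 4          # assumption: 2.4 GHz step 1, 5 GHz step 4
        for k in range(count):
            channels[first + k * step] = power
    return {"country": code, "environment": environment, "channels": channels}


def beacon_country(frame: bytes):
    """Return (ssid, country_info_or_None) for a beacon frame."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:                # type management, subtype beacon
        raise ValueError("not a beacon frame")
    ssid, country = None, None
    for eid, value in parse_ies(frame[MGMT_HEADER_LEN + BEACON_FIXED_LEN:]):
        if eid == IE_SSID:
            ssid = value.decode("utf-8", "replace")
        elif eid == IE_COUNTRY:
            country = parse_country(value)
    return ssid, country


# Constructed sample with four sub-band triplets (even count, so the body is padded).
SAMPLE_BEACON = build_beacon(
    b"example-5g", b"US ",
    [(36, 4, 23), (52, 4, 23), (100, 11, 23), (149, 5, 30)],
)
# Constructed sample with no Country element, like the extender mentioned above.
SAMPLE_BEACON_NO_COUNTRY = build_beacon(b"example-extender")

if __name__ == "__main__":
    for frame in (SAMPLE_BEACON, SAMPLE_BEACON_NO_COUNTRY):
        ssid, info = beacon_country(frame)
        if info:
            print(f"Country {info['country'] + info['environment']!r} for SSID {ssid}")
        else:
            print(f"No country information for SSID {ssid}")
```

Because the element is unauthenticated and optional, it is evidence of what nearby APs advertise, not of what is legal where the scanner sits; a rogue AP can advertise any code it likes, which is one reason a per-network column for it would be useful when looking for suspicious activity.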

TobiAkatsuki commented 8 years ago

Hello, just want to confirm if it is hopeless to get the AWUS036NH working with Kismac2?