
Read WLAN link layer packets using tcpdump/tshark on a Raspberry Pi


I have a raspberry pi, a WLAN stick (Ralink Technology, Corp. RT5370) in monitor mode and tcpdump (+tshark) installed.

Now I want to read link layer packets from a WLAN wristband device that patients in a retirement home use. This device sends link layer data every second in order to be detected by access points using fingerprinting. The content of these packets is not important; only the RSSI values and the MAC of the device are needed.

With my rPi I now want to detect when a patient is near their own flat door in order to open it automatically. For this, the Pi needs to receive these LLC packets so that I can use the associated RSSI value to calculate the distance.

Using Wireshark on Windows (AirPcap) I can read these LLC packets without problems. The output is, for example:

35748 152.953461000 00:00:00_00:00:00 57:01:ff:00:00:00 LLC 62 I, N(R)=0, N(S)=0; DSAP NULL LSAP Individual, SSAP 0x1e Command

If I do the same thing on raspbian using tcpdump or tshark, I don't receive data at all.

tcpdump (command is sudo tcpdump llc -i wlan1) returns

tcpdump: 'llc' supported only on raw ATM

Looks like my Linux/driver is not able to pass link layer data to tcpdump. How can I enable it?

Thank you for any hint

UPDATE

Thanks to Guy Harris I found a solution:

sudo tcpdump -e -i wlan1 type data

returns all LLC packets, and the -e flag adds all the MAC address types. The output is something like this, where TA is the MAC of the device. I parsed it using Python line by line to get the data I needed:

02:56:21.346146 11.0 Mb/s 2462 MHz 11b -53dB signal antenna 1 RA:01:40:96:00:00:03 (oui Unknown) TA:00:18:8e:40:62:03 (oui Unknown) DA:00:00:00:00:00:00 (oui Ethernet) SA:00:00:00:00:00:00 (oui Ethernet) LLC, dsap Null (0x00) Individual, ssap OSI (0xfe) Response, ctrl 0x0b: Unnumbered, 0b, Flags [Response], length 24

BR Stefan
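One way to do that line-by-line parsing, as an added example that is not Stefan's own script: a Python parser for the `tcpdump -e -i wlan1 type data` output format shown in the update, plus a per-device RSSI smoother. The regex field names, the smoothing factor and the -60 dB "near" threshold are assumptions chosen for illustration, not values from the question.

```python
import re
from typing import Dict, Optional

# One frame line as printed by `sudo tcpdump -e -i wlan1 type data` on a
# monitor-mode interface: timestamp, radiotap rate/channel/signal, then the
# 802.11 addresses, of which TA is the transmitting device's MAC.
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<rate>[\d.]+) Mb/s\s+"
    r"(?P<freq>\d+) MHz\s+\S+\s+(?P<signal>-?\d+)dB signal\b.*?"
    r"\bTA:(?P<ta>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def parse_frame(line: str) -> Optional[dict]:
    """Extract ts, channel, signal (dB) and TA MAC; None for non-frame lines."""
    m = FRAME_RE.search(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "freq_mhz": int(m.group("freq")),
            "signal_db": int(m.group("signal")), "ta": m.group("ta").lower()}

class RssiTracker:
    """Per-TA exponential moving average of the signal, so a single noisy
    reading cannot open the door. alpha/threshold are constructed defaults."""
    def __init__(self, alpha: float = 0.3, threshold_db: float = -60.0) -> None:
        self.alpha, self.threshold_db = alpha, threshold_db
        self.avg: Dict[str, float] = {}

    def update(self, frame: dict) -> float:
        ta, sig = frame["ta"], frame["signal_db"]
        prev = self.avg.get(ta)
        self.avg[ta] = sig if prev is None else prev + self.alpha * (sig - prev)
        return self.avg[ta]

    def is_near(self, ta: str) -> bool:
        return ta in self.avg and self.avg[ta] >= self.threshold_db

def track(lines) -> RssiTracker:
    tracker = RssiTracker()
    for line in lines:
        frame = parse_frame(line)
        if frame is not None:  # skip tcpdump's banner and non-data lines
            tracker.update(frame)
    return tracker

# Constructed sample: two frames from one wristband (TA 00:18:8e:40:62:03).
SAMPLE_LINES = [
    "02:56:21.346146 11.0 Mb/s 2462 MHz 11b -53dB signal antenna 1 RA:01:40:96:00:00:03 (oui Unknown) TA:00:18:8e:40:62:03 (oui Unknown) DA:00:00:00:00:00:00 (oui Ethernet) SA:00:00:00:00:00:00 (oui Ethernet) LLC, dsap Null (0x00) Individual, ssap OSI (0xfe) Response, ctrl 0x0b: Unnumbered, 0b, Flags [Response], length 24",
    "02:56:22.351002 11.0 Mb/s 2462 MHz 11b -71dB signal antenna 1 RA:01:40:96:00:00:03 (oui Unknown) TA:00:18:8e:40:62:03 (oui Unknown) DA:00:00:00:00:00:00 (oui Ethernet) SA:00:00:00:00:00:00 (oui Ethernet) LLC, dsap Null (0x00) Individual, ssap OSI (0xfe) Response, ctrl 0x0b: Unnumbered, 0b, Flags [Response], length 24",
]
```

In practice the lines would come from `sudo tcpdump -l -e -i wlan1 type data` piped into the script's stdin; note that the TA address is unauthenticated, so a door controller should treat the MAC plus RSSI as a presence hint rather than as the only credential.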


Solution

  • tcpdump: 'llc' supported only on raw ATM

    First of all, the filter comes after all the command-line flags, including -i, so, if you're going to be capturing on wlan1 with a filter, what you want is

    sudo tcpdump -i wlan1 {filter}
    That's how tcpdump works - the filter comes after all the command-line flags and the arguments to those flags, including -i, -r, etc.

    Second of all, "llc" means something very specific - from the "pcap-filter" man page (with older versions of libpcap and tcpdump, it's in the tcpdump man page, but the filter expressions aren't understood by tcpdump, they're understood by libpcap, the library tcpdump uses to capture and to read capture files):

       llc    True if the packet is an ATM packet, for SunATM on Solaris,  and
              is an LLC-encapsulated packet.
    On 802.11, all 802.11 data frames have an 802.2 LLC header, so you want

    tcpdump -i wlan1 type data
    which will filter out management and control frames (which don't have 802.2 LLC headers).