Linux Orinoco RFMON HOWTO
dragorn@kismetwireless.net
v1.0.2 April 01 2005

1. Introduction

There are several different Orinoco drivers circulating which act differently, require different patches, and have different features.

Raw monitor mode/rfmon is a sniffing mode which allows the card to report frames from the 802.11 layer. Without this mode, sniffing is only possible on the data layer of the associated network. Utilities like Kismet and Airsnort require rfmon support for data capture and will not work without it.

2. Who this is for

This HOWTO is for anyone running Orinoco HermesI based cards in Linux who wants to use raw monitor mode sniffing (for example, with Kismet, Ethereal, TCPDump, etc). If you're only interested in using your card in normal mode, you don't need this.

3. What drivers (and patches) are there?

There is a plethora of different drivers, both standalone packages which build driver modules outside of the kernel tree, and kernel mainline drivers which are part of the kernel source itself.

3.1 Orinoco 0.13 standalone drivers

Type: Standalone
Kernel: 2.4.x
Site: http://ozlabs.org/people/dgibson/dldwd/orinoco-0.13e.tar.gz
Patches: http://www.kismetwireless.net/download.shtml#orinoco

For 2.4 kernels, the 0.13e standalone driver release is the typical choice. The 0.13 drivers don't support monitor mode natively, but patches are available. The official 0.13 standalone release will NOT work with 2.6 kernels.

The patches add monitor support (Snax of the Shmoo group) and fix certain broken behavior in the driver which leads to stuttering sound, serial data corruption, and overall system lag during channel hopping (Dragorn).

3.2 Orinoco 0.13-26 standalone drivers

Type: Standalone
Kernel: 2.6.x
Site: http://www.kismetwireless.net/download.shtml#orinoco1326
Patches: Not required

An unofficial release for 2.6 kernels, the 0.13-26 package contains the 0.13e drivers with Linux 2.6.x compatibility and the rfmon+fix patches already applied. This is not a release by the Orinoco driver developers, nor do they support it. Users who cannot or do not want to patch their 2.6 kernel sources can use these standalone drivers.

3.3 Linux Kernel 2.6 < 2.6.9 builtin drivers

Type: In kernel source
Kernel: 2.6.x before 2.6.9
Site: n/a
Patches: http://www.kismetwireless.net/download.shtml#orinoco

The 2.6 kernel tree began to include the Orinoco 0.13e driver. Releases earlier than 2.6.9 (i.e., up to 2.6.8.1) include the same code as the standalone 0.13 driver package, and use the same patches. Instructions for applying the 0.13 patches are available at:

http://www.kismetwireless.net/HOWTO-26_Orinoco_Rfmon.txt

Vendors often backport newer drivers into older kernel versions; if you use a vendor-customized kernel you may not have the drivers that match this kernel version.

3.4 Linux Kernel 2.6.9 and 2.6.10

Type: In kernel source
Kernel: 2.6.9 - 2.6.10
Site: n/a
Patches: http://www.kismetwireless.net/download.shtml#orinoco269

As of kernel 2.6.9, the in-kernel Orinoco drivers are beginning to shift towards the new codebase. Headers were changed, structures redefined or moved, and other code shifts make the 0.13 standard driver patches incompatible. The 2.6.9 kernel patches apply to the base of the kernel source tree.

3.5 Linux Kernel 2.6.11

Type: In kernel source
Kernel: 2.6.11
Site: n/a
Patches: http://www.kismetwireless.net/download.shtml#orinoco2611

2.6.11 subtly changes the orinoco drivers, again. The 2.6.11 kernel patches apply to the base of the kernel source tree.

3.6 Orinoco 0.15 standalone drivers

Type: Standalone
Kernel: 2.6.x
Site: http://ozlabs.org/people/dgibson/dldwd/orinoco-0.15rc2.tar.gz
Patches: http://www.kismetwireless.net/download.shtml#orinoco15

The next generation of Orinoco drivers is the 0.15 source branch. Destined to eventually become the mainstream kernel drivers, the 0.15 branch is a major rewrite which includes a modified monitor mode without patching. Unfortunately, the new monitor code subtly changes how packet data is formatted, making it unusable with existing applications that expect the previous format. The new driver structure also lacks per-packet statistics for signal and noise. Because of monitor mode unreliability on some firmware versions, the 0.15 drivers completely disable monitor mode on newer firmwares. The patches available on the kismetwireless.net site restore this missing functionality.

3.7 WLAGS/Greenblaze drivers

Type: Patchset to pcmcia-cs
Kernel: 2.4.x
Site: http://www.agere.com/mobility/wireless_lan_drivers.html
Patches: None available

The wlags drivers from Proxim work with HermesI and more recent HermesII cards. They compile only under 2.4 kernels, and do not include monitor mode support. The wlags drivers use a volatile firmware load to initialize the card and support adhoc and access point modes. The wlags drivers are the only option for HermesII based cards.

4. Applying the patches

For drivers which need them, patch files are available as standard ``diff'' files. To apply these, use the ``patch'' command.

When applying a patch, it's a good idea to use the ``--dry-run'' option to patch. This applies the patch without modifying any files, so if there is a problem you will not have damaged the original files.

If the patches do not specify how to apply them, a typically safe test is to apply them at the top of the source tree with ``patch -p1 --dry-run < /path/to/patch''.

To apply a patch to the head of the kernel tree, go to your current kernel source (typically /usr/src/linux-version) and use ``patch -p1''. Using --dry-run is always recommended to test. The patch WILL NOT be applied until you remove ``--dry-run'' from the command. As always, see the man page on patch for more information about the command.

5. Installing

If you are installing a standalone driver package, first go into your modules directory (typically /lib/modules/linux-version/) and remove all the kernel versions of the module you're installing. Having two copies of the same module will lead to significant confusion. Be sure to use ``lsmod'' and ``rmmod'' to remove any running versions of the modules. ``make install'' will install the modules from the standalone package. Reinitialize your card if it is PCMCIA, or reload the modules with ``modprobe'' if it is PCI.

If you are reinstalling kernel modules, ``make modules modules_install'' will compile the changed modules and install them. Use ``lsmod'' and ``rmmod'' to remove running versions, and reinitialize your card (PCMCIA) or reload the modules with ``modprobe'' (PCI).

6. Picking a driver

Currently, the 0.13 driver chain seems to be the most stable and useful choice for HermesI based cards. The 0.15 drivers have shown some instability in monitor mode and don't work at all with many firmware versions.

The Orinoco drivers attempt to support Prism2 cards as well, but much better functionality is available from HostAP (http://hostap.epitest.fi), and USB support is available with WLAN-NG (http://linux-wlan.com). Prism2 specific drivers should always be used for Prism2 cards.

7. But I did all this, and it doesn't work

If you've applied all the patches and tools like Kismet still say they are unable to enter monitor mode, or if ``iwpriv ethX'' doesn't show 'monitor' on the 0.13 drivers: You did it wrong. Either you did not apply the patch, or you aren't running the drivers you think you're running.

Find all the old driver components in your /lib/modules// directory:

  orinoco.[k]o
  hermes.[k]o
  orinoco_cs.[k]o
  orinoco_pci.[k]o
  orinoco_plx.[k]o
  orinoco_tmd.[k]o

2.6.x kernels use the extension '.ko' for modules. 2.4 kernels use the extension '.o'. Make sure that no old copies of the modules are in different directories that might be loaded before the patched drivers. Make sure you have removed the current running drivers using ``rmmod''.
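The duplicate-module check that sections 5 and 7 describe, as an added shell example that is not part of the original HOWTO: it walks a modules directory, lists every copy of the orinoco*/hermes modules (.o or .ko), and reports any module name that exists in more than one place. The function names and the directory argument are this example's own; point it at /lib/modules/<your-kernel-version>.

```shell
#!/bin/sh
# Added example (not from the HOWTO): find stale copies of the Orinoco
# driver modules that could be loaded ahead of the patched ones.
# Assumes POSIX sh with find, awk, sort and uniq; handles both the 2.4
# '.o' and 2.6 '.ko' module extensions.

# Print "module-name full-path" for every orinoco*/hermes module under $1.
list_orinoco_modules() {
    find "$1" -type f \( -name 'orinoco*.o' -o -name 'orinoco*.ko' \
        -o -name 'hermes.o' -o -name 'hermes.ko' \) 2>/dev/null |
    awk -F/ '{ name = $NF; sub(/\.k?o$/, "", name); print name, $0 }' |
    sort
}

# Print the names of modules found in more than one location under $1.
duplicate_orinoco_modules() {
    list_orinoco_modules "$1" | awk '{ print $1 }' | uniq -d
}

# Return 0 when every module exists at most once under $1; otherwise
# print the duplicates and all matching paths to stderr and return 1.
check_orinoco_modules() {
    dups=$(duplicate_orinoco_modules "$1")
    if [ -n "$dups" ]; then
        echo "More than one copy found for: $dups" >&2
        list_orinoco_modules "$1" >&2
        return 1
    fi
    return 0
}

# Typical use (uncomment on a real system):
# check_orinoco_modules "/lib/modules/$(uname -r)"
```

Run ``lsmod'' and ``rmmod'' separately afterwards; this script only inspects the files on disk, not which modules are currently loaded.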