On Tue, Dec 16, 2008 at 3:58 PM, Bob Copeland wrote:
> On Mon, Dec 15, 2008 at 12:16 PM, Bob Copeland wrote:
>> On Mon, Dec 15, 2008 at 11:12 AM, Stefanik Gábor wrote:
>>> That is not the problem - aireplay-ng operates on a monitor interface
>>> that is already up. Likely this patch somehow misses monitor
>>> interfaces.
>>
>> Agreed, that is probably the case. Reverting that hunk makes it come up
>> with the eeprom mac without adding any interface. Looking at the
>> add_interface() code, it 'should' program the mac for monitor interfaces
>> too, so offhand I'm not sure, will take a look tonight.
>
> Okay, so that I understand the problem a bit better: what used to happen
> and what does not happen now? Is the ath5k device not sending ACKs, or
> not passing any frames back to the host?
>
> The code, for mac address setting at least, looks to be working as
> designed: the mac address is only set up at add_interface time to avoid
> automatically acking packets before an interface is brought up (see the
> kerneldoc comments in mac80211 on add/remove_interface).
>
> The ath5k rx filter for unicast frames requires mac addresses to match in
> order to accept or ack frames. However, in monitor mode, mac80211 will
> never call add_interface(). Instead, it should configure the filter to
> put the card in promiscuous mode which then should enable all packets
> to be passed back to the host.
>
> Does the fragmentation attack also work with e.g. b43 (which also only
> sets up the mac at add_interface time)?
>
> --
> Bob Copeland %% www.bobcopeland.com
>

The fragmentation attack works perfectly in b43, regardless of whether I set
the main interface to monitor mode, or create a secondary monitor interface.
In the second case, it also doesn't matter whether the main interface is up
or down. With the "buggy" ath5k, it only works if I use a secondary
interface, and also bring the main (managed) interface up.

About the attachments: ath5k-debug-sent.cap was captured on the monitor
interface set up on the ath5k device, while ath5k-debug-mon.cap was captured
on my rtl8187. They are not from the same session, but they were created the
same way: I started a fragmentation attack with ath5k's managed interface
down, then while it was retrying, brought up the managed interface using
ifconfig.

--
Vista: [V]iruses, [I]ntruders, [S]pyware, [T]rojans and [A]dware. :-)
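To make the filter behaviour Bob describes concrete, here is a small constructed model (added for this page, not ath5k or mac80211 code) of an RX filter that ACKs unicast only when the destination matches the MAC programmed at add_interface() time, and otherwise passes frames to the host only when promiscuous or broadcast. The names model_add_interface, model_configure_filter and the EEPROM address 02:00:00:00:00:01 are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6

/* Constructed model of the behaviour discussed in the thread: a unicast
 * frame is accepted and ACKed only when its destination matches the MAC
 * programmed into the card; other frames reach the host only when the
 * filter is promiscuous or the frame is broadcast (never ACKed). */
struct hw_model {
    uint8_t mac[ETH_ALEN];  /* MAC programmed into the card */
    bool mac_programmed;    /* false until add_interface() has run */
    bool promisc;           /* set by configure_filter() for monitor mode */
};

enum rx_result { RX_DROPPED, RX_PASSED_NO_ACK, RX_PASSED_ACKED };

static const uint8_t BROADCAST[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* Hypothetical stand-in for the driver's add_interface(): programs the MAC. */
static void model_add_interface(struct hw_model *hw, const uint8_t *mac)
{
    memcpy(hw->mac, mac, ETH_ALEN);
    hw->mac_programmed = true;
}

/* Hypothetical stand-in for configure_filter(): toggles promiscuous mode. */
static void model_configure_filter(struct hw_model *hw, bool promisc)
{
    hw->promisc = promisc;
}

/* Decision the modelled hardware filter makes for one received frame. */
static enum rx_result model_rx(const struct hw_model *hw, const uint8_t *dst)
{
    if (hw->mac_programmed && memcmp(dst, hw->mac, ETH_ALEN) == 0)
        return RX_PASSED_ACKED;      /* addressed to us: ACKed and passed up */
    if (memcmp(dst, BROADCAST, ETH_ALEN) == 0 || hw->promisc)
        return RX_PASSED_NO_ACK;     /* reaches the host, but no ACK is sent */
    return RX_DROPPED;               /* unicast for another station */
}

/* One unicast frame to the card's constructed EEPROM address, under the
 * situations described in the thread: monitor-only with or without a
 * promiscuous filter, and with the managed interface brought up. */
static enum rx_result scenario(bool promisc, bool managed_up)
{
    struct hw_model hw = {0};
    const uint8_t eeprom_mac[ETH_ALEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    if (managed_up)
        model_add_interface(&hw, eeprom_mac);  /* ifconfig ... up on managed */
    model_configure_filter(&hw, promisc);
    return model_rx(&hw, eeprom_mac);
}
```

scenario(false, false) is the reported symptom: no MAC programmed and no promiscuous filter, so the frame is dropped; bringing the managed interface up programs the MAC and the frame is ACKed.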