To capture all WiFi login attempts

stephensuley
DD-WRT Guru


Joined: 09 Feb 2008
Posts: 641
Location: Canada

Posted: Fri Sep 09, 2016 17:32    Post subject: To capture all WiFi login attempts
Is there a way to set up dd-wrt (with tcpdump and some fancy iptables commands) to log all the authentication attempts on my router?

I've tried a tcpdump -v -i eth0: type command to send the capture info to a file and then open it in wireshark just fine. During the capture I made several failed attempts to connect from a new device, but I was unable to see this device or the failed attempts in the capture file.

I'm trying to avoid purchasing a USB monitor type tool like the Airpcap NX. Or is that a requirement?

Any help? Thanks guys

_________________
Location (urban) - 1x Linksys EA8500 (AP wlan0 & wlan1 enabled)
1x Asus 68u (Repeater Bridge w/VAP) - wl0 disabled
1x Asus 87u (Client Bridge) - wl1 disabled


Latest and greatest builds Wink
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6865
Location: Romerike, Norway

Posted: Sat Sep 10, 2016 9:10
tcpdump will certainly not do it.

Have you tried enabling logging at the router?
You can have the logs be sent to a syslog server.

The only solution known to me is to run WPA2-Enterprise and do the logging at the Radius Server.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6285
Location: Texas

Posted: Sat Sep 10, 2016 14:05
I know syslog shows them on my atheros wndr3700v4. They are associated for a couple of seconds while trying to authenticate, then kicked off with no authorization.

But I never noticed this in syslog with broadcom E2500.
stephensuley
DD-WRT Guru


Joined: 09 Feb 2008
Posts: 641
Location: Canada

Posted: Sat Sep 10, 2016 14:57
mrjcd wrote:
> I know syslog shows them on my atheros wndr3700v4. They are associated for a couple of seconds while trying to authenticate, then kicked off with no authorization.
>
> But I never noticed this in syslog with broadcom E2500.

Do you happen to know the logging settings associated with the messages that you observed? I currently have logging level set to high and only Accepted enabled.

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6285
Location: Texas

Posted: Sat Sep 10, 2016 15:58
I just have System Log (Syslogd) enabled in Services. Whatever its default logging value is.
Not using any remote server. I just look at it thru terminal.

This is what EA8500 will show if someone tries to log onto WiFi without the correct password... yea it shows the full MAC.
Done this a couple of times using my phone ---

Sep 10 15:20:19 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
Sep 10 15:20:19 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 4)
Sep 10 15:20:28 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request
Sep 10 15:20:32 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
Sep 10 15:20:32 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 4)
Sep 10 15:20:41 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request

I don't recall seeing that on my broadcom devices with their default system log enabled and I don't currently have any running.
I turned off all my WAPs at home .. don't need it -- the EA8500 is a beast Smile
--

I do know that with this router (Syslogd enabled) thru GUI go to Security/Firewall
Enable log management
Log Level set to high
Dropped enabled
Rejected enabled
Accepted enabled
telnet/ssh and pull up 'cat /tmp/var/log/messages' and it will make your brain hurt Cool
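One way to turn hostapd lines like the ones in the post above into a list of failed join attempts, as an added example that is not part of the original thread: it flags a station that associates and is then deauthenticated or disassociated within a short window without a completed WPA handshake. Assumptions: hostapd's "WPA: pairwise key handshake completed" message (not shown in the thread) marks a successful join, the 30-second window is arbitrary, and the sample lines, hostname and MAC addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format shown above (hostname and MACs are made up).
SAMPLE = """\
Sep 10 15:20:19 router daemon.info hostapd: ath1: STA 02:00:00:00:00:01 IEEE 802.11: authenticated
Sep 10 15:20:19 router daemon.info hostapd: ath1: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 4)
Sep 10 15:20:28 router daemon.info hostapd: ath1: STA 02:00:00:00:00:01 IEEE 802.11: deauthenticated due to local deauth request
Sep 10 15:20:32 router daemon.info hostapd: ath1: STA 02:00:00:00:00:01 IEEE 802.11: authenticated
Sep 10 15:20:32 router daemon.info hostapd: ath1: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 4)
Sep 10 15:20:41 router daemon.info hostapd: ath1: STA 02:00:00:00:00:01 IEEE 802.11: deauthenticated due to local deauth request
Sep 10 15:21:02 router daemon.info hostapd: ath1: STA 02:00:00:00:00:02 IEEE 802.11: authenticated
Sep 10 15:21:02 router daemon.info hostapd: ath1: STA 02:00:00:00:00:02 IEEE 802.11: associated (aid 5)
Sep 10 15:21:02 router daemon.info hostapd: ath1: STA 02:00:00:00:00:02 WPA: pairwise key handshake completed (RSN)
Sep 10 15:40:10 router daemon.info hostapd: ath1: STA 02:00:00:00:00:02 IEEE 802.11: disassociated
"""

# "x" is allowed in the MAC so masked lines (xx:xx:...) like those in the thread still parse.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?hostapd:\s+(?P<iface>\S+):\s+"
    r"STA\s+(?P<mac>[0-9A-Fa-fxX:]{17})\s+(?P<layer>IEEE 802\.11|WPA):\s+(?P<msg>.*)$"
)

def failed_attempts(lines, year=2016, max_gap=30):
    """Map (iface, mac) to association times that ended without a WPA handshake."""
    pending = {}                      # (iface, mac) -> time of last association
    failures = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        key = (m["iface"], m["mac"].lower())
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["layer"] == "IEEE 802.11" and m["msg"].startswith("associated"):
            pending[key] = when
        elif m["layer"] == "WPA" and "pairwise key handshake completed" in m["msg"]:
            pending.pop(key, None)    # assumed success marker: clear the pending state
        elif m["msg"].startswith(("deauthenticated", "disassociated")):
            start = pending.pop(key, None)
            if start is not None and (when - start).total_seconds() <= max_gap:
                failures[key].append(start)
    return dict(failures)

if __name__ == "__main__":
    for (iface, mac), times in failed_attempts(SAMPLE.splitlines()).items():
        print(f"{iface} {mac}: {len(times)} failed attempt(s), first at {times[0]}")
```

Syslog timestamps carry no year, so `year` has to be supplied by the caller. The parser only has something to work on where the wireless driver logs through hostapd, as on the Atheros-based units mentioned in the thread.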
stephensuley
DD-WRT Guru


Joined: 09 Feb 2008
Posts: 641
Location: Canada

Posted: Sat Sep 10, 2016 16:59
mrjcd wrote:
> I just have System Log (Syslogd) enabled in Services. Whatever its default logging value is.
> Not using any remote server. I just look at it thru terminal.
>
> This is what EA8500 will show if someone tries to log onto WiFi without the correct password... yea it shows the full MAC.
> Done this a couple of times using my phone ---
>
> Sep 10 15:20:19 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
> Sep 10 15:20:19 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 4)
> Sep 10 15:20:28 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request
> Sep 10 15:20:32 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
> Sep 10 15:20:32 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 4)
> Sep 10 15:20:41 ------- daemon.info hostapd: ath1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request
>
> I don't recall seeing that on my broadcom devices with their default system log enabled and I don't currently have any running.
> I turned off all my WAPs at home .. don't need it -- the EA8500 is a beast Smile
> --
>
> I do know that with this router (Syslogd enabled) thru GUI go to Security/Firewall
> Enable log management
> Log Level set to high
> Dropped enabled
> Rejected enabled
> Accepted enabled
> telnet/ssh and pull up 'cat /tmp/var/log/messages' and it will make your brain hurt Cool

I have the ASUS 68u and an ES4200 and ea4500 for testing. I'm testing on the ASUS 68u right now. I've set up the syslog and I can see very few messages in the remote syslogd. It logs when I log in to SSH and reboot it, that's about it, nothing else is logged.

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6285
Location: Texas

Posted: Sat Sep 10, 2016 17:09
stephensuley wrote:
> I have the ASUS 68u and an ES4200 and ea4500 for testing. I'm testing on the ASUS 68u right now. I've set up the syslog and I can see very few messages in the remote syslogd. It logs when I log in to SSH and reboot it, that's about it, nothing else is logged.

That seems strange. I know they disabled a lot of broadcom kernel logging to save space but wouldn't think it should affect those bigger routers.
Hopefully someone can tell you what's up with that.
good luck -
oviana
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 11

Posted: Thu Jan 19, 2023 15:12    Post subject: WNDR4500
I know this is an old thread, but was wondering if you got anywhere with this?
I have a Netgear WNDR4500, and I’d like to see these Wi-Fi transaction messages for some testing that I’m doing for work.
Anyone know where in the code / any code changes specifically, where this was disabled?
I’m willing to recompile if necessary, just don’t know where things are. Thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12875
Location: Netherlands

Posted: Thu Jan 19, 2023 15:43
Maybe there is a command to log things in the broadcom driver: https://wiki.dd-wrt.com/wiki/index.php/WL

Otherwise maybe logging at the firewall level all new connections to br0/wlan?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
oviana
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 11

Posted: Thu Jan 19, 2023 19:03    Post subject: wl results
Great points, egc. I didn't know about wl.

I did come across this document (relating to wl):
https://community.infineon.com/gfawx74859/attachments/gfawx74859/public_archive/4086/1/80211-TI305-R.pdf

According to the document, there are two commands that should get me what I need (I believe):
wl msglevel N
wl phymsglevel N

Executing the second command gets me "wl: Unsupported".
Executing the first command without N gets me what I believe is the current level (0).
Trying to set it to one of the values in the referenced pdf gets me "wl: Buffer too short"; or what appears to be error BCME_BUFTOOSHORT. I'm not sure how to move beyond this error tbh.

Regarding the rest of the document, there are some commands that do appear to work, but many don't. Not sure if the referenced document is just out of date, or wl in dd-wrt has limits imposed on it?

I also came across nvram log_levels, which I've tinkered with, but I don't see any difference. I would expect that if I attempt to authenticate over wifi with an invalid (or a valid - for that matter) psk, I should see something in /var/log/messages or dmesg, but I basically have nothing beyond what's printed during bootup, and nobody / nothing seems to print much to those logs beyond that.

In fact, I have the firewall logging level set to High, and both kmesg and syslog enabled in the GUI, but they don't seem to produce any more enhanced logging that I could see.
All times are GMT