hcxdumptool not working on Archlinux Kernel 6.13.1 / iwlwifi / Wireless 8265 / 8275

[DaniloNC]

Upgraded the archlinux kernel to 6.13.1 and after that the monitor interface hcxdumptool -i INTERFACE does not display any network, neither does tcpdump capture any packet in monitor mode (tested both with hcxdumptool -M and iw dev XXX set type [info.txt](https://github.com/user-attachments/files/18649894/info.txt) monitor

I rebooted and tested the lts kernel version (6.12), which is working fine.
I have a different machine that has Wi-Fi 6 AX200 and 6.13.1 is working fine there.

How can I get the Linux 6.13.1, hcxdumptool and Wireless 8265 / 8275 to play well together?
Anyone else facing similar issues?

Workaround for now is to run the lts kernel.

info.txt

[ZerBea]

That looks like a driver issue.
During the last past weeks, numerous changes have been made on iwlwifi
https://patchwork.kernel.org/project/linux-wireless/list/?state=*&archive=both&param=3&page=1
It looks like one of them broke the driver (monitor mode and/or packet injection).

How can I get the Linux 6.13.1, hcxdumptool and Wireless 8265 / 8275 to play well together?
To identify the faulty commit, I suggest to bisect the Linux kernel:
https://bbs.archlinux.org/viewtopic.php?id=271926
https://www.kernel.org/doc/html/latest/admin-guide/bug-bisect.html
Once it has been identified report the regression as explained here:
https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html

Anyone else facing similar issues?
Unfortunately yes. That is the reason why I mentioned in README.md:

Not recommended WiFi chipsets:
* Intel (Monitor mode and frame injection problems.)
* Broadcom (Neither monitor mode nor frame injection by official Linux kernel.)
* Qualcomm (No frame injection by official Linux kernel.)

Absolutely not recommended:
* All kinds of WiFi PCIe cards, due to massive interference.

[ZerBea]

To get more information, you can enable hcxdumptool's debug mode.
Uncomment HCXDEBUG in Makefile:

# uncomment to enable DEBUG log
#DEFS		+= -DHCXDEBUG

run make and start hcxdumptool:
$ ./hcxdumptool .....
Now, additional ERROR messages (coming from kernel, driver, hcxdumptool) are stored in "hcxdumptool.log".
Maybe this is useful to identify the driver regression.

[DaniloNC]

Thanks, @ZerBea!

I’d prefer not to mess with my current OS installation or repeatedly recompile the kernel on my aging 8th-gen i7. Instead, I’ll likely replace the wireless card with one that supports monitor mode and packet injection, then reproduce and debug the issue later on a different machine.

That said, recompiling hcxdumptool with debug enabled seems like a solid first step before diving into a kernel bisect. I’ll give it a shot when I have the time.

[ZerBea]

Don't be afraid to bisect the Linux kernel. Running Arch Linux, this is very simple:

1. enable bisect
2. compile kernel (using latest Arch kernel config)
3. build PKG
4. install PKG additional to your Linux and Linux-LTS kernel
5. choose the RC kernel on next boot
6. test interface
7. bisect next commit
8. goto 2

Please consider to buy an USB 2 adapter instead of an internal device.
Since Linux kernel 6.6 a new player has entered the field: rtl8xxxu
It has opened up the world to cheap hardware:

• TP-Link TL-WN722N (V2/3) in combination with a high gain panel antenna
• TP-Link TL-WN822N
• TP-Link TL-WN823N
  As of today, I use them as reference hardware to test new functions and to identify vulnerabilities on my test targets.

BTW:
I do not recommend to use:

• USB3 adapters
• Combined WiFi & BT adapters
• WiFi 5,6,7 (AC & AX) adapters
• high TX power adapters
• internal WiFi cards
• on-board WiFi chips
  Sooner or later you will have problems with it.

[DaniloNC]

Compiled the latest git commit with debug enabled, nothing in the log files:
https://asciinema.org/a/MIlIpclfQYQMLChb8FpnXuOB1

[ZerBea]

Thanks for sharing the screen record.
Looks like monitor mode is completely broken. The driver doesn't even send error messages.

[ZerBea]

To make sure the problem is not related to the general mac80211 stack or hcxdumptool, I did a test:

$ uname -r
6.13.1-arch1-1

$ lsusb
Bus 005 Device 003: ID 2357:010c TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]

$ sudo hcxdumptool --rcascan=active --tot=1
...
2065 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
1043 PROBERESPONSE(s) captured

exit on TOT

Running "--rcascan=active" hcxdumptool counts all PROBERESPONSEs directed to it.
Everything is working as expected (all test targets respond to hcxdumptool) running a TP-Link TL-WN722N as reference.

[ZerBea]

Looks like other users are affected, too:
aircrack-ng/aircrack-ng#2650

[DaniloNC]

Interesting, I don't have problems when using 6.12 / arch-lts. (https://archlinux.org/packages/core/x86_64/linux-lts/)

Wondering if fedora back ported something from 6.13.

[ZerBea]

Looks like the 8260 (rev 3a) is a little different to the 8265 / 8275:
https://community.intel.com/t5/Wireless/Difference-Between-8260-and-8265/m-p/279299

[DaniloNC]

I recently had some free time and decided to test the new Arch Linux kernel version 6.13.3; unfortunately, the issue persists. Consequently, I manually configured monitor mode using the iw and ip utilities.

I can confirm that manually setting the interface to monitor mode was successful. The commands I used were:

iw dev wlp2s0 del
iw --debug phy phy0 interface add mon0 type monitor
ip link set mon0 up
hcxdumptool -i mon0

With this setup, I was able to generate .22000 files in a controlled environment and successfully recover passwords.

Is there anything I can assist with to discover why the interface configured by hcxdumptool is failing?

[DaniloNC]

dmesg of hcxdumptool

➜  shm grep -Eri '(iwlwifi|wlp2s0|mon0|80211)'  hcxdumptool-dmesg.txt | sed -e 's#[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]#aa:aa:aa:aa:aa:aa#g'
[   11.910443] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   11.984836] iwlwifi 0000:02:00.0: Detected crf-id 0xbadcafe, cnv-id 0x10 wfpm id 0x80000000
[   11.984896] iwlwifi 0000:02:00.0: PCI dev 24fd/0010, rev=0x230, rfid=0xd55555d5
[   11.984901] iwlwifi 0000:02:00.0: Detected Intel(R) Dual Band Wireless AC 8265
[   12.010178] iwlwifi 0000:02:00.0: loaded firmware version 36.ca7b901d.0 8265-36.ucode op_mode iwlmvm
[   12.369558] iwlwifi 0000:02:00.0: base HW address: aa:aa:aa:aa:aa:aa, OTP minor version: 0x4
[   12.458754] ieee80211 phy0: Selected rate control algorithm 'iwl-mvm-rs'
[   12.464537] iwlwifi 0000:02:00.0 wlp2s0: renamed from wlan0
[   13.311356] iwlwifi 0000:02:00.0: Registered PHC clock: iwlwifi-PTP, with index: 1
[   16.879893] wlp2s0: authenticate with aa:aa:aa:aa:aa:aa (local address=aa:aa:aa:aa:aa:aa)
[   16.881526] wlp2s0: send auth to aa:aa:aa:aa:aa:aa (try 1/3)
[   16.896229] wlp2s0: authenticated
[   16.897694] wlp2s0: associate with aa:aa:aa:aa:aa:aa (try 1/3)
[   16.900130] wlp2s0: RX AssocResp from aa:aa:aa:aa:aa:aa (capab=0x1111 status=0 aid=10)
[   16.903144] wlp2s0: associated
[   16.973974] wlp2s0: Limiting TX power to 36 (36 - 0) dBm as advertised by aa:aa:aa:aa:aa:aa
[   69.480445] wlp2s0: deauthenticating from aa:aa:aa:aa:aa:aa by local choice (Reason: 3=DEAUTH_LEAVING)
[   81.779254] iwlwifi 0000:02:00.0 wlp2s0: entered promiscuous mode
[  146.360495] iwlwifi 0000:02:00.0 wlp2s0: left promiscuous mode

iw phy phy0 interface add + hcxdumptool -i mon0

[  211.034423] iwlwifi 0000:02:00.0 mon0: entered promiscuous mode
[  247.068471] iwlwifi 0000:02:00.0: Microcode SW error detected.  Restarting 0x82000000.
[  247.068612] iwlwifi 0000:02:00.0: Start IWL Error Log Dump:
[  247.068615] iwlwifi 0000:02:00.0: Transport status: 0x0000004B, valid: 6
[  247.068619] iwlwifi 0000:02:00.0: Loaded firmware version: 36.ca7b901d.0 8265-36.ucode
[  247.068622] iwlwifi 0000:02:00.0: 0x00002092 | ADVANCED_SYSASSERT
[  247.068626] iwlwifi 0000:02:00.0: 0x00000230 | trm_hw_status0
[  247.068629] iwlwifi 0000:02:00.0: 0x00000000 | trm_hw_status1
[  247.068631] iwlwifi 0000:02:00.0: 0x00024A8C | branchlink2
[  247.068634] iwlwifi 0000:02:00.0: 0x0003AC1E | interruptlink1
[  247.068637] iwlwifi 0000:02:00.0: 0x00000000 | interruptlink2
[  247.068639] iwlwifi 0000:02:00.0: 0x00000002 | data1
[  247.068642] iwlwifi 0000:02:00.0: 0x00000000 | data2
[  247.068644] iwlwifi 0000:02:00.0: 0xDEADBEEF | data3
[  247.068646] iwlwifi 0000:02:00.0: 0x00000000 | beacon time
[  247.068649] iwlwifi 0000:02:00.0: 0x0226D46B | tsf low
[  247.068652] iwlwifi 0000:02:00.0: 0x00000000 | tsf hi
[  247.068654] iwlwifi 0000:02:00.0: 0x00000000 | time gp1
[  247.068656] iwlwifi 0000:02:00.0: 0x0226D46C | time gp2
[  247.068659] iwlwifi 0000:02:00.0: 0x00000001 | uCode revision type
[  247.068661] iwlwifi 0000:02:00.0: 0x00000024 | uCode version major
[  247.068664] iwlwifi 0000:02:00.0: 0xCA7B901D | uCode version minor
[  247.068667] iwlwifi 0000:02:00.0: 0x00000230 | hw version
[  247.068669] iwlwifi 0000:02:00.0: 0x00489000 | board version
[  247.068672] iwlwifi 0000:02:00.0: 0x00D5011D | hcmd
[  247.068674] iwlwifi 0000:02:00.0: 0x24022082 | isr0
[  247.068677] iwlwifi 0000:02:00.0: 0x01000000 | isr1
[  247.068679] iwlwifi 0000:02:00.0: 0x08201802 | isr2
[  247.068682] iwlwifi 0000:02:00.0: 0x004128C0 | isr3
[  247.068684] iwlwifi 0000:02:00.0: 0x00000000 | isr4
[  247.068686] iwlwifi 0000:02:00.0: 0x020A001C | last cmd Id
[  247.068689] iwlwifi 0000:02:00.0: 0x00000000 | wait_event
[  247.068691] iwlwifi 0000:02:00.0: 0x00000080 | l2p_control
[  247.068694] iwlwifi 0000:02:00.0: 0x00010030 | l2p_duration
[  247.068696] iwlwifi 0000:02:00.0: 0x0000003F | l2p_mhvalid
[  247.068699] iwlwifi 0000:02:00.0: 0x00008000 | l2p_addr_match
[  247.068701] iwlwifi 0000:02:00.0: 0x0000000F | lmpm_pmg_sel
[  247.068704] iwlwifi 0000:02:00.0: 0x10032209 | timestamp
[  247.068706] iwlwifi 0000:02:00.0: 0x00008898 | flow_handler
[  247.068775] iwlwifi 0000:02:00.0: Start IWL Error Log Dump:
[  247.068777] iwlwifi 0000:02:00.0: Transport status: 0x0000004B, valid: 7
[  247.068780] iwlwifi 0000:02:00.0: 0x00000070 | NMI_INTERRUPT_LMAC_FATAL
[  247.068783] iwlwifi 0000:02:00.0: 0x00000000 | umac branchlink1
[  247.068785] iwlwifi 0000:02:00.0: 0xC008694C | umac branchlink2
[  247.068788] iwlwifi 0000:02:00.0: 0xC0083B0C | umac interruptlink1
[  247.068790] iwlwifi 0000:02:00.0: 0xC0083B0C | umac interruptlink2
[  247.068793] iwlwifi 0000:02:00.0: 0x00000800 | umac data1
[  247.068795] iwlwifi 0000:02:00.0: 0xC0083B0C | umac data2
[  247.068797] iwlwifi 0000:02:00.0: 0xDEADBEEF | umac data3
[  247.068800] iwlwifi 0000:02:00.0: 0x00000024 | umac major
[  247.068802] iwlwifi 0000:02:00.0: 0xCA7B901D | umac minor
[  247.068805] iwlwifi 0000:02:00.0: 0xC088628C | frame pointer
[  247.068807] iwlwifi 0000:02:00.0: 0xC088628C | stack pointer
[  247.068809] iwlwifi 0000:02:00.0: 0x00D5011D | last host cmd
[  247.068812] iwlwifi 0000:02:00.0: 0x00000000 | isr status reg
[  247.068845] iwlwifi 0000:02:00.0: IML/ROM dump:
[  247.068847] iwlwifi 0000:02:00.0: 0x000028A7 | IML/ROM error/state
[  247.068871] iwlwifi 0000:02:00.0: 0x00000003 | IML/ROM data1
[  247.068887] iwlwifi 0000:02:00.0: Fseq Registers:
[  247.068903] iwlwifi 0000:02:00.0: 0x69DB6B6D | FSEQ_ERROR_CODE
[  247.068919] iwlwifi 0000:02:00.0: 0x02FCB37D | FSEQ_TOP_INIT_VERSION
[  247.068935] iwlwifi 0000:02:00.0: 0x44414476 | FSEQ_CNVIO_INIT_VERSION
[  247.068951] iwlwifi 0000:02:00.0: 0x0000A10B | FSEQ_OTP_VERSION
[  247.068967] iwlwifi 0000:02:00.0: 0x01A83108 | FSEQ_TOP_CONTENT_VERSION
[  247.068983] iwlwifi 0000:02:00.0: 0xADECD573 | FSEQ_ALIVE_TOKEN
[  247.068999] iwlwifi 0000:02:00.0: 0x1ED532C3 | FSEQ_CNVI_ID
[  247.069015] iwlwifi 0000:02:00.0: 0x6ED6227D | FSEQ_CNVR_ID
[  247.069031] iwlwifi 0000:02:00.0: 0x00000010 | CNVI_AUX_MISC_CHIP
[  247.069050] iwlwifi 0000:02:00.0: 0x0BADCAFE | CNVR_AUX_MISC_CHIP
[  247.069069] iwlwifi 0000:02:00.0: 0x0BADCAFE | CNVR_SCU_SD_REGS_SD_REG_DIG_DCDC_VTRIM
[  247.069088] iwlwifi 0000:02:00.0: 0x0BADCAFE | CNVR_SCU_SD_REGS_SD_REG_ACTIVE_VDIG_MIRROR
[  247.069104] iwlwifi 0000:02:00.0: 0x5D420A18 | FSEQ_PREV_CNVIO_INIT_VERSION
[  247.069120] iwlwifi 0000:02:00.0: 0x9700CD35 | FSEQ_WIFI_FSEQ_VERSION
[  247.069136] iwlwifi 0000:02:00.0: 0x343AA48F | FSEQ_BT_FSEQ_VERSION
[  247.069153] iwlwifi 0000:02:00.0: 0x2F90BC5B | FSEQ_CLASS_TP_VERSION
[  247.069169] iwlwifi 0000:02:00.0: Collecting data: trigger 2 fired.
[  247.069174] ieee80211 phy0: Hardware restart was requested
[  247.069232] iwlwifi 0000:02:00.0: FW error in SYNC CMD SCD_QUEUE_CFG
[  247.069239] CPU: 3 UID: 0 PID: 1753 Comm: hcxdumptool Not tainted 6.13.3-arch1-1 #1 0e057b3ba87c8453f3120f28a0cea5eaa8068906
[  247.069245] Hardware name: REDACTED
[  247.069246] Call Trace:
[  247.069249]  <TASK>
[  247.069253]  dump_stack_lvl+0x5d/0x80
[  247.069265]  iwl_trans_pcie_send_hcmd+0x456/0x460 [iwlwifi 62d5d59c508a28c936694ef6c0de9f1b75ffd138]
[  247.069307]  ? __pfx_autoremove_wake_function+0x10/0x10
[  247.069312]  iwl_trans_send_cmd+0x80/0xf0 [iwlwifi 62d5d59c508a28c936694ef6c0de9f1b75ffd138]
[  247.069351]  iwl_mvm_send_cmd_pdu+0x62/0xb0 [iwlmvm ebbe3ff2bc638574f2572e305d698354f3f264ad]
[  247.069395]  iwl_mvm_disable_txq+0x1bf/0x2c0 [iwlmvm ebbe3ff2bc638574f2572e305d698354f3f264ad]
[  247.069436]  iwl_mvm_rm_snif_sta+0x33/0x80 [iwlmvm ebbe3ff2bc638574f2572e305d698354f3f264ad]
[  247.069472]  __iwl_mvm_unassign_vif_chanctx+0xae/0x140 [iwlmvm ebbe3ff2bc638574f2572e305d698354f3f264ad]
[  247.069502]  iwl_mvm_unassign_vif_chanctx+0x42/0x70 [iwlmvm ebbe3ff2bc638574f2572e305d698354f3f264ad]
[  247.069531]  drv_unassign_vif_chanctx+0xfb/0x1d0 [mac80211 35888a67b6177782b23f0e366cc32544d6c3b54a]
[  247.069620]  ieee80211_assign_link_chanctx+0x60/0x3f0 [mac80211 35888a67b6177782b23f0e366cc32544d6c3b54a]
[  247.069726]  __ieee80211_link_release_channel+0x63/0x140 [mac80211 35888a67b6177782b23f0e366cc32544d6c3b54a]
[  247.069824]  ieee80211_set_monitor_channel+0xbb/0x210 [mac80211 35888a67b6177782b23f0e366cc32544d6c3b54a]
[  247.069915]  cfg80211_set_monitor_channel+0x63/0x110 [cfg80211 93ac45686d18ced1e4b62a6b0a85e2e7990aa0c0]
[  247.070016]  __nl80211_set_channel+0x253/0x360 [cfg80211 93ac45686d18ced1e4b62a6b0a85e2e7990aa0c0]
[  247.070094]  ? filename_lookup+0xf2/0x200
[  247.070099]  ? __nla_validate_parse+0x5f/0xca0
[  247.070104]  nl80211_set_wiphy+0x1fd/0xa20 [cfg80211 93ac45686d18ced1e4b62a6b0a85e2e7990aa0c0]
[  247.070180]  genl_family_rcv_msg_doit+0x101/0x160
[  247.070191]  genl_rcv_msg+0x1b7/0x2c0
[  247.070194]  ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211 93ac45686d18ced1e4b62a6b0a85e2e7990aa0c0]
[  247.070266]  ? __pfx_nl80211_set_wiphy+0x10/0x10 [cfg80211 93ac45686d18ced1e4b62a6b0a85e2e7990aa0c0]
[  247.070337]  ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211 93ac45686d18ced1e4b62a6b0a85e2e7990aa0c0]
[  247.070407]  ? __pfx_genl_rcv_msg+0x10/0x10
[  247.070410]  netlink_rcv_skb+0x50/0x100
[  247.070417]  genl_rcv+0x28/0x40
[  247.070421]  netlink_unicast+0x242/0x390
[  247.070426]  netlink_sendmsg+0x21b/0x470
[  247.070432]  sock_write_iter+0x18d/0x1a0
[  247.070438]  vfs_write+0x3a3/0x450
[  247.070445]  ksys_write+0xc8/0xe0
[  247.070450]  do_syscall_64+0x82/0x190
[  247.070457]  ? syscall_exit_to_user_mode+0x37/0x1c0
[  247.070460]  ? do_syscall_64+0x8e/0x190
[  247.070463]  ? syscall_exit_to_user_mode+0x37/0x1c0
[  247.070466]  ? do_syscall_64+0x8e/0x190
[  247.070470]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  247.070476] RIP: 0033:0x77cd5c4afe56
[  247.070504] Code: 89 df e8 7d bd 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 15 83 e2 39 83 fa 08 75 0d e8 32 ff ff ff 66 90 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
[  247.070507] RSP: 002b:00007ffe85134110 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[  247.070511] RAX: ffffffffffffffda RBX: 000077cd5c147b00 RCX: 000077cd5c4afe56
[  247.070513] RDX: 0000000000000024 RSI: 00005bbb9918da60 RDI: 0000000000000004
[  247.070515] RBP: 00007ffe85134120 R08: 0000000000000000 R09: 0000000000000000
[  247.070516] R10: 0000000000000000 R11: 0000000000000202 R12: 00005bbb9918eda0
[  247.070518] R13: 0000000000000000 R14: 00005bbb9918ec50 R15: 0000000004310400
[  247.070523]  </TASK>
[  247.070550] iwlwifi 0000:02:00.0: Failed to disable queue 2 (ret=-5)
[  247.070556] iwlwifi 0000:02:00.0: Failed to remove station. Id=2
[  247.070559] iwlwifi 0000:02:00.0: Failed sending remove station
[  247.070562] iwlwifi 0000:02:00.0: Failed to send quota: -5
[  247.070565] iwlwifi 0000:02:00.0: Failed to send binding (action:3): -5
[  247.070576] iwlwifi 0000:02:00.0: PHY ctxt cmd error. ret=-5
[  247.564402] iwlwifi 0000:02:00.0: PHY ctxt cmd error. ret=-5
[  247.564408] iwlwifi 0000:02:00.0: Failed to add PHY context
[  247.818492] iwlwifi 0000:02:00.0: restart completed
[  260.279644] iwlwifi 0000:02:00.0 mon0: left promiscuous mode
[  636.817746] debugfs: Directory 'netdev:phy0-monitor' with parent 'phy0' already present!
[  653.300872] wlp2s0: authenticate with aa:aa:aa:aa:aa:aa (local address=aa:aa:aa:aa:aa:aa)
[  653.302242] wlp2s0: send auth to aa:aa:aa:aa:aa:aa (try 1/3)
[  653.308979] wlp2s0: authenticated
[  653.309282] wlp2s0: associate with aa:aa:aa:aa:aa:aa (try 1/3)
[  653.312176] wlp2s0: RX AssocResp from aa:aa:aa:aa:aa:aa (capab=0x1111 status=0 aid=16)
[  653.314083] wlp2s0: associated
[  653.388229] wlp2s0: Limiting TX power to 36 (36 - 0) dBm as advertised by aa:aa:aa:aa:aa:aa

iw dev - hcxdump monitor interface

phy#0
        Interface wlp2s0
                ifindex 3
                wdev 0x1
                addr REDACTED
                type monitor
                channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0               0

sudo iw --debug phy phy0 interface add mon0 type monitor

phy#0
        Interface mon0
                ifindex 5
                wdev 0x3
                addr REDACTED
                type monitor
                channel 11 (2462 MHz), width: 20 MHz (no HT), center1: 2462 MHz

[ZerBea]

If you decide to try it, just change the code here:
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L3517
From: Command: NL80211_CMD_SET_INTERFACE (6)

Linux Generic Netlink protocol
    Netlink message header (type: 0x0026)
        Length: 36
        Family ID: 0x26 (nl80211)
        Flags: 0x0005
            .... .... .... ...1 = Request: 1
            .... .... .... ..0. = Multipart message: 0
            .... .... .... .1.. = Ack: 1
            .... .... .... 0... = Echo: 0
            .... .... ...0 .... = Dump inconsistent: 0
            .... .... ..0. .... = Dump filtered: 0
        Sequence: 8
        Port ID: 35323
    Command: NL80211_CMD_SET_INTERFACE (6)
    Family Version: 1
    Reserved

To: NL80211_CMD_NEW_INTERFACE (7)

Linux Generic Netlink protocol
    Netlink message header (type: 0x0026)
        Length: 48
        Family ID: 0x26 (nl80211)
        Flags: 0x0005
            .... .... .... ...1 = Request: 1
            .... .... .... ..0. = Multipart message: 0
            .... .... .... .1.. = Ack: 1
            .... .... .... 0... = Echo: 0
            .... .... ...0 .... = Dump inconsistent: 0
            .... .... ..0. .... = Dump filtered: 0
        Sequence: 2554892259
        Port ID: 2256570613
    Command: NL80211_CMD_NEW_INTERFACE (7)
    Family Version: 0
    Reserved

and add a VIF name.

[ZerBea]

Last but not least.

create VIF by kismet:

$ sudo kismet -c wlp48s0f4u2u4
$ iw dev
phy#11
	Interface kismon0
		ifindex 21
		wdev 0xb00000002
		addr 74:da:38:eb:46:6b
		type monitor
		channel 9 (2452 MHz), width: 20 MHz (no HT), center1: 2452 MHz
		txpower 20.00 dBm
	Interface wlp48s0f4u2u4
		ifindex 20
		wdev 0xb00000001
		addr 74:da:38:eb:46:6b
		type managed
		txpower 20.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

Please remember: kismon0 == great VIF for a passive sniffer.

Run hcxdumptool on it:

$ sudo hcxdumptool -i kismon0 --rcascan=active

Requesting physical interface capabilities. This may take some time.
Please be patient...

failed to arm interface
PACKET_STATISTICS failed

1 ERROR(s) during runtime
Possible reasons:
 driver is broken
 driver is busy (misconfigured system, other services access the INTERFACE)
0 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
Warning: too less packets received (monitor mode may not work as expected)
Possible reasons:
 driver is broken (most likely)
 no transmitter in range
 frames are filtered out by BPF
Warning: no PROBERESPONSES received (frame injection may not work as expected)
Possible reasons:
 no AP in range
 frames are filtered out by BPF
 driver is broken
 driver does not support frame injection

but unusable for an active ATTACK tool!

[ZerBea]

You can create a fork of hcxdumptool and apply your patch. I`ll do a git clone of your patched fork and give it a try.
Beside creating a VIF, you have to patch the entire control engine and the entire attack engine too. Otherwise hcxdumptool does not work when running on a VIF. This are massive code changes that have no advantage whatsoever.

[DaniloNC]

I’d like to get your thoughts on what works best with iwlwifi on kernel 6.13.3 in my case, I also have some other usb and pcie cards I could test (using other drivers / chipsets)

By default, the interface fails when I try:

➜  ~ sudo iw dev
phy#0
        Unnamed/non-netdev interface
                wdev 0x2
                addr REDACTED
                type P2P-device
        Interface wlp2s0
                ifindex 3
                wdev 0x1
                addr REDACTED
                ssid REDACTED
                type managed
                channel 153 (5765 MHz), width: 40 MHz, center1: 5755 MHz
                txpower 22.00 dBm
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0               0
➜  ~ sudo hcxdumptool -i wlp2s0

However, the following manual approach works:

sudo nmcli device set wlp2s0 managed no

➜  ~ sudo iw dev
phy#0
        Interface wlp2s0
                ifindex 3
                wdev 0x1
                addr REDACTED
                type managed
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0               0
➜  ~ sudo iw dev wlp2s0 del
➜  ~ sudo iw phy phy0 interface add mon0 type monitor
➜  ~ sudo ip l set mon0 up
➜  ~ sudo hcxdumptool -i mon0

# this is the iw dev output while hcxdumptool is running
➜  ~ sudo iw dev
phy#0
        Interface mon0
                ifindex 7
                wdev 0x6
                addr REDACYED
                type monitor
                channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz

Instead of creating an additional VIF, I would like to try implementing:

• Deleting all existing interfaces of that phy.
• Creating a new monitor mode interface.
• On quit, delete the monitor interface and recreating the managed interface. (If that was the case before starting hcxdumptool)

This at least improves the iwlwifi but I wonder if that can break other drivers.
Would love to hear your thoughts on this approach.

[DaniloNC]

If you think this is merely a workaround for iwlwifi specific cases, I can simply provide hcxdumptool with my monitor interface (despite the README recommendation against it) and move forward with it.

I'm mainly wondering if this approach would offer better stability across different chipsets and drivers beyond iwlwifi.

[ZerBea]

What is hcxdumptool/hcxlabtool doing:

• in automatic mode == search for the best suitable WiFi interface and set it to monitor mode and set it up)
• on option -i == set this interface to monitor mode and set it up

In both cases NETLINK (set monitor mode) and RTNETLINK (bring interface up) is used. This is by far the most likely to succeed on modern systems.

Conclusion:

Intel chipset

• passive monitor mode is working more or less as expected
• packet injection is a mess.

Absolutely no word about packet injection:
https://wireless.docs.kernel.org/en/latest/en/users/drivers/iwlwifi.html#about-the-monitor-sniffer-mode

VIF

• an additional VIF running in monitor mode is designed to capture packets only.
• this monitor mode is a passive-only mode, no packets are transmitted.
  https://wireless.docs.kernel.org/en/latest/en/users/documentation/modes.html

If you run a passive sniffer on an additional VIF (in monitor mode), it works as expected:

$ sudo hcxnmealog -d /dev/ttyACM0 -o /tmp/test.nmea -i kismon0
Summary:
-------
NMEA 0183 sentences logged.......: 142
802.11 packets received by kernel: 88
802.11 packets dropped by kernel.: 0

Packet injection on an additional VIF (running in monitor mode) fails epically:

$ sudo hcxdumptool -i kismon0 --rds=1

Requesting physical interface capabilities. This may take some time.
Please be patient...

failed to arm interface
PACKET_STATISTICS failed

1 ERROR(s) during runtime
Possible reasons:
 driver is broken
 driver is busy (misconfigured system, other services access the INTERFACE)
0 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
Warning: too less packets received (monitor mode may not work as expected)
Possible reasons:
 driver is broken (most likely)
 no transmitter in range
 frames are filtered out by BPF
0 SHB written to pcapng dumpfile
0 IDB written to pcapng dumpfile
0 ECB written to pcapng dumpfile
0 EPB written to pcapng dumpfile

A workaround for Intel chipsets (iwlwifi) will mess up all the other drivers (Ralink, Realtek, MediaTek) which adhere to the standard API (NETLINK and RTNETLINK).

Intel is not(!) interested in monitor mode, so don't expect firmware updates regarding monitor mode and packet sniffing!
Monitor mode and package injection are not supported on Intel® Wireless adapters.
https://community.intel.com/t5/Wireless/How-to-enable-wireless-monitor-mode-in-Intel-Wireless-AC-9560/m-p/654032

On quit, delete the monitor interface and recreating the managed interface. (If that was the case before starting hcxdumptool)
No. Mostly I run tshark in parallel with hcxdumptool/hcxlabtool. Even if it has already terminated, tshark is still running (for analysis purpose). Manipulating (deleting) the interface causes tshark to stop.

If you think this is merely a workaround for iwlwifi specific cases, I can simply provide hcxdumptool with my monitor interface (despite the README recommendation against it) and move forward with it.
I suggest to use iw and ip for your special case (iwlwifi , Intel chipset and Intel firmware).

But adding it to README.md is against all my recommendations:
help

Important recommendation:
-------------------------
Do not set monitor mode by third party tools or third party scripts!
Do not use virtual interfaces (monx, wlanxmon, prismx, ...)!
Do not use virtual machines or emulators!
Do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)!
Do not use tools to change the virtual MAC (like macchanger)!
Do not merge (pcapng) dump files, because this destroys assigned hash values!

README.md

Not recommended WiFi chipsets:
* Intel (Monitor mode and frame injection problems.)
* Broadcom (Neither monitor mode nor frame injection by official Linux kernel.)
* Qualcomm (No frame injection by official Linux kernel.)
Absolutely not recommended:
* All kinds of WiFi PCIe cards, due to massive interference.
https://duckduckgo.com/?t=ffab&q=Static+Interference+from+PCIe+wifi&ia=web

That prevent a lot of issue reports itf the iw/ip way is not working in future times any longer.

Feel free to open a new discussion (e.g. hcxdumptool and Intel chipsets) and explain your way to handle Intel chipsets.
Similar like this ones:
https://github.com/ZerBea/hcxdumptool/discussions/495
#406

Run tshark in parallel on a second hardware interface to make sure that the Intel interface is really transmitting all kind of packets generated by hcxdumptool.

[DaniloNC]

Thank you for your input! Closing the discussion.

[ZerBea]

You're welcome.
Unfortunately Intel chipsets are a real problem. Mostly nothing is working as expected.