1. Overview
To capture Wi-Fi traffic, first put both wireless interfaces into monitor mode, which lets the adapter receive every 802.11 frame on the air rather than only frames addressed to it. On OpenWRT that means stopping any AP or client service using those radios (hostapd / wpa_supplicant, shipped together as wpad) and switching the interface type. If the Aircrack-ng suite is installed, airmon-ng start wlan0 (internal radio) and airmon-ng start wlan1 (USB card) create monitor interfaces (such as wlan0mon) ready for capturing. If airmon-ng isn't available, add a monitor interface manually with the iw utility.
Important: if the internal radio was hosting an SSID, putting it into monitor mode takes that network down and disconnects its clients. On a dual-radio OpenWRT device you can dedicate one radio to scanning and leave the other serving clients when connectivity matters more than coverage; the dual-band setup below uses both radios for scanning. Also kill any process that could grab the interface back (NetworkManager on a Linux laptop, wpad on OpenWRT); airmon-ng check kill terminates the common network managers that fight for the interface.
With both adapters in monitor mode, we use airodump-ng to listen passively. Run without channel options, airodump-ng hops through the 2.4 GHz channels (1-11 in the US regulatory domain, 1-13 in most others). It displays a real-time table of the access points (APs) it hears and their key parameters, and it can write the same data to files for scripting.
We are particularly interested in the following fields:
- ESSID - the network name (SSID) of the AP (may be blank for hidden networks).
- BSSID - the MAC address of the AP (we'll use this internally to uniquely identify APs).
- CH (Channel) - the Wi-Fi channel number that the AP is on.
- PWR (Signal Power) - the signal strength as seen by our adapter (RSSI, in dBm). Values closer to zero are stronger (e.g. -40 is strong, -80 is weak).
- #Data - number of data packets captured from that network (in the CSV output this column is labelled "# IV").
- Other columns (Beacons, #/s, ENC, etc.) can be ignored for our purposes.
To record discovered networks:
airodump-ng --band bg --write scan2ghz --output-format csv wlan0mon
This logs to scan2ghz-01.csv (airodump-ng appends a two-digit run number to the prefix). Run a second instance with --band a on the 5 GHz adapter. The CSV includes BSSID, ESSID, channel, power, #data, etc., and is rewritten every 5 seconds by default (tune with --write-interval). Don't point two airodump-ng processes at the same radio: each one drives the channel hopper, so they fight over which channel the card sits on. Give each band its own dedicated adapter, one for 2.4 GHz and one for 5 GHz. To reduce latency in data collection, set a shorter interval, e.g. --write-interval 1 to refresh the CSV every second; this helps real-time polling or monitoring tools that process new results continuously.
2. Dual-Adapter Scanning on 2.4g and 5g
To cover both bands efficiently, we run two adapters simultaneously. airodump-ng accepts multiple interfaces in one command, but separate instances are simpler to control.
Both airodump processes run in parallel, each scanning its own band. Give them different -w output prefixes so their files don't collide. You can instead pass both interfaces to one airodump-ng invocation and tune channel switching with --cswitch, but separate processes are easier. Confirm that each instance is hopping through its own channels (1-11 for 2.4 GHz; 36 and up for 5 GHz). If the 5 GHz scan shows nothing at first, the nearby channels may simply be idle; give it a few sweeps. If the PWR column shows -1 for every entry, the driver is not reporting signal level (or no frames are being captured at all); that is a driver or monitor-mode problem, not an empty band. Recheck monitor mode and test against a known active network nearby.
Dual-band APs with the same SSID but different BSSIDs appear twice, once per band; that's expected. Deduplicate on BSSID internally. End-user output can group by ESSID and omit the BSSID.
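The following Python script is an added example, not code from the original page or from the aircrack-ng project. It parses the CSV that airodump-ng writes (the AP table only, ignoring the station table), folds a comma inside an unquoted ESSID back into one field, deduplicates on BSSID across the 2.4 GHz and 5 GHz files and across successive rewrites of the same file, groups the result by ESSID for an end-user view, and flags rows whose PWR is -1 so a non-reporting driver is not mistaken for a weak network. The CSV snapshots, MAC addresses and network names embedded in it are constructed for the example.

```python
"""Parse airodump-ng CSV snapshots, deduplicate on BSSID, group by ESSID.

Added example for this page (not aircrack-ng code). The CSV text below is
constructed to mirror airodump-ng's layout: blank line, AP table, blank line,
station table. MACs, names and timestamps are invented.
"""
import csv
import io
from dataclasses import dataclass, replace
from itertools import chain


@dataclass
class AccessPoint:
    bssid: str
    essid: str     # "" for hidden networks
    channel: int   # -1 when airodump-ng has not determined the channel yet
    power: int     # dBm; -1 means the driver reported no signal level at all
    data: int      # CSV column "# IV", shown as #Data on screen
    band: str


def band_for_channel(ch: int) -> str:
    if 1 <= ch <= 14:
        return "2.4GHz"
    if 32 <= ch <= 177:
        return "5GHz"
    return "unknown"


def parse_airodump_csv(text: str) -> list[AccessPoint]:
    """AP rows of one snapshot; the station table is ignored.

    ESSIDs are written unquoted, so a comma inside an SSID splits the row into
    extra fields; those are folded back into ESSID using the header width."""
    aps, header = [], None
    for raw in csv.reader(io.StringIO(text)):
        if not any(f.strip() for f in raw):   # blank line: skip before header, stop after it
            if header:
                break
            continue
        if raw[0].strip() == "BSSID":
            header = [h.strip() for h in raw]
            continue
        if header is None:
            continue
        if raw[0].strip() == "Station MAC":
            break
        extra = len(raw) - len(header)
        if extra > 0:                         # comma inside the ESSID: re-join the pieces
            i = header.index("ESSID")
            raw = raw[:i] + [",".join(raw[i:i + extra + 1])] + raw[i + extra + 1:]
        row = dict(zip(header, (f.strip() for f in raw)))
        ch = int(row["channel"])
        aps.append(AccessPoint(row["BSSID"], row["ESSID"], ch, int(row["Power"]),
                               int(row["# IV"]), band_for_channel(ch)))
    return aps


def _better_power(a: int, b: int) -> int:
    """Prefer a real reading over -1 (no signal level), otherwise the stronger one."""
    real = [p for p in (a, b) if p != -1]
    return max(real) if real else -1


def merge_scans(*scans: list[AccessPoint]) -> dict[str, AccessPoint]:
    """Deduplicate by BSSID across bands and across successive snapshots.
    #Data is cumulative within one airodump-ng run, so keep the higher count."""
    seen: dict[str, AccessPoint] = {}
    for ap in chain.from_iterable(scans):
        cur = seen.get(ap.bssid)
        seen[ap.bssid] = ap if cur is None else replace(
            cur, power=_better_power(cur.power, ap.power), data=max(cur.data, ap.data))
    return seen


def group_by_essid(aps) -> dict[str, list[AccessPoint]]:
    """End-user view: one entry per network name, strongest BSSID first, -1 last."""
    groups: dict[str, list[AccessPoint]] = {}
    for ap in aps:
        groups.setdefault(ap.essid or "<hidden>", []).append(ap)
    for lst in groups.values():
        lst.sort(key=lambda a: a.power if a.power != -1 else -999, reverse=True)
    return groups


def unreported_signal(aps) -> list[AccessPoint]:
    """Rows with PWR -1: the driver is not reporting RSSI, not a weak network."""
    return [ap for ap in aps if ap.power == -1]


# Constructed snapshots (not real captures). Same header airodump-ng writes.
HEADER = ("BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
          "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key")
SCAN_2G = f"""
{HEADER}
AA:BB:CC:DD:EE:01, 2024-05-01 10:00:00, 2024-05-01 10:00:30,  6, 130, WPA2, CCMP, PSK, -42,       25,       17,   0.  0.  0.  0,   7, HomeNet, 
AA:BB:CC:DD:EE:02, 2024-05-01 10:00:02, 2024-05-01 10:00:29, 11,  65, WPA2, CCMP, PSK, -81,        9,        0,   0.  0.  0.  0,  10, Cafe, Free, 
AA:BB:CC:DD:EE:03, 2024-05-01 10:00:05, 2024-05-01 10:00:28,  1,  54, WPA2, CCMP, PSK,  -1,        4,        0,   0.  0.  0.  0,   6, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-05-01 10:00:10, 2024-05-01 10:00:25, -50,       12, AA:BB:CC:DD:EE:01, HomeNet
"""
SCAN_5G = f"""
{HEADER}
AA:BB:CC:DD:EE:11, 2024-05-01 10:00:01, 2024-05-01 10:00:31,  36, 866, WPA2, CCMP, PSK, -47,       30,       40,   0.  0.  0.  0,   7, HomeNet, 
AA:BB:CC:DD:EE:12, 2024-05-01 10:00:03, 2024-05-01 10:00:27, 149, 866, WPA2, CCMP, PSK, -60,       15,        2,   0.  0.  0.  0,   8, Office5G, 
"""
# The 2.4 GHz file as rewritten 5 s later: HomeNet now stronger with more data.
SCAN_2G_LATER = f"""
{HEADER}
AA:BB:CC:DD:EE:01, 2024-05-01 10:00:00, 2024-05-01 10:00:35,  6, 130, WPA2, CCMP, PSK, -40,       30,       23,   0.  0.  0.  0,   7, HomeNet, 
"""

if __name__ == "__main__":
    merged = merge_scans(parse_airodump_csv(SCAN_2G), parse_airodump_csv(SCAN_5G),
                         parse_airodump_csv(SCAN_2G_LATER))
    for name, aps in sorted(group_by_essid(merged.values()).items()):
        print(name, " | ".join(f"{a.band} ch{a.channel} {a.power}dBm data={a.data}" for a in aps))
    for ap in unreported_signal(merged.values()):
        print("no RSSI from driver:", ap.bssid)
```

Point it at scan2ghz-01.csv and scan5ghz-01.csv by reading each file and passing the text to parse_airodump_csv. Because airodump-ng rewrites the whole file on every interval, re-parsing on a timer and feeding the results through merge_scans gives a running picture without double-counting, and the 5 GHz twin of a dual-band AP ends up under the same ESSID entry rather than as a second network.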
3. Channel Hopping Timing and Optimization
How long to stay on each channel? airodump-ng hops every 250 ms by default; the -f flag sets that interval in milliseconds. The default finds beaconing APs quickly, but an AP that sends little traffic may sit at #Data 0 for a while because the adapter is rarely on its channel when a data frame goes by. At 200 ms per channel a full 2.4 GHz sweep of 11 channels takes about 2.2 seconds; at the default 250 ms, about 2.75 seconds. Start with the default. If data counts stay low, lengthen the dwell (e.g. -f 300) and compare the results live.
For finer control, especially when scripting your own hopping logic, use --channel to lock airodump-ng to one channel (e.g. --channel 1) and step through the channels yourself. CSV logging still works, locking avoids two processes hopping the same radio, and each dwell becomes an explicit state in a state-machine-driven scan. For comparison, a 2.4 GHz hopping scan with a 200 ms interval:
airodump-ng --band bg -f 200 -w scan2ghz --output-format csv wlan0mon
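To tie the setup step from the Overview to the manual hopping described here, the Python example below is added to this page and is not code from the original text or from the aircrack-ng project. It shows the iw/ip sequence that stands in for airmon-ng on a box without it, and a hand-rolled hopper that locks airodump-ng to one channel at a time, waits a chosen dwell, terminates it cleanly and moves on. The interface names wlan0/wlan1, the channel lists and the scan prefixes are assumptions; run it as root after stopping wpad, and adjust the 5 GHz list to your regulatory domain.

```python
"""Manual monitor-mode setup (iw) and a channel-locked airodump-ng sweep.

Added example; wlan0/wlan1, the prefixes and the channel lists are assumptions,
not taken from the original page.
"""
import subprocess
import time
from typing import Callable, Optional, Sequence

# Channels one sweep visits. Constructed for this example: US 2.4 GHz channels
# 1-11 and the non-DFS 5 GHz channels, so the sweep never stalls on a channel
# the regulatory domain forbids. Adjust for your region.
CHANNELS_2G = list(range(1, 12))
CHANNELS_5G = [36, 40, 44, 48, 149, 153, 157, 161, 165]
DEFAULT_HOP_MS = 250   # airodump-ng's default -f interval


def monitor_setup_cmds(radio: str, mon: str) -> list[list[str]]:
    """iw/ip sequence replacing `airmon-ng start <radio>` where airmon-ng is absent
    (e.g. OpenWRT). Stop wpad/hostapd first or netifd may bring the radio back up."""
    return [
        ["ip", "link", "set", radio, "down"],   # managed interface must be down first
        ["iw", "dev", radio, "interface", "add", mon, "type", "monitor"],
        ["ip", "link", "set", mon, "up"],
    ]


def enable_monitor(radio: str, mon: str,
                   run: Optional[Callable[[Sequence[str]], int]] = None) -> None:
    """Run the setup sequence, stopping at the first failing command."""
    run = run or (lambda argv: subprocess.run(argv, check=False).returncode)
    for argv in monitor_setup_cmds(radio, mon):
        if run(argv) != 0:
            raise RuntimeError("failed: " + " ".join(argv))


def airodump_locked_cmd(mon: str, channel: int, prefix: str) -> list[str]:
    """airodump-ng pinned to one channel, CSV flushed every second for pollers.
    airodump-ng adds -NN to the prefix, so each channel gets its own file set."""
    return ["airodump-ng", "--channel", str(channel), "--write", f"{prefix}-ch{channel}",
            "--output-format", "csv", "--write-interval", "1", mon]


def sweep_seconds(channels: Sequence[int], hop_ms: int) -> float:
    """Wall time of one airodump-ng hopping pass: 11 channels at 200 ms -> 2.2 s."""
    return len(channels) * hop_ms / 1000


def sweep(mon: str, channels: Sequence[int], dwell_s: float, prefix: str,
          spawn=subprocess.Popen, sleep=time.sleep) -> list[int]:
    """One pass of the hand-rolled hopper: spawn airodump-ng locked to a channel,
    wait dwell_s, terminate it, move to the next channel. Process start-up costs
    a few hundred ms, so dwells here should be seconds; use -f for faster hopping."""
    visited = []
    for ch in channels:
        proc = spawn(airodump_locked_cmd(mon, ch, prefix),
                     stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        sleep(dwell_s)
        proc.terminate()                 # SIGTERM: airodump-ng closes its output files
        try:
            proc.wait(timeout=5)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
        visited.append(ch)
    return visited


if __name__ == "__main__":
    enable_monitor("wlan0", "wlan0mon")
    enable_monitor("wlan1", "wlan1mon")
    # One radio per band, as in the text; a real tool would run these in two threads.
    sweep("wlan0mon", CHANNELS_2G, 2.0, "scan2ghz")
    sweep("wlan1mon", CHANNELS_5G, 2.0, "scan5ghz")
```

The injectable spawn and sleep arguments let the hopper be driven from a test or a dry run without a radio; in production they default to subprocess.Popen and time.sleep. Feed the per-channel CSV files into whatever consumer you use, and remember that --channel on one radio and --band hopping on the other must never share an interface.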