Linux Orinoco RFMON HOWTO
dragorn@kismetwireless.net
v1.0.2
April 01 2005

1. Introduction

There are several different Orinoco drivers circulating which act differently,
require different patches, and have different features.

Raw monitor mode (rfmon) is a sniffing mode which allows the card to report
frames from the 802.11 layer. Without this mode, sniffing is only possible
on the data layer of the associated network. Utilities like Kismet and
Airsnort require rfmon support for data capture and will not work without it.

2. Who this is for

This HOWTO is for anyone running Orinoco HermesI based cards in Linux, who
wants to use raw monitor mode sniffing (for example, with Kismet, Ethereal,
TCPDump, etc). If you're only interested in using your card for normal
mode, you don't need this.

3. What drivers (and patches) are there?

There is a plethora of different drivers, both standalone packages which build
driver modules outside of the kernel tree, and kernel mainline drivers which
are part of the kernel source itself.

3.1 Orinoco 0.13 standalone drivers

Type: Standalone
Kernel: 2.4.x
Site: http://ozlabs.org/people/dgibson/dldwd/orinoco-0.13e.tar.gz
Patches: http://www.kismetwireless.net/download.shtml#orinoco

For 2.4 kernels, the 0.13e standalone driver release is the typical choice.
The 0.13 drivers don't support monitor mode natively, but patches are
available. The official 0.13 standalone release will NOT work with 2.6
kernels.

The patches add monitor support (Snax of the Shmoo group) and fix certain
broken behaviour in the driver which leads to stuttering sound, serial data
corruption, and overall system lag during channel hopping (Dragorn).

3.2 Orinoco 0.13-26 standalone drivers

Type: Standalone
Kernel: 2.6.x
Site: http://www.kismetwireless.net/download.shtml#orinoco1326
Patches: Not required

An unofficial release for 2.6 kernels, the 0.13-26 package contains the
0.13e drivers with Linux 2.6.x compatibility and the rfmon+fix patches
already applied. This is not a release by the Orinoco driver developers,
nor do they support it.

Users who cannot or do not want to patch their 2.6 kernel sources can
use these standalone drivers.

3.3 Linux Kernel 2.6 < 2.6.9 builtin drivers

Type: In kernel source
Kernel: 2.6.x before 2.6.9
Site: n/a
Patches: http://www.kismetwireless.net/download.shtml#orinoco

The 2.6 kernel tree began to include the Orinoco 0.13e driver. Releases
earlier than 2.6.9 (i.e., up to 2.6.8.1) include the same code as the
standalone 0.13 driver package, and use the same patches. Instructions
for applying the 0.13 patches are available at:
http://www.kismetwireless.net/HOWTO-26_Orinoco_Rfmon.txt

Vendors often backport newer drivers into older kernel versions; if you
use a vendor-customized kernel, you may not have the drivers that match
this kernel version.

3.4 Linux Kernel 2.6.9 and 2.6.10

Type: In kernel source
Kernel: 2.6.9 - 2.6.10
Site: n/a
Patches: http://www.kismetwireless.net/download.shtml#orinoco269

As of kernel 2.6.9, the in-kernel Orinoco drivers are beginning to shift
towards the new codebase. Headers were changed, structures redefined or
moved, and other code shifts make the standard 0.13 driver patches
incompatible.

The 2.6.9 kernel patches apply to the base of the kernel source tree.

3.5 Linux Kernel 2.6.11

Type: In kernel source
Kernel: 2.6.11
Site: n/a
Patches: http://www.kismetwireless.net/download.shtml#orinoco2611

2.6.11 subtly changes the orinoco drivers, again.

The 2.6.11 kernel patches apply to the base of the kernel source tree.

3.6 Orinoco 0.15 standalone drivers

Type: Standalone
Kernel: 2.6.x
Site: http://ozlabs.org/people/dgibson/dldwd/orinoco-0.15rc2.tar.gz
Patches: http://www.kismetwireless.net/download.shtml#orinoco15

The next generation of Orinoco drivers is the 0.15 source branch.
Destined to eventually become the mainstream kernel drivers, the 0.15
branch is a major rewrite which includes a modified monitor mode
without patching.

Unfortunately, the new monitor code subtly changes how packet data is
formatted, making it unusable with existing applications that expect
the previous format. The new driver structure also lacks per-packet
statistics for signal and noise. Because of monitor mode unreliability
on some firmware versions, the 0.15 drivers completely disable monitor
mode on newer firmwares.

The patches available on the kismetwireless.net site restore this
missing functionality.

3.7 WLAGS/Greenblaze drivers

Type: Patchset to pcmcia-cs
Kernel: 2.4.x
Site: http://www.agere.com/mobility/wireless_lan_drivers.html
Patches: None available

The wlags drivers from Proxim work with HermesI and more recent HermesII
cards. They compile only under 2.4 kernels, and do not include monitor mode
support. The wlags drivers use a volatile firmware load to initialise the
card and support adhoc and access point modes.

The wlags drivers are the only option for HermesII based cards.

4. Applying the patches

For drivers which need them, patch files are available as standard ``diff''
files. To apply these, use the ``patch'' command. When applying a patch,
it's a good idea to use the ``--dry-run'' option to patch. This applies the
patch without modifying any files. If there is a problem, you will not have
damaged the original files.

If the patches do not specify how to patch them, a typically safe test would
be to apply them at the top of the source tree with:
``patch -p1 --dry-run < /path/to/patch''

To apply a patch to the head of the kernel tree, go to your current kernel
source (typically /usr/src/linux-version) and use ``patch -p1''. Using
--dry-run is always recommended to test.

The patch WILL NOT be applied until you remove ``--dry-run'' from the command.

As always, see the man page on patch for more information about the command.
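The dry-run-then-apply procedure above, as an added shell example (not part of the original HOWTO). The toy source tree and the unified diff are constructed inside a temporary directory so the script runs offline; on a real system the tree would be your kernel or standalone driver source and the patch one of the files from kismetwireless.net. The helper names (apply_patch_safely, write_demo_tree, write_demo_patch) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: wrap "patch --dry-run" so a
# patch is only applied for real after the dry run reports success. The toy
# source tree and the unified diff below are constructed here so the script
# runs offline; a real kernel tree would live under /usr/src/linux-version.

# apply_patch_safely TREE PATCHFILE [STRIP]
#   Dry-run the patch at the top of TREE with -p<STRIP> (default 1). If every
#   hunk applies cleanly, run the same command without --dry-run. Returns 0
#   on success; a failed dry run returns 1 and leaves TREE untouched.
apply_patch_safely() {
    tree="$1"; patchfile="$2"; strip="${3:-1}"
    if ! (cd "$tree" && patch -p"$strip" --dry-run < "$patchfile"); then
        echo "dry run failed: $patchfile does not apply to $tree (nothing changed)" >&2
        return 1
    fi
    (cd "$tree" && patch -p"$strip" < "$patchfile")
}

# write_demo_tree DIR LINE
#   Create a constructed one-file "driver tree" under DIR whose orinoco.c
#   contains LINE. Stands in for the real driver sources.
write_demo_tree() {
    mkdir -p "$1/drivers/net/wireless"
    printf '%s\n' "$2" > "$1/drivers/net/wireless/orinoco.c"
}

# write_demo_patch FILE
#   Write a constructed unified diff (paths prefixed a/ and b/, so it applies
#   with -p1 from the top of the tree, exactly like the HOWTO's example).
write_demo_patch() {
    cat > "$1" <<'EOF'
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -1 +1 @@
-int monitor_mode = 0;
+int monitor_mode = 1;
EOF
}

# Walk through the procedure: a matching tree is patched; a tree whose file
# has drifted is refused at the dry-run stage and its file is left as it was.
demo_dir="$(mktemp -d)"
write_demo_patch "$demo_dir/rfmon.patch"
write_demo_tree "$demo_dir/good"  'int monitor_mode = 0;'
write_demo_tree "$demo_dir/stale" 'int monitor_mode = 2;'   # hunk will not match
apply_patch_safely "$demo_dir/good"  "$demo_dir/rfmon.patch" && echo "good: patched"
apply_patch_safely "$demo_dir/stale" "$demo_dir/rfmon.patch" || echo "stale: refused"
cat "$demo_dir/good/drivers/net/wireless/orinoco.c"    # int monitor_mode = 1;
cat "$demo_dir/stale/drivers/net/wireless/orinoco.c"   # int monitor_mode = 2;
```

Because patch is run with --dry-run first, a hunk that no longer matches (here, a file that has drifted from what the patch expects) is reported before anything is written, which is the point the HOWTO makes about not damaging the original files.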

5. Installing

If you are installing a standalone driver package, first go into your modules
directory (typically /lib/modules/linux-version/) and remove all the kernel
versions of the module you're installing. Having two copies of the same
module will lead to significant confusion. Be sure to use ``lsmod'' and
``rmmod'' to remove any running versions of the modules. ``make install''
will install the modules from the standalone package. Reinitialize your card
if it is PCMCIA, or reload the modules with ``modprobe'' if it is PCI.

If you are reinstalling kernel modules, ``make modules modules_install'' will
compile the changed modules and install them. Use ``lsmod'' and ``rmmod'' to
remove running versions, and reinitialize your card (PCMCIA) or reload the
modules with ``modprobe'' (PCI).

6. Picking a driver

Currently, the 0.13 driver chain seems to be the most stable and useful choice
for HermesI based cards. The 0.15 drivers have shown some instability in
monitor mode and don't work at all with many firmware versions.

The Orinoco drivers attempt to support Prism2 cards as well, but much better
functionality is available from HostAP (http://hostap.epitest.fi) and USB
support is available with WLAN-NG (http://linux-wlan.com). Prism2-specific
drivers should always be used for Prism2 cards.

7. But I did all this, and it doesn't work

If you've applied all the patches and tools like Kismet still say unable to
enter monitor mode, or if ``iwpriv ethX'' doesn't show 'monitor' on the
0.13 drivers: You did it wrong.

Either you did not apply the patch, or you aren't running the drivers you
think you're running. Find all the old driver components in your
/lib/modules/<version>/ directory:
orinoco.[k]o
hermes.[k]o
orinoco_cs.[k]o
orinoco_pci.[k]o
orinoco_plx.[k]o
orinoco_tmd.[k]o

2.6.x kernels use the extension '.ko' for modules. 2.4 kernels use the
extension '.o'. Make sure that no old copies of the modules are in different
directories that might be loaded before the patched drivers.

Make sure you have removed the current running drivers using ``rmmod''.
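The duplicate-module check from sections 5 and 7, as an added shell example (not part of the original HOWTO). It lists every orinoco/hermes module file under a modules directory and flags names that occur in more than one place. The modules directory below is constructed in a temporary location so the script runs offline; on a real system you would pass /lib/modules/<version> (for example /lib/modules/$(uname -r)). The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: list every copy of the
# Orinoco driver modules under a modules directory and flag names that exist
# in more than one place. The module tree below is constructed so this runs
# offline; on a real system pass /lib/modules/<version> instead.

# orinoco_module_paths MODDIR
#   Print the path of every orinoco/hermes module file (.o on 2.4 kernels,
#   .ko on 2.6 kernels) under MODDIR, one per line, sorted.
orinoco_module_paths() {
    find "$1" -type f \( -name 'orinoco*.o' -o -name 'orinoco*.ko' \
                         -o -name 'hermes.o' -o -name 'hermes.ko' \) | sort
}

# duplicated_module_names MODDIR
#   Print each module base name (extension stripped) that occurs more than
#   once under MODDIR. Two copies of one module is the situation the HOWTO
#   warns about: the old copy may be loaded before the patched driver.
duplicated_module_names() {
    orinoco_module_paths "$1" | sed 's#.*/##; s/\.ko$//; s/\.o$//' | sort | uniq -d
}

# make_demo_moddir
#   Build a constructed 2.6-style modules directory where the in-kernel
#   orinoco.ko is still present beside a standalone build installed into
#   extra/. Prints the directory path.
make_demo_moddir() {
    d="$(mktemp -d)"
    mkdir -p "$d/kernel/drivers/net/wireless" "$d/extra"
    for m in orinoco hermes orinoco_cs orinoco_pci; do
        : > "$d/kernel/drivers/net/wireless/$m.ko"
    done
    : > "$d/extra/orinoco.ko"       # standalone copy: now two orinoco.ko files
    : > "$d/extra/orinoco_cs.ko"    # and two orinoco_cs.ko files
    printf '%s\n' "$d"
}

demo="$(make_demo_moddir)"
echo "module files under $demo:"
orinoco_module_paths "$demo"
echo "names present more than once (remove the copies you do not want):"
duplicated_module_names "$demo"
```

Run the two functions against the real modules directory, remove the stale copies the second one reports, then ``rmmod'' the running modules and reinitialize the card as section 5 describes; only then can you be sure the driver you load is the patched one.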
