Snort mailing list archives

Fwd: Error with attempt to monitor RF Monitor port mon0 /wifi


From: David Saint Ruby <davidsaintruby () gmail com>
Date: Fri, 27 Sep 2013 19:08:52 -0400

Hello all… have a use case to monitor a wifi channel (open AP).

Am opening up a virtual RF Monitor interface with airmon-ng.

version 2.9.5.5.

Compiled from source with --enable-non-ether-decoders

Message:

pcap DAQ configured to passive.

The DAQ version does not support reload.

Acquiring network traffic from "mon0".

Reload thread starting...

Reload thread started, thread 0xa777db70 (15787)

ERROR: Cannot decode data link type 127

Fatal Error, Quitting..



Has anyone seen or tried this before?  Is monitoring an interface showing
the full 802.11 frames even possible with snort?

Looking way back at older versions of snort, there used to be a -w option
to look at some 802.11 that is deprecated.



       -w     Show management frames if running on an 802.11 (wireless) network.





Wireshark is fine with it. I do not care about rules around the radio
management fields or frames. I suspect that the RF Monitor mode may have
some additional "RF tap" headers that are tripping up the decode?

Thanks


David Saint Ruby
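
Data link type 127 in the error above is libpcap's DLT_IEEE802_11_RADIO: each packet from a monitor-mode interface such as mon0 begins with a radiotap header ahead of the 802.11 frame. The following Python is an added example, not part of the original post or of Snort; it reads a classic pcap file image, checks the link type and strips the radiotap header, and the sample capture and function names are constructed for illustration.

```python
import struct

DLT_IEEE802_11 = 105        # bare 802.11 frames
DLT_IEEE802_11_RADIO = 127  # radiotap header, then the 802.11 frame

def read_pcap(data):
    """Return (linktype, [packet bytes]) from a classic pcap file image."""
    if len(data) < 24:
        raise ValueError("shorter than the pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):    # little-endian (usec / nsec)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):  # big-endian file
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record")
        packets.append(pkt)
        off += 16 + incl_len
    return linktype, packets

def strip_radiotap(pkt):
    """Drop the radiotap header; its fields are always little-endian."""
    if len(pkt) < 8:
        raise ValueError("shorter than the fixed radiotap header")
    version, _pad, it_len, _present = struct.unpack("<BBHI", pkt[:8])
    if version != 0 or it_len < 8 or it_len > len(pkt):
        raise ValueError("malformed radiotap header")
    return pkt[it_len:]

def dot11_frames(data):
    linktype, packets = read_pcap(data)
    if linktype == DLT_IEEE802_11:
        return packets
    if linktype == DLT_IEEE802_11_RADIO:
        return [strip_radiotap(p) for p in packets]
    raise ValueError(f"unsupported data link type {linktype}")

# Constructed sample: one packet, 12-byte radiotap header (Channel field
# only, 2437 MHz) followed by a 10-byte 802.11 ACK frame without FCS.
ACK = bytes.fromhex("d4000000" "020000000001")
PKT = struct.pack("<BBHIHH", 0, 0, 12, 0x8, 2437, 0x00A0) + ACK
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
          + struct.pack("<IIII", 0, 0, len(PKT), len(PKT)) + PKT)
```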