Airodump-ng stops working after 2 minutes.

[Mev69]

Hi. I’m new to BackTrack and new to Linux. Not the best combo apparently.

I have resolved all my issues so far by searching posts on this forum, as well as others. But now I am stumped and, although I have an idea of what the issue might be, I don’t really know what commands to try to find and resolve what is going on.

The issue is my connection seems to drop, or I stop picking up data in airodump after 2 minutes of normal operation. The error is repeatable and always occurs after exactly 2 minutes.

Here is my initial configuration:

Code:

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:25:22:a8:53:7e  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:43 Base address:0x8000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:7257 (7.2 KB)  TX bytes:7257 (7.2 KB)

wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:4a:c1:aa  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:94 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18943 (18.9 KB)  TX bytes:0 (0.0 B)

root@bt:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

I use the following commands to place the card into monitor:

Code:

root@bt:~# ifconfig wlan0 down
root@bt:~# iwconfig wlan0 mode monitor
root@bt:~# ifconfig wlan0 up

So then I have:

Code:

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:25:22:a8:53:7e  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:43 Base address:0x8000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8057 (8.0 KB)  TX bytes:8057 (8.0 KB)

wlan0     Link encap:UNSPEC  HWaddr 00-C0-CA-4A-C1-AA-30-30-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:36918 (36.9 KB)  TX bytes:0 (0.0 B)

root@bt:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bgn  Mode:Monitor  Tx-Power=20 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

I run airmon check and kill the processes:

Code:

root@bt:~# airmon-ng check kill

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID    Name
1341    dhclient3
1393    dhclient3
Process with PID 1341 (dhclient3) is running on interface wlan0
Killing all those processes...

Airmon now reports nothing that might interfere. I start airodump and immediately get some feedback:

Code:

root@bt:~# airodump-ng -c 11 wlan0

 CH 11 ][ Elapsed: 4 s ][ 2011-06-22 12:14                                     
                                                                               
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH E
                                                                               
 00:FE:F4:16:2A:C8  -72   0        5        0    0   1  54e. WPA2 CCMP   PSK  B
 00:24:B2:AF:C9:82  -82   0       10        0    0   1  54 . OPN              T
 00:1E:74:BA:DE:0B  -84   0        6        8    0   1  54   WPA  TKIP   PSK  S
 00:18:4D:44:88:3C  -86   0        7        0    0   1  54e. WPA  TKIP   PSK  S
                                                                               
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes     
                                                                               
 00:1E:74:BA:DE:0B  00:18:4D:31:6C:9E   -1    1 - 0      0        8

Airodump functions normally but then, every single time, when the elapsed time reaches 2 minutes it stops picking anything up.

The best advice I have found so far is on the aircrack website and says, “if airodump-ng stops capturing data after a short period of time, the most common cause is that a connection manager is running on your system and takes the card out of monitor mode. Be sure to stop all connection managers prior to using the aircrack-ng suite. In general, disabling “Wireless” in your network manager should be enough but sometimes you have to stop them completely. It can be done with airmon-ng:”

It then advises to run ‘airmon-ng check kill’ which I already did prior to starting airodump, but this does not seem to have helped.

Running iwconfig after this tells me that my card is still in monitor mode but I have to drop it into managed mode and then back into monitor mode before it will pick anything up with airodump again, and then it just drops out at 2 minutes each time.

I’m under the impression, from what I have read, that it may be some network service or something that is running in conflict and that airmon-ng is failing to properly kill.

I wonder what the ‘dhclient3 process running on wlan0’ is that gets picked up by airmon?

My setup is on a dedicated machine, with BackTrack 5 GNOME-32 installed on a single partition HDD. I have updated and upgraded the packages. I have an Alfa AWUS036NH wireless card, which appears to work out of the box with the backtrack drivers, at least for the first 2 minutes.

When I try to test for injection I get ‘0 AP’s found’ as well, maybe that is related or maybe that is a separate issue that I will have to face after this one. I mention it just in case it is relevant, more information can be provided.

I’m at a loss because I don’t really know what commands to type to do any further kind of diagnostic work or to try to remedy the problem. I’m hoping some advice from the community will be able to point to a solution.

Thanks in advance!

[Mev69]

Ok. So now i have managed to get injection working via aireplay, and airodump working, but they both seem to get interrupted and then fail to work at all when restarted.

Despite my attempts to kill dhclient it seems that it can be reinvoked at any point when the system decides that the card needs reconfiguring. It seems this is what is happening in my case and why my card stops picking up traffic 'monitor' style after a short time.

So i go through all the commands as i posted above to put my card into monitor mode, kill the dhclient processes and start aireaplay or airodump. Everything works normally for a short time (with airodump, always 2 minutes) and then i either loose the AP and BSSID info in airodump or i get errors in aireplay (errors as though the card is not in monitor mode). At this point, when i re-run airmon-ng check i can see that the dhclient process is again running on my wireless card interface and usually the card has been put back into managed mode.

I have gained most of this info from reading the man pages for dhclient but I'm a bit of a n00b and so I'm not too confident with editing the conf files myself.

I guess I'll give it a go but any advice from anyone more experienced and knowledgeable would be greatly appreciated.

[TPwn666]

Good troubleshooting.

I think you're right and that another process is trying to take over wlan0. It seems in BT5, networking is started automatically, in contrast to previous BT versions. Anyone care to chime in on that? Admittedly I have only searched casually about that so I don't yet know the full story.

Regardless, I think you'll get past this by using airmon-ng to put your alfa into monitor mode

Code:

airmon-ng start wlan0

because then it will kind of create 'another' adapter from wlan0, and it will be mon0. Then, whatever process is grabbing wlan0 can just keep doing that because you'll be using mon0 instead.

This is how I use my Alfa AWUS036H (which I realize has a different chipset, but that shouldn't matter, and I don't think this is a driver issue). I use it from live cd, and installed as vm. It throws errors about other processes potentially causing a problem, and I ignore them and start airodump-ng and leave it running for as long as I like.

[Mev69]

Hi TPwn666, thanks for your reply and suggestions.

I switched to using iwconfig to place the card into monitor mode as when i used airmon i wasn't able to pick up any AP's at all.

Secondly, i can now effectively kill the dhclient3 process that kept coming back to life. I found the information in this link and it effectively involves stopping another service.

However, the situation seems to have changed quite a bit since my initial post.

As i said, i couldn't get the card to pick up any AP's using airmon to put the card into monitor mode, so i was using iwconfig and was able to get the card to pick up AP's in airodump for a period of 2 minutes, before it dropped out. I didn't notice at the time, but for those 2 minutes that it was picking up AP's, it wasn't actually working properly. The packet counts (Beacons, #Data, etc) would not increase beyond the first few detected, as can be seen in the code snippet below where airodump should have been picking up packets for over 1 minute.

Code:

 CH 11 ][ Elapsed: 1 min ][ 2011-06-28 15:06                                         
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                      
                                                                                                                             
 00:01:E3:EF:B0:22  -74   0        5        0    0  11  54 . WPA2 CCMP   PSK  OrangeEFB020               
 00:18:F6:AA:55:03  -82   0        6        0    0  11  54e  WEP  WEP         BTHomeHub-D0E8                                
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

Quite by accident i managed to get it to work properly by repeatedly switching the card between manage and monitor mode. I decided to test this and found the following;

The first time i place the card into monitor mode i only pick up a couple of AP's and the packet counts don't go up, as is seen in the code snippet above.

Usually, the second time i put the card into monitor mode, i pick up a few more AP's but the packet count doesn't go up still.

If it didn't work normally the second time, usually by the time i switch the card from managed to monitor for a third time airodump will work normally. It will detect all the AP's in range and the packet counts increase as normal for the entire time airodump is running. Notice this time the higher Beacons and #Data counts after 1 minute of elapsed time.

Code:

 CH 11 ][ Elapsed: 1 min ][ 2011-06-28 15:13                                         
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                      
                                                                                                         
 FA:7C:2E:BD:E9:E4   -1   0      163        1    0  11  54   WEP  WEP         WASC-001641d18dd3-PHILIPS  
 00:25:9C:8C:B1:B8  -40  90      742       61    1  11  54e  WPA2 CCMP   PSK  mbhwN                      
 00:01:E3:EF:B0:22  -76  60      623      231    1  11  54 . WPA2 CCMP   PSK  OrangeEFB020               
 00:18:F6:AA:55:03  -82  61      595        7    0  11  54e  WEP  WEP         BTHomeHub-D0E8             
 00:24:B2:F0:81:56  -84  57      558        0    0  11  54 . WPA  TKIP   PSK  SKY48942                   
 00:17:3F:92:2F:81  -86   4      115       94    0  11  54   WEP  WEP         Belkin_N1_Wireless_922F81  
 00:22:3F:5B:EC:E8  -86   0        2        0    0  11  54e. WPA2 CCMP   PSK  Hancock                    
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                
                                                                                                          
 FA:7C:2E:BD:E9:E4  00:16:41:D1:8D:D3  -86    0 - 1     11      163                                        
 FA:7C:2E:BD:E9:E4  00:1A:6B:04:C4:F7  -86    0 - 1      0        1                                        
 00:25:9C:8C:B1:B8  7C:61:93:03:74:E5  -127    0 - 0e     0        9                                       
 (not associated)   64:A7:69:B3:20:76  -70    0 - 1      0        4  TALKTALK-778CD4                       
 00:18:F6:AA:55:03  00:16:44:1D:2B:27   -1    5 - 0      0        2                                        
 (not associated)   64:A7:69:B3:20:76  -70    0 - 1      0        4  TALKTALK-778CD4                      
 (not associated)   00:26:AB:69:1B:86  -74    0 - 1      0        2                                       
 (not associated)   00:26:37:3F:97:55  -86    0 - 1      0        1

Sometimes the number of times i have to switch the card varies and i get mixed results until it starts working normally. But I can leave it running once it is working for as long as i like.

Once i have been through the above process to get the card working, i am able to drop wlan0 back into managed mode and then use 'airmon-ng start wlan0' to place the card into monitor, and now, this time, when i run airodump (with mon0) it works! So putting the card into monitor mode with airmon only works after i have managed to get airodump working by repeatedly switching the card between managed/monitor using iwconfig.

This is wierd, but kind of good, at least now i can (eventually) run airodump for as long as i like using either wlan0 or mon0 depending on how i chose to switch the card. However, the whole thing come grinding to a halt when i use aireplay. It seems to either switch wlan0 back into managed mode (if i am using wlan0) or drop mon0 completely (if i am using mon0).

So, whilst airodump is running, i open another shell and run aireplay but then get the following error:

Code:

root@bt:~# aireplay-ng -1 0 -e mbhwN -a 00:25:9C:8C:B1:B8 -h 00:C0:CA:4A:C1:AA  wlan0
15:17:36  Waiting for beacon frame (BSSID: 00:25:9C:8C:B1:B8) on channel 11

15:17:36  Sending Authentication Request (Open System)

15:17:39  Sending Authentication Request (Open System)read failed: Network is down
wi_read(): Network is down

And airodump halts with the following error:

Code:

 CH 11 ][ Elapsed: 1 min ][ 2011-06-28 15:17                                         
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                      
                                                                                                         
 FA:7C:2E:BD:E9:E4   -1   0      182        3    0  11  54   WEP  WEP         WASC-001641d18dd3-PHILIPS  
 00:25:9C:8C:B1:B8  -39  89      856       64    0  11  54e  WPA2 CCMP   PSK  mbhwN                      
 00:01:E3:EF:B0:22  -76  64      712      218    0  11  54 . WPA2 CCMP   PSK  OrangeEFB020               
 00:18:F6:AA:55:03  -83  89      694      109    0  11  54e  WEP  WEP         BTHomeHub-D0E8             
 00:24:B2:F0:81:56  -84  62      554        0    0  11  54e. WPA  TKIP   PSK  SKY48942                   
 00:17:3F:92:2F:81  -87   0       13        4    0  11  54   WEP  WEP         Belkin_N1_Wireless_922F81  
 00:22:3F:5B:EC:E8  -88   0        2        0    0  11  54e. WPA2 CCMP   PSK  Hancock                    
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                               
                                                                                                          
 FA:7C:2E:BD:E9:E4  00:16:41:D1:8D:D3  -88    0 - 1     18      185                                        
 (not associated)   64:A7:69:B3:20:76  -72    0 - 1      0        6  TALKTALK-778CD4                       
 (not associated)   00:26:AB:69:1B:86  -78    0 - 1      0        4                                        
 00:25:9C:8C:B1:B8  00:C0:CA:4A:C1:AA    0    0 - 1      0        1                                        
 00:25:9C:8C:B1:B8  7C:61:93:03:74:E5  -127    0 - 0e     0        7                                       
 00:18:F6:AA:55:03  00:16:44:1D:2B:27   -1    1 - 0      0      153                                       
 00:18:F6:AA:55:03  00:16:44:1D:2B:27   -1    1 - 0      0      153                                       
read failed: Network is down
Interface wlan0: 
ioctl(SIOCGIFINDEX) failed: No such device
Can't reopen wlan0

So wlan0 or mon0 are no longer usable, as a consequence of running aireplay!! When i run iwconfig, either wlan0 has been switched back into managed mode or if i was using mon0 it has been dropped.

Why would running aireplay make this happen? Why do i have to repeatedly switch my card from managed to monitor to get airodump to work normally?

What am i getting wrong? I know i'm a n00b but surly with my rig configuration/card this should work fairly easily??

[jamko]

Hi TPwn666, thanks for your reply and suggestions.

However, the whole thing come grinding to a halt when i use aireplay. It seems to either switch wlan0 back into managed mode (if i am using wlan0) or drop mon0 completely (if i am using mon0).

So, whilst airodump is running, i open another shell and run aireplay but then get the following error:

Code:

root@bt:~# aireplay-ng -1 0 -e mbhwN -a 00:25:9C:8C:B1:B8 -h 00:C0:CA:4A:C1:AA  wlan0
15:17:36  Waiting for beacon frame (BSSID: 00:25:9C:8C:B1:B8) on channel 11

15:17:36  Sending Authentication Request (Open System)

15:17:39  Sending Authentication Request (Open System)read failed: Network is down
wi_read(): Network is down

And airodump halts with the following error:

read failed: Network is down
Interface wlan0:
ioctl(SIOCGIFINDEX) failed: No such device
Can't reopen wlan0[/CODE]


So wlan0 or mon0 are no longer usable, as a consequence of running aireplay!!

Did you find a resolution to aireplay crashing your card? I am also having this same above issue with the Alfa AWUS036NH, every time I run aireplay, my adapter crashes. I am running BT4 R2 in VirtualBox, installed. When this happens I have to reboot host computer to get the adapter functioning again.

[sickness]

Did you find a resolution to aireplay crashing your card? I am also having this same above issue with the Alfa AWUS036NH, every time I run aireplay, my adapter crashes. I am running BT4 R2 in VirtualBox, installed. When this happens I have to reboot host computer to get the adapter functioning again.

Download the latest Backtrack 5, Backtrack 4 is not longer supported.

[shadowzero]

I found this which might be of some help: http://forum.aircrack-ng.org/index.php?topic=5755.0
If you haven't already, I'd suggest contacting the author of that post as he/she seems to have gotten it working.

[ekajjake]

BT5 shouldn't start networking automatically, as that has been the case with all releases. Try using "airmon-ng start wlan0" to start up monitor mode. That way you have a "mon0" interface to start airodump on, in addition to any other aircrack-ng tools. Check that the mon0 interface is up and in monitor mode with an iwconfig. When you are finished capturing, or finished using the monitor mode interface (usually mon0), you can run "airmon-ng stop mon0" to stop the interface. Hope this helps, as it is the way I capture packets in monitor mode.

-ekajjake

[michelinok]

I've the same exact problem with bt5, and yes, i'm using airmon-ng start wlan0
Any suggestion?

[michelinok]

I've just tryed from the live dvd and got the same results...after some minutes airodump stops capturing packets,i've also tryed reinstalling on hdd, same result.

Any idea?