Analysis of Injection Capabilities and Media Access of IEEE 802.11 Hardware in Monitor Mode
Stephan M. Günther*, Maurice Leclaire*, Julius Michaelis†, Georg Carle†
* Associate Institute for Signal Processing, Department of Electrical Engineering
† Institute for Network Architectures and Services, Department of Computer Science
Technische Universität München
Email: {guenther, j.michaelis, carle}@tum.de, leclaire@in.tum.de
Abstract—Support for monitor mode and frame injection is key
to setting up wireless testbeds based on IEEE 802.11 hardware that
allow implementation and evaluation of custom link-layer
protocols, e.g. network coding, opportunistic routing, and
software-defined networking. While monitor mode is a widely supported
feature, frame injection seems to be limited to legacy data rates in
the 2.4 GHz band, if supported at all. In addition, we found that
many devices do not adhere to basic media access procedures
when operating in monitor mode, which has severe effects in
contended environments.
In this paper we investigate the injection capabilities and
MAC procedures of different chipsets. To enable IEEE 802.11n
rates and 5 GHz, we developed a series of small patches, which
mostly apply to the generic part of the Linux drivers. In addition
we present a command line tool for automated evaluation of
injection capabilities of different devices. The patches, tools, and
the underlying injection library used in this paper are publicly
available [1].
I. INTRODUCTION
Monitor mode refers to an operational mode of wireless
hardware that makes any type of valid IEEE 802.11 frames
user-accessible. In contrast, a device operating in promiscuous
mode accepts frames not destined for the local node as
indicated by the receiver address but does not make available
management and control frames. Frame injection, i.e.,
transmission of cooked frames including link layer header,
is allowed only in monitor mode. Both features must be
supported by the device drivers and firmware.
There are several examples of testbeds and protocols
requiring monitor mode operation: In [2] a mesh testbed based
on IEEE 802.11n hardware is presented that relies on monitor
mode operation and raw frame injection. MORE [3] and
COPE [4] are different network coding implementations that
require a wireless interface operating in monitor mode capable
of frame injection. CloudMAC [5], [6] is an OpenFlow-based [7]
architecture that allows processing of IEEE 802.11
MAC frames on an OpenFlow controller. The implementation
of access points in CloudMAC relies on monitor mode operation
to forward link-layer frames. Investigating security issues
of wireless networks also requires low-level access to the
hardware. For instance, insecurities resulting from the virtual
carrier sense mechanisms in IEEE 802.11 are investigated and
practically evaluated in [8]–[10], which requires injection of
control frames. The Click modular router [11] is a framework
to create flexible software-based routers. It also offers the
possibility to use monitor interfaces for frame injection, which
was used for instance by the MIT roofnet project [12]. The
variety of applications for native frame injection shows that
there is reasonable scientific interest in hardware and drivers
offering robust monitor mode operation.
Identifying suitable chipsets and drivers for a testbed is
difficult. Choosing devices with stable drivers and high throughput
is a starting point but insufficient in general. The devices might
still show significant MAC layer misbehavior, e.g. not adhering
to basic media access rules or deliberately choosing
non-standard backoff intervals. As a result, performance in a
multi-node scenario is severely degraded although bulk injection
rates of individual devices indicate good performance. Many
researchers therefore rely on the popular Atheros/Qualcomm
PCIe-based chipsets, most of which are known to support
injection and offer solid and well-maintained drivers.
Media access procedures in wireless networks have been
intensively studied in the past. The efficiency of collision
avoidance mechanisms is analyzed in [13]. The basic access
procedure, the distributed coordination function (DCF), its
backoff algorithm, as well as RTS/CTS protection are
analytically modeled and analyzed in [14]. Theoretical throughput
under heavy traffic conditions, i.e., many concurrent
transmitters, is considered in [15]. An overview of various subsequent
studies can be found in [16], and a comparative,
measurement-based study of IEEE 802.11n compared to its predecessors is
given in [17].
However, these analyses do not take the implications of
monitor mode operation into account. One of the few publications
dealing with performance of frame injection is [2], which
presents a low-cost MIMO testbed based on IEEE 802.11n-capable
Atheros/Qualcomm devices. Features such as
per-packet rate selection and 5 GHz support also require driver
patches that are not publicly available to the best of our
knowledge.
This paper offers a comprehensive experimental
analysis of IEEE 802.11 hardware. We investigate their injection
capabilities and MAC procedures. This reveals significant
differences between chipsets, which are partly due to MAC
implementations not adhering to the standard. While this may
give individual devices an advantage when contending for
transmission opportunities, it may have serious side effects

978-1-4799-0913-1/14/$31.00 © 2014 IEEE