@netskink
Last active July 23, 2021 20:37
Trying to debug why I can not get the arduino connected to Google Cloud Platform IoT Core via MQTT
# Background
So, filed an issue with the arduino gcp library I am using. It's [here](https://github.com/GoogleCloudPlatform/google-cloud-iot-arduino/issues/230)
# Pivot
I was looking through code and getting lost, so I thought it might be helpful to see what happens in wireshark.
I figure I don't know SSL/TLS so at least just running a tool might enlighten me about the subject as well as perhaps
see where the failure occurs. For instance in GCP I don't see any errors in logs, so I am very concerned that it might be
failing after getting time sync from ntp server prior to first reporting of telemetry via mqtt. (From my limited time with
the code tracing it fails on the first read with a read failure error).
# Wireshark
Using this [guide](https://wiki.wireshark.org/CaptureSetup/WLAN#Linux) I configured a mon0 interface which seems
to be a virtual interface associated with my network capture card. According to the guide if an interface is not in monitor mode
it will not see traffic for other devices. It also mentions network manager will cause a channel switch problem. I have not figured
out how to adjust for this yet. Perhaps that is my problem with my wireshark setup. It's mentioned in the guide. I am using network manager.
## host interface config
See [ss1.png](https://flic.kr/p/2mcY8sn) for what ip addr output is. It shows wlx00c0ca6d23eb interface and its associated mon0 interface.
Perhaps this is a virtual interface? On the mon0 interface it shows it's set to PROMISC. Doesn't show monitor.
If I run the iw commands it shows that interface mon0 is set to type monitor. See ss1.png for this result as well.
## Wireshark config
After I created the mon0 interface I was able to configure the capture options for the interface to be "monitor" enabled. Before
I made the mon0 interface when I clicked enable monitor mode on the wlx00ca6d23eb interface it would refresh the list of
interfaces and then monitor would be disabled again. Using this method the setting would stick. Also FWIW, I'm not using
the built-in interface for wireshark. I am using an old alfa usb wifi gizmo. I believe it supports all the capabilities needed
for wifi captures. Perhaps I am wrong. See [ss2.png](https://flic.kr/ps/3N3tD5)
## Wireshark operation
I added some code in the arduino to print the mac address and ip address when active. The mac address is F8:F0:05:EC:83:08. The ip address is 192.168.3.251.
I am not using a capture address. After a capture, I can use the display filters to hone in on the arduino traffic using `wlan.addr == F8:F0:05:EC:83:08`.
When I do this, I see probe request/response frames initially. I believe this is for getting on the network, i.e. device sends probe
request and the access point/router responds with a probe response. Later I see Authentication frames, key frames, request to send frames, etc.
Where the SSL starts is a mystery.
I should also mention that in the source and destination address columns it lists NewportM_ec:83:08 for the mac address. I believe
that is the vendor bytes. I looked up newportm and it appears to be a manufacturer associated with atmel. I'm using a MKR1000 which I believe
uses an atmel part.
Anyway, traffic is in the buffer when I do display filter: `wlan.addr == F8:F0:05:EC:83:08` but once I switch to a display filter: `ssl` nothing is shown. See
ss3.png, last of mac addr associated frame ss4.png and no ssl frames ss5.png
* [ss3.png](https://flic.kr/ps/3N3tD5)
* [ss4.png](https://flic.kr/ps/3N3tD5)
* [ss5.png](https://flic.kr/ps/3N3tD5)
Any advice is appreciated.
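
An added example, not part of the original gist: one reason a monitor-mode capture can show frames for the device yet nothing under the `ssl` filter is that data frames sent after the key exchange carry the 802.11 Protected flag, so IP/TCP/TLS inside them is ciphertext to the dissector. The frames below are constructed, the radiotap header is assumed stripped, the AP address is made up, and that this network uses WPA/WPA2 is an assumption based on the "key frames" mentioned above.

```python
import struct

# (type, subtype) -> name for the frame kinds mentioned in the notes
NAMES = {(0, 4): "probe-request", (0, 5): "probe-response",
         (0, 11): "authentication", (1, 11): "rts",
         (2, 0): "data", (2, 8): "qos-data"}
PROTECTED = 0x40  # Frame Control flag: frame body is encrypted at the 802.11 layer
SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # LLC/SNAP prefix that precedes the EtherType

def classify(frame):
    """Return (name, protected, ethertype) for an 802.11 frame (radiotap stripped)."""
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    name = NAMES.get((ftype, subtype), "type%d/subtype%d" % (ftype, subtype))
    protected = bool(flags & PROTECTED)
    ethertype = None
    if ftype == 2 and not protected:
        off = 24 + (2 if subtype & 0x8 else 0)  # QoS data adds a 2-byte field
        llc = frame[off:off + 8]
        if len(llc) == 8 and llc[:6] == SNAP:
            ethertype = struct.unpack(">H", llc[6:])[0]
    return name, protected, ethertype

def payload_visibility(frames):
    """Count data frames whose upper layers are (readable, opaque) to a dissector."""
    readable = opaque = 0
    for f in frames:
        name, protected, _ = classify(f)
        if name in ("data", "qos-data"):
            if protected:
                opaque += 1
            else:
                readable += 1
    return readable, opaque

def hdr(fc0, flags, qos=False):
    """Build a constructed 802.11 header: station MAC from the notes, made-up AP."""
    sta, ap = bytes.fromhex("f8f005ec8308"), bytes.fromhex("020000000001")
    h = bytes([fc0, flags]) + b"\x00\x00" + ap + sta + ap + b"\x00\x00"
    return h + (b"\x00\x00" if qos else b"")

# Constructed sample frames, in the order the notes describe seeing them
SAMPLES = [
    hdr(0x40, 0x00),                                         # probe request
    hdr(0xB0, 0x00),                                         # authentication
    hdr(0x88, 0x01, qos=True) + SNAP + b"\x88\x8e\x02\x03",  # EAPOL key, cleartext
    hdr(0x88, 0x41, qos=True) + bytes(8) + b"\x17" * 16,     # protected: CCMP hdr + ciphertext
]
```

In Wireshark the same check is whether the device's data frames show the Protected flag (`wlan.fc.protected == 1`); dissecting TLS inside them requires giving Wireshark the network key and having the key handshake in the capture.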