default kernel option CONFIG_BPF_JIT=y breaking bpf filtering on 802.11 monitor mode traffic
Username: Tyler Gray
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2197
Between 18.06.2 and trunk, the kernel option CONFIG_BPF_JIT=y was added.
With JIT enabled, a simple beacon filter shows no traffic.
With JIT disabled, the filter works normally.
Device: ar71xx generic device (gl-mifi)
Test:
put the radio card in monitor mode:
iw wlan0 set type monitor
ifconfig wlan0 up
iw wlan0 set channel 1 # some channel with an AP
tcpdump -i wlan0
see lots of traffic and beacons
tcpdump -i wlan0 wlan type mgt subtype beacon
no traffic
Fix:
echo 0 > /proc/sys/net/core/bpf_jit_enable
tcpdump -i wlan0 wlan type mgt subtype beacon
see lots of beacons
More detail:
Testing on my side, with JIT enabled, it seems to be computing the offset to the start of the wlan packet incorrectly. In my case, the offset was off by +16 bytes. A filter of "wlan[0] == 0x80" should show beacons, because the type/subtype field is the first byte of the wlan packet. With JIT enabled, wlan[0] was equal to the first byte of the addr3/bssid field (the first byte of my AP's MAC address), which is 16 bytes later in the packet.
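To make the offset arithmetic in the report concrete, here is an added Python example (not part of the bug report or of OpenWrt) that builds a constructed radiotap-plus-beacon capture, reads the frame offset from the radiotap it_len field the way libpcap does, and evaluates the "wlan type mgt subtype beacon" test (wlan[0] & 0xfc == 0x80) at the correct offset and at an offset skewed by +16 bytes. The AP MAC, SSID and radiotap fields are made-up sample values; the field layout follows the public radiotap and 802.11 header formats.

```python
"""Why a +16 byte link-layer offset error makes 'wlan[0] == 0x80' miss beacons.

The capture below is constructed for illustration, not taken from the report.
Radiotap: it_len is a little-endian u16 at bytes 2..3 of the capture and gives
the offset of the 802.11 frame. 802.11 management header: fc(2) dur(2)
addr1(6) addr2(6) addr3(6) seq(2), so addr3 starts 16 bytes into the frame.
"""
import struct

# --- constructed sample capture -------------------------------------------
RADIOTAP = bytes([
    0x00, 0x00,              # it_version, it_pad
    0x0c, 0x00,              # it_len = 12 (little-endian)
    0x0a, 0x00, 0x00, 0x00,  # it_present: Flags (bit 1) and Rate (bit 3)
    0x10,                    # Flags: FCS present at end of frame
    0x02,                    # Rate: 1 Mbit/s in 500 kbit/s units
    0x00, 0x00,              # alignment padding up to it_len
])
AP_MAC = bytes.fromhex("021122334455")   # constructed, locally administered
BEACON = (
    b"\x80\x00"              # frame control: type mgt (0), subtype beacon (8)
    + b"\x00\x00"            # duration
    + b"\xff" * 6            # addr1: broadcast
    + AP_MAC                 # addr2: transmitter
    + AP_MAC                 # addr3: BSSID
    + b"\x10\x00"            # sequence control
    + struct.pack("<QHH", 0x1234, 100, 0x0411)  # timestamp, interval, capability
    + b"\x00\x04test"        # SSID information element (constructed)
)
PACKET = RADIOTAP + BEACON

# (start offset within the 802.11 frame, field name), in increasing order
WLAN_HDR_FIELDS = [(0, "frame control"), (2, "duration"), (4, "addr1"),
                   (10, "addr2"), (16, "addr3/bssid"), (22, "sequence control"),
                   (24, "frame body")]


def radiotap_length(pkt: bytes) -> int:
    """Return it_len: the offset of the 802.11 frame inside the capture."""
    if len(pkt) < 4 or pkt[0] != 0:
        raise ValueError("not a version-0 radiotap header")
    (it_len,) = struct.unpack_from("<H", pkt, 2)
    if it_len < 8 or it_len > len(pkt):
        raise ValueError("radiotap it_len out of range")
    return it_len


def wlan_byte0(pkt: bytes, skew: int = 0) -> int:
    """wlan[0] as a filter would see it if its frame offset were off by `skew`."""
    return pkt[radiotap_length(pkt) + skew]


def is_beacon(pkt: bytes, skew: int = 0) -> bool:
    """The byte test libpcap emits for 'wlan type mgt subtype beacon'."""
    return (wlan_byte0(pkt, skew) & 0xFC) == 0x80


def field_at(frame_offset: int) -> str:
    """Name the 802.11 header field that a given in-frame offset lands in."""
    name = "frame body"
    for start, label in WLAN_HDR_FIELDS:
        if frame_offset >= start:
            name = label
    return name


if __name__ == "__main__":
    # With the correct offset wlan[0] is 0x80 (beacon); skewed by +16 it reads
    # the first byte of addr3/bssid, i.e. the AP's MAC, and the filter fails.
    for skew in (0, 16):
        print(f"skew=+{skew:<2} wlan[0]=0x{wlan_byte0(PACKET, skew):02x} "
              f"({field_at(skew)}) beacon={is_beacon(PACKET, skew)}")
```

Running it prints one line per skew: at +0 the filter matches, at +16 wlan[0] is the first byte of the constructed AP MAC and the match fails, which is exactly the symptom described above. On a real system the same comparison can be made by capturing a few frames with tcpdump -w, then reading them back with and without the filter after toggling /proc/sys/net/core/bpf_jit_enable.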