AP: mon.wlan0 vs wlan0

[Andreas Hartmann <andihartmann@freenet.de>]

Hello,

I traced mon.wlan0 and wlan0 on an accesspoint, because I wanted to see,
which data is sent through which device (WPA2 TLS).

That's what I saw:


				mon.wlan0		wlan0
---------------------------------------------------------------------------------
initial authentication

probe request			x
probe response			x (2 times)
authentication requ		x
authentication resp		x (2 times)
association request		x
association response		x (2 times)

request identity		x (2 times)
response identity					x
request eaptls			x (2 times)

Server Hello			x
Client Hello						x
IEEE 802.11			x

request eap-tls			x (2 times)
response eap-tls					x (2 times)
Change Cipher Spec		x (2 times)
Certificate Client					x
EAP Success			x (2 times)
Response eap-tls					x
EAPOL Key msg 1/4		x (2 times)
EAPOL Key msg 2/4					x
EAPOL Key msg 3/4		x (2 times)
EAPOL Key msg 4/4					x
IEEE 802.11 action success	x


GTK - rekeying

QoS Data			2 times (WEP and CCMP)
EAPOL Key msg 2/2					x


Reauthentication

QoS (request identity?)		x
response identity					x
QoS (server hello?)		x
client hello						x
QoS (Change Cipher Spec?)	x
QoS (EAPOL Key msg 1/4?)	x
EAPOL Key msg 2/4					x
QoS (EAPOL Key msg 3/4?)	x
EAPOL Key msg 4/4					x
QoS (IEEE 802.11 success)	x


I'm surprised, that not all of the management packages went through the
mon-device.
At the beginning (initial connection), all data went through the
mon-device. After the association, all management data from the client
(supplicant) goes through the normal wlan0 device - I would have
expected, that all management and authorization data went through the
mon device.

Could anybody please shed some light on this?


Thank you,
Andreas