SDB:Tracking down wireless problems

Jump to: navigation, search
Icon-cleanup.png
This article is in need of attention because it does not follow our wiki guidelines. Seems to be not up to date - e. g. no warning about Wired Equivalent Privacy (WEP) as a deprecated and insecure old technique. --Pistazienfresser 16:32, 6 February 2011 (MST)
If you want to contribute, please read the rules for this wiki and if you have any questions, don't hesitate to contact the wiki team, we are more then willing to help you! :-)


This page aims to be a guide on how to track down wireless issues as a lot of components are involved when setting up a wireless connection either using Network Manager or YaST.

Purpose

The main components used when setting up a wireless connection are:

Common Pitfalls

MAC Address Filter

Be sure to disable the MAC address filter in your wireless access point (WAP, AP) or add your wireless card's MAC address.

Kill Switch

Most built-in wireless cards may be activated/deactivated using a hardware switch. Make sure the wireless device is physically enabled. If the hardware switch is deactivated the driver has no chance to set the wireless network up.

Firmware

Some wireless devices (e.g. iwl3945, iwlagn, b43, ...) need a so-called firmware which has to be provided by the host operating system. Some firmware files are already provided with openSUSE in form of rpm packages (e.g. iwl3945-ucode or ralink-firmware) but some firmware files may not be provided due to legal reasons. Hence they have to be installed manually. Some of these firmware files may be downloaded with scripts provided in /usr/sbin (e.g. install_acx100_firmware, install_bcm43xx_firmware and install_intersil_firmware).

To determine if you need to install firmware:

dmesg | less

and step through the output looking for error messages.

Channels 12,13 and 14 are disabled (wrong regulatory domain)

As of openSUSE 11.0 most wireless drivers depend on mac80211. Regulatory domain handling has been implemented in the wireless stack, but it is not available until kernel 2.6.27. In order to stay FCC compliant the stack enables only the minimal subset of available channels (1-11 in the bg-band). For example in Germany the channels 12 and 13 are allowed too but disabled by default. These channels can be enabled by overwriting the regulatory domain (allowed parameters are US, EU and JP):

echo "options cfg80211 ieee80211_regdom=EU" > /etc/modprobe.d/cfg80211 

Either reload all wireless modules (mac80211, cfg80211, iwl3945, etc.) or just reboot to enable the new regulatory domain.

This is fixed in Factory due to the use of CRDA

NetworkManager

Which logs are needed

In order to track down wireless issues with NetworkManager the following logs are needed after a failed connection attempt:

  • /var/log/NetworkManager
  • /var/log/wpa_supplicant (if possible with verbose debug output)
  • the output of dmesg

Enable wpa_supplicant debug output

Permanent

To get maximum debug output from wpa_supplicant you have to modify the file /usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service.

Just change the line

Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log

to

Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -dddt -f /var/log/wpa_supplicant.log

and run the following commands as root:

> rcnetwork stop
> killall wpa_supplicant
> rcnetwork start

Now wpa_supplicant will write very verbose debug output to /var/log/wpa_supplicant.log

Short Term

If the debug output should be enabled only for a short period of time (for example to debug one connection attempt) the debug level can be changed with

> kill -SIGUSR1 `pidof wpa_supplicant`

The supplicant log (/var/log/wpa_supplicant) will print a line indicating the new debug level:

Signal 10 received - changing debug level to MSGDUMP

JFI: this is openSUSE specific, the signal handler is not implemented in upstream wpa_supplicant

How to set up a connection manually

Stop NetworkManager and wpa_supplicant

In order to set up a connection manually ensure that no instance of NetworkManager or wpa_supplicant is running at the moment.

> rcnetwork stop
> killall wpa_supplicant

If your access point does not use any security you may use plain iwconfig for setting the connection up. Even WEP secured connections can be set up this way. For all other connection types (WPA-PSK, WPA-EAP, 802.1x with dynamic WEP) wpa_supplicant is required.

Basic commands

First run iwconfig to find out which wireless interface you want to use.

> iwconfig
lo        no wireless extensions.

eth1      no wireless extensions.

eth0      unassociated  ESSID:""
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power=20 dBm   Sensitivity=8/0
          Retry limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:3  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:53   Missed beacon:0

In this example eth0 is the wireless interface.

If you don't know the name (Essid) of your wireless network you might want to run a scan.

> iwlist eth0 scan
...
          Cell 02 - Address: XX:XX:XX:XX:XX:XX
                    ESSID:"XXXXXX"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:2
                    Frequency:2.417 GHz (Channel 2)
                    Encryption key:off
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=37/100  Signal level=-78 dBm
                    Extra: Last beacon: 488ms ago
...

This command prints all access points in range. If your access point doesn't show up in the list it does most likely not broadcast its essid. Try scanning for this specific network.

> iwlist eth0 scan essid your_essid_here
...

iwconfig

Unsecured connection

If you are using a mac80211-driver (e.g. iwl3934, iwl4965, ath5k, b43, rtl8187, rt2x00, ...) the interface has to be up before the connection can be established:

> ip link set eth0 up

Setting up an unsecured wireless connection with iwconfig is quite easy.

> iwconfig eth0 essid your_essid_here

Wait a few seconds and run iwconfig to see if a connection was established.

> iwconfig eth0
eth0      IEEE 802.11g  ESSID:"XXXXXX"
          Mode:Managed  Frequency:2.417 GHz  Access Point: XX:XX:XX:XX:XX:XX
          Bit Rate:54 Mb/s   Tx-Power=20 dBm   Sensitivity=8/0
          Retry limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=58/100  Signal level=-68 dBm  Noise level=-90 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:10

The important information is

  • Access Point: XX:XX:XX:XX:XX:XX - should contain the MAC-address of your access point
  • Link Quality=58/100 - should be something else then 0
  • Signal level=-68 dBm - should be something else then 0
  • Noise level=-90 dBm - should be something else then 0

Now the wireless connection is set up :)

But before you can actually do something useful with this connection you have to get an IP address as described later (Getting an IP address).

WEP secured connection

TBD

wpa_supplicant

Setting up a connection using wpa_supplicant is a bit more complicated than connection to an unsecured wireless network. You first have to write a configuration file which contains all needed information. The configuration file first contains some basic information which is identical for every network you want to connect to.

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1

The next step is to include the required network block into the configuration file. The network block differs for each type of wireless security.

Open System WEP

network={
        ssid="your_ssid_here"
        key_mgmt=NONE
        group=WEP40 WEP104
        # Passphrase keys must be in double-quotes. Hex and ASCII are ok unquoted
        wep_key0=FFFFFFFFFF
        # wep_key1="passphrase"
        # wep_key2=CCCCC
        # wep_key3="another_passphrase"
        priority=5
        #Be sure to set the wep_keyX you want to try first using this
        wep_tx_keyidx=0
        auth_alg=OPEN
}

WPA with shared keys (PSK)

For a wpa-psk-secured network, just take this one and modify the parameters ssid and psk.

network={
	ssid="your_essid_here"
	psk="your_password_here"
	key_mgmt=WPA-PSK
	priority=5
	proto=WPA
}

WPA-EAP

 network={
       ssid="your_essid_here"
       identity="your_usename_here"
       psk="your_password_here"
       # wpa_supplicant debug output will tell you what to put here
       subject_match="/C=US/ST=Utah/L=Provo/O=Novell, Inc./CN=foo.novell.com"
       proto=WPA
       key_mgmt=WPA-EAP
       group=CCMP TKIP
       eap=PEAP
       phase2="auth=MSCHAPV2"
       ca_path="/etc/ssl/certs"
 }

Starting the connection

To start the previously configured connection using wpa_supplicant run the following command

> wpa_supplicant -Dwext -ieth0 -c/etc/your_config_file -dddt

-Dwext tells wpa_supplicant to use the wext-driver for communication with the low level driver, most current drivers should work fine with this setting (at least add mac80211-based drivers).
-ieth0 describes which interface should be used for the wireless connection
-c/etc/your_config_file simply tells wpa_supplicant which configuration to use
-dddt enables maximum debug output

After a few seconds wpa_supplicant hopefully shows something like

1213018160.349324: State: GROUP_HANDSHAKE -> COMPLETED
1213018160.349334: CTRL-EVENT-CONNECTED - Connection to XX:XX:XX:XX:XX:XX completed (auth) [id=0 id_str=]
1213018160.349341: wpa_driver_wext_set_operstate: operstate 0->1 (UP)
1213018160.349348: WEXT: Operstate: linkmode=-1, operstate=6
1213018160.349880: EAPOL: External notification - portValid=1
1213018160.349899: EAPOL: External notification - EAP success=1
1213018160.349905: EAPOL: SUPP_PAE entering state AUTHENTICATING
1213018160.349911: EAPOL: SUPP_BE entering state SUCCESS
1213018160.349917: EAP: EAP entering state DISABLED
1213018160.349924: EAPOL: SUPP_PAE entering state AUTHENTICATED
1213018160.349930: EAPOL: SUPP_BE entering state IDLE
1213018160.349954: RTM_NEWLINK: operstate=1 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
1213018160.349965: RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
1213018161.356786: RSN: processing PMKSA candidate list
1213018161.356821: RSN: not in suitable state for new pre-authentication
1213018161.852768: EAPOL: startWhen --> 0

The wireless connection is set up and you can verify it by using iwconfig on a new console as described before.

wpa_gui

To make life somewhat easier, wpa_supplicant has two companion applications wpa_cli and wpa_gui. While wpa_cli is part of the wpa_supplicant package, you will need to install wpa_gui separately.

# zypper in wpa_supplicant-gui

For wpa_gui to be able to cooperate with wpa_supplicant, we need to edit the file /etc/wpa_supplicant/wpa_supplicant.conf with gedit or your favorite editor.

# gedit /etc/wpa_supplicant/wpa_supplicant.conf

We simply add "update_config=1" after the existing lines and save the file. For reference to wpa_supplicant configuration see /usr/share/doc/packages/wpa_supplicant/wpa_supplicant.conf

Now we start wpa_supplicant

# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -B

followed by

# wpa_gui

The wpa_gui dialog opens, we press scan and are presented with a window listing all detected Access Points. Double clicking on any one entry opens yet another dialog which lets us enter the passphrase, by pressing Add, the network is added to wpa_gui and connection is made. This works for open, WEP and WPA encrypted networks. wpa_gui also writes the proper parameters to wpa_supplicant.conf, so if you're interested what they look like, do

# cat /etc/wpa_supplicant/wpa_supplicant.conf

Note: wpa_gui will not work with the instance of wpa_supplicant started by NetworkManager, as that is using D-Bus to communicate. It works perfectly with the instance started by ifup though, not even a configuration file is needed.

Getting an IP address

DHCP

If your network uses dhcp for IP address assignment you need to first check for instances of dhcpcd or dhclient running and stop them, if any.

# killall -TERM dhcpcd dhclient

Now you can use either dhcpcd wlan0 | eth1 or dhclient wlan0 | eth1 to acquire an IP address

# dhcpcd wlan0

If dhccpcd returns to the commandline the interface should have an IP address assigned. That can be verified using ip.

> ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 50
    link/ether XX:XX:XX:39:49:b4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.173/24 brd 196.168.0.255 scope global eth0
    inet6 fe80::212:f0ff:fe39:49b4/64 scope link 
       valid_lft forever preferred_lft forever

The relevant part is 192.168.0.173.

Manual IP setup

Just set the desired IP address using iproute2

> ip addr add 192.168.0.145/24 dev eth0

Verify if the connection is working

The best way to determine if the connection is up and running is to ping an internet site

>  ping google.com
PING google.com (64.233.167.99) 56(84) bytes of data.
64 bytes from py-in-f99.google.com (64.233.167.99): icmp_seq=1 ttl=242 time=156 ms
64 bytes from py-in-f99.google.com (64.233.167.99): icmp_seq=2 ttl=242 time=151 ms
64 bytes from py-in-f99.google.com (64.233.167.99): icmp_seq=3 ttl=242 time=151 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2008ms
rtt min/avg/max/mdev = 151.011/152.976/156.665/2.648 ms

If the output looks like the above the connection is working!

If you don't get that response, you may want to check whether at least the AP is reachable. In this example 192.168.0.1:

ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=1.75 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=2.14 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=1.75 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=1.84 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3012ms
rtt min/avg/max/mdev = 1.754/1.874/2.145/0.160 ms

If you can ping the AP but no Internet address, there is someting wrong with name resolution. This could be caused by two NICs being enabled (i.e. wired and wireless) where each one has dhcpcd running.

Please take down both interfaces and then up the wireless NIC and retry from top.

# ifdown eth0
# ifdown wlan0 
# ifup wlan0

TODO: Explain what to do now..

Capturing packets aka monitor mode

Needed software

For capturing packets on a wireless interface you can use kismet. Afterwards Wireshark is able to read a capture file produced by kismet and show the packets in a user friendly way.

Enable monitor mode

If you have a second wireless card which can be used for monitoring the wireless traffic the following starts capturing the traffic:

> ip link set wlan0 down
> iwconfig wlan0 mode monitor
> ip link set wlan0 up
> iwconfig wlan0 channel X
> wireshark -i wlan0 -k

This will open wireshark and start capturing all frames received by wlan0 on channel X.

FAQ

Q: My connection is dropped every few minutes
A: Some access points tend to drop connections if the client is inactive for a specific amount of time. Sometimes this behavior can be changed in the access points configuration interface.

Links to Novell and openSUSE pages

External links

Authors

Helmut Schaa <hschaa@suse.de>