hcxdumptool poor injection ratio
#1
I am using an Asus AWUS036AC adapter (Chipset RTL8812AU). I also upgraded the antennas to 10 dBi.

The card gets excellent reception. However, when using hcxdumptool, it is not performing very well (I don't think). I ran hcxdumptool -i wlan1 --do_rcascan and it only hits about 7-9% injection ratio.

In comparison, my cheaper TP-Link WN772N, which doesn't have nearly the range of my Asus, seems to perform much better at picking up PMKIDs.

Is there anything I can do to improve the injection ratio?

Thanks for any insight.
#2
Realtek chipsets are not recommended to be used in combination with hcxdumptool/hcxlabtool due to their NETLINK dependency (README.md).
Code:
Adapters
--------------
Driver must support (mandatory) ioctl() system calls, monitor mode and full packet injection.
NETLINK (libnl) is not supported (asynchronous).
Get information about VENDOR, model, chipset and driver here: https://wikidevi.wi-cat.ru/
Manufacturers do change chipsets without changing model numbers. Sometimes they add (v)ersion or (rev)ision.
Preferred chipsets are MediaTek and Ralink, because the stock kernel drivers are well maintained and provide ioctl() system call support, monitor mode and full frame injection out of the box.
This list is for information purposes only and should not be regarded as a binding presentation of the products:
* ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
* ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter)
* ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter
* ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
* ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi
* ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
* ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
* ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter

Always verify the actual chipset with 'lsusb' and/or 'lspci'!
Due to a bug in the xhci subsystem other devices may not work at the moment: https://bugzilla.kernel.org/show_bug.cgi?id=202541
No support for a third party driver which is not part of the official kernel (https://www.kernel.org/). Report related issues to the site from which you downloaded the driver.
No support for a driver which doesn't natively support ioctl() system calls, monitor mode and full frame injection. If you need these features, make a request on www.kernel.org

Not recommended WiFi chipsets due to driver problems:
* Broadcom (neither monitor mode nor frame injection)
* Intel PRO/Wireless (several driver issues and NETLINK dependency)
* Realtek (driver chaos - some drivers working, some not, monitor mode and frame injection mostly only on third party drivers, often no ioctl() system call support, NETLINK dependency)
* Atheros (some driver problems on older kernels)
more information about possible issues on https://bugzilla.kernel.org

Also, it is not recommended to use high TX power devices, because it doesn't make sense if you transmit with 1000mW RF power and your target only transmits using 100mW TX power. It is much better to use a high gain antenna in combination with a low TX power device. Antenna gain is cheaper and more efficient than power gain. Power gain may increase range only in the transmit direction, but in every case antenna gain increases range in both directions (transmit and receive).
Antenna theory and transmitter theory, and the practical use of both, form the core of the injection radio. There is a trade-off between both:
Increasing your TX power doesn't raise the level of the received signal on the same unit.
Increasing antenna gain whilst decreasing TX power of the adapter results in a greater range.
#3
This may help to understand the theory:
https://www.rfwireless-world.com/calcula...lator.html

BTW:
There are some more competitors in the range game like frequency and speed:
Increasing the frequency will decrease the range, because antenna gain is absolutely affected by frequency.
Increasing the speed will decrease the range.
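As an added illustration of the range argument made in #2 and #3 (example code, not part of the thread or of hcxdumptool), a free-space link budget in Python: it compares adding 10 dB of TX power against adding 10 dBi of antenna gain, direction by direction, and shows how the same budget shrinks at 5 GHz. The AP power, AP antenna gain and receiver sensitivity are assumed sample figures.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis) in dB for a given distance and carrier frequency."""
    wavelength_m = C / (freq_mhz * 1e6)
    return 20.0 * math.log10(4.0 * math.pi * distance_m / wavelength_m)


def rx_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz):
    """Received power: transmit power plus both antenna gains minus path loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm, freq_mhz):
    """Distance at which the received power drops to the receiver sensitivity.
    Solves fspl_db(d) == tx + gains - sensitivity for d; range scales with wavelength."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    wavelength_m = C / (freq_mhz * 1e6)
    return wavelength_m / (4.0 * math.pi) * 10.0 ** (budget_db / 20.0)


# Assumed sample figures for the far end (a typical AP) and for receiver sensitivity.
AP_TX_DBM, AP_GAIN_DBI = 20.0, 2.0
SENSITIVITY_DBM = -85.0  # higher data rates need a less negative figure, i.e. less range


def link_ranges(adapter_tx_dbm, adapter_gain_dbi, freq_mhz=2437.0):
    """Return (adapter -> AP range, AP -> adapter range) in metres.
    The usable range is the smaller of the two: the AP's frames must reach us as well."""
    uplink = max_range_m(adapter_tx_dbm, adapter_gain_dbi, AP_GAIN_DBI, SENSITIVITY_DBM, freq_mhz)
    downlink = max_range_m(AP_TX_DBM, AP_GAIN_DBI, adapter_gain_dbi, SENSITIVITY_DBM, freq_mhz)
    return uplink, downlink


if __name__ == "__main__":
    cases = [
        ("baseline", link_ranges(20.0, 2.0)),        # 20 dBm adapter, 2 dBi antenna
        ("+10 dB TX power", link_ranges(30.0, 2.0)), # more power, same antenna
        ("+10 dBi antenna", link_ranges(20.0, 12.0)),# same power, better antenna
    ]
    for name, (up, down) in cases:
        print(f"{name:16s} adapter->AP {up:7.0f} m  AP->adapter {down:7.0f} m  usable {min(up, down):7.0f} m")
    # Same budget on channel 36 (5180 MHz): the shorter wavelength costs range.
    print("channel 36 usable range: %.0f m" % min(link_ranges(20.0, 2.0, 5180.0)))
```

Only the antenna-gain case improves the usable (smaller) range; extra TX power leaves the AP->adapter direction where it was.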
#4
That is very interesting and informative. Thank you for taking the time to explain it.

I have tried many different adapters/antennas. Do you have an adapter and antenna that you recommend?

Also, just curious, but does the same principle that you explained above also apply to methods like obtaining handshakes with airodump-ng?
#5
Yes I have:
https://github.com/ZerBea/hcxdumptool/wi...g-system-2
https://github.com/ZerBea/hcxdumptool/wi...g-system-1
https://github.com/ZerBea/hcxdumptool/wi...g-system-4
https://github.com/ZerBea/hcxdumptool/wi...g-system-5

and some more adapter information here:
https://github.com/ZerBea/hcxdumptool/wi...i-Adapters

MediaTek (former Ralink) and Ralink chipsets are fine. Both drivers (rt2x00 and mt76) are part of the Linux stock kernel and well maintained.

ALFA AWUS036ACM ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter
Code:
$ hcxdumptool -I
wlan interfaces:
phy2    00c0caf3718a    wlp39s0f3u1u1u1    (driver:mt76x2u)

$ sudo hcxdumptool -i wlp39s0f3u1u1u1 --check_injection -c 6
initialization of hcxdumptool 6.2.7-30-g362a817 (depending on the capabilities of the device, this may take some time)...
starting antenna test and packet injection test (that can take up to two minutes)...
stage 2 of 2 probing frequency 2437/6 proberesponse 10  
packet injection is working on 2.4GHz!
injection ratio: 100% (BEACON: 10 PROBERESPONSE: 30)
your injection ratio is huge - say kids what time is it?
antenna ratio: 93% (NETWORK: 32 PROBERESPONSE: 30)
your antenna ratio is huge - say kids what time is it?

CSL 300MBit 300649 ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter
Code:
$ hcxdumptool -I
wlan interfaces:
phy1    dc4ef4036f69    wlp39s0f3u1u1u1    (driver:rt2800usb)

$ sudo hcxdumptool -i wlp39s0f3u1u1u1 --check_injection -c 6
initialization of hcxdumptool 6.2.7-30-g362a817 (depending on the capabilities of the device, this may take some time)...
starting antenna test and packet injection test (that can take up to two minutes)...
stage 2 of 2 probing frequency 2437/6 proberesponse 14  
packet injection is working on 2.4GHz!
injection ratio: 52% (BEACON: 40 PROBERESPONSE: 21)
your injection ratio is good
antenna ratio: 100% (NETWORK: 1 PROBERESPONSE: 1)
your antenna ratio is huge - say kids what time is it?
#6
Thank you so much for this wealth of information.
#7
Both devices mentioned above are high TX power devices, but they are powered down (20dBm instead of the possible 30dBm) by the wireless regulatory domain:
Code:
$ iw reg get
global
country DE: DFS-ETSI
    (2400 - 2483 @ 40), (N/A, 20), (N/A)
    (5150 - 5250 @ 80), (N/A, 23), (N/A), NO-OUTDOOR, AUTO-BW
    (5250 - 5350 @ 80), (N/A, 20), (0 ms), NO-OUTDOOR, DFS, AUTO-BW
    (5470 - 5725 @ 160), (N/A, 26), (0 ms), DFS
    (5725 - 5875 @ 80), (N/A, 13), (N/A)
    (5945 - 6425 @ 160), (N/A, 23), (N/A), NO-OUTDOOR
    (57000 - 66000 @ 2160), (N/A, 40), (N/A)
Also, the channels and the operation modes are limited by the regulatory domain to prevent jamming weather RADAR.

hcxdumptool and hcxlabtool respect these (crda) settings:
Code:
$ hcxdumptool -I
wlan interfaces:
phy0    00c0caf3718a    wlp39s0f3u1u1u1    (driver:mt76x2u)

$ sudo hcxdumptool -i wlp39s0f3u1u1u1 -C
initialization of hcxdumptool 6.2.7-30-g362a817 (depending on the capabilities of the device, this may take some time)...
wlp39s0f3u1u1u1 available frequencies, channels and tx power reported by driver:
2412MHz   1 (20 dBm)
2417MHz   2 (20 dBm)
2422MHz   3 (20 dBm)
2427MHz   4 (20 dBm)
2432MHz   5 (20 dBm)
2437MHz   6 (20 dBm)
2442MHz   7 (20 dBm)
2447MHz   8 (20 dBm)
2452MHz   9 (20 dBm)
2457MHz  10 (20 dBm)
2462MHz  11 (20 dBm)
2467MHz  12 (20 dBm)
2472MHz  13 (20 dBm)
2484MHz  14 ( 0 dBm)
5180MHz  36 (20 dBm)
5200MHz  40 (20 dBm)
5220MHz  44 (20 dBm)
5240MHz  48 (20 dBm)
5260MHz  52 (20 dBm)
5280MHz  56 (20 dBm)
5300MHz  60 (20 dBm)
5320MHz  64 (20 dBm)
5500MHz 100 (20 dBm)
5520MHz 104 (20 dBm)
5540MHz 108 (20 dBm)
5560MHz 112 (20 dBm)
5580MHz 116 (20 dBm)
5600MHz 120 (20 dBm)
5620MHz 124 (20 dBm)
5640MHz 128 (20 dBm)
5660MHz 132 (20 dBm)
5680MHz 136 (20 dBm)
5700MHz 140 (20 dBm)
5720MHz 144 (13 dBm)
5745MHz 149 (13 dBm)
5765MHz 153 (13 dBm)
5785MHz 157 (13 dBm)
5805MHz 161 (13 dBm)
5825MHz 165 (13 dBm)
5845MHz 169 (13 dBm)
5865MHz 173 (13 dBm)

terminating...

TX power on ch 14 is set to 0, because using this channel is not allowed in the EU:
2484MHz 14 ( 0 dBm)

Also you should know that the RTL8812AU driver is not(!) part of the Linux kernel:
https://git.kernel.org/pub/scm/linux/ker...k?h=v6.1.5
It is a third party driver from here:
https://github.com/aircrack-ng/rtl8812au
You can follow the problems here:
https://github.com/aircrack-ng/rtl8812au/issues
I know the maintainer and he really is doing his best on this driver, but unfortunately he is too busy to work on it constantly.
#8
Thanks again. I have learned a lot. I would like to get a TENDA W311U+, but I don't see one available online. Do you have another suggestion with a current available model?
#9
These days it is not easy to buy something like that. Most vendors sell cheap devices running Realtek chipsets. Most manufacturers change chipset but do not change packaging and order number.
You have to look twice, before purchasing such a device.
Just search for:
mt7610u
mt7601u
rt5370

https://duckduckgo.com/?q=mt7610u&t=ffab&ia=web
https://duckduckgo.com/?q=mt7601u&t=ffab&ia=web
https://duckduckgo.com/?t=ffab&q=rt5370&ia=web


Do not buy these ultra cheap ones (neither mt76 nor rt5370 devices using this case):
https://ricelee.s3.ap-northeast-1.amazon...ngle-1.jpg
#10
Just noticed this driver update and the first impression is quite good:
https://github.com/kimocoder/realtek_rtwifi/issues/34
Let's see how the device (in my case a cheap TP-Link TL-WN722N v2/v3 - Realtek RTL8188EUS chipset) performs in further tests.