Pok3r Keyboard MacOS Layout

Getting Started

Here are some resources to get you started if you have not tinkered with the keyboard at all. Before modifying the key programming, I recommend getting the latest firmware.

Official Vortex website, which has the firmware updates and keyboard manual.
http://vortexgear.tw/vortex3.asp

The Reddit Community Guide
https://www.reddit.com/r/MechanicalKeyboards/comments/35uy60/guide_howto_program_your_pok3r_programming_layers/


Command & Option keys

Add Command and Option keys on both sides of the space bar.
To program this configuration, we will be using Layer 3 (Red light) by applying the FN + >. key.

  1. FN + R_Ctrl to enter programming
  2. Left Command: L_Alt → then L_WIN → then PN
  3. Left Option: L_WIN → then L_Alt → then PN
  4. Right Command: R_Alt → then R_FN (Win) → then PN
  5. Right Option: R_FN (Win) → then R_Alt → then PN
  6. FN + R_Ctrl to exit programming

WASD Arrow Keys

Here is the programming to switch IJKL for WASD arrow keys.

  1. FN + R_Ctrl to enter programming
  2. Hold down FN and W → Let go of W →  Let go of FN → then PN
  3. Hold down FN and I → Let go of I → Let go of FN → then PN
    • Repeat for the rest of the keys.
  4. FN + R_Ctrl to exit programming

Restore Factory Programming

Along the way, if you mess anything up, you can restore individual layers or the whole keyboard.

  • Layer by Layer: Hold down FN + R
  • All Layers: Hold down both R_Alt and L_Alt

Note: you may need to hold down the keys or combination of keys for 5 seconds.

Mac Wireless airport Command

In macOS and prior versions, most functionality found in the GUI can also be performed from the command line. One example is the “airport” command, which allows users to scan, sniff, connect, and disconnect from wireless routers.

If you are not comfortable with the command line, I have a previous post here on Mac Built-in Wireless Tools accessible in the GUI.


Getting Started

The airport command is found in the following directory:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

The easiest way to use the airport command is by creating a symbolic link.

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport

Scan

Perform a scan of available wireless networks by using the -s or --scan option. Example:

$ airport -s
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
              TheCenturionLounge 6c:f3:7f:58:3X:XX -77  1       Y  US NONE
                    WiFi Printer 28:cf:e9:82:eX:XX -91  149,+1  Y  US WPA2(PSK/AES/AES) 
  HP-Print-A5-Officejet Pro 8610 58:20:b1:5f:eX:XX -67  1       N  -- NONE
                   McCarran WiFi 40:e3:d6:f8:0X:XX -58  11      Y  -- NONE
                            Ji6S 3a:71:de:d3:6X:XX -78  11      Y  US WPA2(PSK/AES/AES) 
                            TCLO 6c:f3:7f:58:3X:XX -80  52,+1   Y  US WPA2(PSK/AES/AES) 
                        icandy 2 30:46:9a:3e:dX:XX -64  6       Y  -- WEP
 DIRECT-41-HP OfficeJet Pro 8730 72:5a:0f:f1:1X:XX -49  6       Y  -- WPA2(PSK/AES/AES) 
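
Added example (not part of the original post): scan output like the above can be audited for networks advertising no encryption, WEP or TKIP. The Python below parses the column layout that airport -s prints; the sample rows are constructed and the function names are assumptions.

```python
import re

# One row of `airport -s`: the SSID is right-aligned and may contain spaces, so
# anchor on the BSSID (octets may lack a leading zero) and the numeric RSSI.
ROW = re.compile(
    r"^(?P<ssid>.*?)\s"
    r"(?P<bssid>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\s+"
    r"(?P<rssi>-?\d+)\s+(?P<channel>\d+)(?:,[+-]\d+)?\s+"
    r"(?P<ht>[YN])\s+(?P<cc>\S+)\s+(?P<security>.+?)\s*$"
)

# Constructed sample in the same column layout (not a real scan).
SAMPLE_SCAN = """\
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                   Lobby Guest 1 02:00:5e:10:00:01 -77  1       Y  US NONE
                      Office LAN 02:00:5e:10:00:02 -58  149,+1  Y  US WPA2(PSK/AES/AES)
                     old printer 02:00:5e:10:0:3   -64  6       N  -- WEP
                          Legacy 02:00:5e:10:00:04 -80  11      Y  US WPA(PSK/TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
"""


def parse_scan(text):
    """Return one dict per network row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ssid"] = row["ssid"].strip()  # drop right-alignment padding
        row["bssid"] = ":".join(o.zfill(2) for o in row["bssid"].lower().split(":"))
        row["rssi"] = int(row["rssi"])
        row["channel"] = int(row["channel"])  # primary channel only
        rows.append(row)
    return rows


def weakness(security):
    """Map the SECURITY column to a finding, or None when nothing is flagged."""
    sec = security.upper()
    if sec == "NONE":
        return "open"   # no link-layer encryption
    if "WEP" in sec:
        return "wep"    # WEP is broken
    if "TKIP" in sec:
        return "tkip"   # TKIP is deprecated
    return None


def weak_networks(text):
    """(ssid, bssid, finding) for every flagged row, strongest signal first."""
    hits = [(r["rssi"], r["ssid"], r["bssid"], weakness(r["security"]))
            for r in parse_scan(text)]
    hits = [h for h in hits if h[3]]
    return [(s, b, f) for _, s, b, f in sorted(hits, reverse=True)]


if __name__ == "__main__":
    for ssid, bssid, finding in weak_networks(SAMPLE_SCAN):
        print(f"{finding:5} {bssid} {ssid}")
```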

Sniff

When sniffing, you will need to define your WLAN interface. A channel number can be specified as well.

$ sudo airport en0 sniff
Password:
Capturing 802.11 frames on en0.
^CSession saved to /tmp/airportSniffDiGthp.cap.

Status

The -I option shows the current wireless status information such as signal, BSSID, authentication, etc. Example:

$ airport -I
     agrCtlRSSI: -66
     agrExtRSSI: 0
    agrCtlNoise: -95
    agrExtNoise: 0
          state: running
        op mode: station 
     lastTxRate: 174
        maxRate: 289
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: 70:3a:e:21:eX:XX
           SSID: McCarran WiFi
            MCS: 8
        channel: 165 

Disconnect

WLAN Disconnect

If you want to disconnect from your existing WLAN you can use the -z option.

$ sudo airport -z

Disconnect After Logout

sudo airport en0 prefs DisconnectOnLogout=Yes

Output Information

Capture

When performing a Sniff it saves a .cap file to the /tmp directory.
Wireshark (tshark) and tcpdump are great options for analyzing the 802.11 frames quickly.

Read the captured packets in tcpdump.

tcpdump -r /tmp/airportSniffDiGthp.cap

Read the captured packets in tshark.

tshark -r /tmp/airportSniffDiGthp.cap

XML

Print info as XML by using the -x option. Example:

$ airport -I -x 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AUTH_LOWER</key>
	<integer>1</integer>
	<key>AUTH_UPPER</key>
	<integer>8</integer>
	<key>CHANNEL</key>
	<integer>36</integer>
	<key>CHANNEL_FLAGS</key>
	<integer>18</integer>
	<key>NOISE_CTL_AGR</key>
	<integer>-98</integer>
	<key>NOISE_UNIT</key>
	<integer>0</integer>
	<key>RSSI_CTL_AGR</key>
	<integer>-54</integer>
	<key>RSSI_CTL_LIST</key>
	<array>
		<integer>-51</integer>
		<integer>-53</integer>
		<integer>-60</integer>
	</array>
	<key>RSSI_EXT_AGR</key>
	<integer>0</integer>
	<key>RSSI_EXT_LIST</key>
	<array>
		<integer>0</integer>
		<integer>0</integer>
		<integer>0</integer>
	</array>
	<key>RSSI_UNIT</key>
	<integer>0</integer>
</dict>
</plist>

Save the XML info to a file.

$ airport -I -x > /Users/UserName/Desktop/wifi.xml

Using plutil, we can convert a plist or XML file from one format to another.
Convert it to JSON format.

plutil -convert json wifi.xml -o wifi.json

File example:

{
	"RSSI_UNIT": 0,
	"AUTH_LOWER": 1,
	"NOISE_UNIT": 0,
	"CHANNEL_FLAGS": 532,
	"RSSI_CTL_AGR": -58,
	"CHANNEL": 149,
	"NOISE_CTL_AGR": -95,
	"RSSI_CTL_LIST": [-56, -62, -56],
	"AUTH_UPPER": 8,
	"RSSI_EXT_AGR": 0,
	"RSSI_EXT_LIST": [0, 0, 0]
}

You can use the PlistBuddy command to read and write values to the file.

$ /usr/libexec/PlistBuddy

TinkerTry SuperServer Upgrades

I haven’t posted much on the TinkerTry Server bundle I purchased last year. I am still jubilant, and the server hasn’t let me down once.

I decided to make some changes for the better on the hardware front by adding another 64GB of memory and a 250GB Samsung 960 EVO M.2 hard drive.

The M.2 Samsung 960 EVO is now my primary drive for ESXi 6.5, and the other two drives (850 Evo/Pro) are datastores with VMFS 6.

The 500GB 850 Evo is reserved for all virtual machines, and the 128GB 850 Pro is set aside for operating systems like Project Atomic and PhotonOS for containerization (OS level virtualization).


Samsung 960 EVO M.2

Paul at TinkerTry has put in an extensive amount of time collecting information and testing the Samsung 960 M.2 after the online community had been reporting the disappearance of the drive. The remediation of this issue was a firmware fix from Samsung. I recently purchased my drive off of Amazon, and it had already come with the updated firmware.

Specs:

  • PCIe 3.0 x4 NVM Express
  • M.2 (2280)
  • Samsung V-NAND 3bit MLC
  • Samsung Polaris controller
  • Intelligent TurboWrite
  • Sequential Read Speed: Max 3,200 MB/sec
  • Sequential Write Speed: Max 1,900 MB/sec
  • Capacity: 250 GB
    • Part#: MZ-V6E250BW

Samsung 32GB DDR4 (x2)

After a few months of heavy usage, I found myself needing more memory for my Linux servers. I ordered the memory from Wired Zone who sells the server bundles and had the best pricing after shopping around.

Specs:

  • Form Factor: RDIMM 288-pin
  • Data Integrity Check: ECC
  • Memory Speed: PC4-19200 (2400MHz)
  • Registered/Unbuffered: Registered
  • Supply Voltage: 1.2V
  • Supermicro Certified Server Memory
    • Supermicro Part#: MEM-DR432L-SL01-ER24
    • Samsung Part#: M393A4K40BB1-CRC

Mac Built-in Wireless Tools

Under Wireless Diagnostics in macOS, you can find additional tools for scanning, sniffing, and monitoring Wireless 802.11.

All these hidden tools are helpful when trying to analyze channels, coverage, or even troubleshoot connectivity issues.

I include some quick tutorials to manipulate the output information like captures and log files.


Launching Wireless Diagnostics

You can open the Wireless Diagnostics menu bar from the instructions below or by Spotlight.

Instructions:

  1. On your Mac’s menu bar you’ll find the Wi-Fi icon. Hold down the Option key ⌥ on your keyboard and click the icon.
  2. You should see a long menu appear, and near the top, you’ll see a menu item called ‘Open Wireless Diagnostics.’
  3. Click “Open Wireless Diagnostics,” and now you can access the tools from the Wireless Diagnostics menu bar.

Spotlight:

Hit “Command-Space” from the keyboard to bring up Spotlight and type in “Wireless Diagnostics.”


Overview: Info, Performance, and Monitor

  • Info: Gathers vital details about your current network connection.
  • Performance: Uses three live graphs to show the performance of your Wi-Fi connection:
    • Rate: Gives the transmission rate over time in megabits per second.
    • Quality: Gives the signal-to-noise ratio over time.
    • Signal: shows both signal (RSSI) and noise measurements over time.
  • Monitor: Displays a small window with one graph showing signal (RSSI) and noise measurements over time, and another showing transmission rate over time.

Below is a deeper dive on Scan, Sniffer, and logs.


Scan

Scan can survey, locate, and list wireless routers in your vicinity. It also shows details about them.

Some information it discovers:

  • The Network Name or SSID
  • The MAC address of Access Point (BSSID)
  • Wireless security protocol in use
  • 802.11 protocol in use
  • Signal strength

You also get an overall summary which may allow you to make changes to your Wireless router configuration.


Sniffer

Sniffer captures traffic on your Wi-Fi connection giving you the ability to intercept and look at the packets afterward. The Sniffer is useful with:

  • Diagnosing or investigating potential network problems
  • Identifying configuration issues
  • Monitoring network usage and activity
  • Discovering possible network abuse, malware, and attacks

Start using the sniffer by selecting a Channel, Width, and clicking the “Start” button. When you click “Stop”, a capture file (.wcap) is saved to the /var/tmp/ directory on your Mac.

Capture File info

  • The .wcap file extension denotes a Wireless Diagnostics packet capture
  • Once saved, the files follow a timestamp naming convention

Use Capture File

Copy all the capture files to a folder on your Desktop to easily access it.

mkdir -p /Users/NameHere/Desktop/wifi && sudo cp /var/tmp/*.wcap /Users/NameHere/Desktop/wifi/

You can rename the .wcap file extension to .pcap to open in third-party traffic analyzers like Wireshark or tcpdump.

sudo mv 2017.03.14_11-00-33-EDT.wcap 2017.03.14_11-00-33-EDT.pcap

Use tcpdump for analysis since it’s already available on Mac.

Read the captured packets.

tcpdump -r 2017.03.14_11-00-33-EDT.pcap

Read captured packets and print with link level header in hex along with ASCII.

tcpdump -XXr 2017.03.14_11-00-33-EDT.pcap

Logs

When launching this tool, it enables logging in the background for Wireless and other parts of macOS. The results get saved to a log file (wifi.log) in the /private/var/log/ directory.

When you click the “Show” button, it will show the wifi.log file itself in the log directory.

Note: logging continues even when you quit the app or restart your Mac, so remember to disable logging after you’re finished.

Use Wifi log

I put together a few things below for viewing, monitoring, and handling the file.

Copy the log file to a folder on your Desktop to easily access it.

mkdir -p /Users/NameHere/Desktop/wifi_logs && sudo cp /private/var/log/wifi.log /Users/NameHere/Desktop/wifi_logs/

Follow the wifi log file and filter out Bluetooth messages.

tail -f /private/var/log/wifi.log | grep -v 'Bluetooth'

Follow the wifi log file and view messages related to link quality like RSSI.

tail -f /private/var/log/wifi.log | grep 'link quality'

Mac Network Utility

Note: The Network Utility app is included in macOS and was relocated to /System/Library/CoreServices/Applications.

The Network Utility is a collection of tools that helps provide information for troubleshooting network issues. It can also assist with network security by providing functionality like port scanning.

The Network Utility is not a replacement for Nmap or other security utilities, but can certainly be helpful when you forget to install Nmap or just feel lazy and don’t want to enter commands manually into Terminal. 

The Network Utility includes Netstat, Ping, Lookup, Traceroute, Whois, Finger, and Port Scan. These tools can quickly help with the following tasks:

  • Check network routing tables and stats.
  • Check connections between you and another machine.
  • Query your DNS servers.
  • Trace the paths of your network or internet traffic.
  • Scan for open network ports.

Launching Network Utility

You can quickly open the Network Utility from Spotlight or the Terminal application.

  • Use Spotlight by hitting “Command-Space” from the keyboard and typing in “Network Utility”.
  • From Terminal.app in Utilities use the “open” command.

Example:

open /System/Library/CoreServices/Applications/Network\ Utility.app/

macOS Code Signing Validation

Code signing allows security-conscious users to know if an application is from an authentic source, unmodified, or even corrupt.

Manually checking the authenticity of applications is typically not needed for the average Mac user, because the majority of users obtain their software from the Mac App Store which is certified.

macOS and some versions of OS X run Gatekeeper which warns and rejects an application from being installed by checking if an unknown developer created it. Gatekeeper will enable users to open applications without any warnings if they are signed.

Everyone should be aware of any app’s integrity from any source. It never hurts to validate outside of Apple’s built-in security features.


Manual validation

Personally, when I manually check an app, I look for hash type, hash checksum, and authority for validation.
We will be using the codesign command in Terminal.

Verify authority:

codesign -dvvv /path/Foo.app

Note: Applications distributed on the Mac App Store are all signed by Apple’s certificate.

Gatekeeper like verification:

codesign --verify --deep --strict --verbose=2 /path/Foo.app/
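
Added example (not part of the original post): the three things checked above (hash type, hash checksum, authority) can be read out of codesign -dvvv output and compared against what you expect for a given vendor. The sample output, team ID and CDHash values are constructed placeholders, and the function names are assumptions.

```python
# Constructed samples of `codesign -dvvv` output; every identifier and hash
# below is a placeholder, not taken from a real application.
SAMPLE_SIGNED = """\
Executable=/Applications/Foo.app/Contents/MacOS/Foo
Identifier=com.example.foo
Format=app bundle with Mach-O thin (x86_64)
Hash type=sha256 size=32
CDHash=0123456789abcdef0123456789abcdef01234567
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SAMPLE_ADHOC = """\
Executable=/tmp/Bar.app/Contents/MacOS/Bar
Identifier=Bar
Hash type=sha1 size=20
CDHash=89abcdef0123456789abcdef0123456789abcdef
Signature=adhoc
TeamIdentifier=not set
"""


def parse_codesign(text):
    """Collect key=value fields; Authority repeats (leaf first), so keep a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        elif key == "Hash type":
            info[key] = value.partition(" ")[0]  # "sha256 size=32" -> "sha256"
        else:
            info.setdefault(key, value)
    return info


def review(info, expected_team, expected_cdhash=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    chain = info["Authority"]
    if not chain:
        findings.append("no Authority lines (unsigned or ad-hoc signature)")
    elif chain[-1] != "Apple Root CA":
        findings.append(f"chain ends at {chain[-1]!r}, not Apple Root CA")
    if info.get("Hash type") == "sha1":
        findings.append("code directory hash type is sha1")
    if info.get("TeamIdentifier") != expected_team:
        findings.append(f"TeamIdentifier is {info.get('TeamIdentifier')!r}")
    if expected_cdhash and info.get("CDHash", "").lower() != expected_cdhash.lower():
        findings.append("CDHash differs from the pinned value")
    return findings


if __name__ == "__main__":
    for name, sample in (("signed", SAMPLE_SIGNED), ("ad-hoc", SAMPLE_ADHOC)):
        print(name, review(parse_codesign(sample), "ABCDE12345") or "ok")
```

codesign -d writes these fields to stderr, so capture them with 2>&1. The fields are only displayed, not validated; the --verify command above is what checks the signature itself.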

VMware ESXCLI ESXi Upgrade

The ESXCLI upgrade allows you to save time by skipping the hassle of logging into “My VMware” to download the ESXi ISO and apply patches directly from the VMware Online Depot to your server.

I routinely check VMware ESXi Patch Tracker to know when it’s time to update and which build number I need.

Before we get started, let’s turn on maintenance mode or make sure to gracefully shut down all virtual machines. Once maintenance mode is enabled, let’s also enable SSH to start the upgrade.


Instructions

Open the SSH session to your ESXi server and follow these instructions.

You will need to allow outbound HTTP requests in the firewall configuration by pasting the line below into your SSH session and pressing Enter:

esxcli network firewall ruleset set -e true -r httpClient

Download the image profile over HTTPS and apply the update by pasting the line below into your SSH session and pressing Enter. This can take some time to finish.

esxcli software profile update -p ESXi-6.5.0-20170104001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Next, you will need to disallow outbound HTTP Requests in the firewall configuration by pasting the line below into your SSH session and pressing enter:

esxcli network firewall ruleset set -e false -r httpClient

After you have disallowed outbound HTTP Requests, it’s safe to close out your SSH session and disable it. Remember to turn off maintenance mode after successfully rebooting your server for the upgrade.

EdgeOS NetFlow IPFIX Configuration

EdgeOS is an operating system from Ubiquiti which allows you to configure and manage your EdgeRouter. This includes the ability to generate, view, and forward NetFlow information.

I will be using NetFlow version 10, also called IPFIX. IPFIX information can be sent to a third-party collector to help gain better network visibility. With a collector like IBM’s QRadar, IPFIX can help discover malicious behavior indicating a compromise, such as unusual ports, unknown destinations, and much more.

For more information on IPFIX, see the following RFCs: 5101 and 5153.


Configuration

The configuration will be from the Command Line Interface (CLI).

Set Port interface for collection, typically eth0 which is my WAN interface:

set system flow-accounting interface <interface>

Choose the ID number of the flow switching engine:

set system flow-accounting netflow engine-id <0-255>

Collect flows for egress traffic:

set system flow-accounting netflow enable-egress

Set the IP and Port of the remote collector that will receive flows:

set system flow-accounting netflow server <IP> port <2055>

Specify version number of NetFlow to use:

set system flow-accounting netflow version <10>

I have the timeout options using default values found in EdgeOS configuration.

You can double check your work once you committed and saved your configuration by using the following command to view flow activity:

show flow-accounting

Example running config

}
system {
    domain-name name.local
    flow-accounting {
        ingress-capture post-dnat
        interface eth0
        netflow {
            enable-egress {
            }
            engine-id 2
            server 192.168.0.0 {
                port 2055
            }
            timeout {
                expiry-interval 60
                flow-generic 3600
                icmp 300
                max-active-life 604800
                tcp-fin 300
                tcp-generic 3600
                tcp-rst 120
                udp 300
            }
            version 10
        }
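
Added example (not part of the original post): a collector-side check that a datagram received on the configured port really is NetFlow version 10 (IPFIX). It decodes the 16-byte message header and the set headers as laid out in RFC 5101; the sample message is constructed in build_sample(), and all function names are assumptions.

```python
import struct

IPFIX_VERSION = 10                  # what `version 10` should put on the wire
HEADER = struct.Struct("!HHIII")    # version, length, export time, sequence, domain id
SET_HEADER = struct.Struct("!HH")   # set id, set length (includes these 4 bytes)


def set_kind(set_id):
    """Classify a set by its ID: 2 and 3 carry templates, 256 and up carry data."""
    if set_id == 2:
        return "template"
    if set_id == 3:
        return "options-template"
    return "data" if set_id >= 256 else "reserved"


def parse_ipfix(datagram):
    """Decode the message header and walk the set headers of one message.

    Raises ValueError on input a collector should drop: wrong version,
    a length field larger than the payload, or a malformed set.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 16-byte IPFIX message header")
    version, length, export_time, sequence, domain = HEADER.unpack_from(datagram)
    if version != IPFIX_VERSION:
        raise ValueError(f"version {version}, expected {IPFIX_VERSION}")
    if not HEADER.size <= length <= len(datagram):
        raise ValueError(f"length field {length} does not fit payload of {len(datagram)}")
    sets, offset = [], HEADER.size
    while offset < length:
        if length - offset < SET_HEADER.size:
            raise ValueError("truncated set header")
        set_id, set_len = SET_HEADER.unpack_from(datagram, offset)
        if set_len < SET_HEADER.size or offset + set_len > length:
            raise ValueError(f"bad set length {set_len} at offset {offset}")
        sets.append((set_id, set_kind(set_id), set_len))
        offset += set_len
    return {"export_time": export_time, "sequence": sequence,
            "domain": domain, "sets": sets}


def build_sample():
    """Constructed message: one template set (ID 256, two IPv4 address fields)
    and one data set holding a single record. Not captured from a real router."""
    template = struct.pack("!HH", 256, 2) + struct.pack("!HHHH", 8, 4, 12, 4)
    template_set = SET_HEADER.pack(2, SET_HEADER.size + len(template)) + template
    record = bytes([192, 0, 2, 1, 198, 51, 100, 7])   # documentation-range addresses
    data_set = SET_HEADER.pack(256, SET_HEADER.size + len(record)) + record
    body = template_set + data_set
    return HEADER.pack(IPFIX_VERSION, HEADER.size + len(body), 1500000000, 1, 1) + body


if __name__ == "__main__":
    print(parse_ipfix(build_sample()))
```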

Ubiquiti UniFi AC HD Overview

I recently was in the market for a new AP and happened to stumble across an announcement made by a user on Reddit about the UniFi AC HD being available on the Ubiquiti Beta Store. I decided to purchase it for my home and home lab environment even though it’s in Beta.

Below is a quick overview of the unit and I will have more posts in the future so stay tuned.


802.11AC Wave 2

The UniFi AC HD features 802.11AC Wave 2 4×4 MU-MIMO which allows the access point to transmit to multiple client devices simultaneously unlike 802.11AC Wave 1.

The UniFi AC HD and Wave 2 4×4 MU-MIMO technology are going to provide higher speeds or bandwidth needed for supporting things like video and voice traffic which may be susceptible to latency issues, but also the delivery of large files.

I have not tested the speeds or performance yet, but this model should reach up to the following:

  • 800 Mbps using 2.4 GHz (6-25 dBm / 2 Antennas, 3 dBi each)
  • 1700 Mbps at 5 GHz (6-25 dBm / 2 Antennas, 4 dBi each)

Traffic Management & Security

The UniFi AC HD has great features for traffic management such as 802.1Q VLAN tagging compartmentalizing your traffic, advanced QoS functionality for user rate limiting, and guest traffic isolation.

For protected Wi-Fi access this unit supports WEP, WPA-PSK, and WPA-Enterprise (WPA/WPA2, TKIP/AES) for security protocols.


Gigabit Ethernet

The back side of the UniFi AC HD features 2 Gigabit Ethernet ports and 1 USB C port.

  • The “Main” port is used for power and connects to the LAN / DHCP server.
  • The “Secondary” port is for bridging.
  • The “USB-C” port has been reserved for future use by Ubiquiti.

It also uses 802.3at PoE+ functionality which can work with the UniFi PoE Switches or the EdgeRouter ERPoe‑5.

What’s included

When you purchase a single pack you get the following:

  • 1 UniFi AP AC HD
  • 1 Mounting bracket
  • 1 Ceiling backing plate
  • 4 Flathead screws
  • 4 Nuts
  • 4 Screws
  • 4 Screw anchors
  • 1 Gigabit PoE power adapter with mount bracket
  • 1 Quick Start Guide

The UniFi AC HD is compatible with existing UAP-AC-PRO mounts.



VMware AVX2 but AVX Not Present

My ESXi server recently produced an error message labeled “AVX2 but AVX Not Present”.  After converting a Virtual Machine (VM) from VMware Workstation and importing into ESXi, I received this message.

I used the vCenter Converter Standalone tool which worked flawlessly. Scouring the internet, it appears you need to modify the VMX file and downgrade the virtual hardware version labeled the following:

virtualHW.version = "AppropriateNumberHere"

You can fix the error message by changing the virtual hardware version from “11” to “10”.