Scapy does not transmit / inject wifi packets - sniffing works

[marc-y-marc]

Brief description

The issue is that Scapy does not send any packets. No errors appear. I've tried 2 examples (beacons + answering machine) and both do not seem to work. Receiving in scapy works.

My adapter does support monitor mode & injection. If i run aireplay-ng and i perform a death attack or any other option, i can see the broadcasted packets using my second adapter as sniffer.

Environment

• Scapy version: 2.4.3rc1 (also tried others)
• Python version: 3.5
• Operating System: Raspbian, 4.19.46-v7+
• Wifi dongle / driver: https://github.com/aircrack-ng/rtl8812au

How to reproduce

• Install clean raspbian on RPI3B+
• Install driver (see above)
• Put adapters in montitor mode using iwconfig / ifconfig
• Install python3 via apt-get
• Install pip3 via apt-get,
• update pip using sudo python3 -m pip install --upgrade pip
• install scapy[basic] using sudo python3 -m pip install --pre scapy[basic]

Example 1: Beacons

`
#!/usr/bin/python3

from scapy.all import *

netSSID = 'testSSID'    #Network name here
iface = 'wlan1'         #Interface name here

conf.use_pcap = True

dot11 = Dot11FCS(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33')
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01\x00'                 #RSN Version 1
'\x00\x0f\xac\x02'         #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00'                 #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04'         #AES Cipher
'\x00\x0f\xac\x02'         #TKIP Cipher
'\x01\x00'                 #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02'         #Pre-Shared Key
'\x00\x00'))               #RSN Capabilities (no extra capabilities)

frame = RadioTap()/dot11/beacon/essid/rsn

frame.show()
print("\nHexdump of frame:")
hexdump(frame)

input("\nPress enter to start\n")

sendp(frame, iface=iface, inter=0.100, loop=1, monitor=True)
`

I tried to play with the conf.use_pcap=True and the sendp(monitor=True). However they don't seem to have any influence.

Actual result

###[ RadioTap dummy ]###
version = 0
pad = 0
len = None
present = Flags
Flags = FCS
notdecoded= ''
###[ 802.11-FCS ]###
subtype = 8
type = Management
proto = 0
FCfield =
ID = 0
addr1 = ff:ff:ff:ff:ff:ff
addr2 = 22:22:22:22:22:22
addr3 = 33:33:33:33:33:33
SC = 0
fcs = None
###[ 802.11 Beacon ]###
timestamp = 0
beacon_interval= 100
cap = ESS+privacy
###[ 802.11 Information Element ]###
ID = SSID
len = 8
info = 'testSSID'
###[ 802.11 Information Element ]###
ID = RSNinfo
len = None
info = '\x01\x00\x00\x0f\xc2\xac\x02\x02\x00\x00\x0f\xc2\xac\x04\x00\x0f\xc2\xac\x02\x01\x00\x00\x0f\xc2\xac\x02\x00\x00'

Hexdump of frame:
0000 00 00 09 00 02 00 00 00 10 80 00 00 00 FF FF FF ................
0010 FF FF FF 22 22 22 22 22 22 33 33 33 33 33 33 00 ...""""""333333.
0020 00 00 00 00 00 00 00 00 00 64 00 11 00 00 08 74 .........d.....t
0030 65 73 74 53 53 49 44 30 1C 01 00 00 0F C2 AC 02 estSSID0........
0040 02 00 00 0F C2 AC 04 00 0F C2 AC 02 01 00 00 0F ................
0050 C2 AC 02 00 00 64 0C 04 AC .....d...

Expected result

Expected that the packetis sent using wlan1 - so it can be sniffed with wlan2 operating both on the same channel. However they are not broadcasted. No error occurs when i pressed enter to start the transmit.

[gpotter2]

Thanks for the very complete report !

I see that you figured out the conf.use_pcap yourself. If libpcap can't send packets, we probably won't be able to support it :/

I don't know how the aircrack driver works, for instance if special calls should be used. Maybe you could ask there.

Maybe retry against master ? It has dropped the need to have pcapy, pypcap... install, but I don't except it to fix anything :/

[guedou]

This RPI as embedded Wi-Fi. Did you select the correct interface while trying to inject packets? What is the output of conf.iface and conf.routes ?

[marc-y-marc]

Thanks for both replies!
@gpotter2 : is there a way to test what's wrong with libpcap? And is there a specific version of libpcap i need? Sometimes the raspbian repo can be very outdated. Currently on libpcap0.8-dev. E.g. is it possible to send a raw packet without scapy so i can test that part of the chain?
I'll try against the master and let you know if it changes anything.

edit: see below -> i tried to add it to my Python evt using Pip. It get's a newer version but results remain.

@guedou : yes - i selected the correct one. wlan0 is the onboard, wlan1 and wlan2 are my external which are in monitor mode.

conf.iface = wlan1 (i changed my code a bit after your comment so i dont use iface=wlan1 but conf.iface=wlan1 from now on)

Below the full config:

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x7582e970>
BTsocket = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
L3socket6 = functools.partial(<L3PacketSocket: read/write packets at layer ...
USBsocket = None
auto_crop_tables = True
auto_fragment = 1
cache_iflist = {}
checkIPID = 0
checkIPaddr = 1
checkIPinIP = True
checkIPsrc = 1
check_TCPerror_seqack = 0
color_theme =
commands = IPID_count : Identify IP id values classes in a list of packets...
contribs = {}
crypto_valid = True
crypto_valid_advanced = True
crypto_valid_recent = True
debug_dissector = 0
debug_match = 0
debug_tls = 0
default_l2 = <class 'scapy.packet.Raw'>
dot15d4_protocol = None
emph = <Emphasize []>
ethertypes = </etc/ethertypes - 3 elements>
except_filter = ''
extensions_paths = '.'
fancy_prompt = True
geoip_city = None
histfile = '/root/.scapy_history'
iface = 'wlan1'
iface6 = 'lo'
interactive = False
interactive_shell = ''
ipv6_enabled = True
l2types = 0x0 -> Loopback (Loopback) 0x1 <- Dot3 (802.3) 0x1 <-> Ether (E...
l3types = 0x3 -> IP (IP) 0x800 <-> IP (IP) 0x806 <-> ARP (ARP) 0x86dd <->...
layers = Packet : <member 'name' of 'Packet' objects> NoPayload : <membe...
load_layers = ['bluetooth', 'bluetooth4LE', 'dhcp', 'dhcp6', 'dns', 'dot11',...
logLevel = 30
manufdb = </usr/share/wireshark/manuf - 36220 elements>
mib = <MIB - 343 elements>
min_pkt_size = 60
neighbor = Ether -> IPv6 Dot3 -> SNAP Ether -> ARP Ether -> IP Dot3 -> IP ...
netcache = arp_cache: 0 valid items. Timeout=120s in6_neighbor: 0 valid it...
noenum = <Resolve []>
padding = 1
padding_layer = <class 'scapy.packet.Padding'>
prog = display = 'display' dot = 'dot' hexedit = 'hexer' ifconfig = 'i...
promisc = 1
prompt = '>>> '
protocols = </etc/protocols - 56 elements>
raw_layer = <class 'scapy.packet.Raw'>
raw_summary = False
recv_poll_rate = 0.05
resolve = <Resolve []>
route = Network Netmask Gateway Iface Output IP Metric 0.0.0.0 0.0.0.0 ...
route6 = Destination Next Hop Iface Src candidates Metric fe80::/64 :: w...
services_tcp = </etc/services-tcp - 316 elements>
services_udp = </etc/services-udp - 217 elements>
session = ''
sniff_promisc = 1
stats_classic_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.la...
stats_dot11_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.laye...
stealth = 'not implemented'
temp_files = []
teredoPrefix = '2001::'
teredoServerPort = 3544
use_bpf = False
use_dnet = False
use_npcap = False
use_pcap = False
use_pypy = False
use_winpcapy = False
verb = 2
version = '2.4.3rc1'
warning_threshold = 5
wepkey = ''

[marc-y-marc]

Now looking at it... the strange thing is that use_pcap is set to False while in my code i explicitly set it to True.

[marc-y-marc]

I tried adding libpcap to my Python environment, so not using apt-get but:
sudo python3 -m pip install libpcap

No difference, the use_pcap value remains False.

I do think we are on to something here.

edit: if i set use_pypy = True this actually works. So the real issue is that i can't set use_pcap to True

[gpotter2]

@marc-y-marc conf.use_pcap remains True only if it actually worked.
Have you turned off the warnings ? It will display one when it fails.
If you hop in into a scapy shell, and try it, what do you get ?

If the issue is something like "pcapy not installed", please retry against master

[marc-y-marc]

I did not turn of warnings, so its weird that it did not show me any. Anyway, i hopped into the scapy shell using sudo pyhton3 -m scapy.

i got:

>>> conf.use_pcap = True
ERROR: Unable to import any of the pcap modules: No module named 'pcapy'/No module named 'pcap'
WARNING: No pcap provider available ! pcap won't be used

So now i managed to resolve that issue in 2 ways:

• I installed pcapy using sudo pyhton3 pip install pcapy. Now the value is changing.. however.. still no result in transmitting.
• I downloaded / installed the master branch (using pip again).

Now i can change the conf.use_pcap without errors :-)

The problem however that i cannot transmit packets is still there. See next post.

[marc-y-marc]

When i added the 'monitor=True' to sendp() it gives me the following:

Master branch:

Traceback (most recent call last):
  File "./wifi-beacons.py", line 38, in <module>
    sendp(frame, monitor=True, iface=conf.iface, inter=0.100, loop=1)
  File "/usr/local/lib/python3.5/dist-packages/scapy/sendrecv.py", line 342, in sendp
    socket = socket or conf.L2socket(iface=iface, *args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 314, in __init__
    monitor=monitor)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 261, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_winpcap(*args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 207, in __init__
    raise OSError("Could not activate the pcap handler")
OSError: Could not activate the pcap handler

Back to 2.4.3rc1 sort of the same:

  File "./wifi-beacons.py", line 37, in <module>
    sendp(frame, iface=conf.iface, monitor=True, inter=0.100, loop=1)
  File "/usr/local/lib/python3.5/dist-packages/scapy/sendrecv.py", line 334, in sendp
    socket = socket or conf.L2socket(iface=iface, *args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 472, in __init__
    self.ins = open_pcap(iface, MTU, self.promisc, 100, monitor=monitor)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 417, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_pcapy(*args, **kargs)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 375, in __init__
    raise OSError("Could not activate the pcap handler")   # noqa: E501
OSError: Could not activate the pcap handler

[marc-y-marc]

I also see the sockets have changed in my config object, so that part seems to function now.

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x741484f0>
BTsocket   = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen   = <L2pcapListenSocket: read packets at layer 2 using libpcap>
L2socket   = <L2pcapSocket: read/write packets at layer 2 using only libpcap>
L3socket   = <L3pcapSocket: read/write packets at layer 3 using only libpcap>
L3socket6  = functools.partial(<L3pcapSocket: read/write packets at layer 3 ...
USBsocket  = None

[marc-y-marc]

OK - I just tried to use a diffrent library (pypcap) - so i uninstalled pcapy - and i got an error from this library that gave some more detail then the pcapy library.

Error using pypcap

Traceback (most recent call last):
  File "./wifi-beacons.py", line 37, in <module>
    sendp(frame, iface=conf.iface, monitor=True, inter=0.100, loop=1)
  File "/usr/local/lib/python3.5/dist-packages/scapy/sendrecv.py", line 334, in sendp
    socket = socket or conf.L2socket(iface=iface, *args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 472, in __init__
    self.ins = open_pcap(iface, MTU, self.promisc, 100, monitor=monitor)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 323, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_pypcap(*args, **kargs)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 290, in __init__
    self.pcap = pcap.pcap(device, snaplen, promisc, immediate=1, timeout_ms=to_ms, rfmon=monitor)  # noqa: E501
  File "pcap.pyx", line 231, in pcap.pcap.__init__
OSError: Activateing packet capture failed. Error returned by packet capture library was b'wlan0: SIOCGIWPRIV: Argument list too long'

[mattmart3]

Same issue here. I am using an AWUS036ACH adapter with the same chipset and driver reported by @marc-y-marc . The injection test with aireplay-ng works but on USB2.0 only. Injection also works with the mdk3 tool (tested in beacon flood mode). With scapy I have no error reported by the script which starts fine but I see no beacon frames captured from another adapter.

Environment

• Scapy version: 2.4.2
• Python version: 3.7.3
• Operating System: Arch Linux
• Wifi dongle / driver: https://github.com/aircrack-ng/rtl8812au
• Kernel: 5.1.7-arch1-1-ARCH

I have tested the same example script used by @marc-y-marc

Here's the output:

###[ RadioTap dummy ]### 
  version   = 0
  pad       = 0
  len       = None
  present   = None
  notdecoded= ''
###[ 802.11-FCS ]### 
     subtype   = 8
     type      = Management
     proto     = 0
     FCfield   = 
     ID        = 0
     addr1     = ff:ff:ff:ff:ff:ff
     addr2     = 22:22:22:22:22:22
     addr3     = 33:33:33:33:33:33
     SC        = 0
     fcs       = None
###[ 802.11 Beacon ]### 
        timestamp = 0
        beacon_interval= 100
        cap       = ESS+privacy
###[ 802.11 Information Element ]### 
           ID        = SSID
           len       = 8
           info      = 'testSSID'
###[ 802.11 Information Element ]### 
              ID        = RSNinfo
              len       = None
              info      = '\x01\x00\x00\x0f\xc2\xac\x02\x02\x00\x00\x0f\xc2\xac\x04\x00\x0f\xc2\xac\x02\x01\x00\x00\x0f\xc2\xac\x02\x00\x00'


Hexdump of frame:
0000  00 00 08 00 00 00 00 00 80 00 00 00 FF FF FF FF  ................
0010  FF FF 22 22 22 22 22 22 33 33 33 33 33 33 00 00  ..""""""333333..
0020  00 00 00 00 00 00 00 00 64 00 11 00 00 08 74 65  ........d.....te
0030  73 74 53 53 49 44 30 1C 01 00 00 0F C2 AC 02 02  stSSID0.........
0040  00 00 0F C2 AC 04 00 0F C2 AC 02 01 00 00 0F C2  ................
0050  AC 02 00 00 F0 48 B8 7C                          .....H.|
Press enter to start

..............................................................................^C

Here's the config:

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x7f429d2ad828>
BTsocket   = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen   = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket   = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket   = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
USBsocket  = None
auto_crop_tables = True
auto_fragment = 1
cache_iflist = {}
cache_in6_getifaddr = []
cache_ipaddrs = {}
checkIPID  = 0
checkIPaddr = 1
checkIPinIP = True
checkIPsrc = 1
check_TCPerror_seqack = 0
color_theme = <NoTheme>
commands   = IPID_count : Identify IP id values classes in a list of packets...
contribs   = {}
crypto_valid = False
crypto_valid_advanced = False
crypto_valid_recent = False
debug_dissector = 0
debug_match = 0
debug_tls  = 0
default_l2 = <class 'scapy.packet.Raw'>
dot15d4_protocol = None
emph       = <Emphasize []>
ethertypes = </etc/ethertypes - 31 elements>
except_filter = ''
extensions_paths = '.'
fancy_prompt = True
geoip_city = None
histfile   = '/root/.scapy_history'
iface      = 'eno1'
iface6     = 'lo'
interactive = False
interactive_shell = ''
ipv6_enabled = True
l2types    = 0x0 -> Loopback (Loopback) 0x1 <- Dot3 (802.3) 0x1 <-> Ether (E...
l3types    = 0x3 -> IP (IP) 0x800 <-> IP (IP) 0x806 <-> ARP (ARP) 0x86dd <->...
layers     = Packet : <member 'name' of 'Packet' objects> NoPayload : <membe...
load_layers = ['bluetooth', 'bluetooth4LE', 'dhcp', 'dhcp6', 'dns', 'dot11',...
logLevel   = 30
manufdb    = </usr/share/wireshark/manuf - 36837 elements>
mib        = <MIB - 343 elements>
min_pkt_size = 60
neighbor   = Ether -> LLC Dot3 -> LLC Dot3 -> SNAP Ether -> Dot1Q Ether -> A...
netcache   = arp_cache: 0 valid items. Timeout=120s in6_neighbor: 0 valid it...
noenum     = <Resolve []>
padding    = 1
padding_layer = <class 'scapy.packet.Padding'>
prog       = display = 'display' dot = 'dot' hexedit = 'hexer' ifconfig = 'i...
promisc    = 1
prompt     = '>>> '
protocols  = </etc/protocols - 135 elements>
raw_layer  = <class 'scapy.packet.Raw'>
raw_summary = False
recv_poll_rate = 0.05
resolve    = <Resolve []>
route      = Network Netmask Gateway Iface Output IP Metric 0.0.0.0 0.0.0.0 ...
route6     = Destination Next Hop Iface Src candidates Metric ::1/128 :: lo ...
services_tcp = </etc/services-tcp - 5810 elements>
services_udp = </etc/services-udp - 5462 elements>
session    = ''
sniff_promisc = 1
stats_classic_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.la...
stats_dot11_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.laye...
stealth    = 'not implemented'
temp_files = []
teredoPrefix = '2001::'
teredoServerPort = 3544
use_bpf    = False
use_dnet   = False
use_npcap  = False
use_pcap   = False
use_pypy   = False
use_winpcapy = False
verb       = 2
version    = '2.4.2'
warning_threshold = 5
wepkey     = ''

However, the same script is working fine with another adapter TL-WN722N (ath9k_htc driver). The scapy configuration printed out before the sendp instruction is exactly the same.

[marc-y-marc]

@matteomartelli : I see you are running on 2.4.2. Can you install the master branch of scapy? Or install pypcap using pip? I see in your config:

use_pcap = False

The script should set it to True but it fails if you dont have pypcap or the latest master which doesnt need it anymore.

[mattmart3]

I have just tested with the latest version from master (2.4.3rc1.dev223) and I have the same issue. I also tried installing pypcap and nothing changed. Running the script from the scapy shell I noticed that use_pcap is correctly set to True. Still, my other adapter works fine, thus I believe the issue is related to something more deeper and closer to the raw socket and the driver. @marc-y-marc is it fixed for you? Do you see your injected beacons?

[marc-y-marc]

Ok @matteomartelli - No, i'm having the same issue and really hope we can figure a way to make it work with some help of the dev's. It could be an issue with the driver, just not sure how to proceed as aircrack-ng is working correctly. Could also be related to pypcap or libpcap.

[guedou]

Can you share frames that you are able to capture with the sniff() function?

[marc-y-marc]

@guedou : sure, see below screenshot. I used sniff('wlan0', prn=lambda x: x.summary()).

Hope this helps!

[marc-y-marc]

@guedou : i also made a screenshot of a single packet more detailed. See below.

[marc-y-marc]

I just performed a full reinstall of my raspberry. Instead of using Raspbian i switched to Ubuntu server. Same results:

Traceback (most recent call last):
  File "./wifi-beacons.py", line 37, in <module>
    sendp(frame, iface=conf.iface, inter=0.100, loop=1, monitor=True)
  File "/usr/local/lib/python3.6/dist-packages/scapy/sendrecv.py", line 334, in sendp
    socket = socket or conf.L2socket(iface=iface, *args, **kargs)
  File "/usr/local/lib/python3.6/dist-packages/scapy/arch/pcapdnet.py", line 472, in __init__
    self.ins = open_pcap(iface, MTU, self.promisc, 100, monitor=monitor)  # noqa: E501
  File "/usr/local/lib/python3.6/dist-packages/scapy/arch/pcapdnet.py", line 417, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_pcapy(*args, **kargs)  # noqa: E501
  File "/usr/local/lib/python3.6/dist-packages/scapy/arch/pcapdnet.py", line 375, in __init__
    raise OSError("Could not activate the pcap handler")   # noqa: E501
OSError: Could not activate the pcap handler

I also updated to master branch. Same error.

[marc-y-marc]

I check the return value of ‘pcap.activate’ which is returned from libpcap. Libpcap returns ‘-1’ which stands for ‘generic error’.

[gpotter2]

TBH, you will most likely have more luck if you ask either on the driver's page or on libpcap than here.

On the networking side, apart from all the detection & cross platforming, we don't do much apart from calling either Python/ioctl/Libpcap :/

However please stick up to the master branch. We had some issues related with RadioTap decoding, that were only fixed quite recently.

[marc-y-marc]

@gpotter2 : I think you are right.

I discovered today that injection (airepaly-ng --test) does not work when the adapter is in monitor mode. It only works when it is 'managed' or 'auto'. This is probably the source of the problem and needs to be fixed first before anything else.

I'm rebuilding drivers etc now and will report back when i have some news for those also having the same problem.

[marc-y-marc]

Ladies and gentlemen, we've got him!

There seems to be an issue with the 5.3.4 branch (and up) of the driver:
https://github.com/aircrack-ng/rtl8812au

when libpcap needs to PCAP_SET_RFMON to 1 it just doenst PCAP_ACTIVATE() anymore and results in error code -1.

I went back to the 5.2.20 driver and everything worked again! Not sure if related but i did not use the dkms installer. I also used ifconfig and iwconfig instead of ip link and iw dev (which is in the manual).

@matteomartelli : hope this also fixes your issue!

Ps my packet is still 'mallformed' but i can now actually receive it from another adapter. Will tweak to scapy code to make sure its not malformed.

[mattmart3]

@marc-y-marc yes it's working for me too! Thank you for having shared your findings. I reinstalled the driver after editing the AUR package PKGBUILD script to point it to the 5.2.20 branch of the git repository. So this is my setup right now:
- Scapy version: 2.4.2
- Python version: 3.7.3
- Operating System: Arch Linux
- Wifi dongle / driver: https://github.com/aircrack-ng/rtl8812au version 5.2.20
- Kernel: 5.1.9-arch1-1-ARCH

About the malformed packet I had the same issue. First make sure you correctly set up the binary string of the information elements: since you are using python 3 you have to place a 'b' character before the string (https://stackoverflow.com/questions/55589199/why-scapy-added-c2-byte-in-dot11-element-infomation). Also I guess that there is some isssue with that specific example because I still see malformed beacons with it but if I try to replay a beacon which is similar to a beacon I captured over the air it works fine :

netSSID = 'TESTNET' #Network name here
dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
 addr2='22:22:22:22:22:22', addr3='22:22:22:22:22:22')
beacon = Dot11Beacon(cap='ESS+privacy+res12')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
rates = Dot11Elt(ID=1, info=(b"\x12\x98\x24\x30\x48\x60\x6c"))
dsset = Dot11Elt(ID='DSset', info=(b"\x01")) #channel
tim = Dot11Elt(ID='TIM', info=(b"\x00\x02\x01\x00"))
country = Dot11Elt(ID='Country', info=(b"\x55\x53\x00\x01\x0b\x17"))
erpinfo = Dot11Elt(ID=42, info=(b"\x02"))
rsn = Dot11Elt(ID='RSNinfo', info=(b"\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x28\x00"))
qbss = Dot11Elt(ID=11, info=(b"\x11\x00\x82\xa7\x61"))
unknown = Dot11Elt(ID=54, info=(b"\x85\x54\x00"))
ht_caps = Dot11Elt(ID='HTCapabilities', info=(b"\x2c\x19\x03\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"))
ht_info = Dot11Elt(ID=61, info=(b"\x0b\x08\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"))
extcaps = Dot11Elt(ID='ExtendendCapatibilities', info=(b"\x01\x10\x08\x00\x00\x00\x00\x00"))
frame = RadioTap()/dot11/beacon/essid/rates/dsset/tim/country/erpinfo/rsn/qbss/unknown/ht_caps/ht_info/extcaps
frame.show()
print("\nHexDump of frame:")
hexdump(frame)

The injected beacons with that custom frame are not marked as malformed by Wireshark. Still, my Android device does not list it but maybe it's because there is some mismatch between the injected capabilities and what my device is capable of. I would first try to replay one beacon of an AP listed by your other adapters exactly as it is. Then you may try to craft it.
I hope this helps and thank you again for your feedback.

EDIT:
After some adaptation to the frame I currently have the beacon listed on my Android smartphone adapter too.

First I am in Italy so I changed the Country Information Element from US to IT to match my country as the smartphone might have rejecteted that beacon due to some regulatory filter. Also, since I was injecting on channel 40 (5GHz) I added the maximum transmit power for channel 40 into the Country IE and changed the DSset element to 0x28 (channel 40). At last I removed the erpinfo information element too as it shouldn't make much sense for the 5GHz band:

dsset = Dot11Elt(ID='DSset', info=(b"\x28")) #updated channel
country = Dot11Elt(ID='Country', info=(b"\x49\x54\x00\x28\x0b\x17")) #updated country
frame = RadioTap()/dot11/beacon/essid/rates/dsset/tim/country/rsn/qbss/unknown/ht_caps/ht_info/extcaps #removed erpinfo

[marc-y-marc]

Thanks @matteomartelli, i've managed to make it appear on my phone now as well. I followed your instruction regarding the 'b' character. The only layers i needed to make it work were:

RadtioTap()/Dot11FCS/Dot11Beacon/Dot11Elt

Dot11FCS = Dot11FCS(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33')
Dot11Beacon = Dot11Beacon(cap='ESS+privacy')
Dot11Elt = Dot11Elt('id='SSID', info='TESTNET', len=len('TESTNET'))

I kind of figured out that adding more layers was not requried.

[kimocoder]

@rofl0r this may be interesting? PCAP error we faced

[rofl0r]

when libpcap needs to PCAP_SET_RFMON to 1 it just doenst PCAP_ACTIVATE() anymore and results in error code -1.

check dmesg output. the driver has some debug code which could produce clues.

[dagf2101]

I confirm, injection still not working(for scapy) on rtl8812au branches >= 5.3

Worst thing is that the latest kali driver (realtek-rtl88xxau-dkms) is crashing on boot.

Fortunately, branch 5.2 is working for kali 2019.4

[kimocoder]

Don't know if Kali pushed the latest commit, the kernel v5.3 support patch. I'll check

[kimocoder]

I'll notify Kali, its working on kernel v5.3 here, I'll tag a new dkms string. Will check injection also first.

[kimocoder]

Injection om branch v5.3.4 is working fine.

[dagf2101]

Aireplay Works but not scapy, you need to test injection with scapy and check if you received the beacon/packet on a other device.