为了验证一个无线抓包方案，在 OpenWRT 环境中先搭建下。(其实不用无线网卡，直接使用 OpenWRT 的无线 AP 也可以抓包，方法和配置和下面的类似)

由于 MT7612 的驱动在 Linux 内核的 4.19 之后才支持，需要查看 OpenWRT 的版本，如果内核版本过低，要升级到较新的版本。我使用的是 openwrt 22.03 版本，该内核为 5.10。
首先用 lsusb 命令，查看下 MT7612 USB 网卡是否检测到。(如果没有 lsusb 命令，需要用 opkg 安装 usbutils 包)

root@OpenWrt:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux 5.10.201 xhci-hcd xHCI Host Controller
Bus 002 Device 002: ID 0e8d:7612 MediaTek Inc. 802.11ac WLAN
Bus 002 Device 001: ID 1d6b:0003 Linux 5.10.201 xhci-hcd xHCI Host Controller

使用 opkg 命令安装 iw 和 tcpdump 包。

用 iw dev 命令，是否有三个设备，如果没有 wlan2 的话，应该是 MT7612U 没有安装相应的驱动，需要用 opkg 安装 kmod-mt76x2u 包。（wlan0 和 wlan1 是无线路由器上的 2.4G 和 5G 频段的无线设备）

root@OpenWrt:~# iw dev
phy#2
    Interface wlan2
        ifindex 8
        wdev 0x200000001
        addr 00:13:ef:3f:65:2b
        type managed
        txpower 3.00 dBm
        multicast TXQ:
            qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes    tx-packets
            0   0   0   0   0   0   0   0       0
phy#1
    Interface wlan1
        ifindex 7
        wdev 0x100000001
        addr 50:64:2b:5e:b5:b6
        type managed
        txpower 3.00 dBm
        multicast TXQ:
            qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes    tx-packets
            0   0   0   0   0   0   0   0       0
phy#0
    Interface wlan0
        ifindex 6
        wdev 0x1
        addr 50:64:2b:5e:b5:b5
        type managed
        txpower 26.00 dBm
        multicast TXQ:
            qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes    tx-packets
            0   0   0   0   0   0   0   0       0

下面就是使用 tcpdump 和 iw 的命令配置成 channel 6 抓包。有关无线抓包的配置，可以参考下面的两篇文章：
https://microchip.my.site.com/s/article/WiFi-Sniffer-data-capture-in-Linux-Ubuntu
https://blog.csdn.net/weixin_41856150/article/details/102327913

iw phy phy2 interface add mon0 type monitor
iw dev wlan2 del
ip link set mon0 up
iw dev mon0 set channel 6 NOHT

用 tcpdump 抓包

root@OpenWrt:~# tcpdump -i mon0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
14:06:02.947452 1.0 Mb/s 2437 MHz 11b -39dBm signal -42dBm signal antenna 0 -41dBm signal antenna 1 Beacon (rl_8907) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.011600 1.0 Mb/s 2437 MHz 11b -49dBm signal -51dBm signal antenna 0 -53dBm signal antenna 1 Beacon (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.050334 1.0 Mb/s 2437 MHz 11b -39dBm signal -42dBm signal antenna 0 -42dBm signal antenna 1 Beacon (rl_8907) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.113568 1.0 Mb/s 2437 MHz 11b -49dBm signal -51dBm signal antenna 0 -53dBm signal antenna 1 Beacon (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.152220 1.0 Mb/s 2437 MHz 11b -39dBm signal -42dBm signal antenna 0 -41dBm signal antenna 1 Beacon (rl_8907) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.216548 1.0 Mb/s 2437 MHz 11b -50dBm signal -52dBm signal antenna 0 -54dBm signal antenna 1 Beacon (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.255142 1.0 Mb/s 2437 MHz 11b -39dBm signal -42dBm signal antenna 0 -41dBm signal antenna 1 Beacon (rl_8907) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.318575 1.0 Mb/s 2437 MHz 11b -51dBm signal -53dBm signal antenna 0 -55dBm signal antenna 1 Beacon (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.329424 1.0 Mb/s 2437 MHz 11b -49dBm signal -51dBm signal antenna 0 -53dBm signal antenna 1 Probe Response (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] CH: 6, PRIVACY
14:06:03.331303 1.0 Mb/s 2437 MHz 11b -50dBm signal -51dBm signal antenna 0 -54dBm signal antenna 1 Probe Response (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] CH: 6, PRIVACY
14:06:03.333384 1.0 Mb/s 2437 MHz 11b -51dBm signal -53dBm signal antenna 0 -55dBm signal antenna 1 Probe Response (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] CH: 6, PRIVACY
14:06:03.356992 1.0 Mb/s 2437 MHz 11b -39dBm signal -42dBm signal antenna 0 -42dBm signal antenna 1 Beacon (rl_8907) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.420652 1.0 Mb/s 2437 MHz 11b -50dBm signal -51dBm signal antenna 0 -54dBm signal antenna 1 Beacon (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.459944 1.0 Mb/s 2437 MHz 11b -39dBm signal -42dBm signal antenna 0 -42dBm signal antenna 1 Beacon (rl_8907) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
14:06:03.523695 1.0 Mb/s 2437 MHz 11b -49dBm signal -51dBm signal antenna 0 -53dBm signal antenna 1 Beacon (rl_aa77) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] ESS CH: 6, PRIVACY
^C
15 packets captured
15 packets received by filter
0 packets dropped by kernel