Please note: This project is no longer active. The website is kept online for historic purposes only.
If you´re looking for a Linux driver for your Atheros WLAN device, you should continue here .

Ticket #651 (assigned defect)

Opened 13 years ago

Last modified 12 years ago

unable to associate to AP using WEP with madwifi-ng

Reported by: Assigned to: mentor (accepted)
Priority: major Milestone: version 0.9.x - progressive release candidate phase
Component: madwifi: other Version: trunk
Keywords: associating fails Cc:,
Patch is attached: 1 Pending:



With madwifi-ng (using the FC5 RPMs from ATrpms), I'm not able to associate to my access point using WEP anymore. (The old madwifi works fine.) "wlanconfig ath0 list scan" shows the accesspoint but even when specifying the mac with "iwconfig ath0 ap ...", it fails to associate.

I'm using the following commands:

iwconfig ath0 key xxxxxxxxxxxxxxxxxxxxxxxxxx
iwconfig ath0 ap any
# or: iwconfig ath0 ap 00:02:2D:61:CC:94
iwconfig ath0 channel 6
iwconfig ath0 essid domanig
iwpriv ath0 mode 2
iwpriv ath0 authmode 2
ifconfig ath0 up
# iwconfig ath0
ath0      IEEE 802.11g  ESSID:"domanig"
          Mode:Managed  Frequency:2.437 GHz  Access Point: Invalid
          Bit Rate:1 Mb/s   Tx-Power:15 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xx   Security mode:restricted
          Power Management:off
          Link Quality=49/94  Signal level=-46 dBm  Noise level=-95 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Scanning shows the following output:

# wlanconfig ath0 list scan
SSID            BSSID              CHAN RATE  S:N   INT CAPS
domanig         00:02:2d:61:cc:94    6   11M 48:0   100 EP
0...            00:02:2d:61:cc:94    6   11M 49:0   100 EP

# iwlist ath0 scan
ath0      Scan completed :
          Cell 01 - Address: 00:02:2D:61:CC:94
                    Frequency:2.437 GHz (Channel 6)
                    Quality=52/94  Signal level=-43 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
          Cell 02 - Address: 00:02:2D:61:CC:94
                    Frequency:2.437 GHz (Channel 6)
                    Quality=52/94  Signal level=-43 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s

The output of athdebug and 80211debug is attached, as well as additional info. I hope it contains some useful parts.

Let me know if you need more information.




madwifi-debug.txt (20.3 kB) - added by on 05/28/06 12:52:11.
Output of athdebug and 80211debug
madwifi-additional-info.txt (1.3 kB) - added by on 05/28/06 12:57:06.
athstats and additional info
iwconfig_ap.patch (1.6 kB) - added by on 05/31/06 04:38:53.
patch for handling of "iwconfig ath0 ap any" and "iwconfig ath0 ap off"
madwifi-debug2.txt (27.8 kB) - added by on 06/02/06 20:54:26.
new debugging info (1.0 kB) - added by on 06/06/06 05:20:11.
Script to reproduce this problem, or something like it.
kern.log (58.2 kB) - added by on 06/26/06 22:11:42.
Kernel Log of
kern_16072006.log (240.8 kB) - added by on 07/16/06 20:50:45.
Scan of r1686
0.9.2.iwconfig-wep.patch (0.7 kB) - added by schmidt@ on 07/28/06 07:41:58.
Patch for 0.9.2 to set auth scheme depending on privacy status

Change History

05/28/06 12:52:11 changed by

  • attachment madwifi-debug.txt added.

Output of athdebug and 80211debug

05/28/06 12:57:06 changed by

  • attachment madwifi-additional-info.txt added.

athstats and additional info

05/28/06 12:58:36 changed by anonymous

  • patch_attached deleted.

05/29/06 03:09:48 changed by anonymous

  • cc changed from to,

05/31/06 04:38:53 changed by

  • attachment iwconfig_ap.patch added.

patch for handling of "iwconfig ath0 ap any" and "iwconfig ath0 ap off"

05/31/06 04:43:22 changed by

Nicely written problem report, this was easy to track down.

The problem was that madwifi was interpreting the "iwconfig ath0 ap any" command as an attempt to find an AP with MAC address ff:ff:ff:ff:ff:ff. This was contrary both to the documentation for the iwconfig command, and to good sense.

As a workaround, you can use "iwconfig ath0 ap off", which will do what you want it to do. Or you can apply this patch.

Signed-Off-By: Brian Eaton <>

05/31/06 23:46:12 changed by

Hi! Thanks for your help! Unfortunately using "iwconfig ath0 ap off" doesn't fix it. Even specifying the Mac-address of the AP as commented out in my original report doesn't work.

ath0      IEEE 802.11b  ESSID:"domanig"
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated
          Bit Rate:1 Mb/s   Tx-Power:17 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:9246-BF85-65E9-4DE6-089B-E70E-F6   Security mode:restricted
          Power Management:off
          Link Quality=42/94  Signal level=-53 dBm  Noise level=-95 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

(This is the output when using "iwconfig ath0 ap off".) The attachment "madwifi-debug.txt" above contains debugging output captured when using "iwconfig ath0 ap 00:02:2D:61:CC:94". Please tell me if I should provide additional info.


06/01/06 23:50:19 changed by mentor

  • status changed from new to assigned.
  • owner set to mentor.

06/02/06 04:07:05 changed by

Interesting that this still doesn't work. I can't reproduce what you are seeing. There are a few odd things you could investigate.

Your scan appears to show two APs with the same address but different SSIDs. That's a little strange.

The madwifi debug output logs an assoc_resp packet from the AP that seems bad. The packet looks reasonable up through 82 84 0b 16, which indicates supported rates of 1, 2, 5.5 and 11 Mbit/sec, then the remaining 20 bytes don't look like anything ethereal recognizes as normal. If you add '+elemid' to your 80211debug command, I think madwifi will spit out errors saying the packet is too short. Actually, the packet is too long. It's like it had garbage tacked on the end.

If you can capture traffic of another driver successfully associating with this AP, I'd like to see it.

06/02/06 13:10:26 changed by mentor

  • version set to trunk.
  • milestone set to version 0.9.x - progressive release candidate phase.

What he said; plus could we get a debug output with 80211debug set to:

+output +input +auth +assoc +dot1x +dot1xsm +state +crypto +scan +roam


06/02/06 20:54:26 changed by

  • attachment madwifi-debug2.txt added.

new debugging info

06/02/06 21:27:19 changed by

How can I capture the traffic of another station associating? I tried to do it using

modprobe ath_pci autocreate=none
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
iwpriv ath0 mode 2
iwconfig ath0 mode monitor channel 6
ifconfig ath0 up

... and capturing an association via ethereal (promiscous mode) but this shows only 3 broadcasted 'Probe Request's.


06/03/06 01:15:38 changed by mentor

Yeah, I think you're hitting some poor information element handling. Could you try with the code from subversion?

06/03/06 12:38:03 changed by

I've upgraded to the current madwifi rpms from Axel Thimm ( and friends) which unfortunately doesn't fix it.

I believe this must be rev.1594.

I couldn't find any more recent commit in the revision log that looks like a fix for my problem. Do you think upgrading those few revisions could be worth the trouble or is 0.9.0 recent enough?



06/06/06 04:40:01 changed by

I can sometimes, sort of, nearly reproduce this.

Sometimes my card is slower to associate with the AP than it should be. If I look in the logs produced from 80211debug +recv +recv_desc, I can see what looks like broken packets being received from the AP. When this happens, the driver ignores the packet, and eventually the association or the authentication times out.

Then the driver rescans, finds the same AP, and the process repeats. The timeout appears to be five seconds. Sometimes several attempts are necessary before the association succeeds.

Leo - what happens if you wait for 60 seconds after you run your association script? Does it work then? If so, maybe I am seeing the same problem you are seeing.

I'm going to do some more tests to try to pin down whether my AP is actually sending broken packets, or if madwifi is damaging the packets after reception.

06/06/06 05:18:10 changed by

The problem isn't the AP, it's either the card or the driver. I verified this by comparing the packets captured by another card with the packets madwifi logged to kern.log. The madwifi version of the packet has 4 extra bytes tacked on the end.

While figuring that out, I noticed some other strange behavior.

Occasionally the message "ath_rx_tasklet: short packet 14"

On tests when the association works immediately, a madwifi monitor mode vap is able to capture packets.

On tests when the association fails at first, a madwifi monitor mode vap fails to capture any packets.

I'll attach my test script in a minute.

06/06/06 05:20:11 changed by

  • attachment added.

Script to reproduce this problem, or something like it.

06/08/06 22:07:47 changed by

Fascinating. Maybe related to this issue?

06/09/06 07:19:50 changed by mrenzmann

  • patch_attached set to 1.

06/17/06 23:59:47 changed by brian

My analysis of the captured data was way off base. I was misled by the format of the captured packets. The "+recv" debugging output was appending an extra 4 bytes to every frame, containing the frame checksum. The ethereal packet decoders were not expecting the frame checksum, and so reported a bogus packet. (I submitted a fix to madwifi a few days ago so that the frame checksums are not logged any longer.)

I looked at your packet captures again, this time stripping off the extra 4 bytes before asking ethereal to decode the packet. This is what tethereal shows:

IEEE 802.11
    Type/Subtype: Authentication (11)
    Frame Control: 0x00B0 (Normal)
        Version: 0
        Type: Management frame (0)
        Subtype: 11
        Flags: 0x0
            DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    Duration: 258
    Destination address: PhilipsC_4c:a0:97 (00:05:4e:4c:a0:97)
    Source address: Agere_61:cc:94 (00:02:2d:61:cc:94)
    BSS Id: Agere_61:cc:94 (00:02:2d:61:cc:94)
    Fragment number: 0
    Sequence number: 2651
IEEE 802.11 wireless LAN management frame
    Fixed parameters (6 bytes)
        Authentication Algorithm: Unknown (20717)
        Authentication SEQ: 0x0004
        Status code: Authentication rejected because of challenge failure (0x000f)

I know you wrote that you have this working with madwifi-old, but is it possible that your script is specifying the wrong WEP key?

06/18/06 18:11:30 changed by

I just reverified that the WEP-key is correct. (I did also compare the "Encryption key" output by iwconfig to the wep-key on another box that is associated, it also matches the correct key.)

If you told me how to capture the packets, I could provide a dump of another station associating to the AP. (Using ethereal in monitor mode as described above didn't work.)


06/18/06 23:34:46 changed by

Your original capture steps were nearly correct, but you need to omit the "iwpriv ath0 mode 2" command:

modprobe ath_pci autocreate=none
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
iwconfig ath0 mode monitor channel 6
ifconfig ath0 up

If you want to do the capture from the command line, you can use

tcpdump -i ath0 -s 0 -w ath0.cap

06/26/06 22:11:42 changed by

  • attachment kern.log added.

Kernel Log of

06/26/06 22:18:27 changed by

I have exactly the same problem here. Driver is version 0.9.1 released as of today. My access point is a Draytek Vigor 2600G DSL Router. My Card is a no name Atheros AR5212 Mini PCI Card.

I've ran the provided script. Unfortunatly the tcpdump of ath1 is empty. But not the kern.log, so I attached it.

An older pre-0.9 driver runs fine with the same configuration. Below is the output of this older driver version: ath_hal: (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413) wlan: (EXPERIMENTAL) ath_rate_sample: 1.2 ath_pci: (EXPERIMENTAL) ACPI: PCI Interrupt Link [LNKH] enabled at IRQ 11 ACPI: PCI Interrupt 0000:02:0a.0[A] -> Link [LNKH] -> GSI 11 (level, low) -> IRQ 1 1 Build date: Jan 21 2006 Debugging version (IEEE80211) ath0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbp s 48Mbps 54Mbps ath0: turboG rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps ath0: H/W encryption support: WEP AES AES_CCM TKIP ath0: mac 5.9 phy 4.3 radio 3.6 ath0: Use hw queue 1 for WME_AC_BE traffic ath0: Use hw queue 0 for WME_AC_BK traffic ath0: Use hw queue 2 for WME_AC_VI traffic ath0: Use hw queue 3 for WME_AC_VO traffic ath0: Use hw queue 8 for CAB traffic ath0: Use hw queue 9 for beacons Debugging version (ATH) ath0: Atheros 5212: mem=0xff9e0000, irq=11 ACPI: PCI Interrupt 0000:00:1f.5[B] -> Link [LNKB] -> GSI 11 (level, low) -> IRQ 1 1 PCI: Setting latency timer of device 0000:00:1f.5 to 64

07/02/06 01:52:32 changed by mentor

I believe this must be rev.1594.

Kinda sucks; the changeset I was thinking of was r1595. I had to go look it up though.

07/14/06 02:42:14 changed by mentor

Have you tried with a later version yet?

07/16/06 13:12:59 changed by

Tried r1686, with no success. The driver even recognizes the right frequency. It stops on the preferred ap frequency, but doesn't associate.

07/16/06 15:13:39 changed by mentor

Is there any change in the symptoms of the problems?

07/16/06 19:24:33 changed by

No. But in some rare circumstances, the association works. Not reproducible though. I've tried and tried. It works until the next AP reboot or sometimes the next client reboot. Most of the time, the association just doesn't work.

Even if I try to disable my hidden cell here, the situation doesn't improve. Sorry.

07/16/06 19:32:16 changed by mentor

@tom: In your case the problem seems to be with the ESSID matching. Could you provide the output of a scan for access points?

07/16/06 20:50:45 changed by

  • attachment kern_16072006.log added.

Scan of r1686

07/16/06 20:52:56 changed by

I've already attached the file kern.log from the 0.9.1 version. But here we go again with kern_16072006.log from the r1686 revision. Hope it helps.

07/17/06 10:12:42 changed by ignuss

I've had similar problems - card scanned for AP , found proper frequency , stopped on that for a while and then started scanning again. It seems that i have sorted that cases by turning diversity off and specifying rxantenna and txantenna. Try that, maybe it will help you.

07/17/06 22:33:03 changed by

Tried changing diversity, but no improvement. Still reception is good at any given time. If it would only associate.

07/28/06 07:38:05 changed by

I'm seeing the same with my Access Points. After debugging I came to the conclusion that the following is the reason for the problems: - when setting the WEP key using iwconfig, the key is stored and the privacy flag is set - the authentication behaviour is unchanged - my access point insists on shared-key auth, while the driver insists on open auth The result is a continued authentication failure. It seems to me there are two possible solutions: 1. change ieee80211_ioctl_siwencode (ieee80211_wireless.c) to set the authentication method. 2. change ieee80211_send_mgmt (ieee80211_output.c) to do shared key auth if the AP requests it depending on (vap->iv_flags & IEEE80211_F_PRIVACY) rather than vap->iv_bss->ni_authmode. I'll attach a patch that is working for me which does the first. If it is currently working this means the patch might break existing setups, so the second might be better as it alows for both.

07/28/06 07:41:58 changed by schmidt@

  • attachment 0.9.2.iwconfig-wep.patch added.

Patch for 0.9.2 to set auth scheme depending on privacy status

07/28/06 08:15:09 changed by

Just found out (too late) about iwpriv to set the authmode (shame on me). Sadly I couldn't find it when I was using google to research my "can't connect with WEP enabled" problem. After all, it was PEBKAC for me, though other cards don't need it and apparently switch automatically. Anyway, with the bad documentation of your regular AP, how would you be supposed to know that you have to enable shared key auth? A kernel message pointing to this might be helpful for people like me.

07/29/06 03:23:22 changed by kelmo

Patches to MadWifi are welcome ;-)

09/01/06 14:06:04 changed by

Hi, I just googled for solution of this problem, I compiled version 0.9.2 and the same as leo unable to athentificate AP. So I tried to use last patch (0.9.2.iwconfig-wep.patch) but it seems to be the same. In case of need you can contact me on icq 66792780 or skype name "piranhaman"

09/04/06 15:17:21 changed by

Sorry it was my mistake, I had wpa_supplicant installed but it was stopped... After starting everything seems to work, great!

09/05/06 03:23:40 changed by mentor

Tom: The reason that your attempts are failing is that the driver is receiving an authentication sequence packet with invalid data (specifically an invalud algorithm number). Can you confirm with a packet capture that this is the actual data on the air, rather than the data being corrupted in hardware or in the driver?

09/05/06 03:43:54 changed by mentor

Sorry, that was @leo.

09/05/06 19:43:01 changed by

How do I confirm with a packet capture that this is the actual data on the air? Any help for configuring that?

BTW, I have this problem with two different AR5212 based cards. One is from D-Link with an 5db ext antenna and the other is a laptop mini pci card. The trace comes from the mini pci card, although the symptoms are the same on both cards.

09/24/06 23:41:46 changed by

Hi! Sorry for the late reply... I've tried to capture a (successful) association of another box on air using the following commands:

modprobe ath_pci autocreate=none
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
# doesn't work: iwconfig ath0 mode monitor channel 6
iwconfig ath0 channel 6
iwpriv ath0 mode 2
ifconfig ath0 up

... but unfortunately tcpdump doesn't show any packets while associating with the other box.

It looks like the commands ...

iwconfig ath0 channel 6
iwpriv ath0 mode 2

... don't have any effect, iwconfig shows that the card is still scanning all channels.

Any hints?

09/29/06 03:43:53 changed by


I'm having a similar problem, I and thought I'd offer some info on my case (in hopes of fixing it quickly).

When I try to connect to the certain APs I log the message saying "[ath0:00:01:f4:74:f7:cc] discard assoc_resp frame, ie too short", which states the problem plain and simple - AP agrees to associate but driver thinks the frame is too short. This is probably the driver's issue, although it could be non-compliance to the standards by the certain APs (I don't know wifi standards too well). In either case it'd be nice to have it fixed (or worked around). Same card works fine under Windows.

I have a full debug output if you want it. I have the packet capture too. However, for some strange reason it didn't capture any packets to/from that particular AP. This is probably my screw up though, I was doing it pretty fast and carelessly, and only noticed that when writing this, so I'll try again later and see what happens.

I was running latest stable release of madwifi on 2.6.17 kernel. svn modules didn't load (was complaining about unresolved symbols).

Hope that helps. Contact me if you need anything else.


11/01/06 14:51:28 changed by

I'm running madwifi-ng-r1784-20061027 and I see the same problem.

I applied the patch, and it didn't make a difference.
I enabled the athdebug and ieee802debug.
The last message from ath0: is 'ieee80211_scan_assoc_success',
after that, the only debug messages are beacons from the AP.

03/04/07 13:25:21 changed by


after some time debugging this, I've came up with a solution for me. I'm currently using version r2169 from the devel snapshots. Associating with my Draytek Vigor 2600G Router, failed because the madwifi is unable to handle the Element Payloads IEEE80211_ELEMID_HOP_PARAMS = 8 and IEEE80211_ELEMID_HOP_TABLE = 9. When receiving a Type 8 Frame, it recognizes it as too short and discards it.

I've changed the driver, to handle such Frames like the AGERE Elements by adding:

if ((*frm == IEEE80211_ELEMID_AGERE1) ||
   (*frm == IEEE80211_ELEMID_AGERE2) ||
+  (*frm == IEEE80211_ELEMID_HOP_PARAMS)) {
    frm = efrm;

This works at least for me. But it's a hack. Can anyone come up with a better solution?

03/16/07 17:51:31 changed by vilos


I had similar problem with my notebook (Acer 5103WLMi) with Atheros 5005 compatible chip and router Draytek Vigor 2600Ge. It wasn't able to associate with router's AP. I think problem is with packet length, so i applied modified patch from Ticket #428 (len-check.diff): I made this changes: - while (frm < efrm) { - IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]); + while (frm < efrm && frm[1] < efrm - frm) { and - (frm > efrm) - return; in all occurrences in file net80211/ieee80211_input.c.

Now it works perfectly, always associating with my AP and with no delays! :)

03/16/07 17:58:04 changed by vilos

sorry for bad formatting; I made this changes:

- while (frm < efrm) {
-  IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
+ while (frm < efrm && frm[1] < efrm - frm) {
- (frm > efrm)
-  return;