# WPA SUPPLICANT - /var/log/messages is getting really big!

## elpek

Hello everyone!

What I come for help with today is wpa_supplicant. It's not about getting it working because I've already done so ... there's one more SERIOUS problem. I use WPA-TKIP to connect to my wireless network and after (at present) 30 minutes of work my /var/log/messages is 16 MB ... imagine how big it would get after like 3 days of continuous work ... actually like two or three days ago I realized that it took all of the 92 GB I have set up as rootfs on my desktop machine ... The system logger is syslog-ng. What I would need your help with are:

1. To get messages concerning TKIP decrypt to be logged to a separate file e.g. /var/log/wpa... because of the TKIP messy stuff getting anything else out of /var/log/messages is practically not possible.

2. To reduce the amount of logs ... the speed they are growing bigger and bigger with makes me completely surprised.

If you want to take a look at any of the config files that would help solving the issue just let me know and I'll post them here.

I appreciate any of your help!  :Smile: 

----------

## slackline

You can use logrotate to compress and archive log-files, just emerge it and then see man logrotate to define the files to be archived.

Not sure how you'd get some of the output related to the specific messages to a given file though.

----------

## d2_racing

Do you have any idea what kind of message you have inside this file?

----------

## elpek

 *d2_racing wrote:*   

> Do you have any idea what kind of message you have inside this file?

 

Actually I was trying to find out but had no luck with that ....

The contents of /var/log/messages are something like the following:

```
TKIP decrypt: data(len=68) 1d 3d 56 20 28 00 00 00 2b 6a ec 4e 6e f1 8a d1 53 06 0d 06 2f 1c 3c a7 4b d4 ca 3a f4 28 bc 13 4c c6 7a a2 9d 03 58 5b 24 cc 26 8d b8 4f c5 df 2c a8 db 12 d0 da 49 d0 f1 e1 3d 44 bd 02 16 9f 15 d0 ee 0a
TKIP decrypt: iv16=1d56 iv32=00000028
TKIP decrypt: Phase2 rc4key=1d 3d 56 c1 22 47 ec e7 62 79 7d fd f4 ff fc a7
phy0: TX to low-level driver (len=232) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
```

After around 12h uptime the file got up to a size of 3,6 Gb ... big, ha?

----------

## d2_racing

Hi, what kind of network card do you have ?

Also, did you try WPA2 with the CCMP algo, just in case that the WPA with TKIP has a problem on your box.

For my concern, I think that there is something that is in verbose mode on your box.

I have no idea.

----------

## elpek

 *d2_racing wrote:*   

> Hi, what kind of network card do you have ?
> 
> Also, did you try WPA2 with the CCMP algo, just in case that the WPA with TKIP has a problem on your box.
> 
> For my concern, I think that there is something that is in verbose mode on your box.
> ...

 

I've got Intel Pro Wireless 3945 running on iwl drivers. Actually there's no problem with an algorithm on my box as far as it seems to work. I haven't tried any other algorithm yet ... think I should?

----------

## d2_racing

If you have the same problem with WPA2 + CCMP, then your problem is on your box.

And if not, then stick with the WPA2 and your problem will be gone.

----------

## elpek

Doing a little research on my router's features I would say that the device doesn't support WPA2 + CCMP algo.

----------

## d2_racing

On your router, maybe it's the AES algo.

AES and CCMP are the same kind of sort.

----------

## elpek

What should I go with:

WPA2 Pre-Shared-Key-Only or WPA2 Pre-Shared-Key-Mixed? 

I'm not really into these encryption algorithms.

----------

## d2_racing

WPA2 Pre-Shared-Key-Only.

----------

## jeanfrancis

Actually CCMP is based on AES, your router may show CCMP/AES, or nothing at all (WPA2 should use CCMP by default).

The security of WPA2/CCMP is the better for now, so if it gets you rid of your /var/log/messages, that's a good "work around". However, it's not normal that you get all those messages  :Wink: 

----------

## d2_racing

I have an idea, can you test the latest Ubuntu LiveCD, because it has the iwl3945 driver out of the box and you could see if your /var/log/messages gets flooded by this LiveCD also.

----------

## elpek

Ok, as it was recommended by you guys I switched to WPA2 AES. My wpa_supplicant.conf file looks like the following:

```
network={
        scan_ssid=1
        ssid="Network"
        proto=WPA2
        key_mgmt=WPA-PSK
        pairwise=CCMP
        group=CCMP TKIP WEP104 WEP40
        psk=d77ab0406643e56139baa06aa0160250636d14e0c865ccf7e2ab3653abe79121
        priority=8
}
```

Situation changed to better but not quite best yet. I mean I think my /var/log/messages file gets less flooded for now - within 30 minutes it is only around 10 Mbs and there is no "decrypt" output any more but now it's being flooded with information similar to these:

```
(...)
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
phy0: TX to low-level driver (len=100) FC=0x4108 DUR=0x002c A1=00:40:10:20:00:03 A2=00:13:02:a6:da:f7 A3=00:40:10:20:00:01
(...)
```

Still verbosity of wpa_supplicant is too much more than I expect it to be. I became interested in syslog-ng to use that to filter wpa_supplicant output to a different file but I can't really match the above with the output type for syslog-ng.

I will try that Ubuntu-live to see if there is as much mess in system logs using live.

----------
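One way to route the two message types quoted in this thread to their own file with syslog-ng, as an added example that is not part of any post above. It assumes syslog-ng 3.x filter syntax and a source named `src` (the name used in Gentoo's stock syslog-ng.conf); the filter and destination names and the path `/var/log/wifi-debug.log` are hypothetical.

```conf
# Added example, not from the thread. Assumes the source is named "src";
# adjust to the source name in your own syslog-ng.conf.

# Match on the message text itself, so the rule works no matter which
# component emits the lines.
filter f_wifi_debug {
    message("TKIP decrypt: ")
    or message("phy[0-9]+: TX to low-level driver");
};

# The "TKIP decrypt: Phase2 rc4key=" lines contain per-packet key material,
# so keep the file readable by root only.
destination d_wifi_debug {
    file("/var/log/wifi-debug.log" owner("root") group("root") perm(0600));
};

# This log statement must appear BEFORE the one that feeds /var/log/messages.
# flags(final) stops matched messages from reaching any later log statement.
log {
    source(src);
    filter(f_wifi_debug);
    destination(d_wifi_debug);
    flags(final);
};

# Alternative: to discard these messages instead of storing them, remove the
# destination(d_wifi_debug); line above and keep the filter and flags(final).
```

Routing only moves the volume to another file; the separate file still needs a logrotate rule with a size limit, as suggested earlier in the thread.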

