1diff -ur ../madwifi-cvs-20050707/ath/if_ath.c ./ath/if_ath.c
2--- ../madwifi-cvs-20050707/ath/if_ath.c	2005-06-25 02:35:12.000000000 +0200
3+++ ./ath/if_ath.c	2005-07-30 00:27:46.000000000 +0200
4@@ -1117,7 +1117,8 @@
5 	/*
6 	 * Encapsulate the packet for transmission.
7 	 */
8-	skb = ieee80211_encap(ic, skb, &ni);
9+	if (ic->ic_opmode != IEEE80211_M_MONITOR)
10+		skb = ieee80211_encap(ic, skb, &ni);
11 	if (skb == NULL) {
12 		DPRINTF(sc, ATH_DEBUG_XMIT,
13 			"%s: discard, encapsulation failure\n", __func__);
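Review bot: With encapsulation skipped in monitor mode, the skb handed on is a raw frame supplied by the caller, yet nothing in this hunk checks that it is at least as long as the 802.11 header that ath_tx_start later parses (`wh->i_fc[0]`, `ieee80211_anyhdrsize(wh)` in the following hunks). A minimum-length check in the monitor branch, e.g. `if (skb->len < sizeof(struct ieee80211_frame_min)) goto bad;` (using whatever discard label this function already has), would keep a short injected frame from reading past the buffer. The monitor branch also leaves `ni` untouched, so the code after it relies on `ni` having been initialised to NULL earlier in the function — worth confirming, since the null-guard added in a later hunk covers only the short-preamble check. The enclosing function starts and ends outside this hunk.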
14@@ -2830,7 +2831,7 @@
15 	struct ieee80211com *ic = &sc->sc_ic;
16 	struct ath_hal *ah = sc->sc_ah;
17 	int iswep, ismcast, keyix, hdrlen, pktlen, try0;
18-	u_int8_t rix, txrate, ctsrate;
19+	u_int8_t rix = 0, txrate, ctsrate;
20 	u_int8_t cix = 0xff;		/* NB: silence compiler */
21 	struct ath_desc *ds;
22 	struct ath_txq *txq;
23@@ -2847,7 +2848,7 @@
24 	hdrlen = ieee80211_anyhdrsize(wh);
25 	pktlen = skb->len;
26
27-	if (iswep) {
28+	if (iswep && ic->ic_opmode != IEEE80211_M_MONITOR) {
29 		const struct ieee80211_cipher *cip;
30 		struct ieee80211_key *k;
31
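Review bot: The monitor-mode exception on the `iswep` test deserves a comment, since a reader otherwise expects a frame with the protected bit set to go through key lookup; something like `/* monitor-mode injection: frame is transmitted as supplied, no key lookup */`. Whether `keyix` then gets a defined value depends on the else branch of this if, which lies outside the hunk — confirm it still assigns HAL_TXKEYIX_INVALID (or the equivalent) for this case. ath_tx_start starts and ends outside this hunk.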
32@@ -2909,7 +2910,7 @@
33 	 * use short preamble based on the current mode and
34 	 * negotiated parameters.
35 	 */
36-	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
37+	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && ni != NULL &&
38 	    (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
39 		shortPreamble = AH_TRUE;
40 		sc->sc_stats.ast_tx_shortpre++;
41@@ -2924,6 +2925,11 @@
42 	 */
43 	switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
44 	case IEEE80211_FC0_TYPE_MGT:
45+		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
46+			atype = HAL_PKT_TYPE_NORMAL;
47+			txq = sc->sc_ac2q[skb->priority];
48+			break;
49+		}
50 		subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
51 		if (subtype == IEEE80211_FC0_SUBTYPE_BEACON)
52 			atype = HAL_PKT_TYPE_BEACON;
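Review bot: `sc->sc_ac2q[skb->priority]` in the new monitor branch indexes the access-category queue array with a value that is never range-checked here; with `ieee80211_encap` now skipped in monitor mode (first hunk), whatever normally sets `skb->priority` to an access category presumably no longer runs, and the field holds whatever the caller or socket layer put there. An out-of-range value reads past `sc_ac2q` and hands a bogus queue pointer to the rest of the function. Either fix the queue, `txq = sc->sc_ac2q[WME_AC_BE];`, or reject or clamp values not below WME_NUM_AC before indexing. The same pattern appears in the IEEE80211_FC0_TYPE_CTL and default branches of the hunks that follow.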
53@@ -2943,6 +2949,11 @@
54 		txq = sc->sc_ac2q[WME_AC_VO];
55 		break;
56 	case IEEE80211_FC0_TYPE_CTL:
57+		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
58+			atype = HAL_PKT_TYPE_NORMAL;
59+			txq = sc->sc_ac2q[skb->priority];
60+			break;
61+		}
62 		atype = HAL_PKT_TYPE_PSPOLL;	/* stop setting of duration */
63 		rix = 0;			/* XXX lowest rate */
64 		try0 = ATH_TXMAXTRY;
65@@ -2958,8 +2969,9 @@
66 		/*
67 		 * Data frames; consult the rate control module.
68 		 */
69-		ath_rate_findrate(sc, an, shortPreamble, skb->len,
70-			&rix, &try0, &txrate);
71+		if (ic->ic_opmode != IEEE80211_M_MONITOR)
72+			ath_rate_findrate(sc, an, shortPreamble, skb->len,
73+					  &rix, &try0, &txrate);
74 		/*
75 		 * Default all non-QoS traffic to the background queue.
76 		 */
77@@ -2970,6 +2982,11 @@
78 			txq = sc->sc_ac2q[WME_AC_BK];
79 		break;
80 	default:
81+		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
82+			atype = HAL_PKT_TYPE_NORMAL;
83+			txq = sc->sc_ac2q[skb->priority];
84+			break;
85+		}
86 		printk("%s: bogus frame type 0x%x (%s)\n", dev->name,
87 			wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
88 		/* XXX statistic */
89@@ -3092,6 +3109,17 @@
90 		txq->axq_intrcnt = 0;
91 	}
92
93+	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
94+		int i;
95+		try0 = 1;   /* no retransmissions */
96+		txrate = 0;
97+		rt = sc->sc_rates[IEEE80211_MODE_11G];
98+                for (i = 0; i < rt->rateCount; i++) {
99+                        if (rt->info[i].rateKbps == ic->inject_rate)
100+                                txrate = rt->info[i].rateCode;
101+                }
102+	}
103+
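Review bot: The new monitor-mode block overwrites `rt` with the 11g rate table regardless of the current channel mode, so an injection on an 11a or 11b channel looks the rate code up in the wrong table; if `rt` was set from `sc->sc_currates` earlier in ath_tx_start (outside this hunk), that value should simply be kept. When `ic->inject_rate` matches no entry, `txrate` stays 0, which is not a rate code taken from the table — falling back to the table's first entry is safer, and the loop can stop at the first match. The block also uses space indentation where the file uses tabs. ath_tx_start starts and ends outside this hunk.
```c
	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
		int i;
		try0 = 1;	/* no retransmissions */
		/* rt: rate table for the current channel mode (set earlier in this function) */
		txrate = rt->info[0].rateCode;	/* fallback when inject_rate is unknown */
		for (i = 0; i < rt->rateCount; i++) {
			if (rt->info[i].rateKbps == ic->inject_rate) {
				txrate = rt->info[i].rateCode;
				break;
			}
		}
	}
```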
104 	/*
105 	 * Formulate first tx descriptor with tx controls.
106 	 */
107@@ -3100,7 +3128,7 @@
108 		, pktlen		/* packet length */
109 		, hdrlen		/* header length */
110 		, atype			/* Atheros packet type */
111-		, MIN(ni->ni_txpower,60)/* txpower */
112+		, 60                    /* txpower */
113 		, txrate, try0		/* series 0 rate/tries */
114 		, keyix			/* key cache index */
115 		, sc->sc_txantenna	/* antenna mode */
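Review bot: Replacing `MIN(ni->ni_txpower,60)` with a constant `60` applies to every operating mode, not just monitor, so frames to associated stations lose the per-node transmit power limit this call previously honoured. Keep the limit where a node exists: `, ni != NULL ? MIN(ni->ni_txpower, 60) : 60	/* txpower */`. For injected frames the fixed value means transmit power is no longer tied to a node's negotiated limit; whether the HAL still clamps it to the channel's regulatory maximum is not visible from this hunk. ath_tx_start starts and ends outside this hunk.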
116@@ -3115,7 +3143,7 @@
117 	 * when the hardware supports multi-rate retry and
118 	 * we don't use it.
119 	 */
120-	if (try0 != ATH_TXMAXTRY)
121+	if (try0 != ATH_TXMAXTRY && ic->ic_opmode != IEEE80211_M_MONITOR)
122 		ath_rate_setupxtxdesc(sc, an, ds, shortPreamble, rix);
123
124 	ds->ds_link = 0;
125Only in ./ath: if_ath.c.orig
126diff -ur ../madwifi-cvs-20050707/net80211/ieee80211_var.h ./net80211/ieee80211_var.h
127--- ../madwifi-cvs-20050707/net80211/ieee80211_var.h	2005-02-16 17:09:03.000000000 +0100
128+++ ./net80211/ieee80211_var.h	2005-07-29 22:43:08.000000000 +0200
129@@ -307,6 +307,8 @@
130 	 */
131 	const struct ieee80211_aclator *ic_acl;
132 	void			*ic_as;
133+
134+	int inject_rate;	/* injection rate in Monitor mode */
135 };
136
137 #define	IEEE80211_ADDR_EQ(a1,a2)	(memcmp(a1,a2,IEEE80211_ADDR_LEN) == 0)
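Review bot: The comment on the new `inject_rate` field states neither its unit nor the meaning of zero, and both matter: the setter in ieee80211_wireless.c stores `rrq->value / 1000` and if_ath.c compares the field against `rateKbps`, so the value is in kbit/s, and an interface whose mode was never set through the ioctl leaves it at zero. Suggest `int inject_rate;	/* monitor-mode injection rate, kbit/s; 0 = not configured */`.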
138diff -ur ../madwifi-cvs-20050707/net80211/ieee80211_wireless.c ./net80211/ieee80211_wireless.c
139--- ../madwifi-cvs-20050707/net80211/ieee80211_wireless.c	2005-03-07 17:35:09.000000000 +0100
140+++ ./net80211/ieee80211_wireless.c	2005-07-29 22:50:42.000000000 +0200
141@@ -328,6 +328,18 @@
142 	struct ifreq ifr;
143 	int rate;
144
145+	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
146+		rate = rrq->value / 1000;
147+		if (rate !=  1000 && rate !=  2000 && rate !=  5500 &&
148+		    rate != 11000 && rate !=  6000 && rate !=  9000 &&
149+		    rate != 12000 && rate != 18000 && rate != 24000 &&
150+		    rate != 36000 && rate != 48000 && rate != 54000 )
151+		    return -EINVAL;
152+		printk(KERN_DEBUG "setting xmit rate to %d\n", rate);
153+		ic->inject_rate = rate;
154+		return 0;
155+	}
156+
157 	if (!ic->ic_media.ifm_cur)
158 		return -EINVAL;
159 	memset(&ifr, 0, sizeof(ifr));
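Review bot: The rate whitelist in the new monitor branch hardcodes the 11b/11g rate set and so duplicates knowledge the driver already keeps in its rate tables; it will drift from them as modes are added and does not reflect which rates the current channel actually supports. Validating against the active rate set (the per-mode supported rates kept in `ic`, or a lookup in the driver's current table) would keep that check in one place. The `printk(KERN_DEBUG ...)` fires on every user-triggered SIOCSIWRATE; if it is kept, route it through the stack's debug macro rather than an unconditional printk. The enclosing ioctl handler starts outside this hunk.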
160@@ -354,6 +366,11 @@
161 	struct ifmediareq imr;
162 	int rate;
163
164+	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
165+		rrq->value = ic->inject_rate * 1000;
166+		return 0;
167+	}
168+
169 	memset(&imr, 0, sizeof(imr));
170 	(*ic->ic_media.ifm_status)(ic->ic_dev, &imr);
171
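Review bot: The monitor branch returns `rrq->value` without setting `rrq->fixed`, while the non-monitor path below presumably fills it in from the media word; since the injection rate is always a fixed rate, add `rrq->fixed = 1;` before the return so user-space tools report it consistently. The enclosing handler starts outside this hunk.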
172@@ -782,6 +799,7 @@
173 #if WIRELESS_EXT >= 15
174 	case IW_MODE_MONITOR:
175 		ifr.ifr_media |= IFM_IEEE80211_MONITOR;
176+		ic->inject_rate = 5500; /* default = 5.5M DSSS */
177 		break;
178 #endif
179 	default:
180