\page ctrl_iface_page %wpa_supplicant control interface

%wpa_supplicant implements a control interface that can be used by
external programs to control the operations of the %wpa_supplicant
daemon and to get status information and event notifications. There is
a small C library, in the form of a single C file, wpa_ctrl.c, that
provides helper functions to facilitate the use of the control
interface. External programs can link this file into them and then use
the library functions documented in wpa_ctrl.h to interact with
%wpa_supplicant. This library can also be used with C++. wpa_cli.c and
wpa_gui are example programs using this library.

There are multiple mechanisms for inter-process communication. For
example, the Linux version of %wpa_supplicant uses UNIX domain sockets
for the control interface and the Windows version uses UDP sockets. The
functions defined in wpa_ctrl.h can be used to hide the details of
the IPC mechanism from external programs.


\section using_ctrl_iface Using the control interface

External programs, e.g., a GUI or a configuration utility, that need to
communicate with %wpa_supplicant should link in wpa_ctrl.c. This
allows them to use helper functions to open a connection to the control
interface with wpa_ctrl_open() and to send commands with

%wpa_supplicant uses the control interface for two types of communication:
commands and unsolicited event messages. Commands are a pair of
messages, a request from the external program and a response from
%wpa_supplicant. These can be executed using wpa_ctrl_request().
Unsolicited event messages are sent by %wpa_supplicant to the control
interface connection without a specific request from the external program
for receiving each message. However, the external program needs to
attach to the control interface with wpa_ctrl_attach() to receive these

If the control interface connection is used both for commands and
unsolicited event messages, there is potential for receiving an
unsolicited message between the command request and response.
The wpa_ctrl_request() caller will need to supply a callback, msg_cb,
for processing these messages. Often it is easier to open two
control interface connections by calling wpa_ctrl_open() twice and
then use one of the connections for commands and the other one for
unsolicited messages. This way command request/response pairs will
not be broken by unsolicited messages. wpa_cli is an example of how
to use only one connection for both purposes and wpa_gui demonstrates
how to use two separate connections.

Once the control interface connection is not needed anymore, it should
be closed by calling wpa_ctrl_close(). If the connection was used for
unsolicited event messages, it should be first detached by calling


\section ctrl_iface_cmds Control interface commands

The following commands can be used with wpa_ctrl_request():

\subsection ctrl_iface_PING PING

This command can be used to test whether %wpa_supplicant is replying
to the control interface commands. The expected reply is \c PONG if the
connection is open and %wpa_supplicant is processing commands.


\subsection ctrl_iface_MIB MIB

Request a list of MIB variables (dot1x, dot11). The output is a text
block with each line in \c variable=value format. For example:

\verbatim
dot11RSNAOptionImplemented=TRUE
dot11RSNAPreauthenticationImplemented=TRUE
dot11RSNAEnabled=FALSE
dot11RSNAPreauthenticationEnabled=FALSE
dot11RSNAConfigVersion=1
dot11RSNAConfigPairwiseKeysSupported=5
dot11RSNAConfigGroupCipherSize=128
dot11RSNAConfigPMKLifetime=43200
dot11RSNAConfigPMKReauthThreshold=70
dot11RSNAConfigNumberOfPTKSAReplayCounters=1
dot11RSNAConfigSATimeout=60
dot11RSNAAuthenticationSuiteSelected=00-50-f2-2
dot11RSNAPairwiseCipherSelected=00-50-f2-4
dot11RSNAGroupCipherSelected=00-50-f2-4
dot11RSNAAuthenticationSuiteRequested=00-50-f2-2
dot11RSNAPairwiseCipherRequested=00-50-f2-4
dot11RSNAGroupCipherRequested=00-50-f2-4
dot11RSNAConfigNumberOfGTKSAReplayCounters=0
dot11RSNA4WayHandshakeFailures=0
dot1xSuppHeldPeriod=60
dot1xSuppAuthPeriod=30
dot1xSuppStartPeriod=30
dot1xSuppSuppControlledPortStatus=Authorized
dot1xSuppBackendPaeState=2
dot1xSuppEapolFramesRx=0
dot1xSuppEapolFramesTx=440
dot1xSuppEapolStartFramesTx=2
dot1xSuppEapolLogoffFramesTx=0
dot1xSuppEapolRespFramesTx=0
dot1xSuppEapolReqIdFramesRx=0
dot1xSuppEapolReqFramesRx=0
dot1xSuppInvalidEapolFramesRx=0
dot1xSuppEapLengthErrorFramesRx=0
dot1xSuppLastEapolFrameVersion=0
dot1xSuppLastEapolFrameSource=00:00:00:00:00:00
\endverbatim


\subsection ctrl_iface_STATUS STATUS

Request current WPA/EAPOL/EAP status information. The output is a text
block with each line in \c variable=value format. For example:

\verbatim
bssid=02:00:01:02:03:04
ip_address=192.168.1.21
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
\endverbatim


\subsection ctrl_iface_STATUS-VERBOSE STATUS-VERBOSE

Same as STATUS, but with more verbosity (i.e., more \c variable=value pairs).

\verbatim
bssid=02:00:01:02:03:04
ip_address=192.168.1.21
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
Supplicant Backend state=IDLE
\endverbatim


\subsection ctrl_iface_PMKSA PMKSA

\verbatim
Index / AA / PMKID / expiration (in seconds) / opportunistic
1 / 02:00:01:02:03:04 / 000102030405060708090a0b0c0d0e0f / 41362 / 0
2 / 02:00:01:33:55:77 / 928389281928383b34afb34ba4212345 / 362 / 1
\endverbatim


\subsection ctrl_iface_SET SET <variable> <value>

- dot11RSNAConfigPMKLifetime
- dot11RSNAConfigPMKReauthThreshold
- dot11RSNAConfigSATimeout

\verbatim
SET EAPOL::heldPeriod 45
\endverbatim


\subsection ctrl_iface_LOGON LOGON

IEEE 802.1X EAPOL state machine logon.


\subsection ctrl_iface_LOGOFF LOGOFF

IEEE 802.1X EAPOL state machine logoff.


\subsection ctrl_iface_REASSOCIATE REASSOCIATE


\subsection ctrl_iface_RECONNECT RECONNECT

Connect if disconnected (i.e., like \c REASSOCIATE, but only connect
if in disconnected state).


\subsection ctrl_iface_PREAUTH PREAUTH <BSSID>

Start pre-authentication with the given BSSID.


\subsection ctrl_iface_ATTACH ATTACH

Attach the connection as a monitor for unsolicited events. This can
be done with wpa_ctrl_attach().


\subsection ctrl_iface_DETACH DETACH

Detach the connection as a monitor for unsolicited events. This can
be done with wpa_ctrl_detach().


\subsection ctrl_iface_LEVEL LEVEL <debug level>


\subsection ctrl_iface_RECONFIGURE RECONFIGURE

Force %wpa_supplicant to re-read its configuration data.


\subsection ctrl_iface_TERMINATE TERMINATE

Terminate %wpa_supplicant process.


\subsection ctrl_iface_BSSID BSSID <network id> <BSSID>

Set preferred BSSID for a network. Network id can be received from the
\c LIST_NETWORKS command output.


\subsection ctrl_iface_LIST_NETWORKS LIST_NETWORKS

List configured networks.

\verbatim
network id / ssid / bssid / flags
0 example network any [CURRENT]
\endverbatim

(note: fields are separated with tabs)


\subsection ctrl_iface_DISCONNECT DISCONNECT

Disconnect and wait for \c REASSOCIATE or \c RECONNECT command before


\subsection ctrl_iface_SCAN SCAN

Request a new BSS scan.


\subsection ctrl_iface_SCAN_RESULTS SCAN_RESULTS

Get the latest scan results.

\verbatim
bssid / frequency / signal level / flags / ssid
00:09:5b:95:e0:4e 2412 208 [WPA-PSK-CCMP] jkm private
02:55:24:33:77:a3 2462 187 [WPA-PSK-TKIP] testing
00:09:5b:95:e0:4f 2412 209 jkm guest
\endverbatim

(note: fields are separated with tabs)


\subsection ctrl_iface_BSS BSS

Get detailed per-BSS scan results. The \c BSS command can be used to
iterate through scan results one BSS at a time and to fetch all
information from the found BSSes. This provides access to the same
data that is available through \c SCAN_RESULTS but in a way that
avoids problems with a large number of scan results not fitting in the

There are two options for selecting the BSS with the \c BSS command:
"BSS <idx>" requests information for the BSS identified by the index
(0 .. size-1) in the scan results table and "BSS <BSSID>" requests
information for the given BSS (based on BSSID in 00:01:02:03:04:05

BSS information is presented in the following format. Please note that new
fields may be added to this field=value data, so the ctrl_iface user
should be prepared to ignore values it does not understand.

\verbatim
bssid=00:09:5b:95:e0:4e
ie=000b6a6b6d2070726976617465010180dd180050f20101000050f20401000050f20401000050f2020000
\endverbatim

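
One way for a client to read these field=value replies while ignoring fields it does not understand, as an added example that is not part of wpa_ctrl.c or of %wpa_supplicant. The function name kv_get and the sample reply are assumptions made for illustration; the reply is constructed in the style of the BSS and STATUS output on this page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reply: combines lines in the style of the BSS and STATUS
 * output; the ssid line and future_field are made up for this example. */
static const char SAMPLE_REPLY[] =
    "bssid=00:09:5b:95:e0:4e\n"
    "ssid=jkm private\n"
    "Supplicant PAE state=AUTHENTICATED\n"
    "future_field=a=b\n"
    "line without separator\n";

/* Copy the value of key into out. Each line is split at its first '=' and
 * the whole key must match, so "ssid" never matches the "bssid" line and
 * keys with spaces work. Fields the caller never asks for are skipped.
 * Returns 0 on success, -1 if the key is absent or the value does not fit
 * in out (the value is never truncated silently). */
int kv_get(const char *reply, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);

    while (*reply) {
        size_t llen = strcspn(reply, "\n");
        const char *eq = memchr(reply, '=', llen);

        if (eq && (size_t)(eq - reply) == klen && !memcmp(reply, key, klen)) {
            size_t vlen = llen - klen - 1;

            if (vlen >= outlen)
                return -1;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        reply += llen;
        if (*reply == '\n')
            reply++;
    }
    return -1;
}

int main(void)
{
    char val[64];

    if (kv_get(SAMPLE_REPLY, "Supplicant PAE state", val, sizeof(val)) == 0)
        printf("PAE state: %s\n", val);
    if (kv_get(SAMPLE_REPLY, "no_such_field", val, sizeof(val)) != 0)
        printf("no_such_field: not reported\n");
    return 0;
}
```
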

\subsection ctrl_iface_SELECT_NETWORK SELECT_NETWORK <network id>

Select a network (disable others). Network id can be received from the
\c LIST_NETWORKS command output.


\subsection ctrl_iface_ENABLE_NETWORK ENABLE_NETWORK <network id>

Enable a network. Network id can be received from the
\c LIST_NETWORKS command output. Special network id \c all can be
used to enable all networks.


\subsection ctrl_iface_DISABLE_NETWORK DISABLE_NETWORK <network id>

Disable a network. Network id can be received from the
\c LIST_NETWORKS command output. Special network id \c all can be
used to disable all networks.


\subsection ctrl_iface_ADD_NETWORK ADD_NETWORK

Add a new network. This command creates a new network with empty
configuration. The new network is disabled and once it has been
configured it can be enabled with the \c ENABLE_NETWORK command. \c ADD_NETWORK
returns the network id of the new network or FAIL on failure.


\subsection ctrl_iface_REMOVE_NETWORK REMOVE_NETWORK <network id>

Remove a network. Network id can be received from the
\c LIST_NETWORKS command output. Special network id \c all can be
used to remove all networks.


\subsection ctrl_iface_SET_NETWORK SET_NETWORK <network id> <variable> <value>

Set network variables. Network id can be received from the
\c LIST_NETWORKS command output.

This command uses the same variables and data formats as the
configuration file. See example wpa_supplicant.conf for more details.

- ssid (network name, SSID)
- psk (WPA passphrase or pre-shared key)
- key_mgmt (key management protocol)
- identity (EAP identity)
- password (EAP password)


\subsection ctrl_iface_GET_NETWORK GET_NETWORK <network id> <variable>

Get network variables. Network id can be received from the
\c LIST_NETWORKS command output.


\subsection ctrl_iface_SAVE_CONFIG SAVE_CONFIG

Save the current configuration.


\section ctrl_iface_interactive Interactive requests

If %wpa_supplicant needs additional information during authentication
(e.g., password), it will use a specific prefix, \c CTRL-REQ-
(\a WPA_CTRL_REQ macro) in an unsolicited event message. An external
program, e.g., a GUI, can provide such information by using
\c CTRL-RSP- (\a WPA_CTRL_RSP macro) prefix in a command with matching

The following fields can be requested in this way from the user:
- IDENTITY (EAP identity/user name)
- PASSWORD (EAP password)
- NEW_PASSWORD (New password if the server is requesting password change)
- PIN (PIN code for accessing a SIM or smartcard)
- OTP (one-time password; like password, but the value is used only once)
- PASSPHRASE (passphrase for a private key file)

\verbatim
CTRL-REQ-<field name>-<network id>-<human readable text>
CTRL-RSP-<field name>-<network id>-<value>
\endverbatim

For example, request from %wpa_supplicant:

\verbatim
CTRL-REQ-PASSWORD-1-Password needed for SSID test-network
\endverbatim

And a matching reply from the GUI:

\verbatim
CTRL-RSP-PASSWORD-1-secret
\endverbatim

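
The request/response exchange above, as an added example that is not code from wpa_ctrl.c, wpa_cli or wpa_gui. The names ctrl_req_parse and ctrl_rsp_build are assumptions; the parser accepts only the six field names listed in this section, splits at the first two separators only because the human readable text can contain '-' itself, and the builder refuses to leave a truncated secret in the output buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ctrl_req { const char *field; int network_id; const char *text; };

static const char *const FIELDS[] = {   /* the fields listed above */
    "IDENTITY", "PASSWORD", "NEW_PASSWORD", "PIN", "OTP", "PASSPHRASE", NULL
};

/* Parse CTRL-REQ-<field name>-<network id>-<text>. Returns 0, or -1 if malformed. */
int ctrl_req_parse(const char *ev, struct ctrl_req *req)
{
    size_t i, flen;
    char *end;
    long id;
    if (ev[0] == '<' && strchr(ev, '>'))
        ev = strchr(ev, '>') + 1;       /* skip a priority such as "<2>" */
    if (strncmp(ev, "CTRL-REQ-", 9) != 0)
        return -1;
    ev += 9;
    flen = strcspn(ev, "-");
    for (i = 0; FIELDS[i]; i++)
        if (strlen(FIELDS[i]) == flen && memcmp(ev, FIELDS[i], flen) == 0)
            break;
    if (!FIELDS[i] || ev[flen] != '-' || !isdigit((unsigned char)ev[flen + 1]))
        return -1;                      /* unknown field or bad network id */
    id = strtol(ev + flen + 1, &end, 10);
    if (*end != '-' || id > 0x7fffffffL)
        return -1;
    req->field = FIELDS[i];             /* points into FIELDS[] */
    req->network_id = (int)id;
    req->text = end + 1;                /* points into ev; may contain '-' */
    return 0;
}

/* Build CTRL-RSP-<field name>-<network id>-<value>; -1 and out zeroed if too long. */
int ctrl_rsp_build(const struct ctrl_req *req, const char *value,
                   char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "CTRL-RSP-%s-%d-%s",
                     req->field, req->network_id, value);
    if (n < 0 || (size_t)n >= outlen) {
        memset(out, 0, outlen);         /* leave no truncated secret behind */
        return -1;
    }
    return n;
}

int main(void)
{
    const char *ev = "CTRL-REQ-PASSWORD-1-Password needed for SSID test-network";
    struct ctrl_req req;
    char cmd[128];
    if (!ctrl_req_parse(ev, &req) && ctrl_rsp_build(&req, "secret", cmd, sizeof(cmd)) > 0)
        puts(cmd);      /* a real client sends cmd with wpa_ctrl_request() */
    return 0;
}
```
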

\subsection ctrl_iface_GET_CAPABILITY GET_CAPABILITY <option> [strict]

Get list of supported functionality (eap, pairwise, group,
proto). Supported functionality is shown as space-separated lists of
values used in the same format as in %wpa_supplicant configuration.
If the optional argument, 'strict', is added, only the values that the
driver claims to explicitly support are included. Without this, all
available capabilities are included if the driver does not provide
a mechanism for querying capabilities.

Example request/reply pairs:

\verbatim
AKA FAST GTC LEAP MD5 MSCHAPV2 OTP PAX PEAP PSK SIM TLS TTLS
\endverbatim

\verbatim
GET_CAPABILITY pairwise
\endverbatim

\verbatim
GET_CAPABILITY pairwise strict
\endverbatim

\verbatim
CCMP TKIP WEP104 WEP40
\endverbatim

\verbatim
GET_CAPABILITY key_mgmt
WPA-PSK WPA-EAP IEEE8021X NONE
\endverbatim

\verbatim
GET_CAPABILITY auth_alg
\endverbatim


\subsection ctrl_iface_AP_SCAN AP_SCAN <ap_scan value>

Change ap_scan value:
1 = %wpa_supplicant requests scans and uses scan results to select the AP,
2 = %wpa_supplicant does not use scanning and just requests the driver to
associate and take care of AP selection


\subsection ctrl_iface_INTERFACES INTERFACES

List configured interfaces.


\section ctrl_iface_events Control interface events

%wpa_supplicant generates a number of messages based on events like
connection or completion of a task. These are available to external
programs that attach to receive unsolicited messages over the control
interface with wpa_ctrl_attach().

The event messages will be delivered over the attached control interface
as text strings that start with the priority level of the message and
a fixed prefix text as defined in wpa_ctrl.h. After this, optional
additional information may be included depending on the event
message. For example, the following event message is delivered when new
scan results are available:

\verbatim
<2>CTRL-EVENT-SCAN-RESULTS
\endverbatim

The following priority levels are used:

By default, messages with a priority level greater than or equal to 2 (INFO) are
delivered over the attached control interface. The LEVEL command can be
used to set the level of messages which will be delivered. It should
be noted that there are many debug messages that do not include any
particular prefix and are subject to change. They may be used for
debug information, but can usually be ignored by external programs.

In most cases, the external program can skip over the priority field
in the beginning of the event message and then compare the following
text to the event strings from wpa_ctrl.h that the program is
interested in processing.

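
A sketch of the event handling described above, as an added example that is not code from wpa_ctrl.h or wpa_cli. The names event_parse and bss_event_args and the EVENTS table are assumptions; the table holds a few event names documented in this section, and the whole name is compared rather than a prefix, because WPS-AP-AVAILABLE is itself a prefix of WPS-AP-AVAILABLE-PBC. Messages without a known name, such as free-form debug text, are reported as unknown.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A client's own table of event names, taken from the subsections here. */
static const char *const EVENTS[] = {
    "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED", "CTRL-EVENT-SCAN-RESULTS",
    "CTRL-EVENT-BSS-ADDED", "WPS-AP-AVAILABLE", "WPS-AP-AVAILABLE-PBC", NULL
};

/* Split "<level>NAME args". Returns the index into EVENTS[], or -1 for text
 * without a known event name; *level is -1 when no priority is present. */
int event_parse(const char *msg, int *level, const char **args)
{
    size_t i, n;
    *level = -1;
    if (msg[0] == '<' && isdigit((unsigned char)msg[1]) && msg[2] == '>') {
        *level = msg[1] - '0';
        msg += 3;
    }
    n = strcspn(msg, " ");      /* the name must end at a space or the end */
    for (i = 0; EVENTS[i]; i++)
        if (strlen(EVENTS[i]) == n && memcmp(msg, EVENTS[i], n) == 0) {
            *args = msg[n] ? msg + n + 1 : msg + n;
            return (int)i;
        }
    return -1;
}

/* Validate the "<entry id> <BSSID>" arguments of CTRL-EVENT-BSS-ADDED and
 * CTRL-EVENT-BSS-REMOVED; *bssid points into args. Returns 0 or -1. */
int bss_event_args(const char *args, unsigned long *id, const char **bssid)
{
    char *end;
    size_t i;
    if (!isdigit((unsigned char)args[0]))
        return -1;
    *id = strtoul(args, &end, 10);
    if (*end != ' ' || strlen(end + 1) != 17)
        return -1;
    for (i = 0; i < 17; i++)
        if (i % 3 == 2 ? end[1 + i] != ':' : !isxdigit((unsigned char)end[1 + i]))
            return -1;
    *bssid = end + 1;
    return 0;
}

int main(void)
{
    /* Constructed message: a BSS-ADDED event with a priority in front. */
    const char *msg = "<2>CTRL-EVENT-BSS-ADDED 34 00:11:22:33:44:55";
    const char *args, *bssid;
    unsigned long id;
    int level, ev = event_parse(msg, &level, &args);
    if (ev >= 0 && bss_event_args(args, &id, &bssid) == 0)
        printf("level %d, %s: entry %lu, BSSID %s\n", level, EVENTS[ev], id, bssid);
    return 0;
}
```
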

The following subsections describe the most common event notifications
generated by %wpa_supplicant.

\subsection ctrl_iface_event_CTRL_REQ CTRL-REQ-

WPA_CTRL_REQ: Request information from a user. See
\ref ctrl_iface_interactive "Interactive requests" sections for more

\subsection ctrl_iface_event_CONNECTED CTRL-EVENT-CONNECTED

WPA_EVENT_CONNECTED: Indicate successfully completed authentication
and that the data connection is now enabled.

\subsection ctrl_iface_event_DISCONNECTED CTRL-EVENT-DISCONNECTED

WPA_EVENT_DISCONNECTED: Disconnected, data connection is not available

\subsection ctrl_iface_event_TERMINATING CTRL-EVENT-TERMINATING

WPA_EVENT_TERMINATING: %wpa_supplicant is exiting

\subsection ctrl_iface_event_PASSWORD_CHANGED CTRL-EVENT-PASSWORD-CHANGED

WPA_EVENT_PASSWORD_CHANGED: Password change was completed successfully

\subsection ctrl_iface_event_EAP_NOTIFICATION CTRL-EVENT-EAP-NOTIFICATION

WPA_EVENT_EAP_NOTIFICATION: EAP-Request/Notification received

\subsection ctrl_iface_event_EAP_STARTED CTRL-EVENT-EAP-STARTED

WPA_EVENT_EAP_STARTED: EAP authentication started (EAP-Request/Identity

\subsection ctrl_iface_event_EAP_METHOD CTRL-EVENT-EAP-METHOD

WPA_EVENT_EAP_METHOD: EAP method selected

\subsection ctrl_iface_event_EAP_SUCCESS CTRL-EVENT-EAP-SUCCESS

WPA_EVENT_EAP_SUCCESS: EAP authentication completed successfully

\subsection ctrl_iface_event_EAP_FAILURE CTRL-EVENT-EAP-FAILURE

WPA_EVENT_EAP_FAILURE: EAP authentication failed (EAP-Failure received)

\subsection ctrl_iface_event_SCAN_RESULTS CTRL-EVENT-SCAN-RESULTS

WPA_EVENT_SCAN_RESULTS: New scan results available

\subsection ctrl_iface_event_BSS_ADDED CTRL-EVENT-BSS-ADDED

WPA_EVENT_BSS_ADDED: A new BSS entry was added. The event prefix is
followed by the BSS entry id and BSSID.

\verbatim
CTRL-EVENT-BSS-ADDED 34 00:11:22:33:44:55
\endverbatim

\subsection ctrl_iface_event_BSS_REMOVED CTRL-EVENT-BSS-REMOVED

WPA_EVENT_BSS_REMOVED: A BSS entry was removed. The event prefix is
followed by the BSS entry id and BSSID.

\verbatim
CTRL-EVENT-BSS-REMOVED 34 00:11:22:33:44:55
\endverbatim

\subsection ctrl_iface_event_WPS_OVERLAP_DETECTED WPS-OVERLAP-DETECTED

WPS_EVENT_OVERLAP: WPS overlap detected in PBC mode

\subsection ctrl_iface_event_WPS_AP_AVAILABLE_PBC WPS-AP-AVAILABLE-PBC

WPS_EVENT_AP_AVAILABLE_PBC: Available WPS AP with active PBC found in

\subsection ctrl_iface_event_WPS_AP_AVAILABLE_PIN WPS-AP-AVAILABLE-PIN

WPS_EVENT_AP_AVAILABLE_PIN: Available WPS AP with recently selected PIN
registrar found in scan results.

\subsection ctrl_iface_event_WPS_AP_AVAILABLE WPS-AP-AVAILABLE

WPS_EVENT_AP_AVAILABLE: Available WPS AP found in scan results

\subsection ctrl_iface_event_WPS_CRED_RECEIVED WPS-CRED-RECEIVED

WPS_EVENT_CRED_RECEIVED: A new credential received

\subsection ctrl_iface_event_WPS_M2D WPS-M2D

WPS_EVENT_M2D: M2D received

\subsection ctrl_iface_event_WPS_FAIL WPS-FAIL

WPS_EVENT_FAIL: WPS registration failed after M2/M2D

\subsection ctrl_iface_event_WPS_SUCCESS WPS-SUCCESS

WPS_EVENT_SUCCESS: WPS registration completed successfully

\subsection ctrl_iface_event_WPS_TIMEOUT WPS-TIMEOUT

WPS_EVENT_TIMEOUT: WPS enrollment attempt timed out and was terminated

\subsection ctrl_iface_event_WPS_ENROLLEE_SEEN WPS-ENROLLEE-SEEN

WPS_EVENT_ENROLLEE_SEEN: WPS Enrollee was detected (used in AP mode).
The event prefix is followed by MAC addr, UUID-E, pri dev type,
config methods, dev passwd id, request type, [dev name].

\verbatim
WPS-ENROLLEE-SEEN 02:00:00:00:01:00
572cf82f-c957-5653-9b16-b5cfb298abf1 1-0050F204-1 0x80 4 1
\endverbatim

\subsection ctrl_iface_event_WPS_ER_AP_ADD WPS-ER-AP-ADD

WPS_EVENT_ER_AP_ADD: WPS ER discovered an AP

\verbatim
WPS-ER-AP-ADD 87654321-9abc-def0-1234-56789abc0002 02:11:22:33:44:55
pri_dev_type=6-0050F204-1 wps_state=1 |Very friendly name|Company|
Long description of the model|WAP|http://w1.fi/|http://w1.fi/hostapd/
\endverbatim

\subsection ctrl_iface_event_WPS_ER_AP_REMOVE WPS-ER-AP-REMOVE

WPS_EVENT_ER_AP_REMOVE: WPS ER removed an AP entry

\verbatim
WPS-ER-AP-REMOVE 87654321-9abc-def0-1234-56789abc0002
\endverbatim

\subsection ctrl_iface_event_WPS_ER_ENROLLEE_ADD WPS-ER-ENROLLEE-ADD

WPS_EVENT_ER_ENROLLEE_ADD: WPS ER discovered a new Enrollee

\verbatim
WPS-ER-ENROLLEE-ADD 2b7093f1-d6fb-5108-adbb-bea66bb87333
02:66:a0:ee:17:27 M1=1 config_methods=0x14d dev_passwd_id=0
pri_dev_type=1-0050F204-1
|Wireless Client|Company|cmodel|123|12345|
\endverbatim

\subsection ctrl_iface_event_WPS_ER_ENROLLEE_REMOVE WPS-ER-ENROLLEE-REMOVE

WPS_EVENT_ER_ENROLLEE_REMOVE: WPS ER removed an Enrollee entry

\verbatim
WPS-ER-ENROLLEE-REMOVE 2b7093f1-d6fb-5108-adbb-bea66bb87333
\endverbatim

\subsection ctrl_iface_event_WPS_PIN_NEEDED WPS-PIN-NEEDED

WPS_EVENT_PIN_NEEDED: PIN is needed to complete provisioning with an
Enrollee. This is followed by information about the Enrollee (UUID,
MAC address, device name, manufacturer, model name, model number,
serial number, primary device type).

\verbatim
WPS-PIN-NEEDED 5a02a5fa-9199-5e7c-bc46-e183d3cb32f7 02:2a:c4:18:5b:f3
[Wireless Client|Company|cmodel|123|12345|1-0050F204-1]
\endverbatim

\subsection ctrl_iface_event_WPS_NEW_AP_SETTINGS WPS-NEW-AP-SETTINGS

WPS_EVENT_NEW_AP_SETTINGS: New AP settings were received

\subsection ctrl_iface_event_WPS_REG_SUCCESS WPS-REG-SUCCESS

WPS_EVENT_REG_SUCCESS: WPS provisioning was completed successfully

\subsection ctrl_iface_event_WPS_AP_SETUP_LOCKED WPS-AP-SETUP-LOCKED

WPS_EVENT_AP_SETUP_LOCKED: AP changed into setup locked state due to
multiple failed configuration attempts using the AP PIN.

\subsection ctrl_iface_event_AP_STA_CONNECTED AP-STA-CONNECTED

AP_STA_CONNECTED: A station associated with us (AP mode event). The
event prefix is followed by the MAC address of the station.

\verbatim
AP-STA-CONNECTED 02:2a:c4:18:5b:f3
\endverbatim

\subsection ctrl_iface_event_AP_STA_DISCONNECTED AP-STA-DISCONNECTED

AP_STA_DISCONNECTED: A station disassociated (AP mode event)

\verbatim
AP-STA-DISCONNECTED 02:2a:c4:18:5b:f3
\endverbatim