tcpdump mailing list archives
tcpdump - prism headers
From: axi <gustave.flaubert () gmail com>
Date: Wed, 22 Feb 2006 03:42:29 +0100
Hi to all, this is my first message to the list; first, please excuse my English and other mistakes.

I'm developing a decoder of 802.11 packets for Snort, and the first step is to look at how that is done in other tools, like Kismet, Ethereal/Tethereal, and tcpdump. Now I'm running tests with tcpdump. I use my 802.11 cards in monitor mode (RFMON), and I receive all administration, control and data packets from all networks that transmit on the card's channel. When I capture with Ethereal or Tethereal, all works fine. But when I try with tcpdump I have some problems.

OK, on to the problem: I tested with the hostap, madwifi and acx100 drivers, with acx100, Atheros and Prism 2.5 cards, but the result is the same. When tcpdump receives a packet with Prism headers, recognized as follows:

    listening on ath0, link-type PRISM_HEADER (802.11 plus Prism header), capture size 96 bytes

it always prints "[|802.11]", for data, control or administration packets.

The packet size resulting from the pcap capture seems to be 96 bytes, but when I capture the same packet with Ethereal, it is 240 bytes: 96 bytes + 144 bytes of Prism headers. So it seems that libpcap cuts the Prism headers, and tcpdump always prints "[|802.11]" because of the condition below.

Line 1177 of print-802_11.c, in the prism_if_print function:

    if (caplen < PRISM_HDR_LEN) { /* True because caplen = 96 bytes, and PRISM_HDR_LEN = 144 bytes */
        printf("[|802.11]");
        return caplen;
    }

When I capture packets with Ethereal and then replay them with tcpdump, all works fine, but when I read from an interface libpcap removes the Prism headers. Does anyone know why this is? Is it a bug, or am I making a mistake?

Thanks to all,
Asier

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
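The check quoted in the message, generalized slightly as an added example (not part of the original post and not tcpdump's own code): a dissector validates caplen, which libpcap bounds by the snapshot length reported in the "capture size" banner, before touching the Prism header and again before the 802.11 frame control. The function names, status codes and the constructed 240-byte sample packet are assumptions; PRISM_HDR_LEN = 144 comes from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRISM_HDR_LEN 144    /* value quoted in the message */
#define IEEE80211_FC_LEN 2   /* 802.11 frame control field */
enum { DISSECT_OK = 0, TRUNC_PRISM = -1, TRUNC_80211 = -2 };

/* Hypothetical dissector: reads the 802.11 frame control that follows
 * the Prism header, but only after proving those bytes were captured.
 * caplen = bytes actually present in buf (never more than the snaplen). */
static int dissect_prism(const uint8_t *buf, size_t caplen, uint16_t *fc)
{
    if (caplen < PRISM_HDR_LEN)
        return TRUNC_PRISM;                /* the "[|802.11]" case */
    if (caplen - PRISM_HDR_LEN < IEEE80211_FC_LEN)
        return TRUNC_80211;                /* header present, frame cut off */
    const uint8_t *p = buf + PRISM_HDR_LEN;
    *fc = (uint16_t)(p[0] | (p[1] << 8));  /* frame control is little-endian */
    return DISSECT_OK;
}

/* Constructed sample: 144 zero bytes standing in for the Prism header,
 * then a beacon frame control (0x0080); only `caplen` bytes are "captured". */
static int dissect_sample(size_t caplen, uint16_t *fc)
{
    uint8_t pkt[240];
    memset(pkt, 0, sizeof pkt);
    pkt[PRISM_HDR_LEN] = 0x80;             /* type=management, subtype=beacon */
    if (caplen > sizeof pkt) caplen = sizeof pkt;
    return dissect_prism(pkt, caplen, fc);
}

int main(void)
{
    size_t lens[] = { 96, 144, 145, 240 }; /* 96 and 240 are the sizes in the message */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint16_t fc = 0;
        int rc = dissect_sample(lens[i], &fc);
        if (rc == DISSECT_OK)
            printf("caplen=%zu fc=0x%04x\n", lens[i], fc);
        else
            printf("caplen=%zu [|802.11] (status %d)\n", lens[i], rc);
    }
    return 0;
}
```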
Current thread:
- tcpdump - prism headers axi (Feb 21)
- Re: tcpdump - prism headers Guy Harris (Feb 21)
- Re: tcpdump - prism headers axi (Feb 21)
- Re: tcpdump - prism headers David Young (Feb 21)
- Re: tcpdump - prism headers Guy Harris (Feb 22)
- Re: tcpdump - prism headers Guy Harris (Feb 21)