tcpdump mailing list archives

Re: problem while examining 802.11 packets


From: Christian Stålp <christian.stalp () gmx de>
Date: Sat, 16 Feb 2008 18:55:56 +0100

Guy Harris wrote:
Note that this means that your filter expression "wlan[0:2] & 0xF1 != 0" will be checking the first two octets of the destination MAC address, as that's what the first two octets of the link-layer header are. (Yes, you said "wlan", but "wlan" is just another name for "link" in that case, just as "ether" is, and "link[0:2]" - and thus "ether[0:2]", "wlan[0:2]", "fddi[0:2]", etc. - refers to the first two octets of the link-layer header, regardless of whether it's an Ethernet header or an 802.11 header or an FDDI header or a ppp header or....)

There is no way to check the frame control field of incoming packets unless the incoming packets have 802.11 headers rather than Ethernet headers...
Argh, that is very, very sad news. That dumps all my ideas. My project was to track the retry field and, in case of a dramatic increase, switch over to monitor mode and see what is wrong. Maybe you see some pattern, some events? My idea was to observe which station in the BSS has the most trouble during transmission.

Is there really no way to track this information from the fake Ethernet frames? I already checked the functions of iwlib, but these are only related to the local interface.

...and with most Linux 802.11 drivers the *ONLY* way to get 802.11 headers, as far as I know, is to capture in monitor mode. (The Atheros driver you're using might be different - it's already different in that

    1) it doesn't call the device "eth0", it calls it "ath0"

Yes, this confused me the first time too. But the real target of my project is the Broadcom chip. This means it is intended to become a daemon on an OpenWrt AP. And now that has become more complex than I thought, if I consider how laborious it is to put Atheros (madwifi) into monitor mode. This is not done with a simple "iwconfig ath0 mode monitor"; no, you have to create a monitor VAP first. I hope this is not something I need with Broadcom. I don't know how to manage this with the functions of iwlib. I hope this will work.

and

2) it appears to advertise a *second* device, the "wifi0" device, for capturing in monitor mode.)

This seems to be something like a virtual AP; I don't know exactly the purpose of that interface or why it's created by default. But it's the only interface that I can select with Wireshark without hanging.

Regards, Christian

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
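As an added example (not code from this thread, from tcpdump or from madwifi): a small Python decoder for the 802.11 frame control field, the field the filter in the thread was meant to test, plus a per-station tally of frames carrying the Retry bit, which is what the original project wanted to observe. The frames are constructed inline; the BSSID and station addresses are made up, and the decoder is only meaningful on a monitor-mode capture that really carries 802.11 headers.

```python
# Added example, not code from the tcpdump-workers thread: decode the 802.11
# frame control field (what the thread's filter was meant to test) and tally
# Retry-flagged frames per transmitting station. Frames below are constructed.
import struct
from collections import defaultdict

RETRY = 0x08  # Retry flag: bit 3 of the second frame-control octet

def frame_control(frame: bytes) -> dict:
    """Decode the first two octets of an 802.11 MAC header.
    Meaningful only for monitor-mode captures; on a "fake Ethernet" capture
    these octets are the start of the destination MAC, as Guy notes above.
    """
    fc0, fc1 = frame[0], frame[1]
    return {
        "version": fc0 & 0x03,
        "type": (fc0 >> 2) & 0x03,   # 0 management, 1 control, 2 data
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "retry": bool(fc1 & RETRY),  # tcpdump equivalent: wlan[1] & 0x08 != 0
    }

def transmitter(frame: bytes) -> str:
    """Address 2 (octets 10-15) is the transmitter of data/management frames."""
    return ":".join(f"{b:02x}" for b in frame[10:16])

def retry_stats(frames) -> dict:
    """Map transmitter -> (retried, total) over data and management frames."""
    stats = defaultdict(lambda: [0, 0])
    for f in frames:
        fc = frame_control(f)
        if fc["type"] == 1:      # skip control frames; an ACK has no addr2
            continue
        ta = transmitter(f)
        stats[ta][1] += 1
        stats[ta][0] += fc["retry"]
    return {ta: (r, n) for ta, (r, n) in stats.items()}

def data_frame(src: bytes, dst: bytes, seq: int, retry: bool) -> bytes:
    """Constructed station->AP data frame (To DS=1: addr1=BSSID, addr2=SA, addr3=DA)."""
    fc1 = 0x01 | (RETRY if retry else 0)
    header = bytes([0x08, fc1]) + struct.pack("<H", 0)   # type=data, duration=0
    return header + BSSID + src + dst + struct.pack("<H", seq << 4)

BSSID = bytes.fromhex("02aabbccddee")   # constructed addresses
STA_A, STA_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
FRAMES = ([data_frame(STA_A, BSSID, i, retry=(i % 4 != 0)) for i in range(8)]
          + [data_frame(STA_B, BSSID, i, retry=False) for i in range(8)])
```

Running `retry_stats(FRAMES)` on the constructed frames reports 6 of 8 frames from the first station with the Retry bit set and none from the second; on a real monitor-mode capture the same tally over time is what would flag a station with transmission trouble.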