Re: capturing on both interfaces simultaneously

[Guy Harris <guy () alum mit edu>]

On Dec 11, 2011, at 4:10 PM, abhinav narain wrote:

> > It sniffs for beacons by using bpf filter and keeps a per AP record of
> > > packet count etc in a table.
> >
> > So if that's all you're doing, you presumably don't have your own buffer
> > for packets; when you say "I already have 15% RAM being eaten by the
> > program, so I can't actually increase the buffer size to save packets in
> > between select switches.", are you referring to the buffer in libpcap
> > itself, as specified by pcap_set_buffer_size()?
> Yes, I havent user the pcap_set_buffer_size(), but in open_live() , i give the buffersize as BUFSIZ,


There is no buffer size option in pcap_open_live(), so you *can't* give the buffer size in a pcap_open_live() call.


> > One way to identify a beacon frame from an 802.11n-capable AP is to look
> > for the HT Capabilities Info field; see "7.3.2.56.2 HT Capabilities Info
> > field" in the 802.11 spec.
> Is this is information in the radiotap header

No.

> or the mac header ?

No.

It's in the management frame body.  See sections 7.1, 7.2, and 7.3 of the 802.11 standard:

        http://standards.ieee.org/getieee802/download/802.11-2007.pdf

and of the 802.11n standard:

        http://standards.ieee.org/getieee802/download/802.11n-2009.pdf

> I looked at wireshark code which is the only tool i came across giving some
> information on N protocol, but its code is more complicated than
> pcap,tcpdump,kismet,horst i went through before.
> Is there any other tool i can see how to code it.

None that I know of.

> I am parsing till the 31st bit on radiotap header bitmap.
> Any code base where I can see how they do it ?

None of this is in the radiotap header!  It's in the body of a management frame.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.