tcpdump mailing list archives
Re: Strange wireless frames
From: Guy Harris <gharris () sonic net>
Date: Sat, 14 Jun 2003 13:12:46 -0700
On Sat, Jun 14, 2003 at 11:46:47AM -0400, Greg Stark wrote:
I'm running tcpdump on a wlan0 interface using the hostap drivers. I'm seeing some strange looking packets. They look to me like four-address inter-AP packets but I'm not really sure what they should look like or how tcpdump is supposed to display these. I've never done anything with wireless before. The reason I say they look like four-address inter-AP packets is because I know 0030 bd60 5e6b is the MAC address for a station on this network, and tcpdump is showing that in the payload of the packets. Is this type of packet supposed to be parsed by tcpdump and it's failing to recognize it somehow? or is it behaving as expected and some code needs to be written? Or is there something wrong with these packets?
Well, for one thing
15:23:22.529791 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0c00, length 60:
is what tcpdump prints for Ethernet frames, so it thinks it's seeing
Ethernet frames, not 802.11 frames - i.e., the driver (I assume this is
the Linux hostap driver from
http://hostap.epitest.fi/
) is returning an ARPHRD_ value of ARPHRD_ETHER, not one of the
ARPHRD_IEEE80211 values.
From looking at that driver source, it looks as if the
"hostap_monitor_mode_disable()" routine sets the type to ARPHRD_ETHER,
and presumably turns monitor mode off.
It might be that the driver supplies raw 802.11 packets, or some other
type of packet that doesn't start with a 14-byte Ethernet header, even
if monitor mode is off. If so, then there's a bug in the driver - it
should either supply an Ethernet header (perhaps synthesizing it from
whatever header it receives), or should supply an ARPHRD_ type that
correctly reflects what the headers are.
There's a program that comes with Ethereal called "editcap" that can be
used to, among other things, read a libpcap-format capture file and
write it out with a different link-layer type (but leave the actual
packet data alone). You might try capturing to a file, and then using
"editcap" to change the link-layer type to "ieee-802-11" or "prism" (I'd
try them in that order), and see whether the resulting file is correctly
dissected by tcpdump; if you find one that works, send a bug report to
the hostap driver developers mentioning this problem and suggesting an
ARPHRD type of:
ieee-802-11: ARPHRD_IEEE80211
prism: ARPHRD_IEEE80211_PRISM
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- Strange wireless frames Greg Stark (Jun 14)
- Re: Strange wireless frames Guy Harris (Jun 14)
- Re: Strange wireless frames Greg Stark (Jun 15)
- Re: Strange wireless frames Hannes Gredler (Jun 14)
- Re: Strange wireless frames Greg Stark (Jun 15)
- Re: Strange wireless frames Guy Harris (Jun 14)