tcpdump mailing list archives

Re: Strange wireless frames


From: Greg Stark <gsstark () mit edu>
Date: 15 Jun 2003 02:36:23 -0400

Guy Harris <gharris () sonic net> writes:

> is what tcpdump prints for Ethernet frames, so it thinks it's seeing
> Ethernet frames, not 802.11 frames - i.e., the driver (I assume this is
> the Linux hostap driver from
>
>       http://hostap.epitest.fi/

Yup, that one.

> ) is returning an ARPHRD_ value of ARPHRD_ETHER, not one of the
> ARPHRD_IEEE80211 values.
>
> From looking at that driver source, it looks as if the
> "hostap_monitor_mode_disable()" routine sets the type to ARPHRD_ETHER,
> and presumably turns monitor mode off.

This makes perfect sense. The interface is currently up and actively being an
access point. I think, though I haven't been able to confirm this clearly,
that monitor mode and AP mode are mutually exclusive.

> It might be that the driver supplies raw 802.11 packets, or some other
> type of packet that doesn't start with a 14-byte Ethernet header, even
> if monitor mode is off.  If so, then there's a bug in the driver - it
> should either supply an Ethernet header (perhaps synthesizing it from
> whatever header it receives), or should supply an ARPHRD_ type that
> correctly reflects what the headers are.

But is it possible to return a different link type for each packet? Or does
the driver interface require it to report a particular link type and then
return all packets according to that type? I was under the impression it was
the latter. In which case there's a problem, because as you see below there
are normal ethernet frames present in addition to the magic 802.11 type
frames.

> There's a program that comes with Ethereal called "editcap" that can be
> used to, among other things, read a libpcap-format capture file and
> write it out with a different link-layer type (but leave the actual
> packet data alone).  You might try capturing to a file, and then using
> "editcap" to change the link-layer type to "ieee-802-11" or "prism" (I'd
> try them in that order), and see whether the resulting file is correctly
> dissected by tcpdump; if you find one that works, send a bug report to
> the hostap driver developers mentioning this problem and suggesting an
> ARPHRD type of:
>
>       ieee-802-11: ARPHRD_IEEE80211
>       prism: ARPHRD_IEEE80211_PRISM

These are all the same packets with the three different link types. The
ieee-802-11 link type seems the most reasonable, but only for these
four-address frames. And even then it just says "Assoc Request()". I'm not
sure if there is normally more data present than that or not.

But the 802.11 link type doesn't work for the normal frames.

[The presence of the PPPoE frames weirds me out a lot; I wasn't seeing that
before. Windows must be pretty messed up if it's getting confused about which
Ethernet device its PPPoE session is on. I use PPPoE with Linux but I checked,
these are definitely not mine, the session id is wrong]

bash-2.05b$ tcpdump -e -r capture-ieee-802-11
reading from file capture-ieee-802-11, link-type 105
00:17:00.405144 BSSID:00:00:00:30:bd:60 DA:00:00:01:00:00:00 SA:00:00:0e:00:b0:00 Assoc Request ()
00:17:00.409633 BSSID:00:00:00:30:bd:60 DA:00:00:02:00:00:00 SA:00:00:0e:00:10:00 Assoc Request ()
00:17:00.839308 BSSID:00:00:00:30:bd:60 DA:00:00:01:00:00:00 SA:00:00:0e:00:b0:00 Assoc Request ()
00:17:00.849824 BSSID:00:00:00:30:bd:60 DA:00:00:02:00:00:00 SA:00:00:0e:00:10:00 Assoc Request ()
00:17:26.386658 BSSID:35:f2:00:16:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request ()
00:17:27.870277 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:17:27.870961 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:17:32.872141 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:17:32.872810 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:17:41.878718 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:17:41.879380 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:17:57.879741 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:17:57.880361 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:18:27.432575 BSSID:35:f2:00:16:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request ()
00:19:28.494305 BSSID:35:f2:00:16:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request ()
00:20:06.435984 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:20:06.436622 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:20:29.586816 BSSID:35:f2:00:12:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request ()
00:20:31.557745 BSSID:35:f2:00:12:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request ()
00:20:35.151368 BSSID:00:28:07:cc:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request ()
00:20:35.151940 BSSID:00:28:07:cc:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request ()
00:20:35.506042 BSSID:00:28:07:cd:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request ()
00:20:35.506548 BSSID:00:28:07:cd:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request ()
00:20:35.830684 BSSID:00:a1:07:ce:00:00 DA:ff:fa:00:30:bd:60 SA:5e:6b:08:00:45:00 Assoc Request ()
00:20:35.831246 BSSID:00:a1:07:ce:00:00 DA:ff:fa:00:30:bd:60 SA:5e:6b:08:00:45:00 Assoc Request ()
00:20:36.310162 BSSID:00:28:07:d0:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request ()
00:20:36.310579 BSSID:00:28:07:d0:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request ()
00:20:36.707780 [|802.11]
00:20:38.835666 BSSID:00:a1:07:d1:00:00 DA:ff:fa:00:30:bd:60 SA:5e:6b:08:00:45:00 Assoc Request ()


bash-2.05b$ tcpdump -r capture-prism
reading from file capture-prism, link-type 119
00:17:00.405144 [|802.11]
00:17:00.409633 [|802.11]
00:17:00.839308 [|802.11]
00:17:00.849824 [|802.11]
00:17:26.386658 [|802.11]
00:17:27.870277 Assoc Request ()
00:17:27.870961 Assoc Request ()
00:17:32.872141 Assoc Request ()
00:17:32.872810 Assoc Request ()
00:17:41.878718 Assoc Request ()
00:17:41.879380 Assoc Request ()
00:17:57.879741 Assoc Request ()
00:17:57.880361 Assoc Request ()
00:18:27.432575 [|802.11]
00:19:28.494305 [|802.11]
00:20:06.435984 Assoc Request () [0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Mbit]
00:20:06.436622 Assoc Request () [0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Mbit]
00:20:29.586816 [|802.11]
00:20:31.557745 [|802.11]
00:20:35.151368 [|802.11]
00:20:35.151940 [|802.11]
00:20:35.506042 [|802.11]
00:20:35.506548 [|802.11]
00:20:35.830684 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:20:35.831246 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)
00:20:36.310162 [|802.11]
00:20:36.310579 [|802.11]
00:20:36.707780 [|802.11]
00:20:38.835666 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3)


bash-2.05b$ tcpdump -e -r capture 
reading from file capture, link-type 1
00:17:00.405144 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66: 
                         b000 0000 0030 bd60 5e6b 0006 25a7 432b
                         0006 25a7 432b 0000 0000 0000 0000 0600
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0200 0000
00:17:00.409633 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72: 
                         1000 0000 0030 bd60 5e6b 0006 25a7 432b
                         0006 25a7 432b 0000 0000 0000 0000 0c00
                         0000 0000 0000 0000 0000 0000 0000 0100
                         0000 01c0 0104 8284 0b16
00:17:00.839308 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66: 
                         b000 0000 0030 bd60 5e6b 0006 25a7 432b
                         0006 25a7 432b 0000 0000 0000 0000 0600
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0200 0000
00:17:00.849824 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72: 
                         1000 0000 0030 bd60 5e6b 0006 25a7 432b
                         0006 25a7 432b 0000 0000 0000 0000 0c00
                         0000 0000 0000 0000 0000 0000 0000 0100
                         0000 01c0 0104 8284 0b16
00:17:26.386658 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 42: PPPoE  [ses 0x35f2] PPP-LCP (0xc021), length 22: LCP, Echo-Request, id 24, Magic-Num 0x3342690b, length 20
00:17:27.870277 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:17:27.870961 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:17:32.872141 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:17:32.872810 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:17:41.878718 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:17:41.879380 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:17:57.879741 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:17:57.880361 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300
00:18:27.432575 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 42: PPPoE  [ses 0x35f2] PPP-LCP (0xc021), length 22: LCP, Echo-Request, id 25, Magic-Num 0x3342690b, length 20
00:19:28.494305 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 42: PPPoE  [ses 0x35f2] PPP-LCP (0xc021), length 22: LCP, Echo-Request, id 26, Magic-Num 0x3342690b, length 20
00:20:06.435984 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 246: IP 169.254.6.207.netbios-dgm > 169.254.255.255.netbios-dgm: udp 204
00:20:06.436622 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 246: IP 169.254.6.207.netbios-dgm > 169.254.255.255.netbios-dgm: udp 204
00:20:29.586816 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 38: PPPoE  [ses 0x35f2] PPP-LCP (0xc021), length 18: LCP, Term-Request, id 27, length 16
00:20:31.557745 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 38: PPPoE  [ses 0x35f2] PPP-LCP (0xc021), length 18: LCP, Term-Request, id 28, length 16
00:20:35.151368 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
00:20:35.151940 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
00:20:35.506042 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
00:20:35.506548 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
00:20:35.830684 00:30:bd:60:5e:6b > 01:00:5e:7f:ff:fa, ethertype IPv4, length 175: IP 169.254.6.207.3086 > 239.255.255.250.1900: udp 133
00:20:35.831246 00:30:bd:60:5e:6b > 01:00:5e:7f:ff:fa, ethertype IPv4, length 175: IP 169.254.6.207.3086 > 239.255.255.250.1900: udp 133
00:20:36.310162 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
00:20:36.310579 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
00:20:36.707780 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE D, length 20: PPPoE PADT [ses 0x35f2]
00:20:38.835666 00:30:bd:60:5e:6b > 01:00:5e:7f:ff:fa, ethertype IPv4, length 175: IP 169.254.6.207.3086 > 239.255.255.250.1900: udp 133


-- 
greg

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
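
Added example, not part of the original message and not editcap's own code: in a classic libpcap file the link-layer type is one 32-bit field at offset 20 of the global header, so rewriting it changes only how a dissector interprets the packet bytes. The sample capture is constructed from the first 66-byte frame in the link-type 1 dump above; the function and constant names are this example's own, and the timestamp and snaplen are made up.

```python
import struct

# Link-layer type numbers as tcpdump reported them in the post above.
LINKTYPE_ETHERNET, LINKTYPE_IEEE802_11, LINKTYPE_PRISM = 1, 105, 119
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file, microsecond timestamps

def read_linktype(blob):
    """Return (struct byte-order prefix, link type) from the 24-byte global header."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", blob[:4])[0] == PCAP_MAGIC:
            return order, struct.unpack(order + "I", blob[20:24])[0]
    raise ValueError("not a classic libpcap file")

def set_linktype(blob, new_type):
    """Rewrite only the 4-byte link-type field; packet records are copied untouched."""
    order, _ = read_linktype(blob)
    return blob[:20] + struct.pack(order + "I", new_type) + blob[24:]

def packets(blob):
    """Return the raw bytes of every packet record in the file."""
    order, _ = read_linktype(blob)
    out, off = [], 24
    while off + 16 <= len(blob):
        caplen = struct.unpack(order + "I", blob[off + 8:off + 12])[0]
        if off + 16 + caplen > len(blob):
            raise ValueError("truncated packet record")
        out.append(blob[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return out

def dot11_type_subtype(frame):
    """Decode the 802.11 type and subtype from the first frame-control byte."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

# Constructed input: first frame of the link-type 1 dump in the post, wrapped in
# a little-endian pcap header (timestamp and snaplen are made up).
FRAME = bytes.fromhex(
    "0000 0000 0000 0100 0000 0000 0e00"
    "b000 0000 0030 bd60 5e6b 0006 25a7 432b"
    "0006 25a7 432b 0000 0000 0000 0000 0600"
    "0000 0000 0000 0000 0000 0000 0000 0000"
    "0200 0000")
CAPTURE = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
           + struct.pack("<IIII", 0, 0, len(FRAME), len(FRAME)) + FRAME)

if __name__ == "__main__":
    rewritten = set_linktype(CAPTURE, LINKTYPE_IEEE802_11)
    print(read_linktype(rewritten)[1], dot11_type_subtype(packets(rewritten)[0]))
```

With the type set to 105 a dissector takes the first two bytes as the 802.11 frame-control field; in this frame they are zero, which decodes to type 0, subtype 0, matching the "Assoc Request ()" lines tcpdump printed for it.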

