tcpdump mailing list archives

Re: 802.11 frame format


From: Guy Harris <guy () alum mit edu>
Date: Sat, 24 Jul 2004 03:27:56 -0700

On Fri, Jul 23, 2004 at 06:09:39PM -0800, Tejas Kokje wrote:
> In /usr/include/linux/802_11.h the 802.11 header is given as
>
> struct ieee_802_11_header {
>       u16     frame_control;// needs to be subtyped
>       u16     duration;
>       u8      mac1[6];
>       u8      mac2[6];
>       u8      mac3[6];
>       u16     SeqCtl;
>       u8      mac4[6];
>       u16     gapLen;
>       u8      gap[8];
> };
>
> Now I don't understand the meaning of the last two fields. Those fields
> don't appear in the 802.11 MAC frame specification.

They look like the last two fields in the header of packets supplied by
a Cisco Aironet card to the host if the Aironet card is configured to
supply 802.11 frames, rather than fake Ethernet frames, to the host.

I don't know why the Linux structure in question has that in there.  A
search through the 2.6.0-test9 kernel I have the source for (for
reference; my machines mainly run either FreeBSD or the BSD from
Cupertino) doesn't find any references to it, just the definition.

> How can I scrape out the IP header on an 802.11 LAN?

If you are capturing on a device that has a link-layer type of
DLT_IEEE802_11, you would:

        1) look at the frame control field to see whether it's a data
           frame or not;

        2) if it isn't, ignore it (it's not going to be an IP packet),
           and if it is, look at the frame control frame to see whether
           it's a 3-address or 4-address frame and if it's a QoS frame
           (I think that's an 802.11e feature) and:

                if it's a 3-address frame, set the header length to 24;

                if it's a 4-address frame, set the header length to 30;

           and if it's a QoS frame, add 2 to the length;

        3) skip that number of bytes past the beginning of the frame to
           get to the 802.11 payload, i.e. to the 802.2 header;

        4) check whether the DSAP and SSAP fields of the 802.2 header
           are both 0xAA (for SNAP), the control field is 0x03, the next
           3 bytes after it (the SNAP OUI) are 0x00 0x00 0x00, and the
           next two bytes after that are 0x0800 (for IPv4) or 0x86dd
           (for IPv6);

        5) if it's IPv4 or IPv6, skip over the 3-byte 802.2 header and
           the 5-byte SNAP header to get to the 802.2+SNAP payload, i.e.
           to the IP header.

> Does libpcap have functions to directly get the IP header in an 802.11 frame?

No - libpcap doesn't include code to dissect packets; that's left up to
the application using it.
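
The five steps in the reply above, written out as an added C example that is not part of the original message or of libpcap. The function and macro names are hypothetical, and the buffer is assumed to start at the 802.11 header (DLT_IEEE802_11, no radio header in front) with an unencrypted payload; sample frames are constructed in `sample_offset`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* frame_control is little-endian: f[0] = version/type/subtype, f[1] = flags. */
#define FC0_TYPE_MASK 0x0c   /* type bits */
#define FC0_TYPE_DATA 0x08   /* type 2 = data frame */
#define FC0_QOS       0x80   /* high subtype bit: QoS data subtypes */
#define FC1_BOTH_DS   0x03   /* To DS and From DS both set: 4-address frame */

/* Returns the offset of the IP header inside the frame, or -1 if this is
 * not an IPv4/IPv6 data frame. len is the captured length (hypothetical API). */
long dot11_ip_offset(const uint8_t *f, size_t len, uint16_t *ethertype)
{
    static const uint8_t llc_snap[6] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };
    size_t hdr = 24;                               /* 3-address header */

    if (len < 2 || (f[0] & FC0_TYPE_MASK) != FC0_TYPE_DATA)
        return -1;                                 /* steps 1-2: not a data frame */
    if ((f[1] & FC1_BOTH_DS) == FC1_BOTH_DS)
        hdr = 30;                                  /* 4-address header */
    if (f[0] & FC0_QOS)
        hdr += 2;                                  /* QoS control field */
    if (len < hdr + 8)
        return -1;                                 /* truncated capture */
    if (memcmp(f + hdr, llc_snap, sizeof llc_snap) != 0)
        return -1;                                 /* step 4: not LLC/SNAP with OUI 0 */
    uint16_t et = (uint16_t)((f[hdr + 6] << 8) | f[hdr + 7]);  /* big-endian type */
    if (et != 0x0800 && et != 0x86dd)
        return -1;                                 /* neither IPv4 nor IPv6 */
    *ethertype = et;
    return (long)(hdr + 8);                        /* step 5: skip 802.2 + SNAP */
}

/* Builds a constructed sample frame (all-zero addresses) and parses it. */
long sample_offset(uint8_t fc0, uint8_t fc1, uint16_t ethertype)
{
    uint8_t f[64] = { 0 };
    size_t hdr = 24 + ((fc1 & FC1_BOTH_DS) == FC1_BOTH_DS ? 6 : 0)
                    + ((fc0 & FC0_QOS) ? 2 : 0);
    uint16_t et = 0;
    f[0] = fc0; f[1] = fc1;
    f[hdr] = 0xAA; f[hdr + 1] = 0xAA; f[hdr + 2] = 0x03;
    f[hdr + 6] = (uint8_t)(ethertype >> 8); f[hdr + 7] = (uint8_t)ethertype;
    return dot11_ip_offset(f, hdr + 8 + 20, &et);
}

int main(void)
{
    printf("3-address IPv4 at %ld, 4-address QoS IPv6 at %ld\n",
           sample_offset(0x08, 0x01, 0x0800), sample_offset(0x88, 0x03, 0x86dd));
    return 0;
}
```

In a libpcap callback, `len` would be the packet's `caplen`, so a capture with a short snapshot length returns -1 instead of reading past the buffer.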