Re: 802.11 + radio headers question...

[Mike Kershaw <dragorn () nerv-un net>]

On Tue, Apr 14, 2009 at 09:58:31AM -0700, Guy Harris wrote:
> On Apr 14, 2009, at 9:24 AM, David Young wrote:
>
> > On Tue, Apr 14, 2009 at 11:54:50AM -0400, Eddie Harari wrote:
> > > so when i "sniff" a packet from my "monitor" mode intel chipset based 
> > > wifi
> > > card ,
> > > how do i know which radio info is preceding the 802.11 header ?
> >
> > The DLT that you have set determines the radio header.
>
> ...if you've selected one.  On some platforms (Linux and Mac OS X 10.4), 
> you (currently) can't choose a header using libpcap (and will never be able 
> to do so on Mac OS X 10.4, as the OS doesn't support it); however, with 
> libpcap 1.0 or later, if you request monitor mode by using pcap_create(), 
> pcap_set_rfmon(p, 1), and pcap_activate(p), libpcap will attempt to get 
> some form of radio header if it can.

Correct, though in (most) cases fetching the DLT is valid;  On linux you
will most likely get the radiotap header with any mac80211 based card
(note: some drivers return invalid data, namely 2.6.27-28 range ath5k
returns data 2 bytes short on some packet types).  On madwifi-ng you'll
get either radiotap, prism2avs, or none, depending on the setting in
/sys.  pre-mac80211 drivers will give you some variable range of
headers.  PPI is used almost exclusively by the 11n airpcap device on
windows, but Kismet can now leverage it as a platform-neutral
padding-neutral log format to rewrite all the radio header data from the
other formats.

http://802.11ninja.net/lorcon/browser/trunk/lorcon_decode.c

is some basic code to strip various headers off dot11 packets.

-m

-- 
Mike Kershaw/Dragorn <dragorn () kismetwireless net>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381  A661 D7B2 8822 738B BDB1

"You can't engineer away stupid."

Attachment: _bin
Description: