tcpdump mailing list archives

Re: 802.11 + radio headers question...


From: Guy Harris <guy () alum mit edu>
Date: Wed, 15 Apr 2009 10:14:28 -0700


On Apr 15, 2009, at 2:41 AM, Eddie Harari wrote:

> My data link type is 802.11_RADIO,

If you mean DLT_IEEE802_11_RADIO, then that means that the raw packet data begins with a radiotap header, not an 802.11 header, and the 802.11 header follows the radiotap header.

> when I sniff the packet and manipulate
> the data I got on it I see that the IP header is 22 bytes away from the
> DST_MAC.

> my question is:
>
> The IP header is 8 bytes into the body part of the 802.11 frame. 802.2 has
> 3 byte and snap is 5 byte long.

> the DST MAC is 4 byte into the 802.11 header (after FC and DURATION- ID ).

That's true *if* neither the "To DS" nor the "From DS" flag is set in the packet. According to "7.2.2 Data frames" in IEEE 802.11-2007:

if neither "To DS" nor "From DS" are set, Address 1 is the destination, Address 2 is the source, and Address 3 is the BSSID;

if "To DS" isn't set and "From DS" is set, Address 1 is the destination, Address 2 is the BSSID, and Address 3 is the source;

if "To DS" is set and "From DS" isn't set, Address 1 is the BSSID, Address 2 is the source, and Address 3 is the destination;

if both "To DS" and "From DS" are set, Address 1 is the receiving address, Address 2 is the transmitting address, Address 3 is the destination, and Address 4 is the source.

> the 802.11 header should be 24byte or 30byte ( 3 or 4 addresses ).

...or 26 bytes or 32 bytes (3 or 4 addresses + QoS) if the frame type indicates that the frame has a QoS subfield in the header.

> so the gap between the 802.11 header and the ip header should have been 29 /
> 35 byte.
> in my case it is 26 byte offset.

With an 8-byte 802.2+SNAP header, the gap between the beginning of the 802.11 header and the IP header would be:

        32 bytes for 3 addresses and no QoS;

        38 bytes for 4 addresses and no QoS;

        34 bytes for 3 addresses + QoS;

        40 bytes for 4 addresses + QoS.

For a frame with neither "To DS" nor "From DS", the gap between the destination address and the IP header would be:

        22 bytes with no QoS, 24 bytes with QoS.

For a frame with "To DS" not set and "From DS" set, the gap between the destination address and the IP header would be:

        22 bytes with no QoS, 24 bytes with QoS.

For a frame with "To DS" set and "From DS" not set, the gap between the destination address and the IP header would be:

        10 bytes with no QoS, 12 bytes with QoS.

For a frame with both "To DS" set and "From DS" set, the gap between the destination address and the IP header would be:

        16 bytes with no QoS, 18 bytes with QoS.

However, if you're capturing on an Atheros adapter, apparently the card puts in some padding between the 802.11 header and the 802.11 payload. If you're capturing with a radiotap header, there is a special flag in the radiotap information indicating that the frame is padded. What type of 802.11 adapter do you have?

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
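The header geometry Guy lays out above, as an added example (not code from the thread, tcpdump or libpcap): it reads the radiotap length and the radiotap data-pad flag, then works out where the IP header sits relative to the destination address for each To DS / From DS and QoS combination. The function names are mine and the sample capture bytes are constructed.

```python
import struct
LLC_SNAP_LEN = 8           # 802.2 LLC (3 bytes) + SNAP (5 bytes) in front of the IP header
RADIOTAP_F_DATAPAD = 0x20  # radiotap Flags bit: 802.11 header padded out to a 32-bit boundary

def radiotap_info(buf):
    """Return (radiotap_len, datapad) from the little-endian radiotap header at buf[0]."""
    version, _pad, rt_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version")
    off, word = 8, present
    while word & (1 << 31):              # skip any extended it_present words
        word = struct.unpack_from("<I", buf, off)[0]
        off += 4
    datapad = False
    if present & (1 << 0):               # TSFT: u64, 8-byte aligned from the header start
        off = ((off + 7) & ~7) + 8
    if present & (1 << 1):               # Flags: u8, immediately follows
        datapad = bool(buf[off] & RADIOTAP_F_DATAPAD)
    return rt_len, datapad

def dot11_layout(frame, datapad=False):
    """Header geometry of an 802.11 data frame, per 7.2.2 of IEEE 802.11-2007."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    qos = bool((fc0 >> 4) & 0x8)         # QoS data subtypes have bit 3 of the subtype set
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if qos else 0)
    if datapad:                          # e.g. Atheros: header padded to a 32-bit boundary
        hdr_len = (hdr_len + 3) & ~3
    dst_off = 4 if not to_ds else 16     # DA is Address 1 unless To DS is set, then Address 3
    ip_off = hdr_len + LLC_SNAP_LEN
    return {"hdr_len": hdr_len, "qos": qos, "dst_off": dst_off, "ip_off": ip_off,
            "dst_to_ip": ip_off - (dst_off + 6)}   # bytes between end of DA and IP header

def ip_offset_in_capture(buf):
    """Offset of the IP header in a DLT_IEEE802_11_RADIO packet, checked via the SNAP ethertype."""
    rt_len, datapad = radiotap_info(buf)
    lay = dot11_layout(buf[rt_len:], datapad)
    snap = buf[rt_len + lay["hdr_len"]:rt_len + lay["ip_off"]]
    if snap[:3] != b"\xaa\xaa\x03" or snap[6:8] != b"\x08\x00":
        raise ValueError("payload is not LLC/SNAP-encapsulated IPv4")
    return rt_len + lay["ip_off"]

# Constructed sample: radiotap (TSFT + Flags, no DATAPAD), QoS data frame, neither DS bit set.
SAMPLE = (bytes([0, 0, 17, 0, 3, 0, 0, 0]) + bytes(8) + b"\x00"      # 17-byte radiotap header
          + bytes([0x88, 0x00]) + bytes(2) + bytes.fromhex("001122334455" + "66778899aabb" * 2)
          + bytes(4)                                                  # sequence control + QoS control
          + bytes.fromhex("aaaa030000000800") + bytes([0x45, 0, 0, 20]) + bytes(16))
```

With the data-pad flag set, a 3-address QoS header rounds from 26 to 28 bytes, which leaves 26 bytes between the end of the destination address and the IP header.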
