tcpdump mailing list archives

Re: regarding wireless data frames


From: abhinav narain <abhinavnarain10 () gmail com>
Date: Thu, 8 Mar 2012 21:53:10 -0500



No, it's not based on the type of interface, or the mode of the interface.
 It's based on whether the 802.11 payload has been decrypted or not; if
you're capturing in monitor mode most frames are probably encrypted, but if
you're not capturing in monitor mode and seeing only frames to or from your
machine, they're probably decrypted.

Got you!

What the decrypted data (if the frame was encrypted) or the unencrypted
data (if the frame wasn't encrypted) is then depends on the type and
subtype fields.

According to my knowledge, I assume if the control frame bit with
Is it an LLC header with the general format:

#include <stdint.h>

struct llc_hdr {
  uint8_t dsap;             /* destination SAP */
  uint8_t ssap;             /* source SAP */
  struct {
    uint8_t ui;             /* control field */
    uint8_t org_code[3];    /* organization code (OUI) */
    uint16_t ether_type;    /* protocol ID, network byte order */
  } snap;
};

Since I am capturing every frame in monitor mode, I would like to see the
packet type (ARP/IP ...) and whether it is TCP/UDP.
But when I do the following, I don't get any output:

// f is the ieee80211_hdr, hdrlen its length, jh->caplen_ the captured length
if (subtype == IEEE80211_STYPE_DATA) {
    // make sure the LLC/SNAP header itself was captured before reading it
    if (jh->caplen_ < hdrlen + sizeof(struct llc_hdr))
        return;
    struct llc_hdr *llc = (struct llc_hdr *)(((unsigned char *)f) + hdrlen);
    int llc_type = ntohs(llc->snap.ether_type);
    if (llc_type == ETHERTYPE_ARP) {
        printf("arp \n");
    } else if (llc_type == ETHERTYPE_IP) {
        if (jh->caplen_ < hdrlen + sizeof(*llc) + sizeof(struct iphdr))
            return;
        struct iphdr *ih = (struct iphdr *)(llc + 1);
        if (ih->protocol == IPPROTO_TCP)
            printf("tcp \n");
        else if (ih->protocol == IPPROTO_UDP)
            printf("udp \n");
        else if (ih->protocol == IPPROTO_ICMP)
            printf("icmp \n");
    }
} else if (subtype == IEEE80211_STYPE_NULLFUNC) {
    printf("no data\n");
}




Well, if the type is a data frame, then the payload, *once it's been
decrypted if it was encrypted*, begins with an 802.2 LLC header.  That's
not determined by a single bit, but by a 2-byte type field (and a 4-byte
subtype field, as some data frames have no data).

As you can notice, I am using a 2 byte field to check the subtype field.


802.2 headers don't necessarily have an organization code or protocol ID
field - that's the case only for SNAP frames, where the DSAP and SSAP are
0xAA - and, for SNAP frames, the protocol ID field is an Ethernet type only
if the organization code is 00:00:00.

Shall I use some other LLC struct to find out which transport-layer protocol
the data packet carries?

Abhinav Narain
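
A self-contained version of the check the thread describes, added here as an example (not code from either poster): it reads the type, subtype and Protected bits from Frame Control, skips frames whose payload is still encrypted or carries no data, checks the captured length before touching the LLC header, and treats the SNAP protocol ID as an Ethernet type only when DSAP/SSAP are 0xAA and the OUI is 00:00:00. The sample frame is constructed, and any radiotap/prism header is assumed to have been stripped already.

```c
#include <stdint.h>
#include <string.h>

/* How one captured 802.11 frame (monitor mode, radiotap header already stripped) classifies. */
enum frame_class { NOT_DATA, NO_PAYLOAD, ENCRYPTED, TRUNCATED, NOT_SNAP, NOT_ETHERTYPE, ARP, IPV4, OTHER_ETHERTYPE };
struct frame_info { enum frame_class cls; uint16_t ethertype; uint8_t ip_proto; };

/* Frame Control is little-endian on the air: bits 2-3 type, 4-7 subtype,
 * bits 8-9 To DS / From DS, bit 14 Protected (payload still encrypted). */
static size_t wifi_hdr_len(uint16_t fc)
{
    size_t len = 24;                        /* fc, duration, 3 addresses, seq ctl */
    if ((fc & 0x0300) == 0x0300) len += 6;  /* both DS bits set: 4th address */
    if (fc & 0x0080) len += 2;              /* QoS Data subtypes: QoS Control */
    return len;
}
struct frame_info classify_frame(const uint8_t *buf, size_t caplen)
{
    struct frame_info fi = { TRUNCATED, 0, 0 };
    if (caplen < 2) return fi;
    uint16_t fc = (uint16_t)(buf[0] | (buf[1] << 8));
    if (((fc >> 2) & 3) != 2) { fi.cls = NOT_DATA; return fi; }
    if (fc & 0x0040) { fi.cls = NO_PAYLOAD; return fi; }  /* Null / CF-only subtypes */
    if (fc & 0x4000) { fi.cls = ENCRYPTED; return fi; }   /* no LLC visible yet */
    size_t off = wifi_hdr_len(fc);
    if (caplen < off + 8) return fi;                      /* LLC (3) + SNAP (5) */
    const uint8_t *llc = buf + off;
    /* SNAP only when DSAP and SSAP are 0xAA; the protocol ID is an Ethernet
     * type only when the organization code (OUI) is 00:00:00. */
    if (llc[0] != 0xAA || llc[1] != 0xAA) { fi.cls = NOT_SNAP; return fi; }
    if (llc[3] | llc[4] | llc[5]) { fi.cls = NOT_ETHERTYPE; return fi; }
    fi.ethertype = (uint16_t)((llc[6] << 8) | llc[7]);    /* network byte order */
    if (fi.ethertype == 0x0806) fi.cls = ARP;
    else if (fi.ethertype == 0x0800) {
        if (caplen < off + 8 + 20) return fi;             /* IPv4 header truncated */
        fi.cls = IPV4; fi.ip_proto = llc[8 + 9];          /* IPv4 Protocol field */
    } else fi.cls = OTHER_ETHERTYPE;
    return fi;
}
/* Constructed sample: unencrypted From-DS data frame carrying UDP over IPv4. */
size_t build_sample_frame(uint8_t *out, size_t cap)
{
    static const uint8_t hdr[24] = { 0x08, 0x02, 0, 0, 1,2,3,4,5,6, 7,8,9,10,11,12,
                                     7,8,9,10,11,12, 0x10, 0 };
    static const uint8_t llc_ip[28] = { 0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00,
        0x45, 0, 0, 28, 0, 0, 0x40, 0, 64, 17, 0, 0, 10,0,0,1, 10,0,0,2 };
    if (cap < 52) return 0;
    memcpy(out, hdr, 24); memcpy(out + 24, llc_ip, 28);
    return 52;
}
```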


-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
