tcpdump mailing list archives

Re: regarding wireless data frames


From: Guy Harris <guy () alum mit edu>
Date: Fri, 9 Mar 2012 10:28:56 -0800


On Mar 8, 2012, at 6:53 PM, abhinav narain wrote:

> Since I am capturing every frame in monitor mode, I would like to see the
> packet type : arp/ip ... and is it tcp/udp type.
> But when I do the following, I don't get any output

You *won't* get any output if the packets are encrypted, and, if you're capturing in monitor mode on a network using 
WEP or WPA/WPA2, the packets will be encrypted.

With an encrypted packet, what you capture "over the air" won't have something that looks as if it begins with an 802.2 
LLC header, you'll have something that looks as if it begins with random data.  You would have to decrypt the payload 
following the 802.11 header in order to see, for example, an 802.2 LLC header, followed by a SNAP header, followed by 
an IPv4 header, etc. for an IPv4 packet.

>> Well, if the type is a data frame, then the payload, *once it's been
>> decrypted if it was encrypted*, begins with an 802.2 LLC header.  That's
>> not determined by a single bit, but by a 2-byte type field (and a 4-byte
>> subtype field, as some data frames have no data).

> As you can notice, I am using a 2 byte field to check the subtype field.

Sorry, I meant "2-*bit* type field" and "4-*bit* subtype field", not "2-*byte* ..." and "4-*byte* ...".  Presumably 
that's what you're checking for.

>> 802.2 headers don't necessarily have an organization code or protocol ID
>> field - that's the case only for SNAP frames, where the DSAP and SSAP are
>> 0xAA - and, for SNAP frames, the protocol ID field is an Ethernet type only
>> if the organization code is 00:00:00.

> Shall I use some other llc struct to find out the data packet is of which transport layer protocol

No, what you need to do, *once you've decrypted the packet if it's encrypted* - you check the Protected Frame bit in 
the 802.11 header to check for encrypted packets - is to check whether the 802.2 header contains 0xAA 0xAA 0x03, so 
you're checking whether it's a SNAP packet and an Unnumbered Information packet, and then check the 5-byte SNAP header 
following the 3-byte 802.2 header to see whether the first 3 bytes, which are the OUI field in the SNAP header, are all 
zero.  If so, then the protocol id field, in the remaining 2 bytes, is an Ethernet type; it's a big-endian field.  
Check it against ETHERTYPE_IP to look for an IPv4 packet, ETHERTYPE_ARP for an ARP packet, ETHERTYPE_IPv6 for an IPv6 
packet, etc.
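The sequence of checks described above (data type/subtype from the 2-bit and 4-bit frame control fields, the Protected Frame bit, the 0xAA 0xAA 0x03 LLC header, the all-zero SNAP OUI, then the big-endian Ethertype) as a small C classifier. This is an added example, not code from Guy Harris or from tcpdump; the function and enum names are this example's own, the header-length handling for Address 4 and the QoS Control field is an assumption taken from the 802.11 frame layout rather than from the thread, and the sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome codes (example's own names); a non-negative return is an Ethertype. */
enum frame_class {
    CLASS_NOT_DATA    = -1,  /* management/control frame, or a "no data" subtype */
    CLASS_ENCRYPTED   = -2,  /* Protected Frame bit set: payload is not readable */
    CLASS_NOT_SNAP    = -3,  /* 802.2 header is not AA AA 03 (SNAP + UI) */
    CLASS_NONZERO_OUI = -4,  /* SNAP OUI is not 00:00:00: protocol ID is not an Ethertype */
    CLASS_TRUNCATED   = -5   /* capture too short to hold the fields we need */
};

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_IPV6 0x86DD

/* Classify an 802.11 frame as captured in monitor mode (no radiotap header assumed).
 * Returns the Ethertype carried after the LLC/SNAP header, or a negative enum frame_class. */
int classify_80211_data(const uint8_t *frame, size_t len)
{
    if (len < 24) return CLASS_TRUNCATED;
    uint8_t fc0 = frame[0], fc1 = frame[1];        /* frame control, little-endian */
    unsigned type    = (fc0 >> 2) & 0x3;           /* 2-bit type field */
    unsigned subtype = (fc0 >> 4) & 0xF;           /* 4-bit subtype field */
    if (type != 2)      return CLASS_NOT_DATA;     /* 2 = data frame */
    if (subtype & 0x4)  return CLASS_NOT_DATA;     /* null-function subtypes carry no payload */
    if (fc1 & 0x40)     return CLASS_ENCRYPTED;    /* Protected Frame bit: decrypt first */

    /* Locate the LLC header: base 24-byte header, plus Address 4 when both
     * ToDS and FromDS are set, plus 2-byte QoS Control for QoS data subtypes (assumption). */
    size_t hdrlen = 24;
    if ((fc1 & 0x03) == 0x03) hdrlen += 6;
    if (subtype & 0x8)        hdrlen += 2;
    if (len < hdrlen + 8) return CLASS_TRUNCATED;  /* 3-byte LLC + 5-byte SNAP */

    const uint8_t *llc = frame + hdrlen;
    if (llc[0] != 0xAA || llc[1] != 0xAA || llc[2] != 0x03) return CLASS_NOT_SNAP;
    if (llc[3] != 0x00 || llc[4] != 0x00 || llc[5] != 0x00) return CLASS_NONZERO_OUI;
    return (llc[6] << 8) | llc[7];                 /* big-endian Ethertype */
}

/* Constructed sample: non-QoS data frame, ToDS, unencrypted, carrying ARP. */
static const uint8_t sample_arp[] = {
    0x08, 0x01, 0x00, 0x00,                   /* frame control (data, subtype 0, ToDS), duration */
    0x00,0x11,0x22,0x33,0x44,0x55,            /* addr1 */
    0x66,0x77,0x88,0x99,0xaa,0xbb,            /* addr2 */
    0x00,0x11,0x22,0x33,0x44,0x55,            /* addr3 */
    0x10, 0x00,                               /* sequence control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00,       /* LLC + SNAP OUI 00:00:00 */
    0x08, 0x06                                /* Ethertype ARP */
};

/* Constructed sample: QoS data frame, FromDS, unencrypted, carrying IPv6. */
static const uint8_t sample_ipv6[] = {
    0x88, 0x02, 0x00, 0x00,
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x20, 0x00, 0x00, 0x00,                   /* sequence control, QoS control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x86, 0xDD
};

/* Constructed sample: QoS data frame with the Protected Frame bit set; bytes after
 * the header are arbitrary filler standing in for ciphertext. */
static const uint8_t sample_protected[] = {
    0x88, 0x41, 0x00, 0x00,
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x30, 0x00, 0x00, 0x00,
    0x5e, 0x13, 0x9a, 0x27, 0xc0, 0x44, 0x81, 0xfe
};

/* Constructed sample: management frame (beacon subtype), so not a data frame at all. */
static const uint8_t sample_beacon[24] = { 0x80, 0x00 };

static const char *describe(int r)
{
    switch (r) {
    case ETHERTYPE_IP:        return "IPv4";
    case ETHERTYPE_ARP:       return "ARP";
    case ETHERTYPE_IPV6:      return "IPv6";
    case CLASS_NOT_DATA:      return "not a data frame";
    case CLASS_ENCRYPTED:     return "encrypted (Protected Frame bit set)";
    case CLASS_NOT_SNAP:      return "LLC header is not SNAP/UI";
    case CLASS_NONZERO_OUI:   return "SNAP OUI not 00:00:00";
    case CLASS_TRUNCATED:     return "truncated";
    default:                  return "other Ethertype";
    }
}

int main(void)
{
    printf("arp sample:       %s\n", describe(classify_80211_data(sample_arp, sizeof sample_arp)));
    printf("ipv6 sample:      %s\n", describe(classify_80211_data(sample_ipv6, sizeof sample_ipv6)));
    printf("protected sample: %s\n", describe(classify_80211_data(sample_protected, sizeof sample_protected)));
    printf("beacon sample:    %s\n", describe(classify_80211_data(sample_beacon, sizeof sample_beacon)));
    return 0;
}
```

Note that on a real monitor-mode capture the 802.11 header is usually preceded by a radiotap header, so the offset into the buffer must be taken from its length field before calling the classifier; and a frame returning CLASS_ENCRYPTED cannot be classified further until the payload has been decrypted with the network's key.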

