tcpdump mailing list archives
Re: Strange wireless frames
From: Greg Stark <gsstark () mit edu>
Date: 15 Jun 2003 02:36:23 -0400
Guy Harris <gharris () sonic net> writes:
is what tcpdump prints for Ethernet frames, so it thinks it's seeing Ethernet frames, not 802.11 frames - i.e., the driver (I assume this is the Linux hostap driver from http://hostap.epitest.fi/
Yup, that one.
) is returning an ARPHRD_ value of ARPHRD_ETHER, not one of the ARPHRD_IEEE80211 values.From looking at that driver source, it looks as if the"hostap_monitor_mode_disable()" routine sets the type to ARPHRD_ETHER, and presumably turns monitor mode off.
This makes perfect sense. The interface is currently up and actively being an access point. I think, though I haven't been able to confirm this clearly, that monitor mode and AP mode are mutually exclusive.
It might be that the driver supplies raw 802.11 packets, or some other type of packet that doesn't start with a 14-byte Ethernet header, even if monitor mode is off. If so, then there's a bug in the driver - it should either supply an Ethernet header (perhaps synthesizing it from whatever header it receives), or should supply an ARPHRD_ type that correctly reflects what the headers are.
But is it possible to return a different link type for each packet? Or does the driver interface require it to report a particular link type and then return all packets according to that type? I was under the impression it was the latter. In which case there's a problem, because as you see below there are normal ethernet frames present in addition to the magic 802.11 type frames.
There's a program that comes with Ethereal called "editcap" that can be used to, among other things, read a libpcap-format capture file and write it out with a different link-layer type (but leave the actual packet data alone). You might try capturing to a file, and then using "editcap" to change the link-layer type to "ieee-802-11" or "prism" (I'd try them in that order), and see whether the resulting file is correctly dissected by tcpdump; if you find one that works, send a bug report to the hostap driver developers mentioning this problem and suggesting an ARPHRD type of: ieee-802-11: ARPHRD_IEEE80211 prism: ARPHRD_IEEE80211_PRISM
These are all the same packets with the three different link types. The ieee-802-11 link type seems the most reasonable, but only for these four-address frames. And even then it just says "Assoc Request()". I'm not sure if there is normally more data present than that or not. But the 802.11 link type doesn't work for the normal frames. [The presence of the PPPOE frames weird me out a lot; I wasn't seeing that before. Windows must be pretty messed up if it's getting confused about which ethernet device its pppoe session is on. I use pppoe with linux but I checked, these are definitely not mine, the session id is wrong] bash-2.05b$ tcpdump -e -r capture-ieee-802-11 reading from file capture-ieee-802-11, link-type 105 00:17:00.405144 BSSID:00:00:00:30:bd:60 DA:00:00:01:00:00:00 SA:00:00:0e:00:b0:00 Assoc Request () 00:17:00.409633 BSSID:00:00:00:30:bd:60 DA:00:00:02:00:00:00 SA:00:00:0e:00:10:00 Assoc Request () 00:17:00.839308 BSSID:00:00:00:30:bd:60 DA:00:00:01:00:00:00 SA:00:00:0e:00:b0:00 Assoc Request () 00:17:00.849824 BSSID:00:00:00:30:bd:60 DA:00:00:02:00:00:00 SA:00:00:0e:00:10:00 Assoc Request () 00:17:26.386658 BSSID:35:f2:00:16:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request () 00:17:27.870277 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:17:27.870961 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:17:32.872141 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:17:32.872810 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:17:41.878718 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:17:41.879380 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:17:57.879741 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:17:57.880361 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:18:27.432575 BSSID:35:f2:00:16:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request () 00:19:28.494305 BSSID:35:f2:00:16:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request () 00:20:06.435984 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:20:06.436622 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:20:29.586816 BSSID:35:f2:00:12:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request () 00:20:31.557745 BSSID:35:f2:00:12:c0:21 DA:bd:94:00:30:bd:60 SA:5e:6b:88:64:11:00 Assoc Request () 00:20:35.151368 BSSID:00:28:07:cc:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request () 00:20:35.151940 BSSID:00:28:07:cc:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request () 00:20:35.506042 BSSID:00:28:07:cd:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request () 00:20:35.506548 BSSID:00:28:07:cd:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request () 00:20:35.830684 BSSID:00:a1:07:ce:00:00 DA:ff:fa:00:30:bd:60 SA:5e:6b:08:00:45:00 Assoc Request () 00:20:35.831246 BSSID:00:a1:07:ce:00:00 DA:ff:fa:00:30:bd:60 SA:5e:6b:08:00:45:00 Assoc Request () 00:20:36.310162 BSSID:00:28:07:d0:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request () 00:20:36.310579 BSSID:00:28:07:d0:00:00 DA:00:16:00:30:bd:60 SA:5e:6b:08:00:46:00 Assoc Request () 00:20:36.707780 [|802.11] 00:20:38.835666 BSSID:00:a1:07:d1:00:00 DA:ff:fa:00:30:bd:60 SA:5e:6b:08:00:45:00 Assoc Request () bash-2.05b$ tcpdump -r capture-prism reading from file capture-prism, link-type 119 00:17:00.405144 [|802.11] 00:17:00.409633 [|802.11] 00:17:00.839308 [|802.11] 00:17:00.849824 [|802.11] 00:17:26.386658 [|802.11] 00:17:27.870277 Assoc Request () 00:17:27.870961 Assoc Request () 00:17:32.872141 Assoc Request () 00:17:32.872810 Assoc Request () 00:17:41.878718 Assoc Request () 00:17:41.879380 Assoc Request () 00:17:57.879741 Assoc Request () 00:17:57.880361 Assoc Request () 00:18:27.432575 [|802.11] 00:19:28.494305 [|802.11] 00:20:06.435984 Assoc Request () [0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Mbit] 00:20:06.436622 Assoc Request () [0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Mbit] 00:20:29.586816 [|802.11] 00:20:31.557745 [|802.11] 00:20:35.151368 [|802.11] 00:20:35.151940 [|802.11] 00:20:35.506042 [|802.11] 00:20:35.506548 [|802.11] 00:20:35.830684 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:20:35.831246 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) 00:20:36.310162 [|802.11] 00:20:36.310579 [|802.11] 00:20:36.707780 [|802.11] 00:20:38.835666 unknown IEEE802.11 frame type (3)(header) unknown IEEE802.11 frame type (3)(body) unhandled IEEE802.11 frame type (3) bash-2.05b$ tcpdump -e -r capture reading from file capture, link-type 1 00:17:00.405144 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66: b000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000 0000 0000 0000 0600 0000 0000 0000 0000 0000 0000 0000 0000 0200 0000 00:17:00.409633 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72: 1000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000 0000 0000 0000 0c00 0000 0000 0000 0000 0000 0000 0000 0100 0000 01c0 0104 8284 0b16 00:17:00.839308 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66: b000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000 0000 0000 0000 0600 0000 0000 0000 0000 0000 0000 0000 0000 0200 0000 00:17:00.849824 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72: 1000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000 0000 0000 0000 0c00 0000 0000 0000 0000 0000 0000 0000 0100 0000 01c0 0104 8284 0b16 00:17:26.386658 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 42: PPPoE [ses 0x35f2] PPP-LCP (0xc021), length 22: LCP, Echo-Request, id 24, Magic-Num 0x3342690b, length 20 00:17:27.870277 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:17:27.870961 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:17:32.872141 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:17:32.872810 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:17:41.878718 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:17:41.879380 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:17:57.879741 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:17:57.880361 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 342: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:30:bd:60:5e:6b, length: 300 00:18:27.432575 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 42: PPPoE [ses 0x35f2] PPP-LCP (0xc021), length 22: LCP, Echo-Request, id 25, Magic-Num 0x3342690b, length 20 00:19:28.494305 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 42: PPPoE [ses 0x35f2] PPP-LCP (0xc021), length 22: LCP, Echo-Request, id 26, Magic-Num 0x3342690b, length 20 00:20:06.435984 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 246: IP 169.254.6.207.netbios-dgm > 169.254.255.255.netbios-dgm: udp 204 00:20:06.436622 00:30:bd:60:5e:6b > Broadcast, ethertype IPv4, length 246: IP 169.254.6.207.netbios-dgm > 169.254.255.255.netbios-dgm: udp 204 00:20:29.586816 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 38: PPPoE [ses 0x35f2] PPP-LCP (0xc021), length 18: LCP, Term-Request, id 27, length 16 00:20:31.557745 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE S, length 38: PPPoE [ses 0x35f2] PPP-LCP (0xc021), length 18: LCP, Term-Request, id 28, length 16 00:20:35.151368 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s) 00:20:35.151940 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s) 00:20:35.506042 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s) 00:20:35.506548 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s) 00:20:35.830684 00:30:bd:60:5e:6b > 01:00:5e:7f:ff:fa, ethertype IPv4, length 175: IP 169.254.6.207.3086 > 239.255.255.250.1900: udp 133 00:20:35.831246 00:30:bd:60:5e:6b > 01:00:5e:7f:ff:fa, ethertype IPv4, length 175: IP 169.254.6.207.3086 > 239.255.255.250.1900: udp 133 00:20:36.310162 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s) 00:20:36.310579 00:30:bd:60:5e:6b > 01:00:5e:00:00:16, ethertype IPv4, length 54: IP 169.254.6.207 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s) 00:20:36.707780 00:30:bd:60:5e:6b > 00:02:3b:01:bd:94, ethertype PPPoE D, length 20: PPPoE PADT [ses 0x35f2] 00:20:38.835666 00:30:bd:60:5e:6b > 01:00:5e:7f:ff:fa, ethertype IPv4, length 175: IP 169.254.6.207.3086 > 239.255.255.250.1900: udp 133 -- greg - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- Strange wireless frames Greg Stark (Jun 14)
- Re: Strange wireless frames Guy Harris (Jun 14)
- Re: Strange wireless frames Greg Stark (Jun 15)
- Re: Strange wireless frames Hannes Gredler (Jun 14)
- Re: Strange wireless frames Greg Stark (Jun 15)
- Re: Strange wireless frames Guy Harris (Jun 14)