tcpdump mailing list archives

Re: Capturing WLAN packets with libpcap


From: Guy Harris <guy () alum mit edu>
Date: Sat, 09 Dec 2006 14:49:42 -0800

David Lopez wrote:

> I'm developing a small sniffer for my project. I'm using libpcap

It appears, from your program, that you're using WinPcap (the Windows
port of libpcap).

Are you doing this on Windows (in which case you're using WinPcap) or
on some other OS (in which case you're using libpcap)?

> I built a sniffer for capturing ethernet packets on the cable and it is
> working fine.
>
> Now, I would like to use this sniffer for capturing 802.11 WLAN packets.
>
> When I use this sniffer for capturing 802.11 WLAN packets on my
> adapter, it looks ok, but when I try to get the MAC and IP addresses,
> they are wrong.
>
> I suppose that I should eliminate first the WLAN envelopment or
> something like that
>
> I would like to know if you can give a clue or if you have some example
> code.
>
> Here you have my code:

...which assumes that the packets have Ethernet headers.  That will
only be true if pcap_datalink() returns DLT_EN10MB; if it's not doing
that, your code won't work.

Note that on 802.11 interfaces you might still get packets with
Ethernet headers, because the 802.11 adapter, or its driver, might
turn the native 802.11 plus 802.2 plus SNAP headers on packets into
fake Ethernet headers.  If that's the case, pcap_datalink() will
return DLT_EN10MB; if it's not the case, it'll return some other
value, such as DLT_IEEE802_11.

What does the line

 printf("\nDatalink=%s\n\n", pcap_datalink_val_to_name(datalink));

print?  If it doesn't print

        Datalink=Ethernet

then your program won't work; you will have to modify it to check the
value of "datalink", and only treat the packet as beginning with an
Ethernet header if it's DLT_EN10MB, and have it do whatever is
appropriate for the *other* type of link-layer header for values other
than DLT_EN10MB.  (Take a look at tcpdump to see what's involved with
that, and why, to handle the general case, a lot is involved; in
particular, note how many entries the "printers[]" table has.)

If you're running on Windows, it'll probably report
"Datalink=Ethernet" on 802.11 interfaces.
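
The check described in the reply above, as an added example that is not part of the original post or of tcpdump's code: `l3_offset` (a hypothetical helper) dispatches on the pcap_datalink() value and, for DLT_IEEE802_11, skips the 802.11, 802.2 and SNAP headers to reach the EtherType. The DLT values are copied from libpcap so it builds without pcap.h, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Link-type values as defined by libpcap, repeated so this builds without
   pcap.h; a real sniffer includes <pcap.h> and calls pcap_datalink(). */
#ifndef DLT_EN10MB
#define DLT_EN10MB     1
#define DLT_IEEE802_11 105
#endif

/* Hypothetical helper: returns the offset of the network-layer payload and
   stores the EtherType in *etype; -1 if the frame cannot be decoded safely. */
int l3_offset(int datalink, const uint8_t *p, size_t caplen, uint16_t *etype)
{
    static const uint8_t snap[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
    size_t hdr = 24;                             /* minimum 802.11 MAC header */

    if (datalink == DLT_EN10MB) {                /* real or "fake" Ethernet */
        if (caplen < 14) return -1;
        *etype = (uint16_t)((p[12] << 8) | p[13]);
        return 14;
    }
    if (datalink != DLT_IEEE802_11 || caplen < hdr) return -1;
    if (((p[0] >> 2) & 0x3) != 2) return -1;     /* not a data frame */
    if (p[1] & 0x40) return -1;                  /* Protected: body encrypted */
    if ((p[1] & 0x03) == 0x03) hdr += 6;         /* ToDS+FromDS: 4th address */
    if (p[0] & 0x80) hdr += 2;                   /* QoS subtype: QoS Control */
    if (caplen < hdr + 8) return -1;             /* truncated or null data */
    if (memcmp(p + hdr, snap, 6) != 0) return -1;  /* not 802.2 LLC + SNAP */
    *etype = (uint16_t)((p[hdr + 6] << 8) | p[hdr + 7]);
    return (int)(hdr + 8);
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t eth_frame[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45 };
static const uint8_t wlan_frame[] = {            /* QoS data, ToDS set */
    0x88,0x01, 0,0, 2,0,0,0,0,3, 2,0,0,0,0,2, 2,0,0,0,0,1, 0x10,0x00,
    0x00,0x00, 0xaa,0xaa,0x03,0,0,0, 0x08,0x00, 0x45 };

int main(void)
{
    uint16_t et = 0;
    int off = l3_offset(DLT_IEEE802_11, wlan_frame, sizeof wlan_frame, &et);
    printf("802.11: payload at %d, EtherType 0x%04x\n", off, et);
    return 0;
}
```

Frames carrying an HT Control field, and link types other than the two shown, are rejected or left undecoded rather than guessed at.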

