tcpdump mailing list archives
Re: regarding wireless data frames
From: Guy Harris <guy () alum mit edu>
Date: Fri, 9 Mar 2012 10:28:56 -0800
On Mar 8, 2012, at 6:53 PM, abhinav narain wrote:
> Since I am capturing every frame in monitor mode, I would like to see the packet type : arp/ip ... and is it tcp/udp type. But when I do the following, I don't get any output
You *won't* get any output if the packets are encrypted, and, if you're capturing in monitor mode on a network using WEP or WPA/WPA2, the packets will be encrypted. With an encrypted packet, what you capture "over the air" won't have something that looks as if it begins with an 802.2 LLC header, you'll have something that looks as if it begins with random data. You would have to decrypt the payload following the 802.11 header in order to see, for example, an 802.2 LLC header, followed by a SNAP header, followed by an IPv4 header, etc. for an IPv4 packet.
>> Well, if the type is a data frame, then the payload, *once it's been decrypted if it was encrypted*, begins with an 802.2 LLC header. That's not determined by a single bit, but by a 2-byte type field (and a 4-byte subtype field, as some data frames have no data).

> As you can notice, I am using a 2 byte field to check the subtype field.
Sorry, I meant "2-*bit* type field" and "4-*bit* subtype field", not "2-*byte* ..." and "4-*byte* ...". Presumably that's what you're checking for.
>> 802.2 headers don't necessarily have an organization code or protocol ID field - that's the case only for SNAP frames, where the DSAP and SSAP are 0xAA - and, for SNAP frames, the protocol ID field is an Ethernet type only if the organization code is 00:00:00.

> Shall I use some other llc struct to find out the data packet is of which transport layer protocol
No, what you need to do, *once you've decrypted the packet if it's encrypted* - you check the Protected Frame bit in the 802.11 header to check for encrypted packets - is to check whether the 802.2 header contains 0xAA 0xAA 0x03, so you're checking whether it's a SNAP packet and an Unnumbered Information packet, and then check the 5-byte SNAP header following the 3-byte 802.2 header to see whether the first 3 bytes, which are the OUI field in the SNAP header, are all zero. If so, then the protocol id field, in the remaining 2 bytes, is an Ethernet type; it's a big-endian field. Check it against ETHERTYPE_IP to look for an IPv4 packet, ETHERTYPE_ARP for an ARP packet, ETHERTYPE_IPv6 for an IPv6 packet, etc.
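The sequence of checks described in this reply, written out as an added example that is not from the thread and not tcpdump's or libpcap's own code: it takes one raw 802.11 frame (assumed to have no radiotap or other link-layer pseudo-header in front of it, which real monitor-mode captures usually do carry), rejects non-data, null-data and Protected frames, then tests the 3-byte LLC header for AA AA 03, the SNAP OUI for 00:00:00, and reads the big-endian Ethertype. The 4-address and QoS header-length handling goes slightly beyond what the message covers, and the sample frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>
enum wlan_class {
    WLAN_TRUNCATED,    /* too short for the headers being examined */
    WLAN_NOT_DATA,     /* management or control frame */
    WLAN_NULL_DATA,    /* data subtype that carries no payload */
    WLAN_ENCRYPTED,    /* Protected Frame bit set: payload is ciphertext until decrypted */
    WLAN_NOT_SNAP,     /* LLC header is not AA AA 03 (SNAP SAPs + UI control) */
    WLAN_NON_ZERO_OUI, /* SNAP OUI is not 00:00:00, so the protocol ID is not an Ethertype */
    WLAN_ETHERTYPE     /* *ethertype holds the Ethertype read from the SNAP header */
};

/* Classify one raw 802.11 frame; assumes no radiotap/prism header precedes it. */
enum wlan_class classify_80211_data(const uint8_t *f, size_t len, uint16_t *ethertype)
{
    if (len < 24) return WLAN_TRUNCATED;
    unsigned type    = (f[0] >> 2) & 0x3;   /* 2-bit type field, 2 = data */
    unsigned subtype = (f[0] >> 4) & 0xF;   /* 4-bit subtype field */
    if (type != 2) return WLAN_NOT_DATA;
    if (subtype & 0x4) return WLAN_NULL_DATA;  /* Null, CF-Ack, QoS Null, ...: no payload */
    if (f[1] & 0x40) return WLAN_ENCRYPTED;    /* Protected Frame bit */
    size_t hdrlen = 24;
    if ((f[1] & 0x3) == 0x3) hdrlen += 6;      /* To DS + From DS: Address 4 present */
    if (subtype & 0x8) hdrlen += 2;            /* QoS data: QoS Control field present */
    if (len < hdrlen + 3 + 5) return WLAN_TRUNCATED;
    const uint8_t *llc = f + hdrlen;
    if (llc[0] != 0xAA || llc[1] != 0xAA || llc[2] != 0x03) return WLAN_NOT_SNAP;
    const uint8_t *snap = llc + 3;
    if (snap[0] | snap[1] | snap[2]) return WLAN_NON_ZERO_OUI;
    *ethertype = (uint16_t)((snap[3] << 8) | snap[4]);  /* big-endian protocol ID */
    return WLAN_ETHERTYPE;
}

/* Constructed sample: unencrypted data frame (To DS), LLC/SNAP, then the start of an IPv4 header. */
static const uint8_t sample_ipv4_frame[] = {
    0x08, 0x01, 0x00, 0x00,                 /* frame control: data, subtype 0, To DS; duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,     /* Address 1 (BSSID) */
    0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB,     /* Address 2 (source) */
    0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x11,     /* Address 3 (destination) */
    0x10, 0x00,                             /* sequence control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,  /* LLC AA AA 03 + SNAP OUI 00:00:00, Ethertype IPv4 */
    0x45, 0x00, 0x00, 0x14                  /* first bytes of an IPv4 header */
};

int main(void)
{
    uint16_t et = 0;
    int c = classify_80211_data(sample_ipv4_frame, sizeof sample_ipv4_frame, &et);
    printf("class=%d ethertype=0x%04x\n", c, et);  /* class=6 ethertype=0x0800 */
    return 0;
}
```

Compare the returned Ethertype against ETHERTYPE_IP, ETHERTYPE_ARP and ETHERTYPE_IPV6 from the system headers (0x0800, 0x0806 and 0x86DD) to decide which parser to hand the rest of the payload to.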