Re: regarding wireless data frames

[Guy Harris <guy () alum mit edu>]

On Mar 8, 2012, at 4:47 PM, abhinav narain wrote:

> hi,
> I have seen tcpdump,wireshark both just print packet contents till mac
> header in monitor mode.
> In case of normal wireless interfaces (wlan0), they follow a different
> execution path.
> Can someone tell me what should I expect in the the frame after
> ieee80211_hdr (which comes after the radiotap header)  ?
> According to my knowledge, I assume if the control frame bit with
> Is it an llc header with a general format :
> struct llc_hdr {
>  uint8 dsap;
>  uint8 ssap;
>  struct {
>    uint8 ui;
>    uint8 org_code[3];
>    uint16 ether_type;
>  } snap;
> };
> so that i can jump it and get the ip header ?

Oh, and one more thing:

Some network adapters, when running in a mode where they supply an 802.11 header (such as monitor mode), put some 
padding in between the 802.11 header and the payload, so the 802.2 LLC header in a data frame might not immediately 
follow the 802.11 header (regardless of whether the payload is encrypted or not).  The radiotap header includes a flag 
for that - it's the 0x20 flag bit in the Flags field:

        http://www.radiotap.org/defined-fields/Flags

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.