Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to find out encapsulated protocol inside IEEE802.11 Frame?

Tags:

c

linux

wifi

network-programming

raw-sockets

I'm developing a IEEE802.11 frame parser program using libpcap inside Linux with raw C. I can parse RadioTap and IEEE802.11 headers easily but I can't find out the protocol name which is encapsulated inside the IEEE802.11 MPDU. Unfortunatly there isn't any field in IEEE802.11 header indicating the encapsulated protocol (like protocol field in Ethernet header).

Any solution?

like image 336
SuB Avatar asked Mar 16 '17 13:03

SuB

2 Answers

For 802.11 frames that are encapsulating data, the header type/subtype will be between 0x20 and 0x2F (although the frame is usually 0x20 (Data) or 0x28 (QoS-Data)). There will be a 5-byte SNAP header which will contain the type of payload (as mentioned in this answer). If the OID (first three bytes of the SNAP header) is 0x000000, then the next two bytes are the Ethernet Type.

The Ethernet Type would be 0x888e for EAPoL (source). That is the field you would inspect to know the encapsulated protocol (0x0800 for IP, 0x0806 for ARP, etc.).

Here is a good Cisco doc on Ethernet types and how you can use them to filter certain protocols: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ibm/vol1/command/reference/fibm_r1/br1fethc.pdf.

Here is a good Cisco doc on wireless sniffer traces that include a description of the 802.11 type/subtype fields: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces.

like image 189
Greg Schmit Avatar answered Oct 02 '22 05:10

Greg Schmit

Data of IEEE802.11 data packets is encapsulated in a LLC header (See here):

An 802.11 frame should contain an LLC header if, and only if, it's a Data frame. The frame type and subtype are part of the Frame Control field in the MAC header; Data is one of the frame type values (the others are Control and Management). The subtype doesn't matter - all Data frames should contain an LLC header, and no other frames should.

There are two kinds of LLC header: 3 bytes, 8 bytes . IEEE 802.11 uses the second one (See here). In that one, the two last bytes of LLC header is equivalent to Ether Type field in Ethernet protocol. So 0x800 for this field means IPv4 for example.

like image 39
SuB Avatar answered Oct 02 '22 04:10

SuB
Sign in to Comment

Related questions

Linux syscall, libc, VDSO and implementation dissection
How can I create a bootable CD image with my kernel?
Discrete Fourier transform giving incorrect results
Curl command line works, C++ curl library does not
The realisticity of writing a full operating system as an UEFI application [closed]
GSL eigenvalues order
How to implement DRY principle in C for looping over matrices
unexpected results for memory allocation with c malloc function
What is the appropriate library for linking Postgres server-side C functions
How to handle UnsafeMutablePointer correctly
Does source code amalgamation really increase the performances of a C or C++ program? [closed]
FFmpeg AVFrame Audio Data Modification
Three.JS | PerObject-Blur, What techniques can I use for GLSL/C to optimize code?
XChangeProperty without effect after client exits
Linux RCU and double linked list
Emulating the Python `random.random()` functionality in C
Embed Python 3.5 with tkinter support on Windows
Cross-compile a gnulib based project to MinGW
sizeof compound literal array
character string literal and string literal in standard?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!