List:       bro
Subject:    Re: [Bro] 802.11 link headers?
From:       Dan Klinedinst <dklinedinst () lbl ! gov>
Date:       2011-08-02 18:00:09
Message-ID: CAPLBpB6-cfQu0EPB_zyXFfCkaG4jterWkBEmfk=L_FJenyKNcQ () mail ! gmail ! com
Gregor,
Thanks for reminding me - I forgot that the header size will, at a
minimum, change if you use WEP/WPA*.  I'll take a look at this some
more and see if I can write a patch to cover all the cases (at least
without the radio headers).

Dan

On Tue, Aug 2, 2011 at 1:11 PM, Gregor Maier <gregor@icir.org> wrote:
> On 8/1/11 22:01 , Dan Klinedinst wrote:
>> It turns out that if you force tcpdump to output IEEE802_11 (without
>> the _RADIO), you get a standard, fixed-length 802.11 header of 32
>> bytes.  I added an entry for that in get_link_header_size() in
>> PktSrc.cc and now Bro works like a charm on live WiFi traffic.  I'll
>> submit a patch tomorrow.
>
>
> Cool!
> Note however that libpcap's filter code generation treats both IEEE802_11
> and IEEE802_11_RADIO as having a variable length header. It might well be
> that the variable part only varies between drivers, so it might be a
> constant 32 bytes with your NIC but not necessarily with others. (I might be
> wrong though. I didn't find a specification for these DLTs, just guessing
> from glancing at libpcap.)
>
> cu
> gregor
> --
> Gregor Maier
> <gregor@icir.org>  <gregor@icsi.berkeley.edu>
> Int. Computer Science Institute (ICSI)
> 1947 Center St., Ste. 600
> Berkeley, CA 94704, USA
> http://www.icir.org/gregor/
>



-- 
Dan Klinedinst
Lawrence Berkeley National Laboratory
510.486.4219
dklinedinst@lbl.gov
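
The variable header length discussed in this thread, as an added example (not code from Bro, libpcap or either poster): for DLT_IEEE802_11 without radio headers, the offset of the network-layer payload can be derived per frame from the Frame Control field instead of a constant, which gives 32 bytes only for a plain three-address, unencrypted data frame. The function names and the `sample` frames are hypothetical and constructed for illustration; LLC/SNAP encapsulation is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// MAC header length of an 802.11 data frame, including the WEP/TKIP/CCMP
// header when the Protected bit is set; -1 if truncated or not a data frame.
int dot11_data_hdr_len(const uint8_t* p, size_t caplen) {
    if (caplen < 24) return -1;                 // smallest data-frame header
    const uint8_t fc0 = p[0], fc1 = p[1];       // Frame Control field
    if ((fc0 & 0x03) != 0) return -1;           // protocol version must be 0
    if (((fc0 >> 2) & 0x03) != 2) return -1;    // type 2 = data
    const bool qos = (fc0 & 0x80) != 0;         // subtype bit 3: QoS variants
    size_t len = 24;
    if ((fc1 & 0x03) == 0x03) len += 6;         // ToDS and FromDS: Address 4
    if (qos) len += 2;                          // QoS Control
    if (qos && (fc1 & 0x80)) len += 4;          // Order bit on QoS: HT Control
    if (fc1 & 0x40) {                           // Protected Frame bit
        if (caplen < len + 4) return -1;
        len += (p[len + 3] & 0x20) ? 8 : 4;     // ExtIV: TKIP/CCMP, else WEP
    }
    return caplen >= len ? static_cast<int>(len) : -1;
}

// Offset of the network-layer payload, or -1 when nothing can be parsed.
int dot11_l3_offset(const uint8_t* p, size_t caplen) {
    const int hdr = dot11_data_hdr_len(p, caplen);
    if (hdr < 0) return -1;
    if (p[1] & 0x40) return -1;                 // body is encrypted
    if (p[0] & 0x40) return -1;                 // subtype bit 2: null, no body
    if (caplen < static_cast<size_t>(hdr) + 8) return -1;
    const uint8_t* llc = p + hdr;               // LLC/SNAP: AA AA 03 + OUI + type
    if (llc[0] != 0xAA || llc[1] != 0xAA || llc[2] != 0x03) return -1;
    return hdr + 8;
}

// Constructed sample: zeroed 64-byte frame, given Frame Control, LLC at llc_at.
std::vector<uint8_t> sample(uint8_t fc0, uint8_t fc1, size_t llc_at) {
    std::vector<uint8_t> f(64, 0);
    f[0] = fc0; f[1] = fc1;
    f[llc_at] = 0xAA; f[llc_at + 1] = 0xAA; f[llc_at + 2] = 0x03;
    return f;
}

int main() {
    std::printf("plain data: %d\n", dot11_l3_offset(sample(0x08, 0x01, 24).data(), 64));
    std::printf("QoS data:   %d\n", dot11_l3_offset(sample(0x88, 0x01, 26).data(), 64));
    std::printf("4-addr QoS: %d\n", dot11_l3_offset(sample(0x88, 0x03, 32).data(), 64));
}
```

Frames with the Protected bit set return -1 from `dot11_l3_offset` because the body, including LLC/SNAP, is encrypted and there is nothing for a network analyzer to parse past the security header.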

