On Tue, Apr 14, 2009 at 09:58:31AM -0700, Guy Harris wrote:
>
> On Apr 14, 2009, at 9:24 AM, David Young wrote:
>
>> On Tue, Apr 14, 2009 at 11:54:50AM -0400, Eddie Harari wrote:
>>> So when I "sniff" a packet from my "monitor" mode Intel chipset based
>>> wifi card, how do I know which radio info is preceding the 802.11
>>> header?
>>
>> The DLT that you have set determines the radio header.
>
> ...if you've selected one.  On some platforms (Linux and Mac OS X 10.4), 
> you (currently) can't choose a header using libpcap (and will never be able 
> to do so on Mac OS X 10.4, as the OS doesn't support it); however, with 
> libpcap 1.0 or later, if you request monitor mode by using pcap_create(), 
> pcap_set_rfmon(p, 1), and pcap_activate(p), libpcap will attempt to get 
> some form of radio header if it can.

Correct, though in (most) cases fetching the DLT is valid; on Linux you
will most likely get the radiotap header with any mac80211-based card
(note: some drivers return invalid data, namely 2.6.27-28 range ath5k
returns data 2 bytes short on some packet types).  On madwifi-ng you'll
get either radiotap, prism2avs, or none, depending on the setting in
/sys.  Pre-mac80211 drivers will give you some variable range of
headers.  PPI is used almost exclusively by the 11n AirPcap device on
Windows, but Kismet can now leverage it as a platform-neutral
padding-neutral log format to rewrite all the radio header data from the
other formats.

http://802.11ninja.net/lorcon/browser/trunk/lorcon_decode.c

is some basic code to strip various headers off dot11 packets.

-m

-- 
Mike Kershaw/Dragorn <drag...@kismetwireless.net>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381  A661 D7B2 8822 738B BDB1

"You can't engineer away stupid."
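
Added example, not part of the original message and not the lorcon_decode.c code linked above: a bounds-checked way to find where the 802.11 header starts for each link type named in this thread, given the value pcap_datalink() returns. The LT_* names, the 144-byte Prism length and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Values of libpcap's DLT_* constants, copied so this builds without pcap.h. */
enum { LT_80211 = 105, LT_PRISM = 119, LT_RADIOTAP = 127, LT_AVS = 163, LT_PPI = 192 };
#define PRISM_HDR_LEN 144u /* assumption: fixed-size wlan-ng Prism header */

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Offset of the 802.11 header in a captured frame, or -1 when the link type
 * is unknown or the radio header is truncated or inconsistent. */
long dot11_offset(int linktype, const uint8_t *pkt, size_t caplen)
{
    uint32_t hlen;
    switch (linktype) {
    case LT_80211:                /* no radio header at all */
        return 0;
    case LT_PRISM:
        hlen = PRISM_HDR_LEN;
        break;
    case LT_RADIOTAP:             /* u8 version, u8 pad, le16 len, le32 present */
    case LT_PPI:                  /* u8 version, u8 flags, le16 len, le32 dlt */
        if (caplen < 8) return -1;
        /* PPI can wrap other link types; accept only an 802.11 payload. */
        if (linktype == LT_PPI && le32(pkt + 4) != (uint32_t)LT_80211) return -1;
        hlen = le16(pkt + 2);
        break;
    case LT_AVS:                  /* be32 version, be32 len */
        if (caplen < 8) return -1;
        hlen = be32(pkt + 4);
        break;
    default:
        return -1;
    }
    /* The declared length must cover the fixed fields and fit the capture. */
    if (linktype != LT_PRISM && hlen < 8) return -1;
    return hlen <= caplen ? (long)hlen : -1;
}

/* Constructed samples: 8-byte radiotap header followed by 4 frame bytes. */
const uint8_t sample_ok[] = {0, 0, 8, 0, 0, 0, 0, 0, 0x80, 0x00, 0x00, 0x00};
/* Constructed: radiotap header declaring 26 bytes with only 12 captured. */
const uint8_t sample_short[] = {0, 0, 26, 0, 0x2f, 0x48, 0, 0, 0, 0, 0, 0};
/* Constructed: 8-byte PPI header whose pph_dlt field is 105 (802.11). */
const uint8_t sample_ppi[] = {0, 0, 8, 0, 105, 0, 0, 0, 0x80, 0x00};
```

Rejecting a declared header length that exceeds the captured length is what keeps a parser safe against drivers that deliver short or malformed radio headers.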
