[Bro] 802.11 link headers?

Gregor Maier gregor at icir.org
Mon Aug 1 17:40:26 PDT 2011


The IEEE802_11_RADIO linktype adds a bunch of information from the radio 
before the actual Ethernet header and it appears that this info is 
variable length. The problem is that Bro doesn't have support for this 
linktype and so Bro doesn't know where the IP header starts. Since this 
linktype adds a variable length header it's not straightforward to add 
support for it (although it's probably not too hard either). (For fixed 
length headers one would just add an appropriate case to 
get_link_header_size() in PktSrc.cc.)

I've added a feature request to Bro's tracker for that though.

If you can capture new traces, then depending on your OS and tcpdump 
version, you can run tcpdump *without* the "-I" option or with a "-y 
EN10MB" option. Then tcpdump records plain old Ethernet-only headers that 
Bro can deal with.

Unfortunately, I don't know of a tool that can convert from 
IEEE802_11_RADIO to EN10MB :-(


On 8/1/11 16:56 , Dan Klinedinst wrote:
> All,
> I dumped a bunch of packets off a wireless network to a pcap file.
> tcpdump says the link-type is .  If I try to run Bro
> against the file, I get "unknown data link type 0x7f".  I assume this
> means Bro doesn't understand the link layer data, since it's not
> Ethernet.
> [Error is from PktSrc.cc PktSrc::SetHdrSize()]
> So, is there a way to tell Bro to just ignore the link layer?  Or
> would it then not know where the layer 3 data starts?  And if there is
> not, anyone know a tool that will strip the 802.11 headers and replace
> them with fake Ethernet headers so I can use Bro on the traffic??
> Thanks
> Dan

Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
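
Added example, not part of the original message and not Bro's code: a sketch of what locating the layer-3 header behind a variable-length IEEE802_11_RADIO (0x7f) link header involves. It goes one step beyond the radiotap length discussed above and also walks the 802.11 MAC header and LLC/SNAP. The function name radiotap_l3_offset and the sample frame are constructed for illustration, and it assumes the driver inserts no padding after the 802.11 header.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Offset of the layer-3 header in a DLT_IEEE802_11_RADIO (0x7f) frame, or -1
// when the frame is not an unencrypted 802.11 data frame with LLC/SNAP.
// Assumption: no driver padding between the 802.11 header and the payload.
int radiotap_l3_offset(const uint8_t* p, size_t caplen, uint16_t* ethertype)
{
    // Radiotap: version(1) pad(1) it_len(2, little endian) it_present(4) ...
    if (caplen < 8 || p[0] != 0) return -1;
    size_t rt_len = p[2] | (p[3] << 8);          // variable, set per packet
    if (rt_len < 8 || rt_len > caplen) return -1;

    const uint8_t* f = p + rt_len;               // 802.11 MAC header
    size_t left = caplen - rt_len;
    if (left < 24) return -1;
    unsigned type = (f[0] >> 2) & 0x3, subtype = (f[0] >> 4) & 0xf;
    if ((f[0] & 0x3) != 0 || type != 2) return -1;  // data frames only
    if (subtype & 0x4) return -1;                // Null subtypes: no payload
    if (f[1] & 0x40) return -1;                  // Protected: payload encrypted

    size_t hdr = 24;                             // FC, duration, 3 addrs, seq
    if ((f[1] & 0x03) == 0x03) hdr += 6;         // ToDS+FromDS: address 4
    if (subtype & 0x8) {
        hdr += 2;                                // QoS control
        if (f[1] & 0x80) hdr += 4;               // +HTC: HT control
    }
    if (left < hdr + 8) return -1;

    const uint8_t* llc = f + hdr;                // LLC/SNAP, RFC 1042 OUI
    if (llc[0] != 0xaa || llc[1] != 0xaa || llc[2] != 0x03) return -1;
    if (llc[3] || llc[4] || llc[5]) return -1;
    *ethertype = static_cast<uint16_t>((llc[6] << 8) | llc[7]);
    return static_cast<int>(rt_len + hdr + 8);
}

// Constructed sample: 14-byte radiotap, QoS data (ToDS), LLC/SNAP, IPv4 byte.
static const uint8_t kSample[] = {
    0x00,0x00,0x0e,0x00, 0x0e,0x00,0x00,0x00, 0x00,0x02,0x6c,0x09,0xa0,0x00,
    0x88,0x01,0x00,0x00, 2,0,0,0,0,1, 2,0,0,0,0,2, 2,0,0,0,0,3, 0x10,0x00, 0,0,
    0xaa,0xaa,0x03,0x00,0x00,0x00,0x08,0x00,
    0x45 };

int main()
{
    uint16_t et = 0;
    int off = radiotap_l3_offset(kSample, sizeof kSample, &et);
    std::printf("layer 3 at offset %d, ethertype 0x%04x\n", off, et);
    return off == 48 ? 0 : 1;
}
```

Management, control, Null and encrypted frames return -1 and would have to be skipped by a caller, which is part of why this does not reduce to a fixed per-linktype header size.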
