[Bro] 802.11 link headers?
gregor at icir.org
Mon Aug 1 17:40:26 PDT 2011
The IEEE802_11_RADIO linktype adds a bunch of information from the radio
before the actual ethernet header and it appears that this info is
variable length. The problem is that Bro doesn't have support for this
linktype and so Bro doesn't know where the IP header starts. Since this
linktype adds a variable length header it's not straightforward to add
support for it (although it's probably not too hard either). (For fixed
length headers one would just add an appropriate case to
get_link_header_size() in PktSrc.cc.)
I've added a feature request to Bro's tracker for that though.
If you can capture new traces and depending on your OS and tcpdump
version, you can run tcpdump *without* the "-I" option or with a "-y
EN10MB" option. Then tcpdump records plain old ethernet only headers that
Bro can deal with.
Unfortunately, I don't know of a tool that can convert from
IEEE802_11_RADIO to EN10MB :-(
On 8/1/11 16:56 , Dan Klinedinst wrote:
> I dumped a bunch of packets off a wireless network to a pcap file.
> tcpdump says the link-type is . If I try to run Bro
> against the file, I get "unknown data link type 0x7f". I assume this
> means Bro doesn't understand the link layer data, since it's not
> [Error is from PktSrc.cc PktSrc::SetHdrSize()]
> So, is there a way to tell Bro to just ignore the link layer? Or
> would it then not know where the layer 3 data starts? And if there is
> not, anyone know a tool that will strip the 802.11 headers and replace
> them with fake Ethernet headers so I can use Bro on the traffic??
<gregor at icir.org> <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
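
Added example, not part of the original message and not Bro code: a sketch of why link type 0x7f needs a per-packet header size instead of a fixed case in get_link_header_size(). The function name radiotap_l3_offset is hypothetical; it assumes unencrypted data frames with LLC/SNAP encapsulation and no driver padding after the 802.11 header.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

static uint16_t le16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }

// Hypothetical helper, not a Bro function: offset of the IP header inside a
// DLT_IEEE802_11_RADIO (0x7f) frame, or -1 if it cannot be located.
int radiotap_l3_offset(const uint8_t* pkt, size_t caplen)
{
    // Radiotap: version(1) pad(1) it_len(2, little-endian) it_present(4...)
    if (caplen < 8 || pkt[0] != 0) return -1;
    size_t off = le16(pkt + 2);              // total radiotap length, per packet
    if (off < 8 || caplen < off + 24) return -1;

    const uint8_t* wh = pkt + off;           // 802.11 MAC header
    uint8_t type = (wh[0] >> 2) & 0x3, subtype = (wh[0] >> 4) & 0xf;
    uint8_t flags = wh[1];
    if (type != 2 || (subtype & 0x4)) return -1;  // data frames with a body only
    if (flags & 0x40) return -1;             // Protected: payload is encrypted

    size_t hdr = 24;
    if ((flags & 0x03) == 0x03) hdr += 6;    // ToDS+FromDS: fourth address
    if (subtype & 0x8) {
        hdr += 2;                            // QoS control
        if (flags & 0x80) hdr += 4;          // HT control (Order bit set)
    }
    off += hdr;

    // LLC/SNAP: AA AA 03, OUI 00 00 00, EtherType (big-endian)
    if (caplen < off + 8) return -1;
    const uint8_t* llc = pkt + off;
    if (llc[0] != 0xaa || llc[1] != 0xaa || llc[2] != 0x03) return -1;
    if (llc[3] || llc[4] || llc[5]) return -1;
    uint16_t et = uint16_t((llc[6] << 8) | llc[7]);
    if (et != 0x0800 && et != 0x86dd) return -1;  // IPv4 / IPv6 only
    return int(off + 8);
}

int main()
{
    uint8_t f[48] = {0};                     // constructed sample frame
    f[2] = 8;                                // it_len = 8 (minimal radiotap)
    f[8] = 0x08; f[9] = 0x01;                // data frame, ToDS
    f[32] = 0xaa; f[33] = 0xaa; f[34] = 0x03; f[38] = 0x08;  // SNAP, IPv4
    std::printf("IP header at offset %d\n", radiotap_l3_offset(f, sizeof f));
    return 0;
}
```

Frames for which the function returns -1 (management, control, encrypted or truncated frames) have no IP header to hand to the analyzer and would be skipped.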