[Bro] 802.11 link headers?

Gregor Maier gregor at icir.org
Tue Aug 2 10:11:00 PDT 2011


On 8/1/11 22:01 , Dan Klinedinst wrote:
 > It turns out that if you force tcpdump to output IEEE802_11 (without
 > the _RADIO), you get a standard, fixed-length 802.11 header of 32
 > bytes.  I added an entry for that in get_link_header_size() in
 > PktSrc.cc and now Bro works like a charm on live WiFi traffic.  I'll
 > submit a patch tomorrow.


Cool!
Note however that libpcap's filter code generation treats both 
IEEE802_11 and IEEE802_11_RADIO as having a variable length header. It 
might well be that the variable part only varies between drivers, so it 
might be a constant 32 bytes with your NIC but not necessarily with 
others. (I might be wrong though. I didn't find a specification for 
these DLTs, just guessing from glancing at libpcap.)

cu
gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
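
Why the header length is a per-frame property rather than a per-DLT constant, as an added example that is not part of the original message and is not Bro or libpcap code: in a DLT_IEEE802_11 capture a non-QoS three-address data frame has a 24-byte MAC header plus 8 bytes of LLC/SNAP (32 in total), while the Address 4, QoS Control and HT Control fields add to that depending on frame-control bits. The function name and the sample frames are constructed for illustration; it assumes no radiotap header and unencrypted LLC/SNAP data frames.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not Bro or libpcap code): number of bytes to skip
 * in a DLT_IEEE802_11 frame to reach the network-layer payload, i.e. MAC
 * header plus LLC/SNAP. Returns -1 if there is no cleartext payload. */
int dot11_link_header_len(const uint8_t *p, size_t caplen)
{
    if (caplen < 2)
        return -1;
    uint8_t fc0 = p[0], fc1 = p[1];
    uint8_t subtype = fc0 >> 4;
    if ((fc0 & 0x03) != 0 || ((fc0 >> 2) & 0x03) != 2)
        return -1;                  /* not version 0 / not a data frame */
    if (subtype & 0x04)
        return -1;                  /* Null and CF-only subtypes: no body */
    if (fc1 & 0x40)
        return -1;                  /* Protected bit: body is encrypted */
    size_t len = 24;                /* FC, duration, 3 addresses, seq ctl */
    if ((fc1 & 0x03) == 0x03)
        len += 6;                   /* ToDS and FromDS set: Address 4 */
    if (subtype & 0x08) {
        len += 2;                   /* QoS data: QoS Control field */
        if (fc1 & 0x80)
            len += 4;               /* Order bit on QoS data: HT Control */
    }
    if (caplen < len + 8)
        return -1;                  /* truncated before LLC/SNAP ends */
    if (p[len] != 0xAA || p[len + 1] != 0xAA || p[len + 2] != 0x03)
        return -1;                  /* not an LLC/SNAP encapsulation */
    return (int)(len + 8);
}

/* Constructed sample frames: only frame control and LLC/SNAP are filled in. */
const uint8_t plain_data[32] = { [0] = 0x08, [1] = 0x01, [24] = 0xAA, [25] = 0xAA, [26] = 0x03, [30] = 0x08 };
const uint8_t qos_data[34]   = { [0] = 0x88, [1] = 0x01, [26] = 0xAA, [27] = 0xAA, [28] = 0x03, [32] = 0x08 };
const uint8_t qos_wds[40]    = { [0] = 0x88, [1] = 0x03, [32] = 0xAA, [33] = 0xAA, [34] = 0x03, [38] = 0x08 };
const uint8_t beacon[24]     = { [0] = 0x80 };

int main(void)
{
    printf("plain=%d qos=%d wds=%d beacon=%d\n",
           dot11_link_header_len(plain_data, sizeof plain_data),
           dot11_link_header_len(qos_data, sizeof qos_data),
           dot11_link_header_len(qos_wds, sizeof qos_wds),
           dot11_link_header_len(beacon, sizeof beacon));
    return 0;
}
```

A monitor that skips a fixed 32 bytes would misparse the QoS and four-address frames here, which is the kind of traffic that then goes unanalyzed.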


