[Bro] 802.11 link headers?

Dan Klinedinst dklinedinst at lbl.gov
Tue Aug 2 11:00:09 PDT 2011


Gregor,
Thanks for reminding me - I forgot that the header size will, at a
minimum, change if you use WEP/WPA*.  I'll take a look at this some
more and see if I can write a patch to cover all the cases (at least
without the radio headers).

Dan

On Tue, Aug 2, 2011 at 1:11 PM, Gregor Maier <gregor at icir.org> wrote:
> On 8/1/11 22:01 , Dan Klinedinst wrote:
>> It turns out that if you force tcpdump to output IEEE802_11 (without
>> the _RADIO), you get a standard, fixed-length 802.11 header of 32
>> bytes.  I added an entry for that in get_link_header_size() in
>> PktSrc.cc and now Bro works like a charm on live WiFi traffic.  I'll
>> submit a patch tomorrow.
>
>
> Cool!
> Note however that libpcap's filter code generation treats both IEEE802_11
> and IEEE802_11_RADIO as having a variable length header. It might well be
> that the variable part only varies between drivers, so it might be a
> constant 32 bytes with your NIC but not necessarily with others. (I might be
> wrong though. I didn't find a specification for these DLTs, just guessing
> from glancing at libpcap.)
>
> cu
> gregor
> --
> Gregor Maier
> <gregor at icir.org>  <gregor at icsi.berkeley.edu>
> Int. Computer Science Institute (ICSI)
> 1947 Center St., Ste. 600
> Berkeley, CA 94704, USA
> http://www.icir.org/gregor/
>



-- 
Dan Klinedinst
Lawrence Berkeley National Laboratory
510.486.4219
dklinedinst at lbl.gov
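
The variable header length discussed in this thread, as an added example (not code from the thread, Bro's get_link_header_size() or libpcap): a bounds-checked C function that derives the payload offset of a DLT_IEEE802_11 frame from its Frame Control field instead of assuming a constant. The names dot11_payload_offset and sample_offset are hypothetical, the test frames are constructed, and only RFC 1042 LLC/SNAP encapsulation is recognized. A plain three-address data frame gives 24 + 8 = 32 bytes, the figure reported above; QoS, four-address and protected frames do not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Bro or libpcap code. Returns the offset of the
 * network-layer payload in a DLT_IEEE802_11 frame (no radio header),
 * or -1 if it is not a cleartext data frame with RFC 1042 LLC/SNAP. */
int dot11_payload_offset(const uint8_t *p, size_t caplen)
{
    static const uint8_t snap[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};
    size_t hdr = 24;                     /* FC, duration, 3 addresses, seq ctl */

    if (caplen < hdr) return -1;         /* truncated capture */
    uint8_t fc0 = p[0], fc1 = p[1];      /* Frame Control field */
    if ((fc0 & 0x03) != 0) return -1;    /* protocol version must be 0 */
    if ((fc0 & 0x0C) != 0x08) return -1; /* type 2 = data frames only */
    if (fc0 & 0x40) return -1;           /* null-function subtypes: no body */
    if (fc1 & 0x40) return -1;           /* Protected: WEP/WPA encrypted body */

    if ((fc1 & 0x03) == 0x03) hdr += 6;  /* ToDS+FromDS: Address 4 present */
    if (fc0 & 0x80) {                    /* QoS data subtype: QoS Control */
        hdr += 2;
        if (fc1 & 0x80) hdr += 4;        /* Order bit on QoS: HT Control */
    }
    /* Never read past the captured bytes when checking for LLC/SNAP. */
    if (caplen < hdr + 8 || memcmp(p + hdr, snap, 6) != 0) return -1;
    return (int)(hdr + 8);               /* skip LLC/SNAP and EtherType */
}

/* Constructed frame: 64 zero bytes with the given Frame Control and an
 * LLC/SNAP header plus IPv4 EtherType placed at snap_at. */
int sample_offset(uint8_t fc0, uint8_t fc1, size_t snap_at)
{
    uint8_t f[64] = {0};
    const uint8_t llc[8] = {0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00};
    f[0] = fc0; f[1] = fc1;
    memcpy(f + snap_at, llc, sizeof llc);
    return dot11_payload_offset(f, sizeof f);
}

int main(void)
{
    printf("plain data:      %d\n", sample_offset(0x08, 0x01, 24));
    printf("QoS data:        %d\n", sample_offset(0x88, 0x01, 26));
    printf("QoS, 4-address:  %d\n", sample_offset(0x88, 0x03, 32));
    printf("protected (WEP): %d\n", sample_offset(0x08, 0x41, 24));
    return 0;
}
```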



