[Bro] 802.11 link headers?

Dan Klinedinst dklinedinst at lbl.gov
Mon Aug 1 22:01:03 PDT 2011


All,
It turns out that if you force tcpdump to output IEEE802_11 (without
the _RADIO), you get a standard, fixed-length 802.11 header of 32
bytes.  I added an entry for that in get_link_header_size() in
PktSrc.cc and now Bro works like a charm on live WiFi traffic.  I'll
submit a patch tomorrow.

Dan

On Mon, Aug 1, 2011 at 8:40 PM, Gregor Maier <gregor at icir.org> wrote:
> Hi,
>
> the IEEE802_11_RADIO linktype adds a bunch of information from the radio
> before the actual ethernet header and it appears that this info is variable
> length. The problem is that Bro doesn't have support for this linktype and
> so Bro doesn't know where the IP header starts. Since this linktype adds a
> variable length header it's not straightforward to add support for it
> (although it's probably not too hard either). (For fixed length headers one
> would just add an appropriate case to get_link_header_size() in PktSrc.cc)
>
> I've added a feature request to Bro's tracker for that though.
>
> If you can capture new traces and depending on your OS and tcpdump version,
> you can run tcpdump *without* the "-I" option or with a "-y EN10MB" option.
> The tcpdump records plain old ethernet only headers that Bro can deal with.
>
> Unfortunately, I don't know of a tool that can convert from IEEE802_11_RADIO
> to EN10MB :-(
>
>
> cu
> Gregor
>
> On 8/1/11 16:56 , Dan Klinedinst wrote:
>>
>> All,
>> I dumped a bunch of packets off a wireless network to a pcap file.
>> tcpdump says the link-type is .  If I try to run Bro
>> against the file, I get "unknown data link type 0x7f".  I assume this
>> means Bro doesn't understand the link layer data, since it's not
>> Ethernet.
>>
>> [Error is from PktSrc.cc PktSrc::SetHdrSize()]
>>
>> So, is there a way to tell Bro to just ignore the link layer?  Or
>> would it then not know where the layer 3 data starts?  And if there is
>> not, anyone know a tool that will strip the 802.11 headers and replace
>> them with fake Ethernet headers so I can use Bro on the traffic??
>>
>> Thanks
>> Dan
>>
>
>
> --
> Gregor Maier
> <gregor at icir.org>  <gregor at icsi.berkeley.edu>
> Int. Computer Science Institute (ICSI)
> 1947 Center St., Ste. 600
> Berkeley, CA 94704, USA
> http://www.icir.org/gregor/
>



-- 
Dan Klinedinst
Lawrence Berkeley National Laboratory
510.486.4219
dklinedinst at lbl.gov
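The thread turns on one question: where the IP header starts behind a link type Bro does not know. The following is an added example, not code from the thread or from Bro itself. It computes that offset from the headers rather than assuming a fixed size: the radiotap header (libpcap DLT 127, the 0x7f Bro reported) carries its own length in bytes 2-3, little-endian; the 802.11 data-frame header is 24 bytes, plus 6 for a fourth address when both ToDS and FromDS are set, plus 2 for a QoS control field; an LLC/SNAP header of 8 bytes then gives the EtherType. It also rebuilds the frame with a synthetic Ethernet header, which is the conversion Dan asked about. The DLT constants are libpcap's; the sample packet bytes, MAC addresses and function names are constructed for the demonstration and are not from the thread.

```python
"""Locate the IP header behind an 802.11 capture and rebuild an Ethernet frame.

Offsets are derived from the radiotap it_len field, the 802.11 frame-control
flags and the LLC/SNAP header instead of assuming a fixed header size.
"""
import struct

# libpcap link-layer types (DLT_*); 127 is the 0x7f that Bro reported
DLT_EN10MB = 1
DLT_IEEE802_11 = 105
DLT_IEEE802_11_RADIO = 127

SNAP_HEADER = b"\xaa\xaa\x03\x00\x00\x00"  # DSAP, SSAP, control, zero OUI


def radiotap_length(pkt):
    """Length of the variable-size radiotap header: bytes 2-3, little-endian."""
    if len(pkt) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, it_len = struct.unpack_from("<BBH", pkt, 0)
    if version != 0:
        raise ValueError("unknown radiotap version %d" % version)
    if it_len < 8 or it_len > len(pkt):
        raise ValueError("implausible radiotap it_len %d" % it_len)
    return it_len


def dot11_data_header(frame):
    """Parse an 802.11 data-frame header; return (header_len, dst_mac, src_mac)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    if ftype != 2:
        raise ValueError("not a data frame (type %d)" % ftype)
    if subtype & 0x4:
        raise ValueError("null data frame carries no payload")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:           # WDS: fourth address follows sequence control
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        hdr_len, dst, src = 30, addr3, frame[24:30]
    elif to_ds:                     # station -> AP: addr3 is DA, addr2 is SA
        dst, src = addr3, addr2
    elif from_ds:                   # AP -> station: addr1 is DA, addr3 is SA
        dst, src = addr1, addr3
    else:                           # IBSS / ad-hoc: addr1 is DA, addr2 is SA
        dst, src = addr1, addr2
    if subtype & 0x8:               # QoS data: 2-byte QoS control field
        hdr_len += 2
    return hdr_len, dst, src


def locate_ip(pkt, linktype):
    """Return (ip_offset, ethertype) for one captured packet of the given DLT."""
    if linktype == DLT_EN10MB:
        return 14, struct.unpack_from("!H", pkt, 12)[0]
    if linktype == DLT_IEEE802_11_RADIO:
        off = radiotap_length(pkt)
    elif linktype == DLT_IEEE802_11:
        off = 0
    else:
        raise ValueError("unsupported link type %d" % linktype)
    hdr_len, _dst, _src = dot11_data_header(pkt[off:])
    off += hdr_len
    if pkt[off:off + 6] != SNAP_HEADER:
        raise ValueError("no LLC/SNAP header (encrypted or non-IP frame?)")
    ethertype = struct.unpack_from("!H", pkt, off + 6)[0]
    return off + 8, ethertype


def to_ethernet(pkt, linktype):
    """Rebuild an 802.11 capture as EN10MB: dst, src, EtherType, original payload."""
    if linktype == DLT_EN10MB:
        return pkt
    ip_off, ethertype = locate_ip(pkt, linktype)
    off = radiotap_length(pkt) if linktype == DLT_IEEE802_11_RADIO else 0
    _hdr_len, dst, src = dot11_data_header(pkt[off:])
    return dst + src + struct.pack("!H", ethertype) + pkt[ip_off:]


# Constructed sample (not a real capture): an 18-byte radiotap header with an
# empty present bitmask, a QoS data frame from an AP (FromDS=1), LLC/SNAP for
# IPv4, then a minimal 20-byte IPv4 header.
SAMPLE_RADIOTAP = bytes([0x00, 0x00, 0x12, 0x00]) + bytes(14)
SAMPLE_DOT11 = (
    bytes([0x88, 0x02])                # frame control: QoS data, FromDS
    + b"\x00\x00"                      # duration
    + bytes.fromhex("001122334455")    # addr1 = DA (constructed)
    + bytes.fromhex("66778899aabb")    # addr2 = BSSID (constructed)
    + bytes.fromhex("ccddeeff0011")    # addr3 = SA (constructed)
    + b"\x10\x00"                      # sequence control
    + b"\x00\x00"                      # QoS control
)
SAMPLE_IPV4 = bytes.fromhex("4500002800004000400600") + b"\x00" + bytes.fromhex("c0a80001c0a80002")
SAMPLE_PKT = SAMPLE_RADIOTAP + SAMPLE_DOT11 + SNAP_HEADER + b"\x08\x00" + SAMPLE_IPV4

if __name__ == "__main__":
    print(locate_ip(SAMPLE_PKT, DLT_IEEE802_11_RADIO))
    print(to_ethernet(SAMPLE_PKT, DLT_IEEE802_11_RADIO).hex())
```

The design choice worth noting is that every length is read from the packet and bounds-checked: a radiotap it_len larger than the capture, a non-data frame, or a missing SNAP header (which is what an encrypted WPA frame looks like at this layer) raises instead of producing a bogus IP offset.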