[Zeek] 802.11 frames

Martin Arlitt marlitt at ucalgary.ca
Fri Feb 28 15:33:38 PST 2020


Hi Karel,

The ethertype in an EAPOL frame should be 0x888e (https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/).

In a pcap file it would be possible to distinguish EAPOL frames from other frames.

I'm not sure if Zeek will process EAPOL frames (however, I'm not an expert on this matter). In the past I had to modify the source code in order to process frames that weren't IPv4, IPv6 or ARP ethertypes.

Martin

________________________________
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Karel Kuchař <karel.kuchar at dardas.cz>
Sent: Thursday, February 27, 2020 10:24 AM
To: zeek at zeek.org <zeek at zeek.org>
Subject: [Zeek] 802.11 frames

Dear Zeek Community,

I'm new to Zeek, but I'm now working on a project and I need to solve a problem with anomaly detection on Wi-Fi. Is there any way to detect frames specific to 802.11, such as EAPOL frames?

Thanks in advance,

Karel K.
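
Added example (not part of the original messages and not Zeek code): a Python sketch of the ethertype check the reply describes, picking EAPOL frames (0x888e) out of a pcap outside Zeek. It assumes a classic pcap file with the Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_P_EAPOL = 0x888E          # ethertype named in the reply above
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags that sit before the real ethertype
DLT_EN10MB = 1                # pcap link type for Ethernet

def eapol_frames(pcap: bytes):
    """Return (record number, source MAC, EAPOL packet type) per EAPOL frame."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != DLT_EN10MB:
        raise ValueError("link type is not Ethernet")
    hits, off, idx = [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off, idx = off + 16 + incl_len, idx + 1
        if len(frame) < 14:          # too short for an Ethernet header
            continue
        pos = 12                     # ethertype follows dst MAC + src MAC
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
        while ethertype in VLAN_TAGS and len(frame) >= pos + 6:
            pos += 4                 # skip the 4-byte VLAN tag
            ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
        if ethertype == ETH_P_EAPOL and len(frame) >= pos + 4:
            # EAPOL header: version (1 byte), packet type (1 byte), body length (2 bytes)
            hits.append((idx, frame[6:12].hex(":"), frame[pos + 3]))
    return hits

def _record(frame: bytes) -> bytes:
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_pcap() -> bytes:
    """Constructed capture: one IPv4 frame, one EAPOL-Key, one VLAN-tagged EAPOL-Start."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ipv4 = dst + src + b"\x08\x00" + b"\x45" + bytes(19)
    key = dst + src + b"\x88\x8e" + b"\x02\x03\x00\x00"
    tagged = dst + src + b"\x81\x00\x00\x0a" + b"\x88\x8e" + b"\x01\x01\x00\x00"
    return hdr + b"".join(_record(f) for f in (ipv4, key, tagged))

if __name__ == "__main__":
    print(eapol_frames(sample_pcap()))
```

EAPOL packet type 3 is EAPOL-Key and type 1 is EAPOL-Start, so the output can be filtered further on that field.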
