[Zeek] 802.11 frames
Martin Arlitt
marlitt at ucalgary.ca
Fri Feb 28 15:33:38 PST 2020
Hi Karel,
The ethertype in an EAPOL frame should be 0x888e (https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/).
In a pcap file it would be possible to distinguish EAPOL frames from other frames.
I'm not sure if Zeek will process EAPOL frames (however, I'm not an expert on this matter). In the past I had to modify the source code in order to process frames that weren't IPv4, IPv6 or ARP ethertypes.
Martin
________________________________
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Karel Kuchař <karel.kuchar at dardas.cz>
Sent: Thursday, February 27, 2020 10:24 AM
To: zeek at zeek.org <zeek at zeek.org>
Subject: [Zeek] 802.11 frames
Dear Zeek Community,
I'm new to Zeek, but I'm now working on a project and I need to solve a problem with anomaly detection on Wi-Fi. Is there any way to detect frames specific to 802.11, such as EAPOL frames?
Thanks in advance,
Karel K.
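Added example (not part of either message in this thread): a minimal Python sketch of distinguishing EAPOL frames in a pcap file by the 0x888e ethertype, as the reply describes. It assumes a classic pcap file (not pcapng) with the Ethernet link type, as is typical when capturing on an associated Wi-Fi interface; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E        # value given in the reply above
VLAN_TAGS = {0x8100, 0x88A8}    # 802.1Q / 802.1ad tags precede the real ethertype
LINKTYPE_ETHERNET = 1           # pcap link type for Ethernet-framed captures
# Classic pcap magic bytes (microsecond and nanosecond variants) -> byte order
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def ethertype_of(frame):
    """Ethertype of an Ethernet frame, skipping VLAN tags; None if truncated."""
    offset = 12                 # after destination and source MAC
    while len(frame) >= offset + 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TAGS:
            return etype
        offset += 4             # skip the 4-byte VLAN tag
    return None

def classify_pcap(data):
    """Return (Counter of ethertypes, 0-based indices of EAPOL frames)."""
    endian = MAGIC.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    counts, eapol, pos, index = Counter(), [], 24, 0
    while pos + 16 <= len(data):
        (incl_len,) = struct.unpack_from(endian + "I", data, pos + 8)
        etype = ethertype_of(data[pos + 16 : pos + 16 + incl_len])
        if etype is not None:
            counts[etype] += 1
            if etype == ETHERTYPE_EAPOL:
                eapol.append(index)
        pos, index = pos + 16 + incl_len, index + 1
    return counts, eapol

def build_sample_pcap():
    """Constructed sample: IPv4, EAPOL, VLAN-tagged EAPOL and ARP frames."""
    macs = bytes.fromhex("0180c2000003" "020000000001")
    frames = [macs + b"\x08\x00" + b"\x45" + bytes(19),
              macs + b"\x88\x8e" + b"\x02\x03\x00\x00",
              macs + b"\x81\x00\x00\x0a\x88\x8e" + b"\x02\x01\x00\x00",
              macs + b"\x08\x06" + bytes(28)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `classify_pcap(build_sample_pcap())` reports two EAPOL frames (indices 1 and 2) among the four constructed frames. A capture with any other link type is rejected with `ValueError` rather than misread as Ethernet.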