[Zeek] 802.11 frames
Karel Kuchař
karel.kuchar at dardas.cz
Sat Feb 29 04:23:14 PST 2020
hi Martin,
thank you for your help. I have already tried to work with Wireshark, and there it is easy to select only EAPOL frames. But I need to find these frames within Zeek and take some action when a specific condition occurs. I was looking for any possibility to work with the ether proto and then specify 0x888e.
thank you
Karel Kuchař
________________________________
From: Martin Arlitt <marlitt at ucalgary.ca>
Sent: Friday, February 28, 2020 23:33
To: Karel Kuchař <karel.kuchar at dardas.cz>; zeek at zeek.org <zeek at zeek.org>
Subject: Re: 802.11 frames
hi Karel
The ethertype in an EAPOL frame should be 0x888e (https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/).
In a pcap file it would be possible to distinguish EAPOL frames from other frames.
I'm not sure if zeek will process EAPOL frames (however, I'm not an expert on this matter). In the past I had to modify the source code in order to process frames that weren't IPv4, IPv6 or ARP ethertypes.
Martin
________________________________
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Karel Kuchař <karel.kuchar at dardas.cz>
Sent: Thursday, February 27, 2020 10:24 AM
To: zeek at zeek.org <zeek at zeek.org>
Subject: [Zeek] 802.11 frames
Dear Zeek Community,
I'm new to Zeek, but I'm now working on a project and I need to solve a problem with anomaly detection on Wi-Fi. Is there any way to detect frames specific to 802.11, like an EAPOL frame?
Thanks in advance,
Karel K.
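
Added example, not written by anyone in this thread and not Zeek code: a stand-alone Python check that picks EAPOL frames (ethertype 0x888e) out of a classic pcap. It goes beyond the Ethernet case mentioned above to unencrypted 802.11 data frames, where the ethertype follows the LLC/SNAP header. All function names and the sample frames are constructed for illustration.

```python
import struct

EAPOL = 0x888E
VLAN_TAGS = (0x8100, 0x88A8)        # 802.1Q / 802.1ad tags sit before the real ethertype
SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # LLC/SNAP header that precedes the ethertype in 802.11

def ethertype(linktype, frame):
    """Ethertype of one captured frame, or None if it has none we can read."""
    if linktype == 127 and len(frame) >= 4:       # radiotap: skip the capture header
        frame, linktype = frame[struct.unpack_from("<H", frame, 2)[0]:], 105
    if linktype == 1:                             # Ethernet, possibly VLAN-tagged
        off = 12
        while len(frame) >= off + 2:
            etype = struct.unpack_from("!H", frame, off)[0]
            if etype not in VLAN_TAGS:
                return etype
            off += 4
    elif linktype == 105 and len(frame) >= 2:     # raw 802.11
        fc0, fc1 = frame[0], frame[1]
        if (fc0 >> 2) & 3 == 2 and not fc1 & 0x40:    # data frame, not encrypted
            # 24-byte header, +6 for a 4th address, +2 for QoS (HT Control not handled)
            hdr = 24 + (6 if fc1 & 3 == 3 else 0) + (2 if fc0 & 0x80 else 0)
            if frame[hdr:hdr + 6] == SNAP and len(frame) >= hdr + 8:
                return struct.unpack_from("!H", frame, hdr + 6)[0]
    return None

def eapol_indexes(pcap):
    """Indexes of the EAPOL frames in a classic (microsecond) pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(order + "I", pcap, 20)[0]
    hits, off, idx = [], 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(order + "I", pcap, off + 8)[0]
        if ethertype(linktype, pcap[off + 16:off + 16 + incl]) == EAPOL:
            hits.append(idx)
        off, idx = off + 16 + incl, idx + 1
    return hits

def make_pcap(linktype, frames):    # builds constructed demo input, little-endian
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

MACS, BODY = bytes(12), b"\x88\x8e\x02\x03\x00\x00"   # constructed: zeroed MACs, EAPOL stub
# Constructed Ethernet capture: ARP, plain EAPOL, EAPOL inside VLAN 10
ETH = make_pcap(1, [MACS + b"\x08\x06" + bytes(28), MACS + BODY, MACS + b"\x81\x00\x00\x0a" + BODY])
# Constructed 802.11 capture: beacon (management), then QoS data carrying EAPOL
WIFI = make_pcap(105, [b"\x80\x00" + bytes(22), b"\x88\x01" + bytes(24) + SNAP + BODY])
print(eapol_indexes(ETH), eapol_indexes(WIFI))
```

Encrypted (Protected-bit) data frames return no ethertype because the LLC/SNAP header is inside the ciphertext; the EAPOL handshake itself is sent unencrypted, so it is still visible.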