How to find the encapsulated protocol inside an IEEE802.11 frame?

I am developing an IEEE802.11 frame parser program using libpcap on Linux in raw C. I can easily parse the RadioTap and IEEE802.11 headers, but I cannot find out the name of the protocol that is encapsulated inside the IEEE802.11 MPDU. Unfortunately, the IEEE802.11 header does not have a header indicating the encapsulated protocol (for example, the protocol field in the Ethernet header).

Any solution?

+7
c linux network-programming raw-sockets
2 answers

In IEEE802.11 data packets, the data is encapsulated in the LLC header (see here):

An 802.11 frame shall contain an LLC header if and only if it is a Data Frame. The type and subtype of the frame are part of the frame control field in the MAC header; Data is one of the values of the frame type (others are control and management). The subtype does not matter - all Data Frames must contain the LLC header, and no other frames should.

There are two types of LLC header: 3 bytes and 8 bytes. IEEE 802.11 uses the second (see here). In this case, the last two bytes of the LLC header are equivalent to the Ether Type field in the Ethernet protocol. So, 0x800 for this field means IPv4, for example.

0

For 802.11 frames that encapsulate data, the header type/subtype will be between 0x20 and 0x2F (although the frame is usually 0x20 (data) or 0x28 (QoS-Data)). There will be a 5-byte SNAP header that will contain the payload type (as indicated in this answer). If the OID (first three bytes of the SNAP header) is 0x000000, then the next two bytes are an Ethernet type.

The Ethernet type will be 0x888e for EAPoL (source). This is the field that you check to find out the encapsulated protocol (0x0800 for IP, 0x0806 for ARP, etc.).

Here is a good Cisco document on Ethernet types and how to use them to filter specific protocols: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ibm/vol1/command/reference/fibm_r1/br1fethc.pdf

Here is a good Cisco document on traces of a wireless sniffer that includes a description of 802.11 type/subtype fields: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces

+2
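
The lookup both answers describe, as an added C example (not code from either answer): it finds the LLC/SNAP header in a data frame and returns the EtherType, with a bounds check before every read because capture data is untrusted input. The function name, the result codes and the sample frames are hypothetical and constructed for illustration; it assumes the radiotap header has already been skipped and that the frame carries no mesh control field.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes; names are hypothetical, chosen for this example. */
enum { DOT11_NOT_DATA = -1, DOT11_NO_BODY = -2, DOT11_PROTECTED = -3,
       DOT11_TRUNCATED = -4, DOT11_NO_ETHERTYPE = -5 };

/* Constructed sample frames (all-zero addresses), not captured traffic. */
static const uint8_t sample_qos_arp[34] =      /* QoS Data, ToDS, ARP */
    { 0x88, 0x01, [26] = 0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x06 };
static const uint8_t sample_data_eapol[32] =   /* Data, EAPoL */
    { 0x08, 0x00, [24] = 0xAA, 0xAA, 0x03, 0, 0, 0, 0x88, 0x8E };
static const uint8_t sample_beacon[24] = { 0x80, 0x00 };  /* management */

/* frame: start of the 802.11 MAC header (radiotap already skipped).
 * len:   captured bytes from that point.
 * Returns the EtherType (0..0xFFFF) or a negative code from the enum. */
int dot11_ethertype(const uint8_t *frame, size_t len)
{
    if (len < 24) return DOT11_TRUNCATED;
    unsigned type    = (frame[0] >> 2) & 0x3;   /* Frame Control byte 0 */
    unsigned subtype = (frame[0] >> 4) & 0xF;
    unsigned flags   = frame[1];                /* Frame Control byte 1 */

    if (type != 2)        return DOT11_NOT_DATA;     /* mgmt or control */
    if (subtype & 0x4)    return DOT11_NO_BODY;      /* Null, QoS Null, ... */
    if (flags & 0x40)     return DOT11_PROTECTED;    /* body is encrypted */
    if (frame[22] & 0x0F) return DOT11_NO_ETHERTYPE; /* later fragment */

    size_t hdr = 24;
    if ((flags & 0x03) == 0x03) hdr += 6;          /* ToDS+FromDS: Address 4 */
    if (subtype & 0x8) {                           /* QoS Data variants */
        if (len < hdr + 2)     return DOT11_TRUNCATED;
        if (frame[hdr] & 0x80) return DOT11_NO_ETHERTYPE;  /* A-MSDU body */
        hdr += 2;                                  /* QoS Control */
        if (flags & 0x80) hdr += 4;                /* HT Control */
    }
    if (len < hdr + 8) return DOT11_TRUNCATED;     /* LLC(3) + SNAP(5) */

    const uint8_t *llc = frame + hdr;
    if (llc[0] != 0xAA || llc[1] != 0xAA || llc[2] != 0x03)
        return DOT11_NO_ETHERTYPE;                 /* not LLC/SNAP */
    if (llc[3] || llc[4] || llc[5])
        return DOT11_NO_ETHERTYPE;                 /* non-zero OUI */
    return (llc[6] << 8) | llc[7];                 /* EtherType, big-endian */
}
```

When the Protected bit is set the frame body starts with the cipher header, so the LLC/SNAP bytes are not readable without decrypting first.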