Re: [tcpdump-workers] What's the difference between NdisMediumBare80211 (DLT_IEEE802_11) and NdisMediumRadio80211 (DLT_IEEE802_11_RADIO)

[Yang Luo]

Hi Guy,

I wonder why this mail went to my spam.. I don't know anything about radiotap
header so I'm afraid i'm not supplying it. And I have confirmed that my
captured packets are parsed well using NdisMediumBare80211. In Wireshark it
shows "IEEE 802.11 Data". So I think I will just use this value. Thanks!


Cheers,
Yang

On Mon, Apr 4, 2016 at 3:24 PM, Guy Harris  wrote:

> On Apr 3, 2016, at 11:47 PM, Yang Luo  wrote:
>
> > I'm adding Native 802.11 capture support to Npcap and demonstrate it on
> > Wireshark. (See:
> >
> https://github.com/nmap/npcap/releases/download/v0.06-r13/npcap-nmap-0.06-r13-wifi.exe
> ).
> > I found that the there are two 802.11 related values to show the adapter
> > type: NdisMediumBare80211 and NdisMediumRadio80211
> >
> > I don't know their differences. And All I can googled out is a post on
> this
> > list 10 years before: http://seclists.org/tcpdump/2006/q3/32. So I sent
> my
> > query here:)
> >
> >
> > Packet.dll translates them based on the following code:
> >
> > case NdisMediumBare80211:
> > p->linktype = DLT_IEEE802_11;
> > break;
> >
> > case NdisMediumRadio80211:
> > p->linktype = DLT_IEEE802_11_RADIO;
> > break;
> >
> > So I want to know which value should I use for native 802.11 capturing?
>
> If you're supplying a radiotap header, so that the packet data begins with
> a radiotap header, use NdisMediumRadio80211.
>
> If you're not supplying any radio metadata, so that the packet data begins
> with an 802.11 header, use NdisMediumBare80211.
>
> If you're doing anything else, do one of the two things above instead.
>
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: [tcpdump-workers] What's the difference between NdisMediumBare80211 (DLT_IEEE802_11) and NdisMediumRadio80211 (DLT_IEEE802_11_RADIO)

[Guy Harris]

On Apr 6, 2016, at 5:41 PM, Yang Luo  wrote:

> I wonder why this mail went to my spam.. I don't know anything about radiotap 
> header so I'm afraid i'm not supplying it.

It's a way to provide "radio metadata" for packets; see

http://www.radiotap.org

for a description of it.

If you were to implement that in the future, you'd get the "Media-Specific OOB 
Data for Received 802.11 Packets":


https://msdn.microsoft.com/en-us/library/windows/hardware/ff559169(v=vs.85).aspx

in a DOT11_EXTSTA_RECV_CONTEXT structure:


https://msdn.microsoft.com/en-us/library/windows/hardware/ff548626(v=vs.85).aspx

when you receive a packet.  Then you'd provide a link-layer header type of 
DLT_IEEE802_11_RADIO, and synthesize a radiotap header.  When you open the 
device, you'd have to fetch the device's data rate mapping table with the 
OID_DOT11_DATA_RATE_MAPPING_TABLE OID:


https://msdn.microsoft.com/en-us/library/windows/hardware/ff569139(v=vs.85).aspx


https://msdn.microsoft.com/en-us/library/windows/hardware/ff547679(v=vs.85).aspx

and associate that with the private data for the pcap_t.

Then, for each received packet:

   if DOT11_RECV_FLAG_RAW_PACKET_TIMESTAMP is set in uReceiveFlags, provide a 
radiotap TSFT field with the value from the ullTimestamp field of the structure;

   provide a radiotap Flags field with 0x10 set if the frame includes the FCS 
(you'll probably have to experiment a bit to see whether you get the FCS or not 
- the answer might differ for data and management frames, based on Network 
Monitor's behavior) and with 0x40 set if DOT11_RECV_FLAG_RAW_PACKET_FCS_FAILURE 
is set in uReceiveFlags;

   provide a radiotap Rate field whose value is the result of looking up the 
ucDataRate field's value in the data rate mapping table and returning the 
usDataRateValue value from that table - if it's not found, don't provide the 
Rate field;

   provide a radiotap Channel field where the frequency value is the 
uChCenterFrequency field of the structure and the flags are derived from the 
uChCenterFrequency and uPhyId fields of the structure - assuming that the 
uPhyId value is one of the ones from


https://msdn.microsoft.com/en-us/library/windows/hardware/ff548741(v=vs.85).aspx

   then the mapping would be:

dot11_phy_type_fhss - set 0x0800 in the flags (11 legacy FHSS);

dot11_phy_type_ofdm - set 0x0040 in the flags (11a);

dot11_phy_type_hrdsss - set 0x0020 in the flags (11b);

dot11_phy_type_erp - set 0x0040 in the flags (11g, unknown whether it's 
pure or not);

   and, unless it's dot11_phy_type_irbaseband, set 0x0100 if the frequency is 
in the 5 GHz range or set 0x0080 if it's in the 2.4 GHz range;

   provide a radiotap Antenna signal field whose value is the value of the 
lRSSI field in the structure;

   if the phy is dot11_phy_type_ht, provide a radiotap MCS field where the 
known field is 0 and the other fields are also zeroed out (i.e., it's 11n, but 
we don't know anything else about it);

   if the phy is dot11_phy_type_vht, provide a radiotap VHT field where the 
known field is 0 and the other fields are also zeroed out (i.e., it's 11ac, but 
we don't know anything else about it).

> And I have confirmed that my captured packets are parsed well using 
> NdisMediumBare80211. In Wireshark it shows "IEEE 802.11 Data".

That means that you're just supplying packets that begin with an 802.11 header, 
with no form of radio information preceding it, so...

> So I think I will just use this value.

...that is exactly what you should be doing.
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers