Guy Harris wrote:
> Karl Gaissmaier wrote:
>> There are missing CASE statements for DLT_PRISM_HEADER in
>> the different filter checks and a modified gen_wlanhostop
>> to shift the packet the prism header length, but using the
>> same logic as for the DLT_IEEE802_11 link layer.
> It requires more than that.

I feared such quirks, what a mess.

> ARPHRD_PRISM is used in Linux both for the Prism and the AVS radio
> headers, so which header a packet has can be determined only by the
> generated BPF program checking the header.

or the user, since he (maybe) knows the used driver and header length.
If he is able to count he could provide this info to the filter string,
see below.

> The Prism header and the current AVS header have different lengths; this
> means that the link-layer header for DLT_PRISM_HEADER is
> variable-length, and libpcap currently can't generate code for
> variable-length link-layer headers.

hmm, it's possible if you add additional filter keywords like
wlan_avs or wlan_prism, ... or much better a generic offset syntax:
ether <target> <dir> offset <n>
(or any similar scheme)
then you would be able to handle all crude frame types in front
of the ethernet-like data link layers.
Currently you can't use 'wlan host <mac>' but you can use
wlan[0:n], but this starts from the beginning of the PRISM
header (start of packet) and not from the beginning of the
802.11 header, this is a little bit misleading for the
unsuspecting user.
Why do I ask?
I'm a network admin at Ulm University with a quite big WLAN
installation. I use a Linux laptop with an Orinoco PCMCIA
card and an external directed antenna to pinpoint the really
bad guys. It would be helpful to set up the _capture_ filter
already with the MAC address of the bad guy. I need the
radio header to pinpoint along the increasing signal
strength. I could write a filter with discrete byte offsets
and comparison logic, but especially for wlan you know, the
SA isn't always at the same offset, it depends on ....
and this logic is already done within gen_wlanhostop.
Best Regards
Charly
P.S. please don't misunderstand me: pcap, tcpdump and ethereal
are wonderful pieces of software. I would really write a patch
if I were able to do this. I'm definitely no professional C hacker.
--
please support the software patent opponents:
http://www.nosoftwarepatents.com/
Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany
Email:[EMAIL PROTECTED] Service Group Network
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
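The two points raised in the thread, that the radio header in front of the 802.11 frame can be either Prism or AVS and must be told apart by inspecting it, and that the 802.11 source address sits in a different address slot depending on the To DS / From DS bits, can be made concrete with a small parser. The following is an added worked example written for this page; it is neither code from the thread nor libpcap's gen_wlanhostop. The Prism header length (144 bytes), the AVS magic values (0x80211001 through 0x80211003) and the AVS length field at offset 4 are assumptions drawn from those header formats, not facts stated in the thread, and all frames below are constructed, not captured traffic. It computes the absolute byte offset of the SA from the start of the packet, which is the offset a `wlan[n:m]` style filter would have to use, and shows that this offset changes with the radio header type as well as with the DS bits.

```python
import struct

# Header sizes and magic values are assumptions drawn from the Prism and
# AVS capture-header formats; the thread itself does not state them.
PRISM_HEADER_LEN = 144                              # fixed-size Prism monitor header
AVS_MAGICS = (0x80211001, 0x80211002, 0x80211003)   # AVS capture header "magic" field

# 802.11 frame-control type values
FTYPE_MGMT, FTYPE_CTRL, FTYPE_DATA = 0, 1, 2


def radio_header_len(pkt: bytes) -> int:
    """Length of the radio header that sits in front of the 802.11 frame.

    The only way to know whether a DLT_PRISM_HEADER packet carries a Prism
    or an AVS header is to look at the header bytes themselves.
    """
    if len(pkt) < 8:
        raise ValueError("packet too short for a radio header")
    magic = struct.unpack_from(">I", pkt, 0)[0]
    if magic in AVS_MAGICS:
        # AVS: big-endian 32-bit header length at offset 4 (assumed layout)
        hlen = struct.unpack_from(">I", pkt, 4)[0]
        if hlen < 8 or hlen > len(pkt):
            raise ValueError("implausible AVS header length %d" % hlen)
        return hlen
    return PRISM_HEADER_LEN


def sa_offset(pkt: bytes):
    """Absolute byte offset (from packet start) of the 802.11 source address.

    Returns None for control frames, which carry no SA. Which address slot
    holds the SA depends on the To DS / From DS bits of the frame control.
    """
    base = radio_header_len(pkt)
    if len(pkt) < base + 2:
        raise ValueError("no frame control field after radio header")
    fc0, fc1 = pkt[base], pkt[base + 1]
    ftype = (fc0 >> 2) & 0x3
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    if ftype == FTYPE_MGMT:
        rel = 10                       # addr2
    elif ftype == FTYPE_DATA:
        if to_ds and from_ds:
            rel = 24                   # addr4 (4-address WDS frame)
        elif from_ds:
            rel = 16                   # addr3
        else:
            rel = 10                   # addr2
    else:
        return None
    return base + rel


def wlan_sa(pkt: bytes):
    """The 802.11 source address as 'aa:bb:cc:dd:ee:ff', or None."""
    off = sa_offset(pkt)
    if off is None or len(pkt) < off + 6:
        return None
    return ":".join("%02x" % b for b in pkt[off:off + 6])


# --- constructed sample frames (not captured traffic) -------------------
def build_80211(fc0, fc1, addr1, addr2, addr3, addr4=b""):
    """Minimal 802.11 MAC header: FC, duration, addr1-3, seq ctrl, optional addr4."""
    return bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + addr4


STA = bytes.fromhex("00021234abcd")      # constructed station MAC
AP = bytes.fromhex("000c4200ff01")       # constructed AP/BSSID MAC
BCAST = b"\xff" * 6

# Data frame, From DS = 1 (AP -> station): SA lives in addr3.
FRAME_FROM_DS = build_80211(0x08, 0x02, BCAST, AP, STA)
# Data frame, To DS = 1 (station -> AP): SA lives in addr2.
FRAME_TO_DS = build_80211(0x08, 0x01, AP, STA, BCAST)
# Control frame (RTS-style type bits): no SA at all.
FRAME_CTRL = build_80211(0xb4, 0x00, AP, STA, BCAST)

# Prism header: msgcode, msglen, padding to the fixed 144 bytes (constructed).
PRISM_HDR = struct.pack("<II", 0x44, PRISM_HEADER_LEN) + b"\x00" * (PRISM_HEADER_LEN - 8)
# AVS header: magic, 64-byte total length, padding (constructed).
AVS_HDR = struct.pack(">II", 0x80211001, 64) + b"\x00" * 56

PKT_PRISM = PRISM_HDR + FRAME_FROM_DS
PKT_AVS = AVS_HDR + FRAME_FROM_DS
PKT_PRISM_TO_DS = PRISM_HDR + FRAME_TO_DS
PKT_PRISM_CTRL = PRISM_HDR + FRAME_CTRL

if __name__ == "__main__":
    for name, pkt in (("prism", PKT_PRISM), ("avs", PKT_AVS),
                      ("prism/to-ds", PKT_PRISM_TO_DS), ("prism/ctrl", PKT_PRISM_CTRL)):
        print("%-12s SA at packet offset %s -> %s" % (name, sa_offset(pkt), wlan_sa(pkt)))
```

Running it shows the same station address reported at packet offset 160 under a Prism header, 80 under an AVS header, and 154 once the DS bits flip, which is exactly why a hand-written fixed-offset capture filter is fragile and why the thread asks for gen_wlanhostop's logic to be reused for DLT_PRISM_HEADER.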