On Dec 11, 2011, at 2:42 PM, abhinav narain wrote: > It sniffs for beacons by using bpf filter and keeps a per AP record of > packet count etc in a table.
So if that's all you're doing, you presumably don't have your own buffer for packets; when you say "I already have 15% RAM being eaten by the program, so I can't actually increase the buffer size to save packets in between select switches.", are you referring to the buffer in libpcap itself, as specified by pcap_set_buffer_size()? > Is poll() better than select ? If you only have two file descriptors on which you're selecting, a poll() call probably involves less copying of data into and out of the kernel than a select() call. If you're only going to run this code on Linux, an epoll() call will involve even less copying of data into and out of the kernel, as it keeps the set-of-file-descriptors in the kernel, so it doesn't have to be copied in on every "wait for an event" call. > I can only see A,B,G in beacons in tcpdump code, reading the radiotap > header.. > How can I infer an AP is N ? What do you mean by "reading the radiotap header"? One way to identify a beacon frame from an 802.11n-capable AP is to look for the HT Capabilities Info field; see "7.3.2.56.2 HT Capabilities Info field" in the 802.11 spec. A beacon frame is an announcement of the existence of, and capabilities of, an AP; I say "802.11n-capable AP" rather than "802.11n AP" because an 802.11n-capable AP may well support stations that use 802.11b or 802.11g, so the only reason for an AP to send beacons as other than 802.11b packets would be if it were incapable of supporting 802.11b stations. I just now ran a capture on my machine, and the beacons from our 802.11n-capable AP are, according to the radiotap header, sent at a data rate of 1Mb/s, so, by reading the radiotap header, there's no indication that the AP is 802.11n-capable; however, if you look at the tagged parameters in the beacon frame, you see the HT Capabilities information element. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
