Hi, I've done some work on getting a Scruby EAPOL dissector working, but to do that I've also had to write a basic radiotap dissector.
I've had a couple of issues in doing it: my LLC packet is different from the one Scruby is currently expecting (mine has an extra two parameters), so I've created an LLCx dissector which nearly works for my packets, except for a small problem I've commented on in the code. I tried sending this to Sylvain, but he is too busy to look at it at the moment, so he suggested I forward it to the list. Hopefully this is useful to someone else out there. It does the job I needed, but I know it is a long way from finished, so hopefully someone can take it and do something more with it, or if I get time I'll try to improve it. Robin
diff -Naur ../../scruby/new/scruby-0.3/scruby/dissector.rb ./dissector.rb
--- ../../scruby/new/scruby-0.3/scruby/dissector.rb 2008-03-06 01:19:11.000000000 +0000
+++ ./dissector.rb 2008-03-16 04:00:25.000000000 +0000
@@ -287,6 +287,47 @@
 end
+class RadioTap<Layer
+
+attr_accessor :Revision, :Pad, :Length, :Header
+
+def init
+ @protocol = 'RadioTap'
+ @fields_desc = [ ByteField('Revision', 0),
+ ByteField('Pad', 0),
+ FieldLenField('Length', '', 'Header', 'v'),
+ RadioTapLenField('Header','', 'Length')]
+end
+
+end
+
+class EAPOL<Layer
+
+attr_accessor :Version, :Type, :Length
+#attr_accessor :Version, :Type, :Length, :DescriptorType, :KeyInfo, :KeyLength, :ReplayCounter, :Nonce, :IV, :RSC, :ID, :MIC, :ExtraLength, :Extra
+
+def init
+ @protocol = 'EAPOL'
+ @fields_desc = [
+ ByteField('Version',0),
+ ByteField('Type', 0),
+ FieldLenField('Length', '', 'data', 'n'),
+# ByteField('DescriptorType', 0),
+# StrFixedLenField('KeyInfo', '', 2),
+# StrFixedLenField('KeyLength', '', 2),
+# StrFixedLenField('ReplayCounter', '', 8),
+# StrFixedLenField('Nonce', '', 32),
+# StrFixedLenField('IV', '', 16),
+# StrFixedLenField('RSC', '', 8),
+# StrFixedLenField('ID', '', 8),
+# StrFixedLenField('MIC', '', 16),
+# FieldLenField('ExtraLength', '', 'Extra', 'n'),
+# StrLenField('Extra', '', 'ExraLength'),
+ ]
+end
+
+end
+
 class Dot11QoS<Layer
 attr_accessor :TID, :EOSP, :AckPolicy, :Reserved, :TXOP
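Review bot: The EAPOL `Length` field is declared as `FieldLenField('Length', '', 'data', 'n')`, but no field named `data` appears in `@fields_desc`; unless `data` is a name the base `Layer` resolves to its payload, the length is bound to nothing, and in either case it is read straight from the capture and should be checked against the bytes actually remaining in the frame before anything relies on it. The commented-out key-descriptor block also carries a typo, `StrLenField('Extra', '', 'ExraLength')`, which should read `'ExtraLength'` before anyone re-enables it. A comment such as `# Only the 4-byte EAPOL header is dissected; the EAPOL-Key descriptor fields below are not parsed yet` above that block would make the current scope explicit to the next reader.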
@@ -446,6 +487,26 @@
 end
+class LLCx<Layer
+
+attr_accessor :dsap, :ssap, :ctrl, :orgCode, :type
+
+# The orgCode should be 3 bytes followed by 2 bytes of type but if I set it this way
+# it doesn't process the bytes
+def init
+ @protocol = 'LLCx'
+ @fields_desc = [ XByteField('dsap', 0), XByteField('ssap', 0), ByteField('ctrl', 0), StrFixedLenField('orgCode', ' ', 4), ByteField('type', 1)]
+ # this should work but doesn't
+ @xfields_desc = [ XByteField('dsap', 0),
+ XByteField('ssap', 0),
+ ByteField('ctrl', 0),
+ StrFixedLenField('orgCode', '', 3),
+ StrFixedLenField('type', '', 2) ]
+
+end
+
+end
+
 class LLC<Layer
 attr_accessor :dsap, :ssap, :ctrl
@@ -468,7 +529,7 @@
 ],
 'Dot11' => [
- ['type', 2, LLC],
+ ['type', 2, LLCx],
 ['subtype', 0, Dot11AssoReq],
 ['subtype', 1, Dot11AssoResp],
 ['subtype', 2, Dot11ReassoReq],
@@ -482,6 +543,12 @@
 ['subtype', 12, Dot11Deauth],
 ],
+'RadioTap' => [
+ ['Revision', 0, Dot11],
+ ],
+'LLCx' => [
+ [BIND_ALWAYS, BIND_ALWAYS, EAPOL],
+ ],
 'Dot11QoS' => [
 [BIND_ALWAYS, BIND_ALWAYS, LLC]
 ],
@@ -531,8 +598,8 @@
 # One day, this will be processed automatically :)
 DISSECTORS_LIST = [Ether, ARP, IP, ICMP, Raw, TCP, UDP,
 ClassicBSDLoopback, OpenBSDLoopback, RIFF, ANI,
- Dot11, Dot11QoS, Dot11Beacon, Dot11Elt, Dot11ATIM, Dot11Disas,
+ Dot11, RadioTap, EAPOL, Dot11QoS, Dot11Beacon, Dot11Elt, Dot11ATIM, Dot11Disas,
 Dot11AssoReq, Dot11AssoResp, Dot11ReassoReq, Dot11ReassoResp,
 Dot11ProbeReq, Dot11ProbeResp, Dot11Auth, Dot11Deauth, Dot11WEP,
- LLC]
+ LLC, LLCx]
 end
diff -Naur ../../scruby/new/scruby-0.3/scruby/field.rb ./field.rb
--- ../../scruby/new/scruby-0.3/scruby/field.rb 2008-03-07 22:10:50.000000000 +0000
+++ ./field.rb 2008-03-16 04:00:23.000000000 +0000
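Review bot: `LLCx` splits the SNAP header as `StrFixedLenField('orgCode', ' ', 4)` plus `ByteField('type', 1)`, so the OUI field swallows the high byte of the EtherType and `type` only ever holds its low byte; together with `['type', 2, LLCx]` replacing the `LLC` binding in the second hunk and `[BIND_ALWAYS, BIND_ALWAYS, EAPOL]` under `'LLCx'` in the third, every 802.11 data frame's LLC/SNAP payload — IP, ARP, anything else — is now dissected as EAPOL. Once `type` is a 16-bit integer field (an `XShortField`, which `FIELD_LIST` already lists, rather than a 2-byte string), the binding should select on it, e.g. `['type', 0x888e, EAPOL]`, and the existing `LLC` binding should be kept for other types instead of being replaced. `@xfields_desc` is a live assignment to an instance variable nothing reads; if it is meant as a note it should be a comment, and `# this should work but doesn't` would be more useful if it recorded what actually happens when the 3+2 layout is used.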
@@ -944,6 +944,28 @@
 end
+# The third and fourth bytes hold the length of the whole header so this will give
+# the length of the rest of the header -4 bytes for the revision, pad and length
+class RadioTapLenField<StrLenField
+def pre_build
+ @size = @@[EMAIL PROTECTED] - 4
+ @format = 'a' + @size.to_s
+end
+
+def to_net(value)
+ @size = @@[EMAIL PROTECTED] - 4
+ @format = 'a' + @size.to_s
+
+ # By default, value is ''
+ if value
+ return value[0, @size].to_s
+ else
+ return ''
+ end
+end
+
+
+end
 # NB for Dot11* fields:
 # These functions have different 'is_applicable?' methods, to build different
 # kinds of packets with the same dissector, depending on its type.
@@ -998,7 +1020,7 @@
 end
 # One day, this will be processed automatically :)
-FIELD_LIST = [StrField, StrFixedLenField, StrLenField, FieldLenField,
+FIELD_LIST = [RadioTapLenField, StrField, StrFixedLenField, StrLenField, FieldLenField,
 BitField, BitEnumField, FlagsField, ByteField, XByteField, ByteEnumField, XByteEnumField, ShortField, XShortField, ShortEnumField, XShortEnumField,
diff -Naur ../../scruby/new/scruby-0.3/scruby/func.rb ./func.rb
--- ../../scruby/new/scruby-0.3/scruby/func.rb 2008-03-07 22:52:18.000000000 +0000
+++ ./func.rb 2008-03-16 01:15:25.000000000 +0000
@@ -125,6 +125,9 @@
 puts date_time + Dot11(packet).to_s
 puts
+ elsif linktype == Pcap::DLT_IEEE802_11_RADIO
+ puts date_time + RadioTap(packet).to_s
+
 # Unknown link type
 else
 puts "Unknown link type: #{linktype}"
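Review bot: `RadioTapLenField` derives `@size` from the frame's radiotap length field minus 4 with no lower bound, so a captured header whose length field is 0–3 yields a negative `@size`, a format string such as `a-2`, and in `to_net` a silently empty header (`value[0, -2]` is `nil`, `.to_s` turns it into `''`) instead of a parse error; since the value comes straight off the air, it should be rejected or clamped right after it is computed, e.g. `raise ArgumentError, 'radiotap length field is shorter than its fixed header' if @size < 0`, and ideally also checked against the bytes actually left in the packet. The same two-line computation is repeated in `pre_build` and `to_net` and belongs in one private helper so the check lives in one place. Separately, `@@[EMAIL PROTECTED]` on both `@size =` lines appears to be the list archive's address masking applied to the original Ruby expression (the `@@…@…` run matched an e-mail pattern), so the patch as shown will not parse until that expression is restored from the sender's copy.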