>
>
> No, it's not based on the type of interface, or the mode of the interface.
> It's based on whether the 802.11 payload has been decrypted or not; if
> you're capturing in monitor mode most frames are probably encrypted, but if
> you're not capturing in monitor mode and seeing only frames to or from your
> machine, they're probably decrypted.
>
> Got you!
> What the decrypted data (if the frame was encrypted) or the unencrypted
> data (if the frame wasn't encrypted) is then depends on the type and
> subtype fields.
>
> > According to my knowledge, I assume if the control frame bit with
> > Is it an LLC header with a general format:
> > struct llc_hdr {
> >     uint8_t dsap;               /* destination SAP; 0xAA for SNAP */
> >     uint8_t ssap;               /* source SAP; 0xAA for SNAP */
> >     struct {
> >         uint8_t  ui;            /* control field; 0x03 = unnumbered information */
> >         uint8_t  org_code[3];   /* OUI; only 00:00:00 means ether_type is an EtherType */
> >         uint16_t ether_type;    /* network byte order, read with ntohs() */
> >     } snap;
> > };
>
> Since I am capturing every frame in monitor mode, I would like to see the
packet type: ARP/IP ... and whether it is TCP/UDP.
But when I do the following, I don't get any output:
// f is the ieee80211_hdr, hdrlen its length, jh->caplen_ the captured length
if (subtype == IEEE80211_STYPE_DATA) {
    // bounds-check the whole LLC/SNAP header before reading any of it
    if (jh->caplen_ < hdrlen + sizeof(struct llc_hdr))
        return;
    struct llc_hdr* llc = (struct llc_hdr*)(((uchar*)f) + hdrlen);
    int llc_type = ntohs(llc->snap.ether_type);
    if (llc_type == ETHERTYPE_ARP) {
        printf("arp \n");
    } else if (llc_type == ETHERTYPE_IP) {
        if (jh->caplen_ < hdrlen + sizeof(*llc) + sizeof(struct iphdr))
            return;
        struct iphdr* ih = (struct iphdr*)(llc + 1);
        if (ih->protocol == IPPROTO_TCP)
            printf("tcp \n");
        else if (ih->protocol == IPPROTO_UDP)
            printf("udp \n");
        else if (ih->protocol == IPPROTO_ICMP)
            printf("icmp \n");
    }
} else if (subtype == IEEE80211_STYPE_NULLFUNC) {
    // NULLFUNC is a sibling of DATA, so it is tested at the same level, not inside the DATA branch
    printf("no data\n");
}
> Well, if the type is a data frame, then the payload, *once it's been
> decrypted if it was encrypted*, begins with an 802.2 LLC header. That's
> not determined by a single bit, but by a 2-byte type field (and a 4-byte
> subtype field, as some data frames have no data).
As you can see, I am using a 2-byte field to check the subtype field.
> 802.2 headers don't necessarily have an organization code or protocol ID
> field - that's the case only for SNAP frames, where the DSAP and SSAP are
> 0xAA - and, for SNAP frames, the protocol ID field is an Ethernet type only
> if the organization code is 00:00:00.
>
> Shall I use some other LLC struct to find out which transport-layer protocol
the data packet carries?
Abhinav Narain
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
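The classifier the thread is circling around, written out as an added example; it is not code from the mailing-list post, nor from tcpdump or Wireshark. It goes beyond the snippet in the post in the ways the quoted replies ask for: it reads the 2-bit type and 4-bit subtype out of Frame Control rather than comparing a raw subtype value, skips Null/QoS Null frames that carry no body, refuses to interpret the body of a frame whose Protected bit is set (that is the ciphertext case a monitor-mode capture mostly sees), computes the variable MAC header length (QoS Control, Address 4) before locating the LLC header, and only trusts the EtherType when the LLC header really is SNAP with OUI 00:00:00. It assumes the input is the bare 802.11 frame with any radiotap header already stripped. The macro names, the frame_class enum and the functions classify_80211, build_sample and classify_sample are this example's own; the sample frames are constructed, not captured.

```c
/* Added example; not from the mailing-list post, tcpdump or Wireshark. A
 * bounds-checked classifier for raw 802.11 data frames: type/subtype come from
 * the 2-byte Frame Control field, Null/QoS Null frames carry no LLC header, a
 * frame with the Protected bit set is ciphertext, and an EtherType is present
 * only for SNAP (DSAP/SSAP 0xAA) with OUI 00:00:00. Assumes the radiotap
 * header has already been stripped. Constants mirror <linux/ieee80211.h>. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define FCTL_FTYPE 0x000c
#define FCTL_TODS 0x0100
#define FCTL_FROMDS 0x0200
#define FCTL_PROTECTED 0x4000
#define FTYPE_DATA 0x0008
#define STYPE_QOS_DATA 0x0080 /* subtype bit 7: QoS variants, carry a 2-byte QoS Control */
#define STYPE_NULLFUNC 0x0040 /* subtype bit 6: "no data" variants */
#define ETHERTYPE_IP 0x0800
#define ETHERTYPE_ARP 0x0806
typedef enum {
    CLS_TRUNCATED, CLS_NOT_DATA, CLS_NULL_DATA, CLS_ENCRYPTED, CLS_NOT_SNAP,
    CLS_OTHER_ETHERTYPE, CLS_ARP, CLS_IP_TCP, CLS_IP_UDP, CLS_IP_ICMP, CLS_IP_OTHER
} frame_class;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Data-frame MAC header: 24 bytes, +6 for Address 4 (To-DS and From-DS both
 * set), +2 for QoS Control. HT Control (Order bit) is not handled here. */
static size_t data_hdr_len(uint16_t fc)
{
    size_t len = 24;
    if ((fc & (FCTL_TODS | FCTL_FROMDS)) == (FCTL_TODS | FCTL_FROMDS)) len += 6;
    if (fc & STYPE_QOS_DATA) len += 2;
    return len;
}

/* Every read is checked against caplen first, so a short capture gives CLS_TRUNCATED. */
frame_class classify_80211(const uint8_t *frame, size_t caplen)
{
    if (caplen < 2) return CLS_TRUNCATED;
    uint16_t fc = le16(frame);                      /* Frame Control is little-endian */
    if ((fc & FCTL_FTYPE) != FTYPE_DATA) return CLS_NOT_DATA;
    if (fc & STYPE_NULLFUNC) return CLS_NULL_DATA;  /* Null / QoS Null: no body at all */
    size_t hlen = data_hdr_len(fc);
    if (caplen < hlen + 8) return CLS_TRUNCATED;    /* MAC header + 8-byte LLC/SNAP */
    if (fc & FCTL_PROTECTED) return CLS_ENCRYPTED;  /* body is WEP/TKIP/CCMP ciphertext */
    const uint8_t *llc = frame + hlen;
    /* SNAP with an EtherType: DSAP=SSAP=0xAA, control 0x03 (UI), OUI 00:00:00; anything else is plain 802.2 LLC */
    if (llc[0] != 0xAA || llc[1] != 0xAA || llc[2] != 0x03 ||
        llc[3] != 0x00 || llc[4] != 0x00 || llc[5] != 0x00) return CLS_NOT_SNAP;
    uint16_t ethertype = be16(llc + 6);             /* EtherType is big-endian */
    const uint8_t *body = llc + 8;
    if (ethertype == ETHERTYPE_ARP) return CLS_ARP;
    if (ethertype != ETHERTYPE_IP) return CLS_OTHER_ETHERTYPE;
    if (caplen - hlen - 8 < 20) return CLS_TRUNCATED;   /* minimal IPv4 header */
    switch (body[9]) {                              /* IPv4 Protocol field */
    case 6:  return CLS_IP_TCP;
    case 17: return CLS_IP_UDP;
    case 1:  return CLS_IP_ICMP;
    default: return CLS_IP_OTHER;
    }
}

/* Constructed sample frame (not captured traffic): zeroed addresses, SNAP or
 * plain-LLC header, then a minimal IPv4 or ARP body. Returns the frame length. */
static size_t build_sample(uint8_t *buf, uint16_t fc, int snap, uint16_t ethertype, uint8_t ipproto)
{
    memset(buf, 0, 96);
    buf[0] = (uint8_t)fc; buf[1] = (uint8_t)(fc >> 8);
    size_t n = data_hdr_len(fc);
    if (snap) {
        uint8_t hdr[8] = { 0xAA, 0xAA, 0x03, 0, 0, 0, (uint8_t)(ethertype >> 8), (uint8_t)ethertype };
        memcpy(buf + n, hdr, 8);
    } else {
        buf[n] = buf[n + 1] = 0x42; buf[n + 2] = 0x03;  /* plain 802.2 LLC (STP SAP) */
    }
    n += 8;
    if (ethertype != ETHERTYPE_IP) return n + 28;    /* ARP body */
    buf[n] = 0x45; buf[n + 9] = ipproto;             /* IPv4: version/IHL, Protocol */
    return n + 20;
}

/* Build and classify one sample; a nonzero caplen simulates a capture cut short. */
frame_class classify_sample(uint16_t fc, int snap, uint16_t ethertype, uint8_t ipproto, size_t caplen)
{
    uint8_t buf[96];
    size_t n = build_sample(buf, fc, snap, ethertype, ipproto);
    if (caplen && caplen < n) n = caplen;
    return classify_80211(buf, n);
}

int main(void)
{
    static const char *names[] = { "truncated", "not data", "null data", "encrypted", "non-SNAP LLC",
                                   "other EtherType", "arp", "tcp", "udp", "icmp", "other IP proto" };
    printf("%s\n", names[classify_sample(FTYPE_DATA | STYPE_QOS_DATA, 1, ETHERTYPE_IP, 6, 0)]); /* tcp */
    printf("%s\n", names[classify_sample(FTYPE_DATA | FCTL_PROTECTED, 1, ETHERTYPE_IP, 6, 0)]);  /* encrypted */
    return 0;
}
```

Build with `cc -std=c99 -Wall classify.c`. To run it over a real monitor-mode capture, skip the radiotap header first (its length is the little-endian 16-bit field at offset 2 of the frame) and pass the remainder with the captured length; on a WPA network nearly every data frame will come back as CLS_ENCRYPTED, which is the situation the quoted reply describes. QoS frames with the Order bit set carry a further 4-byte HT Control field, and A-MSDU aggregation puts subframe headers before the LLC header; neither is handled here.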