How can I detect the presence or absence of the radiotap data in the raw bytes of a pcap file? I am not using libpcap but rather examining the payload myself. It seems to me that I can create a new file with tcpdump that includes this feature but if I'm given a file that may or may not have this feature then it is impossible to determine whether the raw bytes include it or not. The only thing that occurs to me is looking for a difference in the number of bytes in incl_len and orig_len in the pcap data.

Flan

2 Answers

By checking the link-layer header type in the pcap file header; if it's 127, then you have radiotap headers followed by 802.11 headers.

The link-layer header type in the pcap file header (and the link-layer header type in an Interface Description Block in a pcap-ng file) has a value that's one of the values given in the tcpdump.org list of link-layer header type values.

The data link type is included in the pcap file header.

From the Wireshark doc, you see that the data link type is found in bytes 21-24:

typedef struct pcap_hdr_s {
        guint32 magic_number;   /* magic number */
        guint16 version_major;  /* major version number */
        guint16 version_minor;  /* minor version number */
        gint32  thiszone;       /* GMT to local correction */
        guint32 sigfigs;        /* accuracy of timestamps */
        guint32 snaplen;        /* max length of captured packets, in octets */
        guint32 network;        /* data link type */
} pcap_hdr_t;

Here's an example of a pcap file header with a radiotap header:

0xd4 0xc3 0xb2 0xa1 
0x02 0x00 0x04 0x00
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 
0xff 0xff 0x00 0x00 
0x7f 0x00 0x00 0x00   --> 0x7f = 127 = LINKTYPE_IEEE802_11_RADIOTAP
0x0d 0x06 0x5c 0x4a 
0xee 0x1a 0x02 0x00 
0xac 0x00 0x00 0x00 
0xac 0x00 0x00 0x00

while in the other example below, we have another link layer type:

0xd4 0xc3 0xb2 0xa1 
0x02 0x00 0x04 0x00 
0x00 0x00 0x00 0x00 
0x00 0x00 0x00 0x00 
0xff 0xff 0x00 0x00 
0x69 0x00 0x00 0x00   --> 0x69 = 105 = LINKTYPE_IEEE802_11
0x3a 0xcb 0x38 0x56 
0xc5 0x73 0x00 0x00 
0xd4 0x00 0x00 0x00 
0xd4 0x00 0x00 0x00

Keeping track of our endianness of course :)

niCk cAMel
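As an added example (not code from either answer), here is a small Python reader for the 24-byte pcap global header that applies the check from the answers: it picks the byte order from the magic number, pulls out the network field, and compares it with 127. The two sample headers are the ones quoted in the second answer; the nanosecond-resolution magic values are an addition not mentioned on this page.

```python
import struct

# Link-layer header type values from the tcpdump.org list (the two discussed above).
LINKTYPE_IEEE802_11 = 105
LINKTYPE_IEEE802_11_RADIOTAP = 127

# pcap magic numbers as read big-endian from the first four bytes of the file,
# mapped to the struct byte-order prefix needed for the rest of the header.
PCAP_MAGICS = {
    0xA1B2C3D4: ">",   # big-endian file, microsecond timestamps
    0xD4C3B2A1: "<",   # little-endian file, microsecond timestamps
    0xA1B23C4D: ">",   # big-endian file, nanosecond timestamps
    0x4D3CB2A1: "<",   # little-endian file, nanosecond timestamps
}


def pcap_linktype(data: bytes) -> int:
    """Return the 'network' field of a pcap global header, honouring byte order."""
    if len(data) < 24:
        raise ValueError("too short for a 24-byte pcap global header")
    magic = struct.unpack(">I", data[:4])[0]
    endian = PCAP_MAGICS.get(magic)
    if endian is None:
        # Not classic pcap; a pcapng file keeps its link type in an Interface
        # Description Block instead, which this reader does not parse.
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    # Fields: magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
    fields = struct.unpack(endian + "IHHiIII", data[:24])
    return fields[6]


def has_radiotap(data: bytes) -> bool:
    """True when every packet in the file starts with a radiotap header."""
    return pcap_linktype(data) == LINKTYPE_IEEE802_11_RADIOTAP


# Constructed sample input: the first 24 bytes of the two headers quoted above.
RADIOTAP_HDR = bytes.fromhex("d4c3b2a1 02000400 00000000 00000000 ffff0000 7f000000")
PLAIN_80211_HDR = bytes.fromhex("d4c3b2a1 02000400 00000000 00000000 ffff0000 69000000")

if __name__ == "__main__":
    for name, hdr in (("radiotap", RADIOTAP_HDR), ("plain 802.11", PLAIN_80211_HDR)):
        print(f"{name}: linktype={pcap_linktype(hdr)} radiotap={has_radiotap(hdr)}")
```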