
I am using a filter string to catch only the probe-request frames from my Wi-Fi router working in monitor/promisc mode.

The same string, i.e. "type mgt subtype probe-req", works when I run my code on a laptop, but on my Linksys WRT54G it gives an error that the pcap_compile() function is not working.

To explain further, I am using the OpenWRT White Russian 0.9 firmware on my router and its equivalent SDK to build the package for it. The program uses the libpcap library to capture raw packets from the network.

So I want to know whether there is any change in the string format when working on embedded devices like a router. If yes, can you suggest where I can find the documentation for it? If no, then what am I doing wrong?

Bhavesh Odedra
Jango

1 Answer


The filter strings that are allowed depend on:

  • the version of libpcap/WinPcap in use;
  • the link-layer header type being captured on the device.

That particular filter would be allowed if libpcap 1.0 or later is being used and if the adapter is supplying packets with 802.11 headers. Note that, on most OSes, an 802.11 adapter will supply packets with 802.11 headers only if the adapter is running in monitor mode; otherwise, it'll supply packets with Ethernet headers, and will only supply data frames, not management or control frames.

> The program uses the libpcap library to capture raw packets from the network.

Whatever the program is, it should be doing a better job of reporting errors from pcap_compile(). It should include, in the error message, the text returned by pcap_geterr() when pcap_geterr() is handed the pcap_t * that you passed to pcap_compile(); that way, you will know more information about why the error occurred, and therefore will know more information about what you need to do to fix it.

  • Thanks Harris, I appreciate your help. I used the pcap_geterr() function to get what went wrong and it prints "Syntax Error". The same string works fine on my laptop running Linux. Can you please guide me to where I can find out what sort of string I should use for a router that runs on OpenWRT White Russian 0.9, as I am using libpcap_0.9.4-1_mipsel.ipk, which is available for download at their website under the package subdirectory. – Jango Mar 10 '14 at 05:33
  • Just to add some more information, the router is running in monitor/promisc mode and the packets I am getting without using the filter are encapsulated under the 144-byte Prism header, whereas on the Linux laptop using its WLAN card, I am getting a Radiotap header above the 802.11 frame. Parsing both the frames goes fine so far, but just this filter is hindering me. – Jango Mar 10 '14 at 05:47
  • If I want to use the same library which I have now, i.e. libpcap_0.9.4-1_mipsel.ipk, what filter should I use to parse only the probe request frames? – Jango Mar 10 '14 at 06:32
  • Use `link[0] & 0xfc == 0x40`. –  Mar 10 '14 at 06:59
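
The byte test from the last comment, written out in C as an added example (not code from this thread or from libpcap): it locates the 802.11 header behind the Prism or radiotap header mentioned above and applies the same mask. The enum and function names are this example's own, and the Prism header is assumed to be a fixed 144 bytes as reported in the comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header kinds seen in the thread; the enum names are this example's own. */
enum capture_hdr { HDR_80211_ONLY, HDR_PRISM, HDR_RADIOTAP };

#define PRISM_HDR_LEN 144u /* size reported in the thread; assumed fixed */

/* Offset of the 802.11 header in a captured frame, or -1 if truncated. */
static long dot11_offset(enum capture_hdr kind, const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    if (kind == HDR_PRISM) {
        off = PRISM_HDR_LEN;
    } else if (kind == HDR_RADIOTAP) {
        /* radiotap: version(1) pad(1) total length(2, little-endian) */
        if (len < 4) return -1;
        off = (size_t)pkt[2] | ((size_t)pkt[3] << 8);
        if (off < 8) return -1; /* shorter than the fixed radiotap fields */
    }
    return off < len ? (long)off : -1;
}

/* Frame-control byte 0: version bits 0-1, type bits 2-3, subtype bits 4-7.
 * 0xfc drops the version; type 0 (management) + subtype 4 (probe request)
 * leaves 0x40. C needs the parentheses: == binds tighter than & here. */
int is_probe_request(enum capture_hdr kind, const uint8_t *pkt, size_t len)
{
    long off = dot11_offset(kind, pkt, len);
    return off >= 0 && (pkt[off] & 0xfc) == 0x40;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t RT_PROBE[]  = { 0, 0, 8, 0, 0, 0, 0, 0, 0x40, 0x00 };
static const uint8_t RT_BEACON[] = { 0, 0, 8, 0, 0, 0, 0, 0, 0x80, 0x00 };

int main(void)
{
    uint8_t prism[146] = { 0 };
    prism[PRISM_HDR_LEN] = 0x40; /* probe request after the Prism header */
    printf("radiotap probe:  %d\n", is_probe_request(HDR_RADIOTAP, RT_PROBE, sizeof RT_PROBE));
    printf("radiotap beacon: %d\n", is_probe_request(HDR_RADIOTAP, RT_BEACON, sizeof RT_BEACON));
    printf("prism probe:     %d\n", is_probe_request(HDR_PRISM, prism, sizeof prism));
    return 0;
}
```

The truncation checks matter on a capture path: a frame shorter than its claimed header length is rejected instead of being read past its end.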