
I'm attempting to capture a probe request using libpcap.

To my understanding a probe request is a management frame. I can capture these with the filter type mgt subtype probe-req.

But within pcap_next() what struct do I need to pass in? Do I need to pass a complete 802.11 header structure? And if so, where are these structs defined? I don't want to create my own if they're already defined elsewhere.

I’ve tried to include radiotap.h and add the path to the library in gcc with -I but I end up getting linking errors for asm/linkage.h and everything just gets messy from there.

My question is though, where are the standard headers defined? There seems to be very little info on this when using Google.

I'm using Yosemite by the way. I also have a Debian machine. Any answers for either platform would suffice.

James Jeffery

1 Answer


To my understanding a probe request is a management frame.

Yes.

But within pcap_next() what struct do I need to pass in?

To quote the pcap_next man page:

   const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);

      ...

   pcap_next() returns a pointer to the packet data on  success,  and
   returns  NULL if an error occured, or if no packets were read from
   a live capture (if, for example, they were discarded because  they
   didn't  pass the packet filter, or if, on platforms that support a
   read timeout that starts before any packets  arrive,  the  timeout
   expires  before  any packets arrive, or if the file descriptor for
   the capture device is in non-blocking mode  and  no  packets  were
   available  to  be  read), or if no more packets are available in a
   ``savefile.''  Unfortunately, there is no way to determine whether
   an error occured or not.

So what you need to pass in is:

  1. a pointer to a pcap_t, which you've gotten by using pcap_create(), pcap_set_rfmon() to arrange that you will be capturing in monitor mode, and pcap_activate();
  2. a pointer to a struct pcap_pkthdr - that structure type is declared in pcap.h, so you'll want to do something such as struct pcap_pkthdr hdr; and pass &hdr as the second argument;

and you will receive, as the return value, either NULL on an error (or a timeout, so do not treat NULL as an indication that something failed; you really want to use pcap_next_ex() here) or a pointer to a buffer containing the raw packet data.

After pcap_activate() returns, if it succeeds, you will need to call pcap_datalink() on the pcap_t * to see what format the raw packet data has. If it's equal to DLT_IEEE802_11_RADIO, then the raw packet data begins with a radiotap header, and there's an 802.11 header following the radiotap header.

My question is though, where are the standard headers defined?

The 802.11 headers are defined in IEEE Std 802.11-2012. Whether your OS happens to have a C header for those headers and, if it does, where the headers are, depends on the OS. You might not have any such header.

You really might want to consider just grabbing the tcpdump source and hacking it to do what you need, rather than reinventing all the parsing it does.

  • I've seen you reply on a number of topics; you seem to know your stuff. I'm facing other issues on top of this, for example pcap_datalink is always returning 1 (Ethernet), when the device I'm using is an 802.11 device. Is there any mailgroup or IRC channel for discussing this stuff other than SO? – James Jeffery Sep 02 '15 at 11:55
  • "I'm facing other issues on top of this, for example pcap_datalink is always returning 1 (Ethernet), when the device I'm using is an 802.11 device." On most OSes, when capturing on 802.11 devices you can only get 802.11 headers if you're capturing in monitor mode. Otherwise, you get "fake Ethernet" headers, so the return value of `pcap_datalink()` will be `DLT_EN10MB`, which is #defined as 1. –  Sep 02 '15 at 20:38
  • "Is there any mailgroup or IRC channel for discussing this stuff other than SO?" Try [tcpdump-workers@lists.tcpdump.org](http://www.tcpdump.org/#mailing-lists); the name notwithstanding, it's a list for discussing libpcap as well as tcpdump. –  Sep 02 '15 at 20:40
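Putting the answer's steps together with the point raised in the comments about pcap_datalink() returning DLT_EN10MB, here is an added example; it is not code from the question, the answer, libpcap or tcpdump. Because the answer notes that the OS may not ship a C header for the 802.11 frame layout, the radiotap and management-header offsets are written out by hand from the radiotap.org and IEEE 802.11 definitions, and the parser is run on a constructed DLT_IEEE802_11_RADIO packet. The capture loop (pcap_create(), pcap_set_rfmon(), pcap_activate(), pcap_datalink(), pcap_compile() with the filter from the question, and pcap_next_ex() instead of pcap_next()) is compiled only when WITH_LIBPCAP is defined. The WITH_LIBPCAP macro, the interface-name argument, the sample bytes and the source address 02:00:00:00:00:01 are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Radiotap (radiotap.org) is little-endian; the 802.11 management header is
 * 24 bytes per IEEE Std 802.11-2012. No system 802.11 header file is needed. */
enum { RADIOTAP_MIN_LEN = 8, DOT11_MGMT_HDR_LEN = 24, SSID_MAX = 32 };
/* parse_probe_request() returns the SSID length (0 = wildcard probe) or one of: */
enum { PR_BAD_RADIOTAP = -1, PR_TRUNCATED = -2, PR_NOT_PROBE_REQ = -3, PR_BAD_IE = -4 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one DLT_IEEE802_11_RADIO packet of caplen bytes. Every length field
 * comes from the air, so each is checked against the captured size before use.
 * Assumes no trailing FCS (on real captures check radiotap Flags bit 4; an FCS
 * would otherwise be read as a bogus final element). */
int parse_probe_request(const uint8_t *pkt, size_t caplen,
                        char ssid_out[SSID_MAX + 1], uint8_t src_out[6])
{
    if (caplen < RADIOTAP_MIN_LEN || pkt[0] != 0) return PR_BAD_RADIOTAP; /* it_version */
    size_t rt_len = le16(pkt + 2);                                        /* it_len */
    if (rt_len < RADIOTAP_MIN_LEN || rt_len > caplen) return PR_BAD_RADIOTAP;
    const uint8_t *dot11 = pkt + rt_len; size_t remain = caplen - rt_len; /* 802.11 follows */
    if (remain < DOT11_MGMT_HDR_LEN) return PR_TRUNCATED;
    /* Frame Control byte 0: bits 2-3 = type (0 = mgmt), bits 4-7 = subtype (4 = probe req). */
    if (((dot11[0] >> 2) & 0x3) != 0 || ((dot11[0] >> 4) & 0xf) != 4) return PR_NOT_PROBE_REQ;
    if (src_out) memcpy(src_out, dot11 + 10, 6);   /* Address 2 = transmitter */
    /* Body: tag-length-value information elements; the SSID is element id 0. */
    const uint8_t *ie = dot11 + DOT11_MGMT_HDR_LEN; size_t ie_remain = remain - DOT11_MGMT_HDR_LEN;
    int ssid_len = 0; if (ssid_out) ssid_out[0] = '\0';
    while (ie_remain >= 2) {
        uint8_t id = ie[0], ielen = ie[1];
        if (ielen > ie_remain - 2 || (id == 0 && ielen > SSID_MAX))
            return PR_BAD_IE;                      /* element longer than captured data */
        if (id == 0) {
            ssid_len = ielen;
            if (ssid_out) { memcpy(ssid_out, ie + 2, ielen); ssid_out[ielen] = '\0'; }
        }
        ie += 2 + ielen;
        ie_remain -= 2 + ielen;
    }
    return ssid_len;
}

/* Constructed sample (not a real capture): minimal radiotap header, a probe
 * request from a locally administered address to broadcast, SSID "example". */
const uint8_t sample_probe_req[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, /* radiotap: v0, it_len 8, no fields */
    0x40, 0x00, 0x00, 0x00,                         /* FC 0x0040 (mgmt/probe req), duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,             /* addr1: broadcast */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,             /* addr2: constructed source */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,             /* addr3: broadcast BSSID */
    0x10, 0x00,                                     /* sequence control */
    0x00, 0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e',  /* IE 0: SSID */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,             /* IE 1: supported rates */
};
/* Same header with subtype 5 (probe response): the FC check must reject it. */
const uint8_t sample_probe_resp[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x10, 0x00,
};

#ifdef WITH_LIBPCAP /* cc -DWITH_LIBPCAP probe.c -lpcap && sudo ./a.out <interface> */
#include <pcap.h>
int main(int argc, char **argv)
{
    char errbuf[PCAP_ERRBUF_SIZE], ssid[SSID_MAX + 1];
    uint8_t src[6]; struct bpf_program fp; struct pcap_pkthdr *hdr; const unsigned char *data;
    if (argc != 2) { fprintf(stderr, "usage: %s <interface>\n", argv[0]); return 2; }
    pcap_t *p = pcap_create(argv[1], errbuf);
    if (!p) { fprintf(stderr, "pcap_create: %s\n", errbuf); return 1; }
    pcap_set_rfmon(p, 1);  /* request monitor mode; lack of support is reported by activate() */
    if (pcap_activate(p) < 0) { fprintf(stderr, "pcap_activate: %s\n", pcap_geterr(p)); return 1; }
    /* Without monitor mode most OSes hand back fake Ethernet, DLT_EN10MB (1), not 802.11. */
    if (pcap_datalink(p) != DLT_IEEE802_11_RADIO) { fprintf(stderr, "not DLT_IEEE802_11_RADIO\n"); return 1; }
    if (pcap_compile(p, &fp, "type mgt subtype probe-req", 1, PCAP_NETMASK_UNKNOWN) != 0 ||
        pcap_setfilter(p, &fp) != 0) { fprintf(stderr, "filter: %s\n", pcap_geterr(p)); return 1; }
    int rc; /* pcap_next_ex() separates timeout (0) from error (-1); pcap_next() cannot. */
    while ((rc = pcap_next_ex(p, &hdr, &data)) >= 0) {
        if (rc == 1 && parse_probe_request(data, hdr->caplen, ssid, src) >= 0)
            printf("%02x:%02x:%02x:%02x:%02x:%02x probe for \"%s\"\n",
                   src[0], src[1], src[2], src[3], src[4], src[5], ssid);
    }
    fprintf(stderr, "pcap_next_ex: %s\n", pcap_geterr(p));
    pcap_close(p);
    return 0;
}
#else               /* no libpcap: just parse the constructed sample */
int main(void)
{
    char ssid[SSID_MAX + 1]; uint8_t src[6];
    int n = parse_probe_request(sample_probe_req, sizeof sample_probe_req, ssid, src);
    printf("code %d, source %02x:%02x:%02x:%02x:%02x:%02x, SSID \"%s\"\n",
           n, src[0], src[1], src[2], src[3], src[4], src[5], ssid);
    return n < 0;
}
#endif
```

Build with `cc -DWITH_LIBPCAP probe.c -lpcap` (libpcap-dev on Debian; the system libpcap on Yosemite) and run it as root with an interface name; without the define it only parses the embedded sample. Frames off the air are untrusted input, which is why it_len, the header length and every element length are checked before anything is indexed; a real capture may also carry a trailing FCS, signalled in the radiotap Flags field, which this parser does not strip.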