Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Doug Ambrisko <ambrisko@xxxxxxxxxxxx>
Date: Wed, 12 Jun 2002 09:55:12 -0700 (PDT)

Guy Harris writes:
| On Mon, Jun 10, 2002 at 08:34:57AM -0700, Doug Ambrisko wrote:
| > Also note that with the Cisco card you do not get the WEP keys in the
| > "raw" 802.11 packet (so is it really 802.11 monitor mode ... not really).
| > It is speculated that the WEP HW engine removes this.  I've been able
| > to decrypt and view the payload correctly when I enabled WEP on the
| > card and set the keys then in Ethereal dissector I have it skip
| > the WEP part of the packet and then Ethereal dissects the rest of the
| > packet correctly (i.e. follow HTTP streams etc.).
| 
| I.e., the card delivers *decrypted* WEP packets, but leaves the WEP flag
| set in the header, so that any analyzer that takes the WEP flag
| seriously gets confused?
| 
| By "skip the WEP part of the packet" do you mean you skip the first 4
| bytes after the header (i.e., the stuff dissected by the
| 
|   if (IS_WEP(COOK_FLAGS(fcf)))
|     {
|       int pkt_len = tvb_reported_length (tvb); 
|       int cap_len = tvb_length (tvb);
| 
| 		...
| 
|     }
| 
| code in "dissect_ieee80211_common()"), and then, instead of calling
| "call_dissector()", with "data_handle" as the handle argument, to
| dissect the payload (minus the WEP header and the WEP CRC), you just
| dissect that part of the frame as if it were unencrypted data?

I got my laptop back and this is the "hack" I did:

Index: packet-ieee80211.c
===================================================================
RCS file: /cvsroot/ethereal/packet-ieee80211.c,v
retrieving revision 1.53
diff -c -r1.53 packet-ieee80211.c
*** packet-ieee80211.c	2002/04/08 09:09:47	1.53
--- packet-ieee80211.c	2002/06/12 16:51:00
***************
*** 1521,1527 ****
  	  if (cap_len > 0 && pkt_len > 0)
  	    call_dissector(data_handle,tvb_new_subset(tvb, hdr_len + 4, -1,tvb_reported_length_remaining(tvb,hdr_len + 4)),pinfo, tree);
  	}
- 	return;
      }
  
    /*
--- 1521,1526 ----
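
Review bot: Dropping the `return;` at the end of the WEP block makes every frame with the WEP flag set fall through to the non-WEP body dissection, not only frames the card has already decrypted. A capture from hardware that leaves the payload encrypted, or one taken without the key set on the card, will now have ciphertext dissected as if it were cleartext. The `call_dissector(data_handle, ...)` call at `hdr_len + 4` is also still in place, so the payload is handed to the data dissector and then dissected a second time by the fall-through. Consider making the fall-through conditional (a preference, or a check that the body looks like cleartext) and skipping the data-handle call in that case.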

I did it a long time ago.  Basically I just let it fall into the part
that does:
	Now dissect the body of a non-WEP-encrypted frame.
and life is good if I set the WEP key on the card.  Of course this
is for WEP encrypted packets.

Doug A.
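
An added example, not part of the original message or of Ethereal's code: one way an analyzer can tell a stale WEP flag (body already decrypted by the card, IV stripped) from a frame that is still encrypted, instead of treating every flagged frame as cleartext. The names `classify_body` and `body_kind`, the 24-byte header length and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FC1_PROTECTED 0x40 /* WEP/"protected" bit, second frame-control octet */

/* Hypothetical names, not from packet-ieee80211.c. */
enum body_kind { BODY_TRUNCATED, BODY_PLAIN, BODY_WEP_ENCRYPTED, BODY_FLAG_STALE };

/* Cleartext data frames normally begin with LLC/SNAP: DSAP AA, SSAP AA, UI 03. */
static int looks_like_snap(const uint8_t *buf, size_t len)
{
    static const uint8_t snap[3] = { 0xAA, 0xAA, 0x03 };
    return len >= sizeof snap && memcmp(buf, snap, sizeof snap) == 0;
}

/* Classify the body of a data frame whose MAC header is hdr_len bytes long. */
enum body_kind classify_body(const uint8_t *frame, size_t len, size_t hdr_len)
{
    if (hdr_len < 2 || len <= hdr_len)
        return BODY_TRUNCATED;
    if (!(frame[1] & FC1_PROTECTED))
        return BODY_PLAIN;
    /* Flag set but LLC/SNAP sits right after the header: the hardware already
       decrypted the body and dropped the IV. Heuristic only: a real IV of
       AA AA 03 (1 in 2^24) would be misread as cleartext. */
    if (looks_like_snap(frame + hdr_len, len - hdr_len))
        return BODY_FLAG_STALE;
    return BODY_WEP_ENCRYPTED; /* still ciphertext: hand to the data dissector */
}

/* Constructed sample frames: 24-byte data header, then 8 body bytes. */
static const uint8_t stale[] = { 0x08, 0x41, [24] = 0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00 };
static const uint8_t wep[]   = { 0x08, 0x41, [24] = 0x00, 0x00, 0x01, 0, 0x5C, 0x91, 0x3E, 0x77 };
static const uint8_t plain[] = { 0x08, 0x01, [24] = 0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00 };

int main(void)
{
    printf("stale=%d wep=%d plain=%d\n",
           classify_body(stale, sizeof stale, 24),
           classify_body(wep, sizeof wep, 24),
           classify_body(plain, sizeof plain, 24));
    return 0;
}
```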