Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Solomon Peachy <solomon@xxxxxxxxxxxxxx>
Date: Thu, 13 Jun 2002 10:52:06 -0400
On Wed, Jun 12, 2002 at 11:05:35PM -0700, Guy Harris wrote:
> Solomon Peachy said, in another message, that one change he'd made to
> the 802.11 dissector was to make it
> 
>   3) Properly identify the FCS at the end of an 802.11 frame.             
>      - actually, this will require it to be present -- according to the   
>        802.11 spec, it should be there.  Some wireless cards pass it down,
>        and if they don't, the driver is broken.  *grin*
 
> That change would presumably prevent the misdissection of junk at the
> end of the frame (the 05 04 02 03 at the end); unfortunately, it'd also
> mean that we'd throw away the last 4 bytes at the end of the AiroPeek
> and Wireless Sniffer captures.

I'll add a preference to toggle this behaivor; it'll default to assuming
the FCS is present.  It won't make much of a difference in practice unless
you're interested in de-wepping the traffic.
 
> In addition, I'm not sure what it'd do to *outgoing* packets, if any of
> the BSD or Linux drivers support networking operation while you're in
> monitor mode (or support transmission of raw packets via BPF or a
> PF_PACKET socket) so that there *are* outgoing packets while you're
> sniffing.

The linux-wlan-ng driver does support transmitting raw 802.11 frames..
but not when in monitor mode.  The hardware doesn't let you transmit
anything when in monitor mode.
 
But yeah, when you transmit the raw frame, we don't pass the FCS to the
hardware; it generates it for us. 

> If, however, not all wireless cards supply the FCS when in monitor mode
> (I presume the cards that do include the cards supported by the wlan-ng
> Prism II driver, as well as the Aironet cards; I don't know about the
> Orinoco cards, and I think the Linux Orinoco driver doesn't support
> monitor mode with the 8.0 firmware version of the Orinoco cards), that
> might require adding a new DLT_IEEE802_11_NOFCS value or something such
> as that.

Actually, the prism2/2.5/3 cards don't supply a FCS in monitor mode
either, but the driver sticks one on there for correctness; it's my
understanding that many of the newer 802.11b/802.11a chipsets do append
the FCS however.  Not that any of 'em support *nix right now... but I
digress...

A DLT_IEEE_80211_NOFCS option might be worthwile... 

 - Pizza
-- 
Solomon Peachy                        solomon@xxxxxxxxxxxxxx
AbsoluteValue Systems                 http://www.linux-wlan.com
715-D North Drive                     +1 (321) 259-0737  (office)
Melbourne, FL 32934                   +1 (321) 259-0286  (fax)

Attachment: pgpZR7hsolcCP.pgp
Description: PGP signature