Wireshark-dev: Re: [Wireshark-dev] [tcpdump-workers] regarding wireless data frames

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 9 Mar 2012 10:28:56 -0800
On Mar 8, 2012, at 6:53 PM, abhinav narain wrote:

> Since I am capturing every frame in monitor mode, I would like to see the
> packet type : arp/ip ... and is it tcp/udp type.
> But when I do the following, I don't get any output

You *won't* get any output if the packets are encrypted, and, if you're capturing in monitor mode on a network using WEP or WPA/WPA2, the packets will be encrypted.

With an encrypted packet, what you capture "over the air" won't have something that looks as if it begins with an 802.2 LLC header, you'll have something that looks as if it begins with random data.  You would have to decrypt the payload following the 802.11 header in order to see, for example, an 802.2 LLC header, followed by a SNAP header, followed by an IPv4 header, etc. for an IPv4 packet.

>> Well, if the type is a data frame, then the payload, *once it's been
>> decrypted if it was encrypted*, begins with an 802.2 LLC header.  That's
>> not determined by a single bit, but by a 2-byte type field (and a 4-byte
>> subtype field, as some data frames have no data).
> 
> As you can notice, I am using a 2 byte field to check the subtype field.

Sorry, I meant "2-*bit* type field" and "4-*bit* subtype field", not "2-*byte* ..." and "4-*byte* ...".  Presumably that's what you're checking for.

>> 802.2 headers don't necessarily have an organization code or protocol ID
>> field - that's the case only for SNAP frames, where the DSAP and SSAP are
>> 0xAA - and, for SNAP frames, the protocol ID field is an Ethernet type only
>> if the organization code is 00:00:00.
> 
> Shall I use some other llc struct to find out the data packet is of which transport layer protocol?

No, what you need to do, *once you've decrypted the packet if it's encrypted* - you check the Protected Frame bit in the 802.11 header to check for encrypted packets - is to check whether the 802.2 header contains 0xAA 0xAA 0x03, so you're checking whether it's a SNAP packet and an Unnumbered Information packet, and then check the 5-byte SNAP header following the 3-byte 802.2 header to see whether the first 3 bytes, which are the OUI field in the SNAP header, are all zero.  If so, then the protocol id field, in the remaining 2 bytes, is an Ethernet type; it's a big-endian field.  Check it against ETHERTYPE_IP to look for an IPv4 packet, ETHERTYPE_ARP for an ARP packet, ETHERTYPE_IPv6 for an IPv6 packet, etc.
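The checks described in this reply, written out as an added C example. This is not code from the thread, nor from tcpdump or Wireshark; the function names (`classify_80211_data`, `ipv4_transport_protocol`), the result enum and the sample frame are my own constructions. It assumes the buffer starts at the 802.11 MAC header (any radiotap or other link-layer pseudo-header already stripped) and ignores the optional HT Control field. The sample frame is a hand-built, unencrypted QoS data frame carrying LLC/SNAP, IPv4 and a TCP protocol byte; its IPv4 checksum is not computed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_IPV6 0x86DD

/* 802.11 Frame Control is a little-endian 16-bit field.
 * Byte 0: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
 * Byte 1: To DS (bit 0), From DS (bit 1), ..., Protected Frame (bit 6). */
#define FC_TYPE(fc)      (((fc) >> 2) & 0x3)
#define FC_SUBTYPE(fc)   (((fc) >> 4) & 0xF)
#define FC_TODS          0x0100
#define FC_FROMDS        0x0200
#define FC_PROTECTED     0x4000
#define FC_TYPE_DATA     2

enum frame_class {
    FRAME_ETHERTYPE = 0,  /* data frame carrying an Ethertype; *ethertype and *l3_off are valid */
    FRAME_TOO_SHORT,
    FRAME_NOT_DATA,       /* management or control frame */
    FRAME_NO_DATA,        /* Null / QoS Null data frame: no frame body to parse */
    FRAME_PROTECTED,      /* Protected Frame bit set: payload is encrypted, decrypt first */
    FRAME_NOT_SNAP,       /* 802.2 LLC header is not AA AA 03 (SNAP, Unnumbered Information) */
    FRAME_NONZERO_OUI     /* SNAP, but OUI is not 00:00:00, so the protocol id is not an Ethertype */
};

/* Classify one 802.11 frame as captured in monitor mode. On FRAME_ETHERTYPE,
 * *ethertype receives the big-endian SNAP protocol id and *l3_off the offset
 * of the network-layer header (e.g. IPv4) within the frame. */
enum frame_class classify_80211_data(const uint8_t *f, size_t len,
                                     uint16_t *ethertype, size_t *l3_off)
{
    if (len < 24)
        return FRAME_TOO_SHORT;
    uint16_t fc = (uint16_t)f[0] | ((uint16_t)f[1] << 8);   /* little-endian */
    if (FC_TYPE(fc) != FC_TYPE_DATA)
        return FRAME_NOT_DATA;
    unsigned subtype = FC_SUBTYPE(fc);
    if (subtype & 0x4)                  /* subtype bit 2: "no data" (Null function) */
        return FRAME_NO_DATA;
    if (fc & FC_PROTECTED)              /* encrypted under WEP/WPA/WPA2 */
        return FRAME_PROTECTED;

    size_t hdr = 24;                    /* FC, duration, 3 addresses, sequence control */
    if ((fc & (FC_TODS | FC_FROMDS)) == (FC_TODS | FC_FROMDS))
        hdr += 6;                       /* 4-address frame (WDS): address 4 present */
    if (subtype & 0x8)
        hdr += 2;                       /* QoS data: 2-byte QoS Control field */
    if (len < hdr + 8)                  /* 3-byte LLC + 5-byte SNAP */
        return FRAME_TOO_SHORT;

    const uint8_t *llc = f + hdr;
    if (llc[0] != 0xAA || llc[1] != 0xAA || llc[2] != 0x03)
        return FRAME_NOT_SNAP;
    if (llc[3] != 0x00 || llc[4] != 0x00 || llc[5] != 0x00)
        return FRAME_NONZERO_OUI;
    *ethertype = (uint16_t)(((uint16_t)llc[6] << 8) | llc[7]);   /* big-endian */
    *l3_off = hdr + 8;
    return FRAME_ETHERTYPE;
}

/* Returns the IPv4 Protocol field (6 = TCP, 17 = UDP, ...) or -1 if the
 * bytes do not look like a complete IPv4 header. */
int ipv4_transport_protocol(const uint8_t *ip, size_t len)
{
    if (len < 20 || (ip[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl)
        return -1;
    return ip[9];
}

/* Constructed sample: QoS Data, From DS, not protected, LLC/SNAP, IPv4, TCP. */
static const uint8_t sample_qos_tcp_frame[] = {
    0x88, 0x02,                          /* frame control */
    0x00, 0x00,                          /* duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* addr1 */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,  /* addr2 */
    0xcc, 0xdd, 0xee, 0xff, 0x00, 0x01,  /* addr3 */
    0x10, 0x00,                          /* sequence control */
    0x00, 0x00,                          /* QoS control */
    0xaa, 0xaa, 0x03,                    /* 802.2 LLC: DSAP/SSAP 0xAA, UI */
    0x00, 0x00, 0x00,                    /* SNAP OUI 00:00:00 */
    0x08, 0x00,                          /* Ethertype IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06,  /* IPv4, proto 6 = TCP */
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02   /* csum, 10.0.0.1 -> 10.0.0.2 */
};

int main(void)
{
    uint16_t et; size_t off;
    enum frame_class c = classify_80211_data(sample_qos_tcp_frame,
                                             sizeof sample_qos_tcp_frame, &et, &off);
    if (c != FRAME_ETHERTYPE) { printf("not decodable: class %d\n", c); return 0; }
    printf("ethertype 0x%04x", et);
    if (et == ETHERTYPE_IP)
        printf(", IPv4 protocol %d", ipv4_transport_protocol(sample_qos_tcp_frame + off,
                                                             sizeof sample_qos_tcp_frame - off));
    printf("\n");
    return 0;
}
```

The order of the checks mirrors the reply: frame type and subtype first, then the Protected Frame bit (an encrypted body is just opaque bytes, so nothing after that point is meaningful), then the LLC bytes, the SNAP OUI, and only then the Ethertype. Flipping bit 6 of the second frame-control byte on the sample turns it into a `FRAME_PROTECTED` result rather than a bogus Ethertype, which is the failure the original poster was running into.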