Oh, and one more thing:
Some network adapters, when running in a mode where they supply an 802.11 header (such as monitor mode), put some padding in between the 802.11 header and the payload, so the 802.2 LLC header in a data frame might not immediately follow the 802.11 header (regardless of whether the payload is encrypted or not). The radiotap header includes a flag for that - it's the 0x20 flag bit in the Flags field:
http://www.radiotap.org/defined-fields/Flags
I have two questions.
I believe, the data packets destined for my AP, will be decrypted by the hardware itself
In any case, when I get them in userland, they should be unencrypted. right ?
If I look at tpdump code, for each data frame, I need to check
FC_WEP(fc), if only its false, I should check further.
then get the header length.
int hdrlen = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24;
if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc)))
hdrlen += 2
And then, if then jump this length to check for ether type, using the llc frame .
I hope I am not missing any detail.
As on doing the above .. i get very low frequency of arp,udp packets, but I never get tcp packets output on my screen , even though I am browsing.
Any comments ?
Abhinav