
Wireshark-dev: Re: [Wireshark-dev] [tcpdump-workers] regarding wireless data frames

From: abhinav narain <abhinavnarain10@xxxxxxxxx>
Date: Thu, 8 Mar 2012 21:53:10 -0500

No, it's not based on the type of interface, or the mode of the interface.  It's based on whether the 802.11 payload has been decrypted or not; if you're capturing in monitor mode most frames are probably encrypted, but if you're not capturing in monitor mode and seeing only frames to or from your machine, they're probably decrypted.

Got you!
What the decrypted data (if the frame was encrypted) or the unencrypted data (if the frame wasn't encrypted) is then depends on the type and subtype fields.

> According to my knowledge, I assume if the control frame bit with
> Is it an llc header with a general format :
> struct llc_hdr {
>  uint8 dsap;
>  uint8 ssap;
>  struct {
>    uint8 ui;
>    uint8 org_code[3];
>    uint16 ether_type;
>  } snap;
> };

Since I am capturing every frame in monitor mode, I would like to see the packet type (arp/ip ...) and whether it is tcp/udp.
But when I do the following, I don't get any output.

// f is ieee80211_hdr; subtype is the masked subtype field of f->frame_control.
// Assumes the frame is unencrypted and that the LLC header is SNAP with OUI 00:00:00.
if (subtype == IEEE80211_STYPE_DATA) {
    // make sure the captured bytes cover the LLC/SNAP header before reading it
    if (jh->caplen_ < hdrlen + sizeof(struct llc_hdr))
        return;
    struct llc_hdr *llc = (struct llc_hdr *)(((unsigned char *)f) + hdrlen);
    int llc_type = ntohs(llc->snap.ether_type);
    if (llc_type == ETHERTYPE_ARP) {
        printf("arp\n");
    } else if (llc_type == ETHERTYPE_IP) {
        if (jh->caplen_ < hdrlen + sizeof(*llc) + sizeof(struct iphdr))
            return;
        struct iphdr *ih = (struct iphdr *)(llc + 1);
        if (ih->protocol == IPPROTO_TCP)
            printf("tcp\n");
        else if (ih->protocol == IPPROTO_UDP)
            printf("udp\n");
        else if (ih->protocol == IPPROTO_ICMP)
            printf("icmp\n");
    }
} else if (subtype == IEEE80211_STYPE_NULLFUNC) {
    printf("no data\n");
}


 
Well, if the type is a data frame, then the payload, *once it's been decrypted if it was encrypted*, begins with an 802.2 LLC header.  That's not determined by a single bit, but by a 2-byte type field (and a 4-byte subtype field, as some data frames have no data).
As you can see, I am using a 2-byte field to check the subtype field.
  
802.2 headers don't necessarily have an organization code or protocol ID field - that's the case only for SNAP frames, where the DSAP and SSAP are 0xAA - and, for SNAP frames, the protocol ID field is an Ethernet type only if the organization code is 00:00:00.

Shall I use some other llc struct to find out which transport layer protocol the data packet belongs to?

Abhinav Narain
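The checks discussed in this thread (data type/subtype from the 2-byte frame control, the Protected bit, DSAP/SSAP 0xAA and OUI 00:00:00 before trusting the EtherType, and caplen bounds on every read) as one added example; this is illustration code written for this page, not Abhinav's program or tcpdump/Wireshark code, and the enum names and sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Result of walking one captured 802.11 frame (names constructed for this example). */
enum wifi_payload { WP_TRUNCATED, WP_NOT_DATA, WP_NO_DATA, WP_PROTECTED,
                    WP_NON_SNAP_LLC, WP_OTHER_SNAP, WP_ARP, WP_TCP, WP_UDP, WP_OTHER };

/* Frame control -> data subtype -> header length -> LLC/SNAP -> EtherType -> IPv4 protocol.
   Every field is bounds-checked against caplen first. HT Control (Order bit) and IPv6 are not handled. */
enum wifi_payload classify_80211_data(const uint8_t *f, size_t caplen)
{
    if (caplen < 24) return WP_TRUNCATED;
    uint16_t fc = (uint16_t)(f[0] | (f[1] << 8));   /* frame control is little-endian */
    unsigned type = (fc >> 2) & 0x3, subtype = (fc >> 4) & 0xf;
    if (type != 2) return WP_NOT_DATA;              /* 2 = data frame */
    if (subtype & 0x4) return WP_NO_DATA;           /* Null / CF-only subtypes carry no body */
    if (fc & 0x4000) return WP_PROTECTED;           /* Protected Frame bit: body is encrypted */
    size_t hdrlen = 24;
    if ((fc & 0x0300) == 0x0300) hdrlen += 6;       /* ToDS and FromDS: fourth address */
    if (subtype & 0x8) hdrlen += 2;                 /* QoS Data: 2-byte QoS Control field */
    if (caplen < hdrlen + 3) return WP_TRUNCATED;
    const uint8_t *llc = f + hdrlen;
    /* A SNAP header follows only when DSAP = SSAP = 0xAA and control = 0x03 (UI). */
    if (llc[0] != 0xAA || llc[1] != 0xAA || llc[2] != 0x03) return WP_NON_SNAP_LLC;
    if (caplen < hdrlen + 8) return WP_TRUNCATED;
    /* The 2-byte protocol ID is an EtherType only when the OUI is 00:00:00. */
    if (llc[3] || llc[4] || llc[5]) return WP_OTHER_SNAP;
    uint16_t ethertype = (uint16_t)((llc[6] << 8) | llc[7]);    /* big-endian on the wire */
    if (ethertype == 0x0806) return WP_ARP;
    if (ethertype != 0x0800) return WP_OTHER;
    const uint8_t *ip = llc + 8;
    if (caplen - hdrlen - 8 < 20) return WP_TRUNCATED;          /* minimal IPv4 header */
    switch (ip[9]) {                                            /* IPv4 Protocol field */
    case 6:  return WP_TCP;
    case 17: return WP_UDP;
    default: return WP_OTHER;
    }
}
/* Constructed sample frames: an unprotected Data frame, ToDS=1, LLC/SNAP, IPv4 carrying TCP ... */
static const uint8_t SAMPLE_TCP[] = {
    0x08, 0x01, 0x00, 0x00,                          /* FC: data/subtype 0, ToDS; duration */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x10, 0x00,                                      /* sequence control */
    0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,  /* LLC/SNAP, OUI 00:00:00, EtherType IPv4 */
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00, /* IPv4, proto 6 */
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,  /* source / destination addresses */
};
/* ... a QoS Null frame (subtype 12) and a Protected (encrypted) data frame, bodies zeroed. */
static const uint8_t SAMPLE_QOS_NULL[24]  = { 0xc8, 0x01 };
static const uint8_t SAMPLE_PROTECTED[40] = { 0x08, 0x41 };
```

Feeding a capture truncated before the IPv4 header returns WP_TRUNCATED instead of reading past the buffer, which is the failure the original snippet's single caplen check left open for the LLC read.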
 