You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
79 lines
2.4 KiB
79 lines
2.4 KiB
How to use packet injection with mac80211
|
|
=========================================
|
|
|
|
mac80211 now allows arbitrary packets to be injected down any Monitor Mode
|
|
interface from userland. The packet you inject needs to be composed in the
|
|
following format:
|
|
|
|
[ radiotap header ]
|
|
[ ieee80211 header ]
|
|
[ payload ]
|
|
|
|
The radiotap format is discussed in
|
|
./Documentation/networking/radiotap-headers.txt.
|
|
|
|
Despite 13 radiotap argument types are currently defined, most only make sense
|
|
to appear on received packets. The following information is parsed from the
|
|
radiotap headers and used to control injection:
|
|
|
|
* IEEE80211_RADIOTAP_RATE
|
|
|
|
rate in 500kbps units, automatic if invalid or not present
|
|
|
|
|
|
* IEEE80211_RADIOTAP_ANTENNA
|
|
|
|
antenna to use, automatic if not present
|
|
|
|
|
|
* IEEE80211_RADIOTAP_DBM_TX_POWER
|
|
|
|
transmit power in dBm, automatic if not present
|
|
|
|
|
|
* IEEE80211_RADIOTAP_FLAGS
|
|
|
|
IEEE80211_RADIOTAP_F_FCS: FCS will be removed and recalculated
|
|
IEEE80211_RADIOTAP_F_WEP: frame will be encrypted if key available
|
|
IEEE80211_RADIOTAP_F_FRAG: frame will be fragmented if longer than the
|
|
current fragmentation threshold. Note that
|
|
this flag is only reliable when software
|
|
fragmentation is enabled)
|
|
|
|
The injection code can also skip all other currently defined radiotap fields
|
|
facilitating replay of captured radiotap headers directly.
|
|
|
|
Here is an example valid radiotap header defining these three parameters
|
|
|
|
0x00, 0x00, // <-- radiotap version
|
|
0x0b, 0x00, // <- radiotap header length
|
|
0x04, 0x0c, 0x00, 0x00, // <-- bitmap
|
|
0x6c, // <-- rate
|
|
0x0c, //<-- tx power
|
|
0x01 //<-- antenna
|
|
|
|
The ieee80211 header follows immediately afterwards, looking for example like
|
|
this:
|
|
|
|
0x08, 0x01, 0x00, 0x00,
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
|
|
0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
|
|
0x10, 0x86
|
|
|
|
Then lastly there is the payload.
|
|
|
|
After composing the packet contents, it is sent by send()-ing it to a logical
|
|
mac80211 interface that is in Monitor mode. Libpcap can also be used,
|
|
(which is easier than doing the work to bind the socket to the right
|
|
interface), along the following lines:
|
|
|
|
ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
|
|
...
|
|
r = pcap_inject(ppcap, u8aSendBuffer, nLength);
|
|
|
|
You can also find sources for a complete inject test applet here:
|
|
|
|
http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer
|
|
|
|
Andy Green <andy@warmcat.com>
|
|
|