2007-07-10 21:29:37 +04:00
|
|
|
How to use packet injection with mac80211
|
|
|
|
=========================================
|
|
|
|
|
|
|
|
mac80211 now allows arbitrary packets to be injected down any Monitor Mode
|
|
|
|
interface from userland. The packet you inject needs to be composed in the
|
|
|
|
following format:
|
|
|
|
|
|
|
|
[ radiotap header ]
|
|
|
|
[ ieee80211 header ]
|
|
|
|
[ payload ]
|
|
|
|
|
|
|
|
The radiotap format is discussed in
|
|
|
|
./Documentation/networking/radiotap-headers.txt.
|
|
|
|
|
2009-04-08 14:54:41 +04:00
|
|
|
Despite many radiotap parameters being currently defined, most only make sense
|
2007-09-26 19:53:18 +04:00
|
|
|
to appear on received packets. The following information is parsed from the
|
|
|
|
radiotap headers and used to control injection:
|
2007-07-10 21:29:37 +04:00
|
|
|
|
2007-09-26 19:53:18 +04:00
|
|
|
* IEEE80211_RADIOTAP_FLAGS
|
|
|
|
|
|
|
|
IEEE80211_RADIOTAP_F_FCS: FCS will be removed and recalculated
|
|
|
|
IEEE80211_RADIOTAP_F_WEP: frame will be encrypted if key available
|
|
|
|
IEEE80211_RADIOTAP_F_FRAG: frame will be fragmented if longer than the
|
2009-04-08 14:54:41 +04:00
|
|
|
current fragmentation threshold.
|
|
|
|
|
2007-09-26 19:53:18 +04:00
|
|
|
|
|
|
|
The injection code can also skip all other currently defined radiotap fields
|
|
|
|
facilitating replay of captured radiotap headers directly.
|
2007-07-10 21:29:37 +04:00
|
|
|
|
2009-04-08 14:54:41 +04:00
|
|
|
Here is an example valid radiotap header defining some parameters
|
2007-07-10 21:29:37 +04:00
|
|
|
|
|
|
|
0x00, 0x00, // <-- radiotap version
|
|
|
|
0x0b, 0x00, // <- radiotap header length
|
|
|
|
0x04, 0x0c, 0x00, 0x00, // <-- bitmap
|
|
|
|
0x6c, // <-- rate
|
|
|
|
0x0c, //<-- tx power
|
|
|
|
0x01 //<-- antenna
|
|
|
|
|
|
|
|
The ieee80211 header follows immediately afterwards, looking for example like
|
|
|
|
this:
|
|
|
|
|
|
|
|
0x08, 0x01, 0x00, 0x00,
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
|
|
|
|
0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
|
|
|
|
0x10, 0x86
|
|
|
|
|
|
|
|
Then lastly there is the payload.
|
|
|
|
|
|
|
|
After composing the packet contents, it is sent by send()-ing it to a logical
|
|
|
|
mac80211 interface that is in Monitor mode. Libpcap can also be used,
|
|
|
|
(which is easier than doing the work to bind the socket to the right
|
|
|
|
interface), along the following lines:
|
|
|
|
|
|
|
|
ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
|
|
|
|
...
|
|
|
|
r = pcap_inject(ppcap, u8aSendBuffer, nLength);
|
|
|
|
|
2009-04-08 14:54:41 +04:00
|
|
|
You can also find a link to a complete inject application here:
|
2007-07-10 21:29:37 +04:00
|
|
|
|
2009-04-08 14:54:41 +04:00
|
|
|
http://wireless.kernel.org/en/users/Documentation/packetspammer
|
2007-07-10 21:29:37 +04:00
|
|
|
|
|
|
|
Andy Green <andy@warmcat.com>
|