From 9a71f8aa86c623b197d8ae26c6fb8d38b297593a Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 4 Feb 2015 23:33:20 -0500
Subject: [PATCH 1/3] Initial commit of RadioTap encapsulation support) - It works for me, but I believe that one of the headers I'm stripping is variable length so this is unlikely to be complete.
---
 src/iosource/PktSrc.cc | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc
index 527dadd393..cda5ae3f8b 100644
--- a/src/iosource/PktSrc.cc
+++ b/src/iosource/PktSrc.cc
@@ -171,6 +171,9 @@ int PktSrc::GetLinkHeaderSize(int link_type)
 case DLT_PPP_SERIAL: // PPP_SERIAL
 return 4;
+ case DLT_IEEE802_11_RADIO: // 802.11 plus RadioTap
+ return 59;
+
 case DLT_RAW:
 return 0;
 }
@@ -376,6 +379,26 @@ void PktSrc::Process()
 }
 break;
 }
+
+ case DLT_IEEE802_11_RADIO:
+ {
+ protocol = (data[57] << 8) + data[58];
+ if ( (data[54] == 0 && data[55] == 0 && data[56] == 0) &&
+ (protocol == 0x0800 || protocol == 0x86DD) )
+ {
+ // Found an IPv4 or IPv6 packet.
+ // Skip over the RadioTap header, the IEEE QoS header,
+ // and logical link control header.
+ data += GetLinkHeaderSize(props.link_type);
+ pkt_hdr_size = 0;
+ }
+ else
+ {
+ Weird("non_ip_packet_in_ieee802_11_radio_encapsulation", ¤t_packet);
+ goto done;
+ }
+ break;
+ }
 }
 if ( have_mpls )
From 1d94eadd36ab834f25dfedbff9592c5d7a7e7452 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Sat, 17 Oct 2015 03:09:12 -0400
Subject: [PATCH 2/3] Fixed RadioTap support (still "Works for Me")
---
 src/iosource/Packet.cc | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index cd5d8cb32c..931af78e72 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
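Review bot: In PATCH 1/3 (src/iosource/PktSrc.cc), the `return 59;` added to PktSrc::GetLinkHeaderSize() for DLT_IEEE802_11_RADIO hard-codes a link-header size that the radiotap format does not guarantee, because the radiotap header carries its own length field (it_len) and the 802.11 header after it varies as well. The second hunk, in PktSrc::Process(), rests on the same assumption: it indexes `data[54]` through `data[58]` and then advances `data` by that constant, and no comparison with the captured length is visible in the hunk, so a short or differently laid-out frame would be read past its end or mis-parsed. If the constant stays, the case label should carry a comment such as `// 59 matches one capture layout only; the radiotap length (it_len) is variable`, and Process() should reject frames shorter than 59 bytes before indexing. Both functions start and end outside the hunks shown.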
@@ -256,21 +256,34 @@ void Packet::ProcessLayer2()
 case DLT_IEEE802_11_RADIO:
 {
- protocol = (data[57] << 8) + data[58];
- if ( (data[54] == 0 && data[55] == 0 && data[56] == 0) &&
- (protocol == 0x0800 || protocol == 0x86DD) )
+ //if ( ! (pdata[73] == 0 && pdata[74] == 0 && pdata[75] == 0) )
+ // {
+ // Weird("unknown_radiotap_packet");
+ // return;
+ // }
+
+ // Skip over the RadioTap header, the IEEE QoS header,
+ // and logical link control header.
+ //printf("link header size: %d\n", GetLinkHeaderSize(link_type));
+ // skip Radio Tap header.
+ pdata += (pdata[3] << 8) + pdata[2];
+ // skip QoS data header
+ pdata += 26;
+
+ int protocol = (pdata[6] << 8) + pdata[7];
+ if ( protocol == 0x0800 )
+ l3_proto = L3_IPV4;
+ else if ( protocol == 0x86DD )
+ l3_proto = L3_IPV6;
+ else
 {
- // Found an IPv4 or IPv6 packet.
- // Skip over the RadioTap header, the IEEE QoS header,
- // and logical link control header.
- data += GetLinkHeaderSize(props.link_type);
- pkt_hdr_size = 0;
- }
- else
- {
- Weird("non_ip_packet_in_ieee802_11_radio_encapsulation", ¤t_packet);
- goto done;
+ Weird("non_ip_packet_in_ieee802_11_radio_encapsulation");
+ return;
 }
+
+ // skip logical link control header
+ pdata += 8;
+
 break;
 }
From 88f2a066ce26eea460473e1ff49338789e75df59 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 19 Jan 2016 04:10:44 -0500
Subject: [PATCH 3/3] Improved Radiotap support and a test. Radiotap support should be fully functional now with Radiotap packets that include IPv4 and IPv6. Other radiotap packets are silently ignored. This includes a test which has 802.11 headers both with and without QoS data.
---
 src/iosource/Packet.cc | 77 ++++++++++++++----
 testing/btest/Baseline/core.radiotap/conn.log | 11 +++
 testing/btest/Traces/radiotap.pcap | Bin 0 -> 852 bytes
 testing/btest/core/radiotap.bro | 2 +
 4 files changed, 74 insertions(+), 16 deletions(-)
 create mode 100644 testing/btest/Baseline/core.radiotap/conn.log
 create mode 100644 testing/btest/Traces/radiotap.pcap
 create mode 100644 testing/btest/core/radiotap.bro
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 931af78e72..54400befe8 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -256,21 +256,68 @@ void Packet::ProcessLayer2()
 case DLT_IEEE802_11_RADIO:
 {
- //if ( ! (pdata[73] == 0 && pdata[74] == 0 && pdata[75] == 0) )
- // {
- // Weird("unknown_radiotap_packet");
- // return;
- // }
+ if ( pdata + 3 >= end_of_data )
+ {
+ Weird("truncated_radiotap_header");
+ return;
+ }
+ // Skip over the RadioTap header
+ int rtheader_len = (pdata[3] << 8) + pdata[2];
+ if ( pdata + rtheader_len >= end_of_data )
+ {
+ Weird("truncated_radiotap_header");
+ return;
+ }
+ pdata += rtheader_len;
- // Skip over the RadioTap header, the IEEE QoS header,
- // and logical link control header.
- //printf("link header size: %d\n", GetLinkHeaderSize(link_type));
- // skip Radio Tap header.
- pdata += (pdata[3] << 8) + pdata[2];
- // skip QoS data header
- pdata += 26;
+ if ( pdata + 1 >= end_of_data )
+ {
+ Weird("truncated_radiotap_header");
+ return;
+ }
+ int type_80211 = pdata[0];
+ int len_80211 = 0;
+ if ( (type_80211 >> 4) & 0x04 )
+ {
+ //identified a null frame (we ignore for now). no weird.
+ return;
+ }
+ // Look for the QoS indicator bit.
+ if ( (type_80211 >> 4) & 0x08 )
+ len_80211 = 26;
+ else
+ len_80211 = 24;
- int protocol = (pdata[6] << 8) + pdata[7];
+ if ( pdata + len_80211 >= end_of_data )
+ {
+ Weird("truncated_radiotap_header");
+ return;
+ }
+ // skip 802.11 data header
+ pdata += len_80211;
+
+ if ( pdata + 8 >= end_of_data )
+ {
+ Weird("truncated_radiotap_header");
+ return;
+ }
+ // Check that the DSAP, SSAP are both SNAP and that the control
+ // field indicates that this is an unnumbered frame.
+ // The organization code (24bits) needs to also be zero to
+ // indicate that this is encapsulated ethernet.
+ if ( pdata[0] == 0xAA && pdata[1] == 0xAA && pdata[2] == 0x03 &&
+ pdata[3] == 0 && pdata[4] == 0 && pdata[5] == 0 )
+ {
+ pdata += 6;
+ }
+ else
+ {
+ // If this is a logical link control frame without the
+ // possibility of having a protocol we care about, we'll
+ // just skip it for now.
+ return;
+ }
+ int protocol = (pdata[0] << 8) + pdata[1];
 if ( protocol == 0x0800 )
 l3_proto = L3_IPV4;
 else if ( protocol == 0x86DD )
@@ -280,9 +327,7 @@ void Packet::ProcessLayer2()
 Weird("non_ip_packet_in_ieee802_11_radio_encapsulation");
 return;
 }
-
- // skip logical link control header
- pdata += 8;
+ pdata += 2;
 break;
 }
diff --git a/testing/btest/Baseline/core.radiotap/conn.log b/testing/btest/Baseline/core.radiotap/conn.log
new file mode 100644
index 0000000000..24b94f77f4
--- /dev/null
+++ b/testing/btest/Baseline/core.radiotap/conn.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2016-01-19-09-01-31
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1439902891.705224 CXWv6p3arKYeMETxOg 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty)
+1439903050.580632 CjhGID4nQcgTWjvg4c fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 (empty)
+#close 2016-01-19-09-01-31
diff --git a/testing/btest/Traces/radiotap.pcap b/testing/btest/Traces/radiotap.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..1f500f2ed7d0c9f154f7a253b56162fc9c1e8124
GIT binary patch literal 852 zcmZ`%O=uHQ5dPloCRu6@*^*idg_hp54N2N0+n(G|TToPT=nwQ_mSl+`X%k`;(}PA( z2|~exQp6mrEe28*_0aR8wg`eK6;BcMSm;GTdMGr`%f=ckoyUZk`Q}Z&Z{B`>^J+6>U{Pa?vUFb$bAWM>ti%Rz zr^Eel=KI~8wz&5DRKHkVU2wsUYE>j$#u#w&%L1S&&mTWk%4a{0)@nabAc+3;Zxt`i zX^wKl^lUzP#jxqwY}ycGnOP1ov3;Y$NnSIK;1><#{+Fa6O}CI-KR}Yp4c5z2nWz}u*G4-6GqA?h;v3B zrq^oKKH;d%PzTi!!5C@NQ~Io)Ah zk&C#BE+w4HdnOD$cG1XP@+2dA+?LM7^fZKFpXd*U1ivc!)j>yc&ZEcUIWw|AOHXW literal 0 HcmV?d00001
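Review bot: In the first Packet.cc hunk of PATCH 3/3, `rtheader_len` is compared only with `end_of_data` and never with the 8-byte minimum size of a radiotap header, so a length field below 8 (including 0) leaves `pdata` inside the radiotap header and the next bytes are then read as the 802.11 frame control field. A guard right after the length is read, `if ( rtheader_len < 8 ) { Weird("truncated_radiotap_header"); return; }`, closes that. The 24/26-byte choice likewise looks only at the subtype bits of `type_80211`; the frame type is never tested, so management and control frames, and data frames that carry a fourth address, are skipped with the wrong header length and only fall out at the SNAP comparison; `if ( ((type_80211 >> 2) & 0x03) != 0x02 ) return;` ahead of the subtype tests would limit this path to data frames. The bounds tests also form `pdata + rtheader_len` before comparing, which points well past the buffer for a large length value; comparing `rtheader_len` with `end_of_data - pdata` avoids that. Packet::ProcessLayer2() starts and ends outside the hunk.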
diff --git a/testing/btest/core/radiotap.bro b/testing/btest/core/radiotap.bro
new file mode 100644
index 0000000000..27513990f0
--- /dev/null
+++ b/testing/btest/core/radiotap.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r $TRACES/radiotap.pcap
+# @TEST-EXEC: btest-diff conn.log
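Review bot: This test diffs only conn.log, and the baseline shows two successful connections, so none of the new `truncated_radiotap_header` or `non_ip_packet_in_ieee802_11_radio_encapsulation` branches in Packet.cc appear to be exercised. A second trace with a cut-short radiotap or 802.11 header, checked with `# @TEST-EXEC: btest-diff weird.log`, would pin the bounds checks that this series adds. The `-C` flag also turns off checksum validation for the run; a one-line comment saying why this trace needs it would help the next reader.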