Merge remote-tracking branch 'origin/topic/seth/radiotap'

BIT-1526 #merged

* origin/topic/seth/radiotap:
  Improved Radiotap support and a test.
  Fixed RadioTap support (still "Works for Me")
  Initial commit of RadioTap encapsulation support)

CHANGES

@@ -1,4 +1,12 @@
 
+2.4-253 | 2016-01-20 17:41:20 -0800
+
+  * Support of RadioTap encapsulation for 802.11 (Seth Hall)
+
+    Radiotap support should be fully functional with Radiotap
+    packets that include IPv4 and IPv6. Other radiotap packets are
+    silently ignored.
+
 2.4-247 | 2016-01-19 10:19:48 -0800
 
   * Fixing C++11 compiler warnings. (Seth Hall)

NEWS

@@ -23,6 +23,8 @@ New Dependencies
 New Functionality
 -----------------
 
+- Bro now supports the Radiotap header for 802.11 frames.
+
 - Bro now tracks VLAN IDs. To record them inside the connection log,
   load protocols/conn/vlan-logging.bro.
 

VERSION

@@ -1 +1 @@
-2.4-247
+2.4-253

src/iosource/Packet.cc

@@ -83,6 +83,9 @@ int Packet::GetLinkHeaderSize(int link_type)
 	case DLT_PPP_SERIAL:	// PPP_SERIAL
 		return 4;
 
+	case DLT_IEEE802_11_RADIO:	// 802.11 plus RadioTap
+		return 59;
+
 	case DLT_RAW:
 		return 0;
 	}
@@ -251,6 +254,80 @@ void Packet::ProcessLayer2()
 		break;
 		}
 
+	case DLT_IEEE802_11_RADIO:
+		{
+		if ( pdata + 3 >= end_of_data )
+			{
+			Weird("truncated_radiotap_header");
+			return;
+			}
+		// Skip over the RadioTap header
+		int rtheader_len = (pdata[3] << 8) + pdata[2];
+		if ( pdata + rtheader_len >= end_of_data )
+			{
+			Weird("truncated_radiotap_header");
+			return;
+			}
+		pdata += rtheader_len;
+
+		int type_80211 = pdata[0];
+		int len_80211 = 0;
+		if ( (type_80211 >> 4) & 0x04 )
+			{
+			//identified a null frame (we ignore for now).  no weird.
+			return;
+			}
+		// Look for the QoS indicator bit.
+		if ( (type_80211 >> 4) & 0x08 )
+			len_80211 = 26;
+		else
+			len_80211 = 24;
+
+		if ( pdata + len_80211 >= end_of_data )
+			{
+			Weird("truncated_radiotap_header");
+			return;
+			}
+		// skip 802.11 data header
+		pdata += len_80211;
+
+		if ( pdata + 8 >= end_of_data )
+			{
+			Weird("truncated_radiotap_header");
+			return;
+			}
+		// Check that the DSAP and SSAP are both SNAP and that the control
+		// field indicates that this is an unnumbered frame.
+		// The organization code (24bits) needs to also be zero to
+		// indicate that this is encapsulated ethernet.
+		if ( pdata[0] == 0xAA && pdata[1] == 0xAA && pdata[2] == 0x03 &&
+		     pdata[3] == 0 && pdata[4] == 0 && pdata[5] == 0 )
+			{
+			pdata += 6;
+			}
+		else
+			{
+			// If this is a logical link control frame without the
+			// possibility of having a protocol we care about, we'll
+			// just skip it for now.
+			return;
+			}
+
+		int protocol = (pdata[0] << 8) + pdata[1];
+		if ( protocol == 0x0800 )
+			l3_proto = L3_IPV4;
+		else if ( protocol == 0x86DD )
+			l3_proto = L3_IPV6;
+		else
+			{
+			Weird("non_ip_packet_in_ieee802_11_radio_encapsulation");
+			return;
+			}
+		pdata += 2;
+
+		break;
+		}
+
 	default:
 		{
 		// Assume we're pointing at IP. Just figure out which version.

testing/btest/Baseline/core.radiotap/conn.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-01-19-09-01-31
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1439902891.705224	CXWv6p3arKYeMETxOg	172.17.156.76	61738	208.67.220.220	53	udp	dns	0.041654	35	128	SF	-	-	0	Dd	1	63	1	156	(empty)
+1439903050.580632	CjhGID4nQcgTWjvg4c	fe80::a667:6ff:fef7:ec54	5353	ff02::fb	5353	udp	dns	-	-	-	S0	-	-	0	D	1	328	0	0	(empty)
+#close	2016-01-19-09-01-31

testing/btest/core/radiotap.bro

@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r $TRACES/radiotap.pcap
+# @TEST-EXEC: btest-diff conn.log