From 30c28da0463c399d469bc14236eded128b58c27b Mon Sep 17 00:00:00 2001 From: Pierre LALET Date: Tue, 15 May 2018 10:14:57 +0200 Subject: [PATCH 1/2] Support 802.11 monitor mode --- src/iosource/Packet.cc | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 91bba76ba6..fedb795885 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -86,6 +86,9 @@ int Packet::GetLinkHeaderSize(int link_type) case DLT_PPP_SERIAL: // PPP_SERIAL return 4; + case DLT_IEEE802_11: // 802.11 monitor + return 34; + case DLT_IEEE802_11_RADIO: // 802.11 plus RadioTap return 59; @@ -279,12 +282,15 @@ void Packet::ProcessLayer2() } pdata += rtheader_len; + } + case DLT_IEEE802_11: + { u_char len_80211 = 24; // minimal length of data frames if ( pdata + len_80211 >= end_of_data ) { - Weird("truncated_radiotap_header"); + Weird("truncated_802_11_header"); return; } @@ -316,7 +322,7 @@ void Packet::ProcessLayer2() if ( pdata + len_80211 >= end_of_data ) { - Weird("truncated_radiotap_header"); + Weird("truncated_802_11_header"); return; } @@ -349,7 +355,7 @@ void Packet::ProcessLayer2() if ( pdata + 8 >= end_of_data ) { - Weird("truncated_radiotap_header"); + Weird("truncated_802_11_header"); return; } // Check that the DSAP and SSAP are both SNAP and that the control @@ -374,9 +380,11 @@ void Packet::ProcessLayer2() l3_proto = L3_IPV4; else if ( protocol == 0x86DD ) l3_proto = L3_IPV6; + else if ( protocol == 0x0806 || protocol == 0x8035 ) + l3_proto = L3_ARP; else { - Weird("non_ip_packet_in_ieee802_11_radio_encapsulation"); + Weird("non_ip_packet_in_ieee802_11"); return; } pdata += 2; From dfa392bd6cd187e46178c59b2499e120bf8feae7 Mon Sep 17 00:00:00 2001 
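Review bot: `return 34;` in the new `case DLT_IEEE802_11:` arm of GetLinkHeaderSize is an unexplained constant; the neighbouring arms only name the link type, so nothing tells a reader what the 34 bytes are made of or how it relates to the 59 returned for `DLT_IEEE802_11_RADIO`. Since the frame-parsing code later in this patch treats 24 bytes as the minimal 802.11 header and then expects an 8-byte LLC/SNAP header, the comment should spell out the intended breakdown, e.g. `case DLT_IEEE802_11:	// 802.11 monitor: 802.11 header plus LLC/SNAP (TODO: confirm breakdown matches ProcessLayer2)`. GetLinkHeaderSize begins and ends outside the hunk, so how callers use this value cannot be checked here.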
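Review bot: The added `}` / `case DLT_IEEE802_11:` / `{` lines in ProcessLayer2 make the `DLT_IEEE802_11_RADIO` arm fall through into the monitor-mode arm with no marker, so neither a reader nor `-Wimplicit-fallthrough` can tell the fall-through is deliberate. Add `// fall through: radiotap header consumed, the rest is a plain 802.11 frame` immediately before `case DLT_IEEE802_11:` (or `[[fallthrough]];` if the project's build standard permits it). The new braces also close the radiotap scope, so any locals declared there (such as `rtheader_len`) are no longer visible in the shared 802.11 code; that looks intentional (it lets the label be entered without jumping over an initialisation), but a one-line comment saying so would save the next maintainer the analysis. ProcessLayer2 starts and ends outside the hunk.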
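Review bot: The new `else if ( protocol == 0x0806 || protocol == 0x8035 )` / `l3_proto = L3_ARP;` branch widens the 802.11 path to ARP and RARP, which is a behaviour change separate from monitor-mode support and is not mentioned in the commit message; it also means the renamed weird `non_ip_packet_in_ieee802_11` now fires for fewer frames, so existing weird.log baselines may shift. Whether downstream ARP handling works for these frames depends on the layer-2 address fields having been set from the 802.11 header earlier in ProcessLayer2, which is outside the hunk and not covered by the new test (its baseline contains only two DNS flows), so it is worth confirming with an ARP-bearing capture. A comment such as `// ARP (0x0806) and RARP (0x8035), mirroring the Ethernet case` would document the intent.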
From: Pierre LALET
Date: Tue, 15 May 2018 17:59:26 +0200
Subject: [PATCH 2/2] Add a test for 802.11 monitor mode

---
 testing/btest/Baseline/core.wlanmon/conn.log | 11 +++++++++++
 testing/btest/Traces/wlanmon.pcap | Bin 0 -> 731 bytes
 testing/btest/core/wlanmon.bro | 2 ++
 3 files changed, 13 insertions(+)
 create mode 100644 testing/btest/Baseline/core.wlanmon/conn.log
 create mode 100644 testing/btest/Traces/wlanmon.pcap
 create mode 100644 testing/btest/core/wlanmon.bro

diff --git a/testing/btest/Baseline/core.wlanmon/conn.log b/testing/btest/Baseline/core.wlanmon/conn.log
new file mode 100644
index 0000000000..c88d32480e
--- /dev/null
+++ b/testing/btest/Baseline/core.wlanmon/conn.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2016-07-13-16-13-00
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 -
+1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 -
+#close 2016-07-13-16-13-00
diff --git a/testing/btest/Traces/wlanmon.pcap b/testing/btest/Traces/wlanmon.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a940ea1046ccc37f2f8d910d770270cded7231cf GIT binary patch literal 731 zcmZ`%O=uHQ5dPloCRrqhu0)F7`vh?s*FF%W-H51tqQE?)e@Q$??ZUOY&lfv)qqu>?zJc9!{l-^`o$?d_{I1seX5 z?*ld&r&zD}C9gq{E~UlJ;MS4Y{o=3Nu66hIpL1hs_sQxI!svEYitES&XTPrkmht@I zQ=@(1)AaiK@6*U&?ETM9f&uhNij=uix37s1cbu9~%Zu|e#MHwdIudmBiiS6oCZ(k$ z5x@n|0jNch0nj!^m4Ff$8G>!CtaTFCn{=}5?jTSvijeFpm&S?xeMLm2D&|B( zT@ZD6i6GVbjH4l8j+;}8m^#Gg_&m2|o_F3W$~g!u25tD==ErvW-in-Pds#z`{8DrU zn3$lPUNF(4YItjN_QkVco|`{P6k;QWztbdz=y5gd?@)$MbpzCkZNxU%$QJGGhIGsQ zX)Mh$Y?|en$!6$3v&&hQBs)u-Bkdrbl=-UdWHs(O9EdjM9LqRni)CJeGMQ9UnXHmB)s#6Nu@~aJQgOY)Ua8`hyb_N04;uP^Ad0bmOrxb0XcLLP q9VT6Y?llHHja^S^&!bblX31xV(a;0HxPvI&f{x+fMz6j+dFe0JGPl$K literal 0 HcmV?d00001 diff --git a/testing/btest/core/wlanmon.bro b/testing/btest/core/wlanmon.bro new file mode 100644 index 0000000000..b227baf7eb --- /dev/null +++ b/testing/btest/core/wlanmon.bro @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -C -r $TRACES/wlanmon.pcap +# @TEST-EXEC: btest-diff conn.log
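Review bot: The new wlanmon test only runs `btest-diff conn.log` on one capture, so the code paths this patch adds besides plain IP decoding, namely the `truncated_802_11_header` weirds and the ARP/RARP branch in Packet.cc, are not exercised. Adding `# @TEST-EXEC: btest-diff weird.log` would at least pin that a clean trace produces no weirds, and a trace with a truncated frame and an ARP frame would cover the remaining branches. The conn.log baseline shows just two UDP/DNS flows, which is the only behaviour this test currently guards.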