Question

I captured a beacon file (Linux Ubuntu, C, monitor mode) by using a libpcap filter like the one below:

#include <pcap.h>
struct bpf_program bpg;   /* compiled filter program */
char *filter = "wlan type mgt subtype beacon";
pcap_compile(pcd,&bpg,filter,-1,PCAP_NETMASK_UNKNOWN);
pcap_setfilter(pcd, &bpg);

I captured the beacon frame, but it includes a radiotap header (pcap_datalink() returns IEEE_802_11_RADIO).

But I want to save only the beacon frame (with the radiotap header removed) to the pcap file, and I cannot find any such option in the function pcap_dump().

Is there any method to save selected parts of a packet (removing the radiotap part)? Or is there any filtering option that helps me get only the beacon frame without radiotap?

Solution

Is there any method to save selected parts of a packet (removing the radiotap part)?

Yes.

First, if you're writing to a pcap file (which I'm assuming you're doing, as you mentioned pcap_dump()), do NOT use the pcap_t you got when you opened the Wi-Fi adapter as the argument to pcap_dump_open(). You will NOT be writing packets with radiotap headers to the pcap file, and passing the pcap_t you got when you opened the Wi-Fi adapter to pcap_dump_open() will mean that the file's link-layer header type will be DLT_IEEE802_11_RADIO, so other programs will interpret the file as containing packets with radiotap headers.

Instead, use pcap_open_dead() to create a fake pcap_t, and use DLT_IEEE802_11 as its link-layer header type, and use that in the pcap_dump_open() call.

Then, for each packet:

First, make sure that the "on-the-network length" (the len field of the struct pcap_pkthdr for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean the packet wasn't long enough to have a full radiotap header, which probably means there's a bug in the driver.

Then, make sure that the "captured data length" (the caplen field of the struct pcap_pkthdr for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean that there isn't enough captured data for a full radiotap header, which probably means your program specified a snapshot length that was too short.

Then fetch the it_len field from the radiotap header at the beginning of the packet. Note that it's little-endian, not big-endian, so you don't need to byte-swap it on little-endian processors (such as 32-bit and 64-bit x86 processors), and you do need to byte-swap it on big-endian processors (such as PowerPC when running Linux).

Then check to make sure the len and caplen fields of the struct pcap_pkthdr for the packet are both >= the it_len value.

Then copy the struct pcap_pkthdr for the packet to a separate struct pcap_pkthdr variable and subtract it_len from that separate variable's len and caplen fields. Get a pointer that points it_len bytes past the beginning of the packet, and pass that pointer, along with a pointer to the struct pcap_pkthdr variable from which you've subtracted it_len, to pcap_dump().
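
The per-packet checks described in the answer, carried through as an added C example (not code from the original post or from libpcap). It assumes no libpcap is linked: a local struct mirrors the len/caplen fields of struct pcap_pkthdr, and the pcap file header and record headers are written by hand with link type 105 (the value of DLT_IEEE802_11) instead of via pcap_open_dead()/pcap_dump_open()/pcap_dump(); the bytes on disk are the same. The sample packet is constructed, not a real capture, and the version-byte and it_len sanity checks are extra checks beyond the ones the answer lists.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the len/caplen fields of libpcap's struct pcap_pkthdr. Declared
 * locally (an assumption of this example) so it builds without libpcap. */
struct pkt_lengths {
    uint32_t caplen;   /* bytes actually captured */
    uint32_t len;      /* bytes on the air */
};

#define RADIOTAP_MIN_LEN 4        /* it_version, it_pad, it_len */
#define DLT_IEEE802_11_VALUE 105  /* link-layer type for plain 802.11 frames */

/* it_len is always little-endian on the wire; assemble it byte by byte so the
 * result is right on both little- and big-endian hosts. */
static uint16_t radiotap_it_len(const uint8_t *pkt)
{
    return (uint16_t)(pkt[2] | ((uint16_t)pkt[3] << 8));
}

/* The answer's per-packet checks. Returns it_len (bytes to skip) and fills *out
 * with the adjusted lengths, or -1 if the packet must be rejected. */
int strip_radiotap(const uint8_t *pkt, const struct pkt_lengths *in,
                   struct pkt_lengths *out)
{
    if (in->len < RADIOTAP_MIN_LEN)    return -1;  /* too short on the air: driver bug */
    if (in->caplen < RADIOTAP_MIN_LEN) return -1;  /* snaplen cut the header off */
    if (pkt[0] != 0)                   return -1;  /* extra check: radiotap version is always 0 */
    uint16_t it_len = radiotap_it_len(pkt);
    if (it_len < RADIOTAP_MIN_LEN)     return -1;  /* extra check: malformed header */
    if (in->len < it_len || in->caplen < it_len) return -1;
    out->len    = in->len    - it_len;
    out->caplen = in->caplen - it_len;
    return it_len;
}

/* pcap file layout written by hand (assumption: no libpcap available). With
 * libpcap you would call pcap_open_dead(DLT_IEEE802_11, snaplen),
 * pcap_dump_open() and pcap_dump() instead, as the answer says. */
struct pcap_file_hdr {
    uint32_t magic; uint16_t ver_major, ver_minor;
    int32_t thiszone; uint32_t sigfigs, snaplen, linktype;
};
struct pcap_rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };

int write_pcap_header(FILE *f, uint32_t snaplen)
{
    struct pcap_file_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, snaplen, DLT_IEEE802_11_VALUE };
    return fwrite(&h, sizeof h, 1, f) == 1 ? (int)sizeof h : -1;
}

/* Strip the radiotap header and append the bare 802.11 frame as one record.
 * Returns the number of frame bytes written, or -1 if the packet was rejected. */
int dump_stripped(FILE *f, const uint8_t *pkt, const struct pkt_lengths *in,
                  uint32_t ts_sec, uint32_t ts_usec)
{
    struct pkt_lengths out;
    int skip = strip_radiotap(pkt, in, &out);
    if (skip < 0) return -1;
    struct pcap_rec_hdr rh = { ts_sec, ts_usec, out.caplen, out.len };
    if (fwrite(&rh, sizeof rh, 1, f) != 1) return -1;
    if (fwrite(pkt + skip, 1, out.caplen, f) != out.caplen) return -1;
    return (int)out.caplen;
}

/* Constructed sample (not a real capture): an 8-byte radiotap header
 * (version 0, pad 0, it_len 8 little-endian, it_present 0) followed by a
 * 36-byte beacon: 24-byte MAC header + timestamp, interval, capabilities. */
const uint8_t SAMPLE_PKT[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,  /* radiotap header */
    0x80, 0x00, 0x00, 0x00,                          /* FC = beacon, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,              /* addr1: broadcast */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,              /* addr2 (constructed) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,              /* addr3 (constructed) */
    0x10, 0x00,                                      /* sequence control */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* timestamp */
    0x64, 0x00,                                      /* beacon interval */
    0x01, 0x04,                                      /* capabilities */
};
#define SAMPLE_LEN ((uint32_t)sizeof SAMPLE_PKT)

/* Round trip into a temporary file; returns the resulting file size in bytes. */
long demo_roundtrip(void)
{
    FILE *f = tmpfile();
    if (!f) return -1;
    struct pkt_lengths in = { SAMPLE_LEN, SAMPLE_LEN };
    if (write_pcap_header(f, 65535) < 0 || dump_stripped(f, SAMPLE_PKT, &in, 0, 0) < 0) {
        fclose(f);
        return -1;
    }
    long size = ftell(f);
    fclose(f);
    return size;
}

int main(void)
{
    printf("wrote %ld bytes: 24-byte pcap header + 16-byte record header + 36-byte beacon\n",
           demo_roundtrip());
    return 0;
}
```

The file produced opens as a plain 802.11 capture, since its link type is DLT_IEEE802_11 and the first byte of the record is the beacon's frame-control field. Both length checks are kept separate on purpose: a short len points at the driver, a short caplen at the program's own snaplen, and each is worth logging differently when diagnosing a capture.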

Licensed under: CC-BY-SA with attribution