Question

I am trying to sniff 802.11 packets on the Wi-Fi device in monitor mode. I am getting erroneous output. It is confirmed that I have to use link layer type as DLT_IEEE_802_11_RADIO (127). I am not getting the exact packet format as I have got for Ethernet. I want to take the MAC address and RSSI values from those packets. I am writing my code in C++. How do I access these values?

Solution

DLT_IEEE_802_11_RADIO

The tcpdump.org link-layer header types page says of LINKTYPE_IEEE802_11_RADIOTAP/DLT_IEEE802_11_RADIO:

LINKTYPE_IEEE802_11_RADIOTAP 127 DLT_IEEE802_11_RADIO Radiotap link-layer information followed by an 802.11 header.

The page linked to describes what the radiotap header looks like. It's somewhat complicated, so your code to handle it will be somewhat complicated, although if all you want is a signal strength indicator, that will be easier to do.

The signal strength will either be strength in dBm, i.e. decibels from 1 milliwatt, or strength in dB from some unspecified arbitrary reference point. Neither of those is "RSSI" as mentioned in the 802.11 specification, as they can be negative, but they're potentially more useful than "RSSI" as mentioned in the 802.11 specification, as all the 802.11 "RSSI" lets you do is compare whether one signal is stronger or weaker than another; you can't determine how much stronger or weaker it is or how much power the signal has.

Following the radiotap header is an 802.11 header. To find MAC addresses, see section 8 of the 802.11 standard. Note that there are more than two MAC addresses in many frames, because hosts don't necessarily send packets directly to other hosts; they might send them to an access point that forwards the packet to the destination host.
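The parsing described in the answer above, as an added C++ example that is not part of the original answer: it bounds-checks the radiotap length against the captured length, walks the present bitmap to the dBm antenna signal field, then reads the first two addresses of the 802.11 header. The names `WifiInfo`, `parse_frame` and `kSample` are hypothetical, the sample frame is constructed, and the code assumes only radiotap fields 0 to 5 matter (with FHSS aligned to 2 bytes).

```cpp
// Added example, not from the original answer; every name here is hypothetical.
#include <array>
#include <cstddef>
#include <cstdint>
using Mac = std::array<uint8_t, 6>;
struct WifiInfo {
    bool has_signal = false, has_addr2 = false;
    int8_t dbm_signal = 0;  // radiotap bit 5: antenna signal in dBm
    Mac addr1{}, addr2{};   // receiver; transmitter (management/data frames only)
};
static uint32_t le32(const uint8_t* p) { return p[0] | p[1] << 8 | p[2] << 16 | uint32_t(p[3]) << 24; }

// buf/caplen: packet bytes and captured length from a DLT_IEEE802_11_RADIO capture.
bool parse_frame(const uint8_t* buf, size_t caplen, WifiInfo& out) {
    out = WifiInfo();
    if (caplen < 8 || buf[0] != 0) return false;             // radiotap version is 0
    size_t rt_len = buf[2] | (buf[3] << 8);                  // it_len, little-endian
    if (rt_len < 8 || rt_len > caplen) return false;         // never trust it_len
    uint32_t present = le32(buf + 4);
    size_t off = 8;
    for (uint32_t w = present; w & 0x80000000u; off += 4) {  // bit 31: another bitmap
        if (off + 4 > rt_len) return false;
        w = le32(buf + off);
    }
    // {alignment, size} for bits 0..5: TSFT, Flags, Rate, Channel, FHSS, dBm signal
    static const uint8_t layout[6][2] = {{8, 8}, {1, 1}, {1, 1}, {2, 4}, {2, 2}, {1, 1}};
    for (int bit = 0; bit < 6; ++bit) {
        if (!(present & (1u << bit))) continue;
        size_t align = layout[bit][0], size = layout[bit][1];
        off = (off + align - 1) & ~(align - 1);              // aligned from header start
        if (off + size > rt_len) return false;
        if (bit == 5) { out.has_signal = true; out.dbm_signal = int8_t(buf[off]); }
        off += size;
    }
    const uint8_t* mac = buf + rt_len;                       // 802.11 header follows
    size_t mac_len = caplen - rt_len;
    if (mac_len < 10) return false;                          // fc + duration + addr1
    out.addr1 = Mac{{mac[4], mac[5], mac[6], mac[7], mac[8], mac[9]}};
    out.has_addr2 = ((mac[0] >> 2) & 3) != 1 && mac_len >= 16;  // type 1 = control
    if (out.has_addr2) out.addr2 = Mac{{mac[10], mac[11], mac[12], mac[13], mac[14], mac[15]}};
    return true;
}
// Constructed sample: radiotap (TSFT, Flags, Rate, Channel, -60 dBm) + beacon header.
const uint8_t kSample[] = {
    0x00, 0x00, 0x18, 0x00, 0x2f, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,  // hdr, TSFT
    0x00, 0x02, 0x6c, 0x09, 0xa0, 0x00, 0xc4, 0x00,  // flags, rate, channel, signal, pad
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  // fc, duration, addr1
    0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0, 0, 0x01, 0x00, 0x00};  // addr2, addr3, seq
int main() { WifiInfo w; return parse_frame(kSample, sizeof kSample, w) ? 0 : 1; }
```

On a `false` return the contents of `out` should be ignored, since the signal field may already have been filled before the 802.11 header turned out to be truncated.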

Licensed under: CC-BY-SA with attribution