Question

I'm trying to capture packets in monitor mode on my Mac for research issues. From these packets I need some special information, e.g. the RSSI. Unfortunately, the linktype says DLT_IEEE802_11_RADIO, but I actually expect DLT_PRISM_HEADER, because monitor mode should be turned on. This is a problem, because the radiotap header does not provide any RSSI value or other stuff I need.

Here is my code (I leave out the callback method and so forth):

#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <net/ethernet.h>

/* Packet callback; its definition is left out of the post */
void process_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);

int main(int argc, char *argv[])
{
    pcap_t *handle; /* Session handle */
    char *dev;  /* The device to sniff on */
    char errbuf[PCAP_ERRBUF_SIZE];  /* Error string */
    struct pcap_pkthdr header;  /* The header that pcap gives us */
    const u_char *packet;   /* The actual packet */
    struct ether_header *ether;  /* net/ethernet.h */

    /* Define the device */
    dev = pcap_lookupdev(errbuf);
    if(dev == NULL) {
        printf("Couldn't find default device: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }
    printf("Device: %s\n", dev);

    //handle = pcap_open_live(dev, 1562, 1, 500, errbuf);
    handle = pcap_create(dev, errbuf);
    if(handle == NULL) {
        printf("pcap_create failed: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }

    /* set monitor mode on */
    if(pcap_set_rfmon(handle, 1) != 0) {
        printf("monitor mode not available\n");
        exit(EXIT_FAILURE);
    }
    pcap_set_snaplen(handle, 2048);  // Set the snapshot length to 2048
    pcap_set_promisc(handle, 1); // Turn promiscuous mode on
    pcap_set_timeout(handle, 512); // Set the timeout to 512 milliseconds

    /* pcap_activate() returns a negative value on error and a positive
       value for a warning; the handle is only usable when it is >= 0 */
    int status = pcap_activate(handle);
    if(status < 0) {
        printf("activation failed: %s\n", pcap_statustostr(status));
        pcap_close(handle);
        exit(EXIT_FAILURE);
    } else if(status > 0) {
        printf("activation warning: %s\n", pcap_statustostr(status));
    }

    printf("link-type: %s\n", pcap_datalink_val_to_name(pcap_datalink(handle)));

    int loop = pcap_loop(handle, 1, process_packet, NULL);
    if(loop != 0) {
        printf("loop terminated before exhaustion: %d\n", loop);
    }

    /* And close the session */
    pcap_close(handle);

    return(0);
}

So does anybody know why I am receiving radiotap and not Prism, and what I should do instead? Again, I am coding under OS X.


Solution

> From these packets I need some special information, e.g. the RSSI.

Then, unless the driver will let you request PPI headers rather than radiotap headers - use pcap_list_datalinks() in monitor mode after calling pcap_activate() and, if that includes DLT_PPI, set the link-layer header type to DLT_PPI with pcap_set_datalink() - you're out of luck. If you can request PPI headers, then you might be able to get RSSI values from that header; see the PPI specification.

> Unfortunately, the linktype says DLT_IEEE802_11_RADIO, but I actually expect DLT_PRISM_HEADER, because monitor mode should be turned on.

There is no reason whatsoever, on an arbitrary operating system with an arbitrary Wi-Fi device and driver, to expect that you'll get Prism headers in monitor mode. If you get radio information at all, you get whatever header the driver writer supplies. These days, drivers tend to use radiotap - Linux mac80211 drivers, most *BSD drivers, and OS X drivers do.
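As an added example (not code from the question or the answer), this is what reading the signal value out of a PPI header looks like once pcap_datalink() reports DLT_PPI, with bounds checks on every length the header supplies. The field type, length, offset and "no value" marker are assumptions of this example taken from the 802.11-Common field in the PPI specification, and the names ppi_antsignal_dbm and ppi_sample are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPI_FIELD_80211_COMMON 2      /* pfh_type of the 802.11-Common field */
#define PPI_80211_COMMON_LEN   20     /* data length of that field */
#define PPI_SIGNAL_OFFSET      18     /* dBm-Antsignal byte inside the field */
#define PPI_SIGNAL_INVALID     (-128) /* "no value" marker for dBm-Antsignal */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Hypothetical helper: returns 0 and stores the signal in *dbm, or -1 when the
 * header is truncated, malformed, or carries no valid signal value. */
int ppi_antsignal_dbm(const uint8_t *pkt, size_t caplen, int8_t *dbm)
{
    if (caplen < 8 || pkt[0] != 0) return -1;    /* 8-byte header, version 0 */
    size_t hdrlen = le16(pkt + 2);               /* pph_len: header + all fields */
    if (hdrlen < 8 || hdrlen > caplen) return -1;
    size_t off = 8;
    while (hdrlen - off >= 4) {                  /* field: type(2) len(2) data */
        uint16_t type = le16(pkt + off);
        size_t len = le16(pkt + off + 2);
        off += 4;
        if (len > hdrlen - off) return -1;       /* field overruns the header */
        if (type == PPI_FIELD_80211_COMMON && len >= PPI_80211_COMMON_LEN) {
            int8_t v = (int8_t)pkt[off + PPI_SIGNAL_OFFSET];
            if (v == PPI_SIGNAL_INVALID) return -1;
            *dbm = v;
            return 0;
        }
        off += len;
    }
    return -1;
}

/* Constructed sample: one 802.11-Common field, signal -42 dBm, noise -95 dBm. */
const uint8_t ppi_sample[32] = {
    0x00, 0x00, 0x20, 0x00, 0x69, 0x00, 0x00, 0x00, /* ver, flags, len=32, dlt=105 */
    0x02, 0x00, 0x14, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, /* type=2, len=20, TSF timer */
    0x00, 0x00, 0x0c, 0x00, 0x6c, 0x09, 0xc0, 0x00, /* flags, rate, 2412 MHz, chan flags */
    0x00, 0x00, 0xd6, 0xa1                          /* FHSS x2, signal, noise */
};

int main(void)
{
    int8_t dbm;
    if (ppi_antsignal_dbm(ppi_sample, sizeof ppi_sample, &dbm) == 0)
        printf("signal: %d dBm\n", dbm);
    return 0;
}
```

In a pcap callback, the arguments would be the packet pointer and the header's caplen; the 802.11 frame itself starts pph_len bytes into the packet.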

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow