Question

I captured a beacon frame with the libpcap library (Ubuntu, C).

I changed the wlan interface to monitor mode and captured with the following function calls:

// 3000 is large enough number for test
pcd = pcap_open_live(dev,3000,PROMISCUOUS,-1,errbuf)  
// filter with "wlan type mgt subtype beacon"    
pcap_compile(pcd,&bpg,"wlan type mgt subtype beacon",1,PCAP_NETMASK_UNKNOWN)
pcap_setfilter(pcd, &bpg)

and the following is packet_view:

void packet_view(
    unsigned char *user,
    const struct pcap_pkthdr *h,
    const unsigned char *p
){
    bpf_u_int32 len = 0;
    (void)user;   /* callback argument, unused here */

    printf("PACKET\n");
    /* dump only the bytes actually captured (caplen), 16 per line;
       h->len is the on-the-wire length and may exceed what was captured */
    while(len < h->caplen) {
        printf("%02x ", *(p++));
        if(!(++len % 16))
            printf("\n");
    }
    printf("\n");
}

and I got the following result (just the most significant 32 bits):

00 00 12 00 2e 48 00 00 00 02 6c 09 a0 00 bb 01 
00 00 80 00 00 00 ff ff ff ff ff ff 00 08 9f bf 

but... actually a beacon frame must start with "08", because a beacon frame's protocol version = 00, type = 00 and subtype = 1000 => 00001000 (08).

What is the reason that I got a packet starting with 00, although I filtered with "wlan type mgt subtype beacon"?


Solution

You're missing one pcap call - a call to pcap_datalink().

Unless pcap_datalink() returns DLT_IEEE802_11, the packet does NOT begin with an 802.11 header. If, for example, it returns DLT_IEEE802_11_RADIO, the packet begins with a radiotap header, and has an 802.11 header after it; that looks like what your packet has.

See the tcpdump.org link-layer header types page for information on the values pcap_datalink() can return and the values that appear in pcap and pcap-ng files.
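The following is an added example, not code from the question or the answer above. It shows what the answer describes: using the link-layer type that pcap_datalink() reports to find where the 802.11 header actually starts, and only then testing the frame-control byte for a beacon. It assumes the DLT_ values are those from libpcap's pcap/dlt.h (copied here so the example compiles without libpcap installed); in a real program you would obtain the type with pcap_datalink(pcd) after pcap_open_live() and pass it in. The sample input is the 32 bytes printed in the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Values as defined in libpcap's pcap/dlt.h; defined here only so the
 * example builds without libpcap headers. In real code, include <pcap.h>
 * and use the value returned by pcap_datalink(). */
#ifndef DLT_IEEE802_11
#define DLT_IEEE802_11        105   /* raw 802.11 frame, no pseudo-header */
#endif
#ifndef DLT_IEEE802_11_RADIO
#define DLT_IEEE802_11_RADIO  127   /* radiotap header, then 802.11 frame */
#endif

/* Return the offset of the 802.11 MAC header inside pkt, or -1 if the
 * link-layer type is not handled or the capture is too short. */
int ieee80211_offset(int dlt, const uint8_t *pkt, size_t caplen)
{
    if (dlt == DLT_IEEE802_11)
        return 0;

    if (dlt == DLT_IEEE802_11_RADIO) {
        /* radiotap header: u8 it_version (must be 0), u8 it_pad,
         * u16 it_len (little-endian, whole header length), u32 it_present, ... */
        if (caplen < 8 || pkt[0] != 0)
            return -1;
        size_t it_len = (size_t)pkt[2] | ((size_t)pkt[3] << 8);
        if (it_len < 8 || it_len > caplen)
            return -1;
        return (int)it_len;
    }
    /* DLT_PRISM_HEADER, DLT_IEEE802_11_RADIO_AVS etc. are not handled here */
    return -1;
}

/* Frame control byte 0: bits 0-1 protocol version, bits 2-3 type,
 * bits 4-7 subtype. Beacon = version 0, type 0 (management), subtype 8,
 * i.e. the byte 0x80 (0x08 in the question is the nibbles swapped). */
int frame_is_beacon(const uint8_t *fc)
{
    unsigned version = fc[0] & 0x03;
    unsigned type    = (fc[0] >> 2) & 0x03;
    unsigned subtype = (fc[0] >> 4) & 0x0f;
    return version == 0 && type == 0 && subtype == 8;
}

/* Does the packet, as delivered under link type dlt, carry a beacon?
 * Requires the 2-byte frame control field to be within the capture. */
int packet_is_beacon(int dlt, const uint8_t *pkt, size_t caplen)
{
    int off = ieee80211_offset(dlt, pkt, caplen);
    if (off < 0 || (size_t)off + 2 > caplen)
        return 0;
    return frame_is_beacon(pkt + off);
}

/* Constructed input: the 32 bytes shown in the question. */
const uint8_t question_sample[32] = {
    0x00,0x00,0x12,0x00,0x2e,0x48,0x00,0x00,0x00,0x02,0x6c,0x09,0xa0,0x00,0xbb,0x01,
    0x00,0x00,0x80,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x08,0x9f,0xbf,
};

int main(void)
{
    size_t caplen = sizeof question_sample;
    int off = ieee80211_offset(DLT_IEEE802_11_RADIO, question_sample, caplen);
    if (off < 0) {
        printf("not a radiotap packet\n");
        return 1;
    }
    printf("radiotap header length: %d bytes\n", off);
    printf("frame control byte:     0x%02x\n", question_sample[off]);
    printf("beacon (radiotap):      %s\n",
           packet_is_beacon(DLT_IEEE802_11_RADIO, question_sample, caplen) ? "yes" : "no");
    /* Treating the same bytes as DLT_IEEE802_11 reads the radiotap version
     * byte (0x00) as frame control, which is the confusion in the question. */
    printf("beacon (as raw 802.11): %s\n",
           packet_is_beacon(DLT_IEEE802_11, question_sample, caplen) ? "yes" : "no");
    return 0;
}
```

On the question's bytes the radiotap length field (bytes 2-3, little-endian) is 0x0012 = 18, so the 802.11 frame control byte is at offset 18 and reads 0x80: a beacon, exactly as the BPF filter selected. Note that the filter is applied by libpcap with knowledge of the radiotap header, which is why "wlan type mgt subtype beacon" matched even though the buffer handed to the callback does not begin with the 802.11 header.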

Other tips

Set your filter to "link[0] == 0x80". Works for me!

Since apparently, per https://wiki.wireshark.org/CaptureFilters:

Capture WLAN traffic without Beacons: link[0] != 0x80

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow