Question

I captured beacon frames (Linux Ubuntu, C, monitor mode) using a libpcap filter like the one below:

struct bpf_program bpg;
const char *filter = "wlan type mgt subtype beacon";
if (pcap_compile(pcd, &bpg, filter, 1, PCAP_NETMASK_UNKNOWN) == -1 ||
    pcap_setfilter(pcd, &bpg) == -1)
    fprintf(stderr, "filter error: %s\n", pcap_geterr(pcd));

I captured the beacon frame, but it includes a radiotap header (pcap_datalink() returns DLT_IEEE802_11_RADIO).

But I want to save only the beacon frame (with the radiotap header removed) to a pcap file, and I cannot find such an option in pcap_dump().

Is there any method to save selected parts of a packet (removing the radiotap part)? Or is there any filtering option that gives me only the beacon frame without radiotap?


Solution

Is there any method to save selected parts of a packet (removing the radiotap part)?

Yes.

First, if you're writing to a pcap file (which I'm assuming you're doing, as you mentioned pcap_dump()), do NOT use the pcap_t you got when you opened the Wi-Fi adapter as the argument to pcap_dump_open(), as you will NOT be writing packets with radiotap headers to the pcap file, and passing the pcap_t you got when you opened the Wi-Fi adapter as the argument to pcap_dump_open() will mean that the file's link-layer header type will be DLT_IEEE802_11_RADIO, which means the file will be interpreted by other programs as having packets with radiotap headers.

Instead, use pcap_open_dead() to create a fake pcap_t, and use DLT_IEEE802_11 as its link-layer header type, and use that in the pcap_dump_open() call.

Then, for each packet:

First, make sure that the "on-the-network length" (the len field of the struct pcap_pkthdr for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean the packet wasn't long enough to have a full radiotap header, which probably means there's a bug in the driver.

Then, make sure that the "captured data length" (the caplen field of the struct pcap_pkthdr for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean that there isn't enough captured data for a full radiotap header, which probably means your program specified a snapshot length that was too short.

Then fetch the it_len field from the radiotap header at the beginning of the packet. Note that it's little-endian, not big-endian, so you don't need to byte-swap it on little-endian processors (such as 32-bit and 64-bit x86 processors), and you do need to byte-swap it on big-endian processors (such as PowerPC when running Linux).

Then check to make sure the len and caplen fields of the struct pcap_pkthdr for the packet are both >= the it_len value.

Then copy the struct pcap_pkthdr for the packet to a separate struct pcap_pkthdr variable, subtract it_len from that separate struct pcap_pkthdr variable's len and caplen variables, get a pointer that points it_len bytes past the beginning of the packet, and pass that pointer, and a pointer to the struct pcap_pkthdr variable from which you've subtracted it_len from the len and caplen values, to pcap_dump().
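The procedure above, carried through as an added example in C (this is not code from the original answer). To build stand-alone without libpcap, the local struct frame_hdr mirrors only the len and caplen fields of struct pcap_pkthdr, and the pcap_open_dead()/pcap_dump_open()/pcap_dump() wiring is shown in a comment in main(). The sample frame bytes are constructed, not captured; the it_version == 0 and it_len >= 8 checks go beyond what the answer lists (they are my addition; no radiotap header is shorter than its 8 fixed bytes). Reading it_len byte by byte sidesteps the host-endianness byte swap the answer describes.

```c
/* Added example (not from the original answer): strip the radiotap header
 * from a captured 802.11 frame before it goes to pcap_dump(). Builds
 * without libpcap: struct frame_hdr mirrors only the len and caplen
 * fields of struct pcap_pkthdr; the pcap calls are shown in main(). */
#include <stdint.h>
#include <stdio.h>

struct frame_hdr {
    uint32_t caplen;   /* bytes actually captured (pcap_pkthdr.caplen) */
    uint32_t len;      /* bytes on the air        (pcap_pkthdr.len)    */
};

#define RADIOTAP_MIN_LEN 8u   /* it_version, it_pad, it_len, it_present */

/* it_len is at offset 2 and is little-endian. Assembling it from the two
 * bytes is correct on both little- and big-endian hosts: no byte swap. */
static uint16_t radiotap_it_len(const uint8_t *pkt)
{
    return (uint16_t)(pkt[2] | (pkt[3] << 8));
}

/* 0 on success (out and *payload filled in), -1 if the frame is dropped.
 * The >= 4 and >= it_len checks are the answer's; it_version == 0 and
 * it_len >= 8 are an extra sanity check added here. */
int strip_radiotap(const struct frame_hdr *in, const uint8_t *pkt,
                   struct frame_hdr *out, const uint8_t **payload)
{
    uint16_t it_len;

    if (in->len < 4 || in->caplen < 4)      /* no room for it_len */
        return -1;
    if (pkt[0] != 0)                        /* unknown radiotap version */
        return -1;
    it_len = radiotap_it_len(pkt);
    if (it_len < RADIOTAP_MIN_LEN)          /* corrupt header */
        return -1;
    if (in->len < it_len || in->caplen < it_len)
        return -1;                          /* header cut off */

    out->len    = in->len    - it_len;
    out->caplen = in->caplen - it_len;
    *payload    = pkt + it_len;
    return 0;
}

/* Convenience wrapper: stripped caplen, or -1 if the frame was rejected. */
int stripped_caplen(uint32_t caplen, uint32_t len, const uint8_t *pkt)
{
    struct frame_hdr in = { caplen, len }, out;
    const uint8_t *frame;
    return strip_radiotap(&in, pkt, &out, &frame) == 0 ? (int)out.caplen : -1;
}

/* Management frame, subtype 8 (beacon): first frame-control byte is 0x80. */
int is_beacon(const uint8_t *frame, uint32_t caplen)
{
    return caplen >= 24 && frame[0] == 0x80;
}

/* Constructed sample, not a real capture: 8-byte radiotap header
 * (version 0, it_len = 8, no present fields) + 24-byte beacon MAC header
 * + 12 bytes of fixed beacon body (timestamp, interval, capability). */
const uint8_t sample_beacon[44] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,    /* radiotap */
    0x80, 0x00, 0x00, 0x00,                            /* FC, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,                /* DA: broadcast */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,                /* SA (made up) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,                /* BSSID */
    0x10, 0x00,                                        /* seq ctrl */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    /* timestamp */
    0x64, 0x00, 0x11, 0x04,                            /* interval, cap */
};

/* Constructed bad header: claims it_len = 0x20 but only 8 bytes exist. */
const uint8_t sample_bad_it_len[8] = { 0x00, 0x00, 0x20, 0x00, 0, 0, 0, 0 };

int main(void)
{
    struct frame_hdr in = { sizeof sample_beacon, sizeof sample_beacon }, out;
    const uint8_t *frame;

    if (strip_radiotap(&in, sample_beacon, &out, &frame) != 0) {
        puts("rejected");
        return 1;
    }
    printf("radiotap %u bytes, 802.11 frame %u bytes, beacon=%d\n",
           in.caplen - out.caplen, out.caplen, is_beacon(frame, out.caplen));
    /* With libpcap, 'out' and 'frame' are what goes to pcap_dump():
     *   pcap_t *dead = pcap_open_dead(DLT_IEEE802_11, snaplen);
     *   pcap_dumper_t *dump = pcap_dump_open(dead, "beacons.pcap");
     *   struct pcap_pkthdr h = *hdr;   (hdr as given by pcap_loop/next_ex)
     *   h.len = out.len; h.caplen = out.caplen;
     *   pcap_dump((u_char *)dump, &h, frame);                            */
    return 0;
}
```

The truncation cases matter in practice: a snapshot length shorter than the radiotap header (which varies per driver and per frame, since it_present selects which fields follow) makes caplen smaller than it_len, and the frame must be dropped rather than written with a negative or wrapped caplen.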

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow