Link-Layer Header
Adrian Granados

Link-Layer Header
• Wireless drivers can return custom or pseudo-headers detailing a number of pieces of information about the captured frames
• Pseudo-headers are not transmitted with the frame
• Information is passed from the driver to userspace applications such as tcpdump or Wireshark (or vice-versa from userspace to driver for frame injection)
• Pseudo-headers are only supplied if the adapter is put into Monitor mode
[Figure: frame layout as delivered to userspace: Pseudo-Header (driver dependent) | 802.11 MAC Header | 802.11 Frame Body | FCS. Only the MAC header, frame body and FCS are the bytes transmitted/received.]
Link-Layer Header Example
Monitor Mode
• Monitor (rfmon) mode allows you to capture 802.11 control, management and data frames on a channel
• The ability to set the wireless NIC into monitor mode depends on support within the wireless driver
• Monitor mode ≠ Promiscuous mode
• Promiscuous mode: broadcast frames and unicast frames from the network the adapter is associated with, on that network's channel
• Monitor mode: all frames, unicast and broadcast, on a particular channel, regardless of which network the frames belong to
Header Formats
• There are many link-layer header types
• We are interested in those providing 802.11 information
• Legacy formats:
• Prism
• 802.11 plus AVS radio information
• Per-Packet Information
• 802.11 plus Radiotap
• Vendor proprietary, e.g. Airopeek/Omnipeek header
Legacy Headers
• Prism
• Designed for use when developing drivers for the Prism II 802.11b card for Linux
• Fixed length (144 bytes) - channel, RSSI, signal, noise and other fields, but no FCS
• AVS Radio Information
• Designed to replace the Prism header format to capture information about 802.11a and 802.11g frames
• Fixed length (64 bytes) - PHY type, channel, signal, noise, etc.
Per-Packet Information
• Extensible meta-information header format originally developed to provide 802.11n radio information
• Header is made up of a packet header followed by zero or more fields
• Each field is a type-length-value (TLV) triplet
• 802.11-Common, 802.11n MAC Extensions, 802.11n MAC+PHY Extensions
Radiotap Header Format
• Allows the driver developer to specify an arbitrary number of fields
• Flexible and extendable
• Fields are strictly ordered
• Field lengths are implicit - based on field type
[Figure: Common 802.11 information derived from the link-layer header (e.g. PPI, Radiotap)]
Radiotap Present Flags
Common Radiotap Fields

Field            Definition
Channel          Tx/Rx frequency in MHz
Rate             Tx/Rx rate
Antenna signal   RF signal power at the antenna (dBm)
Antenna noise    RF noise power at the antenna (dBm)
Flags            Properties of Tx/Rx frames (encryption, fragmentation, FCS, etc.)
MCS              MCS rate index, also bandwidth, guard interval, HT format, etc.
A-MPDU status    Frame was received as part of an A-MPDU
Antenna          Index of the antenna used to transmit/receive the frame
VHT              Properties of VHT frames (STBC, guard interval, beamforming, etc.)
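The two Radiotap slides above (the header format and the common fields) are easiest to understand by walking a header byte by byte: the present bitmap says which fields exist, the field order is fixed by bit number, and each field's size and alignment are implied by its type, so a parser must stop at the first present bit it does not recognise. The following is an added example written for these notes, not code from the slides or from radiotap.org; the field table is taken from the radiotap.org definitions as I know them, and the capture bytes are constructed by hand (a beacon on 2437 MHz at 6 Mbps, -55 dBm, with a placeholder FCS).

```python
"""Decode a Radiotap pseudo-header and locate the 802.11 MAC header behind it.
Added example for these notes; sample bytes are constructed, not captured."""
import struct

# bit -> (name, alignment, size, struct format), from the radiotap.org field
# definitions.  Lengths are implicit, so an unknown present bit ends the walk.
RADIOTAP_FIELDS = {
    0:  ("tsft", 8, 8, "<Q"),              # MAC timestamp, microseconds
    1:  ("flags", 1, 1, "<B"),             # FCS present, short GI, ...
    2:  ("rate", 1, 1, "<B"),              # units of 500 kbps
    3:  ("channel", 2, 4, "<HH"),          # frequency in MHz, channel flags
    4:  ("fhss", 2, 2, "<BB"),
    5:  ("dbm_signal", 1, 1, "<b"),
    6:  ("dbm_noise", 1, 1, "<b"),
    7:  ("lock_quality", 2, 2, "<H"),
    8:  ("tx_attenuation", 2, 2, "<H"),
    9:  ("db_tx_attenuation", 2, 2, "<H"),
    10: ("dbm_tx_power", 1, 1, "<b"),
    11: ("antenna", 1, 1, "<B"),
    12: ("db_signal", 1, 1, "<B"),
    13: ("db_noise", 1, 1, "<B"),
    14: ("rx_flags", 2, 2, "<H"),
    19: ("mcs", 1, 3, "<BBB"),             # known, flags, MCS index
    20: ("ampdu_status", 4, 8, "<IHBB"),   # reference, flags, delimiter CRC, reserved
    21: ("vht", 2, 12, "<HBB4sBBH"),
}
FLAG_FCS_AT_END = 0x10  # bit in the "flags" field: the FCS follows the frame body


def parse_radiotap(buf):
    """Return the fields present in the Radiotap header at the start of buf."""
    if len(buf) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    if it_len > len(buf):
        raise ValueError("it_len %d exceeds captured length %d" % (it_len, len(buf)))
    # Bit 31 of a present word means another present word follows it.
    words = [present]
    off = 8
    while words[-1] & (1 << 31):
        if off + 4 > it_len:
            raise ValueError("truncated present bitmap")
        words.append(struct.unpack_from("<I", buf, off)[0])
        off += 4
    fields = {"header_len": it_len}
    # Only the first word is decoded; extra words carry the radiotap (bit 29)
    # or vendor (bit 30) namespaces, which this example does not interpret.
    for bit in range(29):
        if not words[0] & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break  # unknown field, unknown length: nothing after it can be located
        name, align, size, fmt = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) & ~(align - 1)  # natural alignment from header start
        if off + size > it_len:
            raise ValueError("field %s runs past it_len" % name)
        value = struct.unpack_from(fmt, buf, off)
        fields[name] = value[0] if len(value) == 1 else value
        off += size
    return fields


def describe_frame(buf):
    """Summarise the radio information and the 802.11 frame type behind it."""
    rt = parse_radiotap(buf)
    info = {"payload_offset": rt["header_len"],
            "has_fcs": bool(rt.get("flags", 0) & FLAG_FCS_AT_END)}
    if "channel" in rt:
        info["channel_mhz"] = rt["channel"][0]
    if "rate" in rt:
        info["rate_mbps"] = rt["rate"] * 0.5
    if "dbm_signal" in rt:
        info["signal_dbm"] = rt["dbm_signal"]
    if "antenna" in rt:
        info["antenna"] = rt["antenna"]
    mac = buf[rt["header_len"]:]
    if len(mac) >= 2:  # frame control: bits 2-3 type, bits 4-7 subtype
        info["type"] = (mac[0] >> 2) & 0x3
        info["subtype"] = (mac[0] >> 4) & 0xF
    return info


# Constructed capture: 16-byte Radiotap header followed by a minimal beacon.
SAMPLE_CAPTURE = bytes.fromhex(
    "00001000" "2e080000"           # version 0, it_len 16, present 0x82E
    "10" "0c" "8509c000" "c9" "00"  # flags=FCS, rate 12 (6 Mbps), 2437 MHz, -55 dBm, antenna 0
    "80000000"                      # 802.11 frame control 0x0080 (beacon), duration 0
    "ffffffffffff" "020000000001" "020000000001" "1000"
    "0000000000000000" "6400" "1104"  # beacon timestamp, interval, capabilities
    "deadbeef"                      # FCS placeholder, not a real CRC-32
)

if __name__ == "__main__":
    print(describe_frame(SAMPLE_CAPTURE))
```

Alignment is computed relative to the start of the Radiotap header, which is why the walk starts at offset 8 rather than at the buffer position of each field; a capture tool that ignores the alignment rule will read the Channel or A-MPDU fields from the wrong offset as soon as a one-byte field precedes them.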
Radiotap and 802.11ax
• Three new fields have been suggested:
• HE, HE-MU, HE-MU-other-user
• HE indicates frame was received or transmitted using the HE (802.11ax) PHY
Enabling Pseudo-Headers
1. Enable monitor mode
2. Choose link-layer header
[Screenshots: Wireshark and Airtool]
More Information
• Resources:
• www.radiotap.org
• Per-Packet Information Specification v1.0.7
• www.adriangranados.com/blog/link-layer-header-types
• Contact:
• @adriangranados
• www.adriangranados.com