Re: 802.11B and libpcap

From: David Hulton (dhultonat_private)
Date: Mon Sep 17 2001 - 15:33:33 PDT


    On Thursday 13 September 2001 13:24, you wrote:
    > I want to capture the 802.11B link layer data with Ethereal.
    > I've read that you need to patch your libpcap for use with 802.11B
    > networks.
    
    You can capture link layer data to a certain extent with lucent cards by 
    simply not converting the header received by the kernel from the card to a 
    standard ethernet header. If you look in the sources for linux/*bsd all they 
    do is remove the header received from the card and use it to fill in an 
    ethernet header so the kernel doesn't freak out. By removing this filter from 
    your kernel you can receive a header similar to:
    
    /*
     * Hermes transmit/receive frame structure
     */
    struct wi_frame {
            u_int16_t               wi_status;      /* 0x00 */
            u_int16_t               wi_rsvd0;       /* 0x02 */
            u_int16_t               wi_rsvd1;       /* 0x04 */
            u_int16_t               wi_q_info;      /* 0x06 */
            u_int16_t               wi_rsvd2;       /* 0x08 */
            u_int16_t               wi_rsvd3;       /* 0x0A */
            u_int16_t               wi_tx_ctl;      /* 0x0C */
            u_int16_t               wi_frame_ctl;   /* 0x0E */
            u_int16_t               wi_id;          /* 0x10 */
            u_int8_t                wi_addr1[6];    /* 0x12 */
            u_int8_t                wi_addr2[6];    /* 0x18 */
            u_int8_t                wi_addr3[6];    /* 0x1E */
            u_int16_t               wi_seq_ctl;     /* 0x24 */
            u_int8_t                wi_addr4[6];    /* 0x26 */
            u_int16_t               wi_dat_len;     /* 0x2C */
            u_int8_t                wi_dst_addr[6]; /* 0x2E */
            u_int8_t                wi_src_addr[6]; /* 0x34 */
            u_int16_t               wi_len;         /* 0x3A */
            u_int16_t               wi_dat[3];      /* 0x3C */ /* SNAP header */
            u_int16_t               wi_type;        /* 0x42 */
    };
    
    I have developed patches that allow you to receive packets with these frames 
    still intact using libpcap/bpf for OpenBSD, NetBSD, and FreeBSD. (I will be 
    releasing these patches, along with a BSD version of airsnort and a curses-based 
    wardriving application, in the next couple of days.) Furthermore, you 
    don't necessarily have to have your card in monitor mode (or how it's 
    referred to in the wlan-ng drivers) in order to crack wep. By simply putting 
    your prism2 card into ad-hoc mode at the right channel you can sniff wep 
    packets going across the air on that channel. Using that along with the 
    wi_addr4 wep IV in the frame you receive off of the card, you can look for 
    weak keys and crack them.
    
    > However on the tcpdump site I could not find any pointers to this
    > subject.
    >
    > Could anybody help me out here.
    >
    > Also, what is so special in the PRISMII cards that airsnort only works
    > with them, and can you recommend any card in particular.
    
    Prism2 cards will spit out wep packets being sent over the wire while in 
    ad-hoc mode. Orinoco cards will not. The reason why airsnort only works with 
    Prism2 cards is because of that. No wep packets, no crackage.
    
    Cheers,
    -David
    
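    As an added example (not David's patches or the BSD wi driver code), a small C decoder for the raw wi_frame header quoted above: it reads frame control, the three addresses and the data length, and, as the post describes, takes the WEP IV and key-id byte from the wi_addr4 slot when the protected bit is set. Field offsets come from the struct comments; the bit layout of the 802.11 frame control field is taken from the standard, and the sample header is constructed, not a real capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Field offsets taken from the wi_frame layout quoted in the post. */
#define WI_FRAME_LEN 0x44
#define WI_FRAME_CTL 0x0E
#define WI_ADDR1     0x12
#define WI_ADDR2     0x18
#define WI_ADDR3     0x1E
#define WI_ADDR4     0x26
#define WI_DAT_LEN   0x2C
struct wi_parsed {
    unsigned type, subtype;  /* 802.11 frame type and subtype */
    int      protected_flag; /* frame control bit 14: WEP in use */
    uint8_t  addr1[6], addr2[6], addr3[6];
    uint8_t  iv[3];          /* WEP IV, read from the wi_addr4 slot (per the post) */
    unsigned key_id;         /* top two bits of the byte after the IV */
    uint16_t dat_len;        /* payload length reported by the card */
};
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode one raw Hermes header. Returns 0 on success, -1 if the buffer is short. */
int wi_parse(const uint8_t *buf, size_t len, struct wi_parsed *out)
{
    if (buf == NULL || out == NULL || len < WI_FRAME_LEN) return -1;
    memset(out, 0, sizeof *out);
    uint16_t fc = le16(buf + WI_FRAME_CTL);  /* card fields are little-endian */
    out->type = (fc >> 2) & 0x3;
    out->subtype = (fc >> 4) & 0xf;
    out->protected_flag = (fc >> 14) & 1;
    memcpy(out->addr1, buf + WI_ADDR1, 6);
    memcpy(out->addr2, buf + WI_ADDR2, 6);
    memcpy(out->addr3, buf + WI_ADDR3, 6);
    out->dat_len = le16(buf + WI_DAT_LEN);
    if (out->protected_flag) {  /* the addr4 slot holds the IV only on WEP frames */
        memcpy(out->iv, buf + WI_ADDR4, 3);
        out->key_id = buf[WI_ADDR4 + 3] >> 6;
    }
    return 0;
}
/* Constructed sample header (not a real capture): a WEP-protected data frame. */
const uint8_t sample_frame[WI_FRAME_LEN] = {
    [0x0E] = 0x08, 0x40,                         /* frame ctl 0x4008: type 2, protected */
    [0x12] = 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* addr1 */
    [0x18] = 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, /* addr2 */
    [0x1E] = 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, /* addr3 */
    [0x26] = 0x1a, 0x2b, 0x3c, 0x40,             /* IV 1a:2b:3c, key id byte -> key 1 */
    [0x2C] = 0x40, 0x00,                         /* dat_len = 64 */
};
```

    On an unprotected frame the IV and key_id fields stay zero, since the addr4 slot then carries no WEP data.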
    