linux/Documentation/networking/mac80211-injection.txt
<<
>>
Prefs
   1How to use packet injection with mac80211
   2=========================================
   3
   4mac80211 now allows arbitrary packets to be injected down any Monitor Mode
   5interface from userland.  The packet you inject needs to be composed in the
   6following format:
   7
   8 [ radiotap header  ]
   9 [ ieee80211 header ]
  10 [ payload ]
  11
  12The radiotap format is discussed in
  13./Documentation/networking/radiotap-headers.txt.
  14
  15Despite 13 radiotap argument types are currently defined, most only make sense
  16to appear on received packets.  The following information is parsed from the
  17radiotap headers and used to control injection:
  18
  19 * IEEE80211_RADIOTAP_RATE
  20
  21   rate in 500kbps units, automatic if invalid or not present
  22
  23
  24 * IEEE80211_RADIOTAP_ANTENNA
  25
  26   antenna to use, automatic if not present
  27
  28
  29 * IEEE80211_RADIOTAP_DBM_TX_POWER
  30
  31   transmit power in dBm, automatic if not present
  32
  33
  34 * IEEE80211_RADIOTAP_FLAGS
  35
  36   IEEE80211_RADIOTAP_F_FCS: FCS will be removed and recalculated
  37   IEEE80211_RADIOTAP_F_WEP: frame will be encrypted if key available
  38   IEEE80211_RADIOTAP_F_FRAG: frame will be fragmented if longer than the
  39                              current fragmentation threshold. Note that
  40                              this flag is only reliable when software
  41                              fragmentation is enabled)
  42
  43The injection code can also skip all other currently defined radiotap fields
  44facilitating replay of captured radiotap headers directly.
  45
  46Here is an example valid radiotap header defining these three parameters
  47
  48        0x00, 0x00, // <-- radiotap version
  49        0x0b, 0x00, // <- radiotap header length
  50        0x04, 0x0c, 0x00, 0x00, // <-- bitmap
  51        0x6c, // <-- rate
  52        0x0c, //<-- tx power
  53        0x01 //<-- antenna
  54
  55The ieee80211 header follows immediately afterwards, looking for example like
  56this:
  57
  58        0x08, 0x01, 0x00, 0x00,
  59        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  60        0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
  61        0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
  62        0x10, 0x86
  63
  64Then lastly there is the payload.
  65
  66After composing the packet contents, it is sent by send()-ing it to a logical
  67mac80211 interface that is in Monitor mode.  Libpcap can also be used,
  68(which is easier than doing the work to bind the socket to the right
  69interface), along the following lines:
  70
  71        ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
  72...
  73        r = pcap_inject(ppcap, u8aSendBuffer, nLength);
  74
  75You can also find sources for a complete inject test applet here:
  76
  77http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer
  78
  79Andy Green <andy@warmcat.com>
  80
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.