Reputation: 315
I'm writing a C sniffer with pcap (on my own recorded .cap streams). I need to detect EAP packets, which carry 802.1X authentication, but I don't know how to distinguish them from other packets. Using Wireshark it seems to be a field in the LLC layer (value 888e), but I don't know how to find out if LLC is present or not.
Here is an example of an EAP packet:
000018006e48000000169e09a000cd8103000000000000000802d50074f06d40a6a3000cf635dfab000cf635dfab90a6aaaa03000000888e0103005f02008a001000000000000000cbd5c0958cc32b7b3ae762c43b41436059e54cb48f224d35718613838d9640644d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Thanks a lot!
Upvotes: 1
Views: 1327
To be precise, on Ethernet, the Ethernet type field for EAP-over-LAN (EAPOL) packets is 0x888e (as per section 7.2 "EAPOL MPDU format for use with IEEE 802.3/Ethernet" of IEEE Standard 802.1X-2004), and on networks using IEEE 802.2 LLC, such as 802.11, the LLC header for EAPOL packets has a DSAP of 0xAA, indicating SNAP, and is followed by a SNAP header with an OUI of 0x000000 (meaning "the protocol ID is an Ethernet type") and a protocol ID of 0x888e (as that's the Ethernet type value for EAPOL).
So, for packets on 802.11, check for Data frames (rather than Management or Control frames), and then look at the 802.2 LLC header following the 802.11 header (all 802.11 Data frames have an 802.2 LLC header), and then check for a DSAP of 0xAA and, if you see that, check the SNAP header following the 802.2 header for an OUI of 0x000000 and a protocol ID of 0x888e.
Upvotes: 2
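A C check implementing both cases the answer describes (EtherType on Ethernet, 802.11 Data frame then LLC/SNAP), added here as an example rather than code from the question or answer. It assumes libpcap's numeric DLT values for the link types, uses the first 60 bytes of the capture from the question as a sample, and the two Ethernet frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* libpcap link-layer numbers (DLT_EN10MB, DLT_IEEE802_11, DLT_IEEE802_11_RADIO),
 * repeated here so the file also builds without pcap.h. */
#define LT_ETHERNET       1
#define LT_IEEE802_11   105
#define LT_RADIOTAP     127
#define ETHERTYPE_EAPOL 0x888e

/* 802.2 LLC + SNAP: DSAP AA, SSAP AA, ctrl 03, OUI 00-00-00, EtherType 88-8E */
static const uint8_t snap_eapol[8] = {0xaa,0xaa,0x03,0x00,0x00,0x00,0x88,0x8e};

/* Returns 1 if the frame carries EAPOL, 0 if not (or if it cannot be parsed). */
int is_eapol(const uint8_t *p, size_t len, int linktype)
{
    size_t off = 0;
    if (linktype == LT_ETHERNET)            /* dst(6) src(6) EtherType(2, big-endian) */
        return len >= 14 && ((p[12] << 8) | p[13]) == ETHERTYPE_EAPOL;
    if (linktype == LT_RADIOTAP) {          /* version(1) pad(1) length(2, little-endian) */
        if (len < 8) return 0;
        off = (size_t)p[2] | ((size_t)p[3] << 8);
        if (off < 8 || off > len) return 0;
    } else if (linktype != LT_IEEE802_11) {
        return 0;
    }
    if (len - off < 2) return 0;
    uint8_t fc0 = p[off], fc1 = p[off + 1];  /* 802.11 Frame Control */
    if ((fc0 & 0x0c) != 0x08) return 0;      /* type 2 = Data; Mgmt/Control carry no LLC */
    if (fc0 & 0x40) return 0;                /* "null"/no-data subtypes have no body */
    if (fc1 & 0x40) return 0;                /* Protected: the LLC header is encrypted */
    size_t hdr = 24;
    if ((fc1 & 0x03) == 0x03) hdr += 6;      /* ToDS+FromDS (WDS): Address 4 present */
    if (fc0 & 0x80) {                        /* QoS Data: 2-byte QoS Control ... */
        hdr += 2;
        if (fc1 & 0x80) hdr += 4;            /* ... plus HT Control when Order is set */
    }
    if (len - off < hdr + sizeof snap_eapol + 4) return 0;  /* + 4-byte EAPOL header */
    off += hdr;
    return memcmp(p + off, snap_eapol, sizeof snap_eapol) == 0;
}

/* First 60 bytes of the radiotap capture from the question (an EAPOL-Key frame). */
const uint8_t sample_radiotap_eapol[] = {
    0x00,0x00,0x18,0x00,0x6e,0x48,0x00,0x00,0x00,0x16,0x9e,0x09,0xa0,0x00,0xcd,0x81,
    0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,                      /* radiotap, 24 bytes */
    0x08,0x02,0xd5,0x00,0x74,0xf0,0x6d,0x40,0xa6,0xa3,0x00,0x0c,0xf6,0x35,0xdf,0xab,
    0x00,0x0c,0xf6,0x35,0xdf,0xab,0x90,0xa6,                      /* 802.11 Data, FromDS */
    0xaa,0xaa,0x03,0x00,0x00,0x00,0x88,0x8e, 0x01,0x03,0x00,0x5f  /* LLC/SNAP + EAPOL */
};
/* Constructed Ethernet frames: an EAPOL-Start and an IPv4 frame (EtherType 0x0800). */
const uint8_t sample_eth_eapol[] = {0x01,0x80,0xc2,0,0,3, 0,0,0,0,0,1, 0x88,0x8e, 1,1,0,0};
const uint8_t sample_eth_ipv4[]  = {0,0,0,0,0,2, 0,0,0,0,0,1, 0x08,0x00, 0x45,0,0,0x14};
```

In a pcap loop, pass `pcap_datalink(handle)` as `linktype` and the packet and `caplen` from `pcap_next_ex`; frames captured on a monitor interface that are already decrypted by the driver are the only 802.11 case where the Protected bit is clear and the LLC header is readable.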