Reputation: 15
I captured beacon frames (Linux Ubuntu, C, monitor mode) by using a libpcap filter like the one below:
```c
struct bpf_program bpg;   /* compiled BPF program, filled in by pcap_compile() */
char *filter = "wlan type mgt subtype beacon";
if (pcap_compile(pcd, &bpg, filter, -1, PCAP_NETMASK_UNKNOWN) == -1)
    fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(pcd));
else if (pcap_setfilter(pcd, &bpg) == -1)
    fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(pcd));
```
I captured the beacon frame, but it includes a radiotap header (pcap_datalink() returns IEEE_802_11_RADIO).
But I want to save only the beacon frame (remove the radiotap header) to a pcap file, and I cannot find such an option in the function pcap_dump().
Is there any method to save selective parts (remove the radiotap part) of a packet? Or is there any filtering option that helps me to get only the beacon frame without radiotap?
Upvotes: 1
Views: 1206
Reputation:
> Is there any method to save selective parts (remove radiotap part) of packet??

Yes.

First, if you're writing to a pcap file (which I'm assuming you're doing, as you mentioned `pcap_dump()`), do NOT use the `pcap_t` you got when you opened the Wi-Fi adapter as the argument to `pcap_dump_open()`, as you will NOT be writing packets with radiotap headers to the pcap file, and passing the `pcap_t` you got when you opened the Wi-Fi adapter as the argument to `pcap_dump_open()` will mean that the file's link-layer header type will be `DLT_IEEE802_11_RADIO`, which means the file will be interpreted by other programs as having packets with radiotap headers.

Instead, use `pcap_open_dead()` to create a fake `pcap_t`, and use `DLT_IEEE802_11` as its link-layer header type, and use that in the `pcap_dump_open()` call.

Then, for each packet:

First, make sure that the "on-the-network length" (the `len` field of the `struct pcap_pkthdr` for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean the packet wasn't long enough to have a full radiotap header, which probably means there's a bug in the driver.

Then, make sure that the "captured data length" (the `caplen` field of the `struct pcap_pkthdr` for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean that there isn't enough captured data for a full radiotap header, which probably means your program specified a snapshot length that was too short.

Then fetch the `it_len` field from the radiotap header at the beginning of the packet. Note that it's little-endian, not big-endian, so you don't need to byte-swap it on little-endian processors (such as 32-bit and 64-bit x86 processors), and you do need to byte-swap it on big-endian processors (such as PowerPC when running Linux).

Then check to make sure the `len` and `caplen` fields of the `struct pcap_pkthdr` for the packet are both >= the `it_len` value.

Then copy the `struct pcap_pkthdr` for the packet to a separate `struct pcap_pkthdr` variable, subtract `it_len` from that separate `struct pcap_pkthdr` variable's `len` and `caplen` variables, get a pointer that points `it_len` bytes past the beginning of the packet, and pass that pointer, and a pointer to the `struct pcap_pkthdr` variable from which you've subtracted `it_len` from the `len` and `caplen` values, to `pcap_dump()`.
Upvotes: 3
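The per-packet checks and header adjustment described in the answer above, as an added example in C that is not part of the original post. The stripping logic is kept free of libpcap so it runs stand-alone: `strip_radiotap`, the `pkt_lens` helper type (a stand-in for the two `struct pcap_pkthdr` length fields) and the sample packet bytes are constructed here, and the comment in `main` shows where the `pcap_open_dead()`/`pcap_dump()` calls from the answer would be wired in.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirror of the two struct pcap_pkthdr length fields the checks depend on,
 * so this block compiles without pcap.h (hypothetical helper type). */
struct pkt_lens { uint32_t caplen; uint32_t len; };
#define RADIOTAP_FIXED_LEN 8  /* it_version, it_pad, it_len, it_present */

/* Validate the radiotap header in front of pkt. Returns it_len (the offset
 * of the 802.11 frame) and reduces both lengths in *lens so they describe
 * the frame alone, or -1 if the packet must be rejected rather than dumped. */
int strip_radiotap(const uint8_t *pkt, struct pkt_lens *lens)
{
    /* No room even for the it_len field: driver bug or snaplen too short. */
    if (lens->len < 4 || lens->caplen < 4)
        return -1;
    /* it_len is little-endian on the wire; assembling it byte-wise is
     * correct on big-endian hosts too, with no explicit byte swap. */
    uint16_t it_len = (uint16_t)(pkt[2] | (pkt[3] << 8));
    /* Sanity check added beyond the answer: a header shorter than its own
     * fixed fields is corrupt, so reject it as well. */
    if (it_len < RADIOTAP_FIXED_LEN)
        return -1;
    if (lens->len < it_len || lens->caplen < it_len)
        return -1;
    lens->len    -= it_len;
    lens->caplen -= it_len;
    return it_len;
}

/* Constructed sample: 12-byte radiotap header (version 0, it_len = 12,
 * it_present = 0, 4 bytes padding) followed by the 24-byte MAC header of a
 * beacon frame (frame control 0x0080 = management / beacon). */
static const uint8_t sample_pkt[36] = {
    0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00 };

int main(void)
{
    struct pkt_lens lens = { sizeof sample_pkt, sizeof sample_pkt };
    int off = strip_radiotap(sample_pkt, &lens);
    if (off < 0) { puts("rejected"); return 1; }
    /* Real program: copy the pcap_pkthdr, set caplen/len from lens, and call
     * pcap_dump((u_char *)dumper, &copy, pkt + off) on a dumper opened with
     * pcap_dump_open(pcap_open_dead(DLT_IEEE802_11, snaplen), path). */
    printf("802.11 frame at offset %d: caplen %u, len %u, fc 0x%02x%02x\n",
           off, lens.caplen, lens.len, sample_pkt[off + 1], sample_pkt[off]);
    return 0;
}
```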