802.11 frames

Dear Zeek Community,

I’m new to Zeek, but I’m now working on a project and I need to solve a problem with anomaly detection on Wi-Fi. Is there any possibility to detect frames specific to 802.11, like EAPOL frames?

Thanks in advance,

Karel K.

hi Karel

The ethertype in an EAPOL frame should be 0x888e (https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/).

In a pcap file it would be possible to distinguish EAPOL frames from other frames.

I’m not sure if zeek will process EAPOL frames (however, I’m not an expert on this matter). In the past I had to modify the source code in order to process frames that weren’t IPv4, IPv6 or ARP ethertypes.

Martin
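To make the ethertype check concrete, here is an added example (my own code, not Martin's and not a Zeek script) that picks EAPOL frames out of raw Ethernet frames purely by the 0x888e ethertype, decodes the 4-byte EAPOL header, and applies one "condition, then action" rule. It also handles the two cases that trip up a naive check: an 802.1Q VLAN tag that pushes the real ethertype 4 bytes further in, and truncated frames. The sample frames, MAC addresses and the flood threshold are constructed for the demonstration.

```python
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E   # EAPOL / IEEE 802.1X ethertype (as in the thread)
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag; the real ethertype follows 4 bytes later
ETHERTYPE_IPV4 = 0x0800

# EAPOL packet types defined by IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into header fields and payload.

    One 802.1Q tag is skipped so the ethertype check is not fooled by
    VLAN tagging. Raises ValueError on truncated frames.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": mac(dst), "src": mac(src), "ethertype": etype,
            "vlan": vlan, "payload": frame[offset:]}


def parse_eapol(payload: bytes) -> dict:
    """Decode the EAPOL header: protocol version, packet type, body length."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if len(payload) - 4 < length:
        raise ValueError("EAPOL body length exceeds frame")
    return {"version": version, "type": ptype,
            "type_name": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "body": payload[4:4 + length]}


def find_eapol(frames):
    """Return one record per EAPOL frame; other ethertypes and junk are skipped."""
    found = []
    for frame in frames:
        try:
            eth = parse_ethernet(frame)
            if eth["ethertype"] != ETHERTYPE_EAPOL:
                continue
            eapol = parse_eapol(eth["payload"])
        except ValueError:
            continue
        found.append({"src": eth["src"], "dst": eth["dst"], "vlan": eth["vlan"],
                      "eapol_type": eapol["type_name"],
                      "body_len": len(eapol["body"])})
    return found


def eapol_start_flood(records, threshold=3):
    """Illustrative rule: sources that sent more than `threshold` EAPOL-Start
    frames (threshold is a constructed value, tune it to the network)."""
    counts = Counter(r["src"] for r in records if r["eapol_type"] == "EAPOL-Start")
    return sorted(src for src, n in counts.items() if n > threshold)


# --- constructed sample frames, not captured traffic ---
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
STA = bytes.fromhex("020000000001")         # constructed station MAC
AP = bytes.fromhex("020000000002")          # constructed access point MAC


def eth(dst, src, etype, payload, vlan=None):
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", etype) + payload


EAPOL_START = struct.pack("!BBH", 1, 1, 0)                   # v1, type 1, empty body
EAPOL_KEY = struct.pack("!BBH", 2, 3, 3) + b"\x02\x00\x8a"   # v2, type 3, 3-byte dummy body

SAMPLE_FRAMES = [
    eth(PAE_GROUP, STA, ETHERTYPE_EAPOL, EAPOL_START),
    eth(STA, AP, ETHERTYPE_EAPOL, EAPOL_KEY, vlan=10),        # VLAN-tagged, still EAPOL
    eth(AP, STA, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),     # IPv4, ignored
    eth(PAE_GROUP, STA, ETHERTYPE_EAPOL, EAPOL_START)[:15],   # truncated, skipped
] + [eth(PAE_GROUP, STA, ETHERTYPE_EAPOL, EAPOL_START)] * 4

if __name__ == "__main__":
    recs = find_eapol(SAMPLE_FRAMES)
    for r in recs:
        print(r)
    print("EAPOL-Start flood from:", eapol_start_flood(recs))
```

The ethertype test alone answers "is this EAPOL?"; the EAPOL packet type is what a detection rule usually keys on, since EAPOL-Start, EAPOL-Logoff and EAPOL-Key frames mean very different things on the link. Whatever tool does the matching, check the ethertype after any VLAN tag and reject frames too short to carry the header, otherwise tagged or cut-off frames silently disappear from the count.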

hi Martin,

thank you for your help. I have already tried working with Wireshark, and there it is easy to select only EAPOL frames. But I need to find these frames within Zeek and to take some action when a specific condition occurs. I was looking for any possibility to work with ether proto and then specify 0x888e.

thank you