I dumped a bunch of packets off a wireless network to a pcap file.
tcpdump says the link-type is IEEE802_11_RADIO. If I try to run Bro
against the file, I get "unknown data link type 0x7f". I assume this
means Bro doesn't understand the link layer data, since it's not
[Error is from PktSrc.cc PktSrc::SetHdrSize()]
So, is there a way to tell Bro to just ignore the link layer? Or
would it then not know where the layer 3 data starts? And if there is
not, does anyone know a tool that will strip the 802.11 headers and replace
them with fake Ethernet headers so I can use Bro on the traffic?
The IEEE802_11_RADIO linktype adds a bunch of information from the radio before the actual ethernet header, and it appears that this info is variable length. The problem is that Bro doesn't have support for this linktype, and so Bro doesn't know where the IP header starts. Since this linktype adds a variable-length header it's not straightforward to add support for it (although it's probably not too hard either). (For fixed-length headers one would just add an appropriate case to get_link_header_size() in PktSrc.cc.)
I've added a feature request to Bro's tracker for that though.
If you can capture new traces, then depending on your OS and tcpdump version you can run tcpdump *without* the "-I" option or with a "-y EN10MB" option. Then tcpdump records plain old Ethernet-only headers that Bro can deal with.
Unfortunately, I don't know of a tool that can convert from IEEE802_11_RADIO to EN10MB
It turns out that if you force tcpdump to output IEEE802_11 (without
the _RADIO), you get a standard, fixed-length 802.11 header of 32
bytes. I added an entry for that in get_link_header_size() in
PktSrc.cc and now Bro works like a charm on live WiFi traffic. I'll
submit a patch tomorrow.
Note however that libpcap's filter code generation treats both IEEE802_11 and IEEE802_11_RADIO as having a variable-length header. It might well be that the variable part only varies between drivers, so it might be a constant 32 bytes with your NIC but not necessarily with others. (I might be wrong though. I didn't find a specification for these DLTs, just guessing from glancing at libpcap.)
Thanks for reminding me - I forgot that the header size will, at a
minimum, change if you use WEP/WPA*. I'll take a look at this some
more and see if I can write a patch to cover all the cases (at least
without the radio headers).
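Since nobody in the thread had a converter at hand, here is an added example (my own code, not Bro's and not posted by anyone above) that does what the original question asked for: it strips the radiotap and 802.11 headers from a DLT_IEEE802_11_RADIO (127) or DLT_IEEE802_11 (105) pcap and writes a DLT_EN10MB (1) pcap with rebuilt Ethernet II headers. It also makes the points raised later in the thread concrete: the radiotap header carries its own little-endian length field at bytes 2-3, so it can be skipped without knowing which radio fields are present, and the 802.11 MAC header is 24 bytes only in the simplest case (3-address, non-QoS data, which together with the 8-byte LLC/SNAP header gives the 32 bytes observed above); WDS frames add a 6-byte fourth address, QoS data frames add a 2-byte QoS control field, and a set Order bit on a QoS frame adds a 4-byte HT control field. Protected frames (WEP/TKIP/CCMP) are dropped rather than converted, because the IV follows the header and the payload is ciphertext anyway. The sample capture at the bottom is constructed inline, not taken from the poster's trace; the script uses only the standard library.

```python
#!/usr/bin/env python3
"""Rewrite an 802.11 (with or without radiotap) pcap as a plain Ethernet pcap.

Only unencrypted data frames carrying an LLC/SNAP header are converted;
management, control, null-data and Protected frames are dropped, since they
carry no usable IP payload for an Ethernet-only tool.
"""
import struct
import sys

DLT_EN10MB = 1
DLT_IEEE802_11 = 105
DLT_IEEE802_11_RADIO = 127


def radiotap_len(pkt):
    """Radiotap header: u8 version (always 0), u8 pad, u16 LE total length."""
    if len(pkt) < 4 or pkt[0] != 0:
        raise ValueError("not a radiotap header")
    return struct.unpack_from("<H", pkt, 2)[0]


def dot11_header_len(frame):
    """Length of the 802.11 MAC header, or None if the frame carries no LLC payload."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    if ftype != 2 or subtype & 0x4:      # not a data frame, or null data (no body)
        return None
    hlen = 24                            # FC, duration, A1..A3, sequence control
    if flags & 0x03 == 0x03:             # ToDS+FromDS: 4-address (WDS) frame
        hlen += 6
    if subtype & 0x8:                    # QoS data: 2-byte QoS control field
        hlen += 2
        if flags & 0x80:                 # Order bit on QoS data: 4-byte HT control
            hlen += 4
    return hlen


def dot11_to_ethernet(frame):
    """Rebuild an Ethernet II frame from a plaintext 802.11 data frame, else None."""
    hlen = dot11_header_len(frame)
    if hlen is None or len(frame) < hlen + 8:
        return None
    flags = frame[1]
    if flags & 0x40:                     # Protected: WEP/TKIP/CCMP IV, ciphertext body
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    ds = flags & 0x03                    # address meaning depends on ToDS/FromDS
    if ds == 0:
        dst, src = a1, a2                # IBSS / direct: A1=DA, A2=SA
    elif ds == 1:
        dst, src = a3, a2                # ToDS: A1=BSSID, A2=SA, A3=DA
    elif ds == 2:
        dst, src = a1, a3                # FromDS: A1=DA, A2=BSSID, A3=SA
    else:
        dst, src = a3, frame[24:30]      # WDS: A3=DA, A4=SA
    llc = frame[hlen:hlen + 8]
    if llc[:6] != b"\xaa\xaa\x03\x00\x00\x00":   # LLC/SNAP with RFC 1042 OUI
        return None
    return dst + src + llc[6:8] + frame[hlen + 8:]   # EtherType sits after the OUI


def read_pcap(data):
    """Parse a classic pcap (either byte order) into (linktype, [(sec, usec, bytes)])."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        pkts.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, pkts


def write_pcap(linktype, pkts):
    """Serialize packets as a little-endian classic pcap with the given linktype."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, pkt in pkts:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def convert_pcap(data):
    """Return an EN10MB pcap built from an IEEE802_11 or IEEE802_11_RADIO pcap."""
    linktype, pkts = read_pcap(data)
    if linktype == DLT_IEEE802_11_RADIO:
        strip = radiotap_len
    elif linktype == DLT_IEEE802_11:
        strip = lambda pkt: 0            # no radio header to skip
    else:
        raise ValueError("unexpected link type %d" % linktype)
    out = []
    for ts_sec, ts_usec, pkt in pkts:
        eth = dot11_to_ethernet(pkt[strip(pkt):])
        if eth is not None:
            out.append((ts_sec, ts_usec, eth))
    return write_pcap(DLT_EN10MB, out)


# Constructed sample capture (not from the thread): one radiotap-wrapped QoS data
# frame (ToDS set) carrying a small IPv4 packet, then the same frame with the
# Protected bit set, which the converter must drop.
SAMPLE_RT = bytes.fromhex("0000080000000000")          # radiotap v0, len 8, no fields
SAMPLE_BSSID = bytes.fromhex("001122334455")
SAMPLE_SA = bytes.fromhex("66778899aabb")
SAMPLE_DA = bytes.fromhex("ccddeeff0011")
SAMPLE_IP = bytes.fromhex("4500001c00010000400100000a0000010a000002") + bytes(8)
SAMPLE_LLC = bytes.fromhex("aaaa030000000800")        # LLC/SNAP, EtherType 0x0800


def sample_qos_data(flags):
    # FC 0x88 = type data, subtype QoS data; duration, A1=BSSID, A2=SA, A3=DA,
    # sequence control, QoS control, then LLC/SNAP and the IP packet.
    return (bytes([0x88, flags]) + b"\x00\x00" + SAMPLE_BSSID + SAMPLE_SA + SAMPLE_DA
            + b"\x10\x00" + b"\x00\x00" + SAMPLE_LLC + SAMPLE_IP)


SAMPLE_PCAP = write_pcap(DLT_IEEE802_11_RADIO, [
    (1, 0, SAMPLE_RT + sample_qos_data(0x01)),   # ToDS, plaintext: converted
    (1, 1, SAMPLE_RT + sample_qos_data(0x41)),   # ToDS + Protected: dropped
])

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s in-80211.pcap out-ethernet.pcap" % sys.argv[0])
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(convert_pcap(data))
```

Run it as `./wifi2eth.py capture-radiotap.pcap capture-eth.pcap` and feed the output to Bro with its usual Ethernet handling. Two caveats: the Ethernet frames carry no FCS, so the 802.11 FCS (if the driver delivered one) is passed through as trailing bytes and is ignored by IP parsing; and if you change `dot11_header_len` to also handle Protected frames after decrypting, remember that the IV/extended IV (4 bytes for WEP, 8 for TKIP/CCMP) sits between the MAC header and the LLC header, which is exactly the WEP/WPA size change mentioned above.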