I captured beacon frames (Linux Ubuntu, C, monitor mode) using a libpcap filter like the one below:
char *filter = "wlan type mgt subtype beacon";
struct bpf_program bpg;
if (pcap_compile(pcd, &bpg, filter, -1, PCAP_NETMASK_UNKNOWN) == -1 ||
    pcap_setfilter(pcd, &bpg) == -1) {
    fprintf(stderr, "filter: %s\n", pcap_geterr(pcd)); /* report why the filter failed */
}
I captured the beacon frames, but they include a radiotap header (pcap_datalink() returns DLT_IEEE802_11_RADIO). I want to save only the beacon frame (with the radiotap header removed) to the pcap file, but I cannot find such an option in pcap_dump().
Is there any method to save selective parts (remove the radiotap part) of a packet? Or is there any filtering option that helps me get only the beacon frame without radiotap?
Is there any method to save selective parts(remove radiotap part) of packet??
Yes.
First, if you're writing to a pcap file (which I'm assuming you're doing, as you mentioned pcap_dump()), do NOT use the pcap_t you got when you opened the Wi-Fi adapter as the argument to pcap_dump_open(), as you will NOT be writing packets with radiotap headers to the pcap file, and passing the pcap_t you got when you opened the Wi-Fi adapter as the argument to pcap_dump_open() will mean that the file's link-layer header type will be DLT_IEEE802_11_RADIO, which means the file will be interpreted by other programs as having packets with radiotap headers.
Instead, use pcap_open_dead() to create a fake pcap_t, and use DLT_IEEE802_11 as its link-layer header type, and use that in the pcap_dump_open() call.
Then, for each packet:
First, make sure that the "on-the-network length" (the len field of the struct pcap_pkthdr for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean the packet wasn't long enough to have a full radiotap header, which probably means there's a bug in the driver.
Then, make sure that the "captured data length" (the caplen field of the struct pcap_pkthdr for the packet, as provided to your program by libpcap) is >= 4 bytes and, if not, reject the packet. That would mean that there isn't enough captured data for a full radiotap header, which probably means your program specified a snapshot length that was too short.
Then fetch the it_len field from the radiotap header at the beginning of the packet. Note that it's little-endian, not big-endian, so you don't need to byte-swap it on little-endian processors (such as 32-bit and 64-bit x86 processors), and you do need to byte-swap it on big-endian processors (such as PowerPC when running Linux).
Then check to make sure the len and caplen fields of the struct pcap_pkthdr for the packet are both >= the it_len value.
Then copy the struct pcap_pkthdr for the packet to a separate struct pcap_pkthdr variable, subtract it_len from that separate struct pcap_pkthdr variable's len and caplen variables, get a pointer that points it_len bytes past the beginning of the packet, and pass that pointer, and a pointer to the struct pcap_pkthdr variable from which you've subtracted it_len from the len and caplen values, to pcap_dump().
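The procedure in the answer above, as an added C example; it is not the answerer's code and not part of libpcap. The four checks and the header arithmetic follow the answer step by step, with it_len assembled byte by byte so the little-endian rule holds on any host. One substitution is made so the example compiles without libpcap installed: the output file is written by hand in the classic pcap format (a global header whose link type is 105, the value of DLT_IEEE802_11) instead of through pcap_open_dead(DLT_IEEE802_11, snaplen), pcap_dump_open() and pcap_dump(), and struct frame_hdr is a stand-in for the caplen and len fields of struct pcap_pkthdr. In a real capture loop those three libpcap calls replace write_global_header() and write_record(). The sample packet, its addresses and the zero timestamps are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Value of libpcap's DLT_IEEE802_11: bare 802.11 frames, no radiotap header. */
#define LINKTYPE_IEEE802_11 105u

/* Stand-in for the two fields of struct pcap_pkthdr used here (the real
 * struct also carries the capture timestamp). */
struct frame_hdr {
    uint32_t caplen;   /* bytes actually captured */
    uint32_t len;      /* bytes on the air */
};

/* Constructed sample: 8-byte radiotap header (version 0, it_len = 8 as a
 * little-endian 16-bit value, it_present = 0) followed by a minimal beacon
 * frame with made-up addresses and the SSID "test". 50 bytes in total. */
static const uint8_t SAMPLE_BEACON[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, /* radiotap header */
    0x80, 0x00, 0x00, 0x00,                         /* FC = beacon, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,             /* addr1: broadcast */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,             /* addr2: source (made up) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,             /* addr3: BSSID (made up) */
    0x10, 0x00,                                     /* sequence control */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* timestamp */
    0x64, 0x00, 0x01, 0x00,                         /* interval, capability */
    0x00, 0x04, 't', 'e', 's', 't'                  /* SSID element */
};

/* it_len is bytes 2..3 of the radiotap header and is always little-endian;
 * assembling it from the two bytes is correct on little- and big-endian hosts. */
static uint16_t radiotap_it_len(const uint8_t *pkt)
{
    return (uint16_t)(pkt[2] | (pkt[3] << 8));
}

/* Apply the checks from the answer. Returns the offset of the 802.11 frame
 * and fills *out with the adjusted header, or -1 if the packet is rejected. */
static int strip_radiotap(const uint8_t *pkt, const struct frame_hdr *in,
                          struct frame_hdr *out)
{
    if (in->len < 4)        /* too short for a radiotap header: driver bug */
        return -1;
    if (in->caplen < 4)     /* snapshot length too short */
        return -1;
    uint16_t it_len = radiotap_it_len(pkt);
    if (in->len < it_len || in->caplen < it_len)
        return -1;          /* header claims more bytes than the packet has */
    *out = *in;
    out->len -= it_len;
    out->caplen -= it_len;
    return it_len;
}

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Hand-written equivalent of pcap_open_dead(DLT_IEEE802_11, snaplen) followed
 * by pcap_dump_open(): the file announces bare 802.11 frames. */
static int write_global_header(FILE *f, uint32_t snaplen)
{
    uint8_t h[24] = {0};
    put_le32(h, 0xa1b2c3d4u);              /* magic: microsecond timestamps */
    put_le16(h + 4, 2);                    /* version 2.4 */
    put_le16(h + 6, 4);
    put_le32(h + 16, snaplen);             /* thiszone and sigfigs stay 0 */
    put_le32(h + 20, LINKTYPE_IEEE802_11);
    return fwrite(h, 1, sizeof h, f) == sizeof h ? 0 : -1;
}

/* Hand-written equivalent of pcap_dump(): record header, then caplen bytes. */
static int write_record(FILE *f, const struct frame_hdr *h, const uint8_t *data)
{
    uint8_t r[16];
    put_le32(r, 0);                        /* ts_sec, ts_usec: constructed zeros */
    put_le32(r + 4, 0);
    put_le32(r + 8, h->caplen);
    put_le32(r + 12, h->len);
    if (fwrite(r, 1, sizeof r, f) != sizeof r)
        return -1;
    return fwrite(data, 1, h->caplen, f) == h->caplen ? 0 : -1;
}

/* Strip each packet and write the survivors. Returns frames written, -1 on I/O error. */
static int save_without_radiotap(FILE *f, const uint8_t *const pkts[],
                                 const struct frame_hdr hdrs[], size_t n)
{
    if (write_global_header(f, 65535) < 0)
        return -1;
    int written = 0;
    for (size_t i = 0; i < n; i++) {
        struct frame_hdr stripped;
        int off = strip_radiotap(pkts[i], &hdrs[i], &stripped);
        if (off < 0)
            continue;                      /* rejected by one of the checks */
        if (write_record(f, &stripped, pkts[i] + off) < 0)
            return -1;
        written++;
    }
    return written;
}

int main(void)
{
    /* One good capture and one whose caplen is too short to hold radiotap. */
    const uint8_t *const pkts[2] = { SAMPLE_BEACON, SAMPLE_BEACON };
    const struct frame_hdr hdrs[2] = {
        { sizeof SAMPLE_BEACON, sizeof SAMPLE_BEACON },
        { 3, sizeof SAMPLE_BEACON },
    };
    FILE *f = fopen("beacons.pcap", "wb");
    if (!f) { perror("beacons.pcap"); return EXIT_FAILURE; }
    int n = save_without_radiotap(f, pkts, hdrs, 2);
    fclose(f);
    printf("wrote %d beacon frame(s) without radiotap headers\n", n);
    return n < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Opening beacons.pcap in Wireshark shows a single 42-byte beacon whose dissection starts at the 802.11 frame control field, because the file's link type is DLT_IEEE802_11; the truncated second packet is dropped by the caplen check rather than being written as garbage.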