
Wireless interface set, but it captures Ethernet data


I am making a sniffer using libpcap and I am getting some weird behavior. I don't know much about networking, so I am making the sniffer to learn how networks really work.

Before I run the sniffer, I type ifconfig in the terminal, and it returns:

eth0      Link encap:Ethernet  Endereço de HW 44:87:fc:ec:63:08  
          endereço inet6: fe80::4687:fcff:feec:6308/64 Escopo:Link
          UP BROADCASTMULTICAST  MTU:1500  Métrica:1
          RX packets:38398 errors:0 dropped:1 overruns:0 frame:0
          TX packets:28661 errors:0 dropped:0 overruns:0 carrier:2
          colisões:0 txqueuelen:1000 
          RX bytes:24620500 (23.4 MiB)  TX bytes:6922586 (6.6 MiB)
          IRQ:42 

lo        Link encap:Loopback Local  
          inet end.: 127.0.0.1  Masc:255.0.0.0
          endereço inet6: ::1/128 Escopo:Máquina
          UP LOOPBACKRUNNING  MTU:16436  Métrica:1
          RX packets:294 errors:0 dropped:0 overruns:0 frame:0
          TX packets:294 errors:0 dropped:0 overruns:0 carrier:0
          colisões:0 txqueuelen:0 
          RX bytes:18540 (18.1 KiB)  TX bytes:18540 (18.1 KiB)

wlan0     Link encap:Ethernet  Endereço de HW 00:c1:40:67:04:30  
          inet end.: 192.168.0.102  Bcast:192.168.0.255  Masc:255.255.255.0
          endereço inet6: fe80::2c1:40ff:fe67:430/64 Escopo:Link
          UP BROADCASTRUNNING MULTICAST  MTU:1500  Métrica:1
          RX packets:2115 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2033 errors:0 dropped:0 overruns:0 carrier:0
          colisões:0 txqueuelen:1000 
          RX bytes:947310 (925.1 KiB)  TX bytes:571860 (558.4 KiB)

I unplugged the Ethernet cable, so the eth0 interface has no IP and will not work if I use it in my sniffer.

So I pass the wireless network interface as a parameter to the program in the terminal:

#./sniffer wlan0

And a code snippet:

#include <pcap.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *handler = pcap_open_live(argv[1], 65535, 1, 1000, errbuf);
    if (handler == NULL) { fprintf(stderr, "%s\n", errbuf); return 1; }

    int datalink_value = pcap_datalink(handler);   /* link-layer header type */
    if (datalink_value == DLT_EN10MB)
        printf("ETHERNET\n");
    else if (datalink_value == DLT_IEEE802_11)
        printf("WIRELESS\n");
    return 0;
}

The output is ETHERNET.

Why is this occurring and how can I fix it? Does the device convert it into Ethernet? Or is this kernel behavior? I still don't know if the problem is my code or if I don't understand well enough how networks and protocols work.

The wireless device I am using is: Mini USB 150Mbps 802.11n/g/b wifi Adapter Comfast WU720N

Thanks.


Solution

  • On Linux, you need to capture in monitor mode in order to get 802.11 headers. If the adapter isn't in monitor mode, you will only get data frames, not management or control frames, and the 802.11 header will be turned into a fake Ethernet header by the kernel and the packet will be provided with that header.

    Newer versions of libpcap have an API to request monitor mode, but, on Linux, that API only works well if libpcap was built with support for libnl. You could try using the API (use pcap_create(), followed by calls to set capture options, followed by pcap_activate(), to open the device; one of those calls should be pcap_set_rfmon() to set monitor mode). If that doesn't work, you'd have to use airmon-ng to turn on monitor mode; see this part of the Wireshark Wiki for information on how to do that.