Link-Layer HeaderAdrian Granados

Link-Layer Header• Wireless drivers can return custom or pseudo-headers detailing a number of

pieces of information about the captured frames

• Pseudo-headers are not transmitted with the frame

• Information is passed from the driver to userspace applications such as tcpdump or Wireshark (or vice-versa from userspace to driver for frame injection)

• Pseudo-headers are only supplied if the adapter is put into Monitor mode

802.11 FrameBodyPseudo-Header 802.11 MAC

Header FCS

driver dependent

bytes transmitted/received

3

Link-Layer Header Example

4

Monitor Mode• Monitor (rfmon) mode allows you to capture 802.11 control,

management and data frames on a channel

• The ability to set the wireless NIC into monitor mode depends on support within the wireless driver

• Monitor mode ≠ Promiscuous mode

• Promiscuous mode: broadcast frames or unicast frames from the associated network on a particular channel

• Monitor mode: all frames, unicast and broadcast, on a particular channel, regardless of the network the frames belong to

5

Header Formats• There are many link-layer header types

• We are interested in those providing 802.11 information

• Legacy formats:

• Prism

• 802.11 plus AVS radio information

• Per-Packet Information

• 802.11 plus Radiotap

• Vendor proprietary, e.g. Airopeek/Omnipeek header

6

Legacy Headers• Prism

• Designed for use when developing drivers for the Prism II 802.11b card for Linux

• Fixed length (144 bytes) - channel, RSSI, signal, noise and other fields, but no FCS

• AVS Radio Information

• Designed to replace the Prism header format to capture information about 802.11a and 802.11g frames

• Fixed length (64 bytes) - PHY type, channel, signal, noise, etc.

7

Per-Packet Information• Extensible meta-information header

format originally developed to provide 802.11n radio information

• Header is made up of a packet header followed by zero or more fields

• Each field is a type-length-value (TLV) triplet

• 802.11-Common, 802.11n MAC Extensions, 802.11n MAC+PHY Extensions

8

Radiotap Header Format

• Allows the driver developer to specify an arbitrary number of fields

• Flexible and extendable

• Fields are strictly ordered

• Field lengths are implicit - based on field type

Common 802.11 informationderived from link-layer header

(e.g. PPI, Radiotap)9

Radiotap Present Flags

10

Common Radiotap FieldsField Definition

Channel Tx/Rx frequency in MHz

Rate Tx/Rx rate

Antenna signal RF signal power at the antenna (dBm)

Antenna noise RF noise power at the antenna (dBm)

Flags Properties of Tx/Rx frames (encryption, fragmentation, FCS, etc.)

MCS MCS rate index, also bandwidth, guard interval, HT format, etc.

A-MPDU status Frame was received as part of an A-MPDU

Antenna Index of the antenna used to transmit/receive the frame

VHT Properties of VHT frames (STBC, guard interval, beamforming, etc.)

11

Radiotap and 802.11ax

• Three new fields have been suggested:

• HE, HE-MU, HE-MU-other-user

• HE indicates frame was received or transmitted using the HE (802.11ax) PHY

Enabling Pseudo-Headers

1. Enable monitor mode2. Choose link-layer header

Wireshark Airtool

13

More Information• Resources:

• www.radiotap.org

• Per-Packet Information Specification v1.0.7

• www.adriangranados.com/blog/link-layer-header-types

• Contact:

• @adriangranados

• www.adriangranados.com

14