Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?
Guy Harris writes:
| On Mon, Jun 10, 2002 at 08:34:57AM -0700, Doug Ambrisko wrote:
| > Also note that with the Cisco card you do not get the WEP keys in the
| > "raw" 802.11 packet (so is it really 802.11 monitor mode ... not really).
| > It is speculated that the WEP HW engine removes this. I've been able
| > to decrypt and view the payload correctly when I enabled WEP on the
| > card and set the keys then in Ethereal dissector I have it skip
| > the WEP part of the packet and then Ethereal dissects the rest of the
| > packet correctly (ie. follow HTTP streams etc.).
|
| I.e., the card delivers *decrypted* WEP packets, but leaves the WEP flag
| set in the header, so that any analyzer that takes the WEP flag
| seriously gets confused?
|
| By "skip the WEP part of the packet" do you mean you skip the first 4
| bytes after the header (i.e., the stuff dissected by the
|
|     if (IS_WEP(COOK_FLAGS(fcf)))
|       {
|         int pkt_len = tvb_reported_length (tvb);
|         int cap_len = tvb_length (tvb);
|
|         ...
|
|       }
|
| code in "dissect_ieee80211_common()"), and then, instead of calling
| "call_dissector()", with "data_handle" as the handle argument, to
| dissect the payload (minus the WEP header and the WEP CRC), you just
| dissect that part of the frame as if it were unencrypted data?
I got my laptop back and this is the "hack" I did:
Index: packet-ieee80211.c
===================================================================
RCS file: /cvsroot/ethereal/packet-ieee80211.c,v
retrieving revision 1.53
diff -c -r1.53 packet-ieee80211.c
*** packet-ieee80211.c 2002/04/08 09:09:47 1.53
--- packet-ieee80211.c 2002/06/12 16:51:00
***************
*** 1521,1527 ****
if (cap_len > 0 && pkt_len > 0)
call_dissector(data_handle,tvb_new_subset(tvb, hdr_len + 4, -1,tvb_reported_length_remaining(tvb,hdr_len + 4)),pinfo, tree);
}
- return;
}
/*
--- 1521,1526 ----
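Review bot: The removed `return;` makes the fall-through unconditional, so every frame with the WEP flag set now reaches the non-WEP body dissection, including captures from cards that deliver the payload still encrypted, where ciphertext would be dissected as if it were cleartext. The branch also still runs `call_dissector(data_handle, ...)` on the bytes from `hdr_len + 4` before falling through, so the payload is dissected twice. Suggest gating the fall-through on an explicit condition (for example a preference meaning the card has already decrypted the payload), skipping the `data_handle` call in that case, and adding a comment that says why the WEP flag is being ignored.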
I did it a long time ago. Basically I just let it fall into the part
that does:
Now dissect the body of a non-WEP-encrypted frame.
and life is good if I set the WEP key on the card. Of course this
is for WEP encrypted packets.
Doug A.
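
The situation discussed in this thread (a card that hands up already-decrypted payloads but leaves the WEP flag set) can be detected per frame instead of assumed. The following is an added example, not code from Ethereal or from either poster: it checks whether a WEP-flagged data frame carries a cleartext LLC/SNAP prefix, and because the thread leaves open whether the 4 IV bytes remain, it tests both offsets. All names and sample frames are hypothetical/constructed, and it assumes non-QoS data frames with a 24- or 30-byte header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; none come from packet-ieee80211.c. */
enum wep_state { TOO_SHORT, NOT_DATA, NOT_WEP, WEP_OPAQUE, CLEAR_IV_KEPT, CLEAR_IV_STRIPPED };

#define FC1_DS_BOTH 0x03  /* ToDS|FromDS: 4-address frame, 30-byte header */
#define FC1_WEP     0x40  /* WEP bit in the second frame-control byte */
#define WEP_IV_LEN  4     /* 3-byte IV + key-index byte */

/* Unencrypted IP/ARP payloads start with the LLC/SNAP bytes AA AA 03. */
static int llc_at(const uint8_t *p, size_t len, size_t off)
{
    static const uint8_t snap[3] = { 0xAA, 0xAA, 0x03 };
    return off + sizeof snap <= len && memcmp(p + off, snap, sizeof snap) == 0;
}

enum wep_state classify_wep(const uint8_t *frame, size_t len)
{
    if (len < 24) return TOO_SHORT;
    if ((frame[0] & 0x0C) != 0x08) return NOT_DATA;      /* type field != data */
    size_t hdr_len = (frame[1] & FC1_DS_BOTH) == FC1_DS_BOTH ? 30 : 24;
    if (len < hdr_len) return TOO_SHORT;
    if (!(frame[1] & FC1_WEP)) return NOT_WEP;
    if (llc_at(frame, len, hdr_len)) return CLEAR_IV_STRIPPED;
    if (llc_at(frame, len, hdr_len + WEP_IV_LEN)) return CLEAR_IV_KEPT;
    return WEP_OPAQUE;                                    /* still ciphertext */
}

/* Constructed samples (zeroed addresses), not captured traffic. */
static const uint8_t s_stripped[32] = { [0]=0x08, [1]=0x41, [24]=0xAA, [25]=0xAA, [26]=0x03, [30]=0x08 };
static const uint8_t s_kept[36]     = { [0]=0x08, [1]=0x41, [24]=0x01, [25]=0x02, [26]=0x03,
                                        [28]=0xAA, [29]=0xAA, [30]=0x03, [34]=0x08 };
static const uint8_t s_opaque[36]   = { [0]=0x08, [1]=0x41, [24]=0x01, [25]=0x02, [26]=0x03,
                                        [28]=0x5C, [29]=0x9E, [30]=0x17 };
static const uint8_t s_plain[32]    = { [0]=0x08, [1]=0x01, [24]=0xAA, [25]=0xAA, [26]=0x03, [30]=0x08 };

int main(void)
{
    printf("%d %d %d %d\n", classify_wep(s_stripped, sizeof s_stripped),
           classify_wep(s_kept, sizeof s_kept), classify_wep(s_opaque, sizeof s_opaque),
           classify_wep(s_plain, sizeof s_plain));
    return 0;
}
```

A truly encrypted payload matches the three-byte prefix by chance about once in 2^24 frames, so the check is a heuristic, not proof of decryption.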