2
votes

I have PcapNG files created by Wireshark, which I try to parse with python-pcapng.

However, I cannot figure out how to reconcile the output I receive from FileScanner's packet_payload_info with the 802.11 Data frame format (figure: 802.11 Data frame format):

This is the output I get (my code is at the bottom):

magic_number 0xa0d0d0a
SectionHeader(version_major=1, version_minor=0, section_length=-1, options=Options({'shb_userappl': [u'Dumpcap 1.12.4 (v1.12.4-0-gb4861da from master-1.12)'], 'shb_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)']}))

magic_number 0x1
InterfaceDescription(link_type=127, reserved='\x00\x00', snaplen=262144, options=Options({'if_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)'], 'if_tsresol': [6], 'if_name': [u'en1']}))

magic_number 0x6
EnhancedPacket(interface_id=0, timestamp_high=332139, timestamp_low=2801116064L, packet_payload_info=(45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12'), options=Options({}))

packet_payload_info      : (45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12') 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12 

packet_payload_data (bin): 00000000 00000000 00011001 00000000 01101111 00001000 00000000 00000000 01100000 01001001 10110010 00100110 00000000 00000000 00000000 00000000 00010010 00011000 01110001 00010110 01000000 00000001 10110001 10101010 00000000 10110100 00000000 10010000 00000000 11110100 00001111 00011011 10111000 01110011 01001100 01100000 10010010 00010111 00110101 00000000 00000001 11100011 11001111 00000000 00010010

Could you tell me where the packet_payload_data fits in the 802.11 Data frame?

  • i.e., where does its first byte fit in the frame

Python code:

#!/usr/bin/env python
# Python 2 (print statement, str payloads), matching the output shown above.

from pcapng import FileScanner

def hex_str_to_num(hex_str, out_format='X'):
    """Render a raw byte string as space-separated hex ('X') or binary ('b')."""
    if out_format.upper() == 'B':
        return ' '.join(format(ord(x), out_format).zfill(8) for x in hex_str)
    else:
        return ' '.join(format(ord(x), out_format).zfill(2) for x in hex_str)


PCAPNG = "/cygdrive/c/tmp/trace3.pcapng"
MAX = 3                 # stop after this many blocks (of any type)
ENHANCEDPACKET_ID = 6   # block type of an Enhanced Packet Block

# pcapng is a binary format, so open the file in binary mode.
with open(PCAPNG, "rb") as pcapng_file:
    scanner = FileScanner(pcapng_file)
    counter = MAX
    for block in scanner:
        print
        print "magic_number", hex(block.magic_number)
        print block

        if block.magic_number == ENHANCEDPACKET_ID:
            print
            # packet_payload_info is (captured_len, original_len, raw bytes)
            payload_data = block.packet_payload_info[2]
            print "packet_payload_info      :", block.packet_payload_info, "\n"
            print "packet_payload_data (hex):", hex_str_to_num(payload_data, "X"), "\n"
            print "packet_payload_data (bin):", hex_str_to_num(payload_data, "b")

        counter -= 1
        if not counter:
            break

EDIT 1:

If I print several EnhancedPackets' packet_payload_data, I notice that all of them start with 00 00 19 00 6F 08 00 00. Now, the 08 is the data frame marker, which makes me suspect that the packet_payload_data isn't just the payload data, but also includes the Frame control bits.

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 49 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 09 4A B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 C0 23 FF FF FF FF FF FF FF FF 58 D0 59 5C 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 5F 51 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 B4 00 1C 1B F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 86 51 B2 26 00 00 00 00 12 6C 71 16 40 01 CA AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 EE 53 B2 26 00 00 00 00 12 6C 71 16 40 01 B1 AA 00 B4 00 74 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 15 54 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 98 56 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 AB 00 74 00 F4 0F 1B B8 73 3C E4 44 DF 67 09 14 3A 0A 24 04 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 C0 56 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 E8 58 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 1B 59 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 59 B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 D0 23 FF FF FF FF FF FF FF FF B0 51 F7 7B 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 A0 69 B2 26 00 00 00 00 12 6C 71 16 40 01 C6 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 17 6A B2 26 00 00 00 00 12 6C 71 16 40 01 C5 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7 
1
Could you provide a link to download your PCAP file for further investigations? – Sylvain Leroux

As requested, @Sylvain - here's a URL to a directory containing both a PcapNG file and my Python script: drive.google.com/… – boardrider

1 Answer

1
votes

First of all, do not assume that, just because you captured on an 802.11 interface, the frame data begins with an 802.11 header. It might begin with a "radio metadata" header, for example, with the 802.11 header following it.

ALL programs that read pcap-ng files must:

  • read all the Interface Description Blocks, and remember, at minimum, the ordinal number of that IDB (which will be used later as the interface ID) and the LinkType value for the interface;
  • when processing a packet block, look up the LinkType value for the interface with the specified interface ID, and use that to interpret the raw packet data.

The official list of LinkType values indicates what the values are and how the packet data should be interpreted for that value. Never ever ever ever ever ever ever assume what the packet data will look like; always check the LinkType value.

(This applies to pcap files as well; always check the file's link-layer header type.)

Now, note that 00 00 19 00 6F 08 00 00 could possibly be the beginning of a radiotap header, with a version value of 0, pad byte of 0, and little-endian length of 25 bytes, with the first presence-bit word being 0x0000086F. That presence-bit word would say that the fields that are present would be TSFT (8 bytes), Flags (1 byte), Rate (1 byte), Channel (4 bytes), Antenna signal (1 byte), Antenna noise (1 byte), and Antenna (1 byte). The version, pad byte, length, and presence bit word are 8 bytes, for a total of 8+8+1+1+4+1+1+1 = 25 bytes.

So I would most definitely NOT assume that you're looking at an 802.11 header! You must check the LinkType; if it's 127 (LINKTYPE_IEEE802_11_RADIOTAP), the packets begin with a radiotap header, followed by an 802.11 header. If it's 105 (LINKTYPE_IEEE802_11), they begin with an 802.11 header.

The 802.11 header, whether it follows the radiotap (or other radio metadata) header or is at the beginning of the raw packet data, is a raw 802.11 header, so it begins with a Frame Control field, followed by Duration, and so on.
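The procedure the answer describes (look up the interface's LinkType, skip the radiotap header using its own length field, then read Frame Control and Duration from the 802.11 header) is shown below as an added example. It is not code from python-pcapng or from the answer's author. The LinkType values 105 and 127 and the 45-byte sample payload come from this page; the radiotap field table for presence bits 0 to 14 (sizes and natural alignment) is taken from the radiotap specification, and the function and constant names are my own. Decoding Frame Control into type and subtype lets you see exactly which kind of frame follows the 25-byte radiotap header, and running the same bytes through the LinkType 105 path shows how differently they decode when the radio metadata header is ignored.

```python
# Added example: interpret pcap-ng packet data by LinkType, walk the radiotap
# header, then decode the 802.11 Frame Control. Not python-pcapng code.
import struct

LINKTYPE_IEEE802_11 = 105           # raw 802.11 header first
LINKTYPE_IEEE802_11_RADIOTAP = 127  # radiotap header, then 802.11 header

# Radiotap presence bits 0..14 (from the radiotap specification):
# (name, struct format, natural alignment). Each field is aligned to its
# natural size, measured from the start of the radiotap header.
RADIOTAP_FIELDS = {
    0: ("tsft", "<Q", 8),
    1: ("flags", "<B", 1),
    2: ("rate", "<B", 1),            # in 500 kbps units
    3: ("channel", "<HH", 2),        # (frequency in MHz, channel flags)
    4: ("fhss", "<BB", 1),
    5: ("dbm_antsignal", "<b", 1),
    6: ("dbm_antnoise", "<b", 1),
    7: ("lock_quality", "<H", 2),
    8: ("tx_attenuation", "<H", 2),
    9: ("db_tx_attenuation", "<H", 2),
    10: ("dbm_tx_power", "<b", 1),
    11: ("antenna", "<B", 1),
    12: ("db_antsignal", "<B", 1),
    13: ("db_antnoise", "<B", 1),
    14: ("rx_flags", "<H", 2),
}
RADIOTAP_F_FCS = 0x10  # Flags bit: the frame ends with its 4-byte FCS
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def parse_radiotap(data):
    """Return (fields, header_length); raise ValueError if not radiotap."""
    if len(data) < 8:
        raise ValueError("radiotap header truncated")
    version, _pad, length, present = struct.unpack_from("<BBHI", data, 0)
    if version != 0 or length > len(data):
        raise ValueError("not radiotap (version %d, len %d)" % (version, length))
    # Bit 31 of a presence word announces another presence word after it.
    offset, words = 8, [present]
    while words[-1] & (1 << 31):
        words.append(struct.unpack_from("<I", data, offset)[0])
        offset += 4
    fields = {"version": version, "length": length}
    for bit in range(31):             # fields of the first word, in bit order
        if not words[0] & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break   # unknown size: cannot align later fields; length is still valid
        name, fmt, align = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) // align * align
        value = struct.unpack_from(fmt, data, offset)
        fields[name] = value[0] if len(value) == 1 else value
        offset += struct.calcsize(fmt)
    return fields, length


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_80211_header(frame):
    """Decode Frame Control, Duration and the addresses this frame type carries."""
    if len(frame) < 10:
        raise ValueError("802.11 header truncated")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    hdr = {"version": fc0 & 0x03, "type": (fc0 >> 2) & 0x03,
           "subtype": (fc0 >> 4) & 0x0F, "to_ds": bool(fc1 & 0x01),
           "from_ds": bool(fc1 & 0x02), "duration": duration,
           "addr1": mac(frame[4:10])}
    hdr["type_name"] = FRAME_TYPES[hdr["type"]]
    if hdr["type"] == 1:
        # Control frames: CTS (12) and ACK (13) carry only the receiver address.
        if hdr["subtype"] not in (12, 13) and len(frame) >= 16:
            hdr["addr2"] = mac(frame[10:16])
    elif len(frame) >= 24:
        hdr["addr2"], hdr["addr3"] = mac(frame[10:16]), mac(frame[16:22])
        hdr["seq_ctrl"] = struct.unpack_from("<H", frame, 22)[0]
        if hdr["to_ds"] and hdr["from_ds"] and len(frame) >= 30:
            hdr["addr4"] = mac(frame[24:30])   # 4-address (WDS) data frame
    return hdr


def decode_packet(link_type, data):
    """Dispatch on the interface's LinkType before interpreting any byte."""
    if link_type == LINKTYPE_IEEE802_11_RADIOTAP:
        radiotap, hdr_len = parse_radiotap(data)
        frame = data[hdr_len:]
    elif link_type == LINKTYPE_IEEE802_11:
        radiotap, frame = None, data
    else:
        raise ValueError("unsupported LinkType %d" % link_type)
    dot11 = parse_80211_header(frame)
    if radiotap is not None and radiotap.get("flags", 0) & RADIOTAP_F_FCS:
        dot11["fcs"] = frame[-4:].hex()   # trailing 4 bytes are the FCS
    return radiotap, dot11


# The 45-byte EnhancedPacket payload quoted in the question (LinkType 127).
SAMPLE = bytes.fromhex(
    "00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA"
    " 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12")
# Usage: radiotap, dot11 = decode_packet(LINKTYPE_IEEE802_11_RADIOTAP, SAMPLE)
```

In a real reader the `link_type` argument comes from the InterfaceDescription block whose ordinal matches the EnhancedPacket's `interface_id` (127 in the question's output), never from a guess about the bytes. Note that the radiotap `length` field is what locates the 802.11 header even when a presence bit names a field this table does not know; the decoder stops interpreting fields at that point but still skips the header correctly.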