1
votes

I have captured some WLAN 802.11 QoS packets using Wireshark and I am trying to replicate the same packets using Scapy.

Here goes the screenshot of the captured packet. Please let me know if more screenshots will help.

Wireshark capture of 802.11 QoS Packet

Here are the Scapy commands I used to generate a packet with 4 bytes of dummy data.

from scapy.all import RadioTap, Dot11, Dot11QoS

# type=2 (Data), subtype=8 (QoS Data); with ToDS and FromDS both 0, addr1/addr2/addr3 are DA/SA/BSSID
dot11 = Dot11(type=2, subtype=8, addr1='11:11:11:11:11:11', addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33')
frame = RadioTap()/dot11/Dot11QoS()/"abcd"   # 4 bytes of dummy payload placed directly after the QoS Control field

If I look at the packet in Wireshark using the wireshark(frame) command, it identifies the packet as an 802.11 QoS packet. But just above the Data field, it shows a Logical Link Control field.

On the other hand, if I send the packet on the interface using sendp(frame, iface='wlan0'), Wireshark captures the packet as an LLC packet. My question is: why is the same packet shown differently in the two cases?

Also, my idea is to replicate exactly the same packet, send it to an IoT device and get the response. Is it possible to forge packets for that? If so, what am I missing to generate the same packet using Scapy?
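As an added illustration (not part of the question or of its answer, and independent of Scapy), the script below builds a QoS Data frame like the one above with plain struct calls and then parses its body the way a dissector does. The point it shows: the body of an unencrypted 802.11 data frame is defined to begin with an LLC header (DSAP, SSAP, control), normally followed by SNAP (OUI, EtherType), so a dissector labels the first three bytes of whatever follows the QoS Control field as LLC. Putting "abcd" there yields DSAP 0x61, SSAP 0x62, control 0x63 and a one-byte "data" field; wrapping the same payload in an explicit LLC/SNAP header gives a frame whose structure matches what a real capture shows. The MAC addresses, the 0x0800 EtherType and the payload are constructed sample values.

```python
import struct

# Constructed sample addresses; with ToDS = FromDS = 0 these are DA, SA and BSSID.
DA, SA, BSSID = "11:11:11:11:11:11", "22:22:22:22:22:22", "33:33:33:33:33:33"


def mac(addr: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in addr.split(":"))


def frame_control(ftype: int, subtype: int) -> bytes:
    """Frame Control: version 0, type in bits 2-3, subtype in bits 4-7, flags 0."""
    return struct.pack("<H", (subtype << 4) | (ftype << 2))


def build_qos_data(body: bytes, tid: int = 0) -> bytes:
    """802.11 QoS Data frame (type 2, subtype 8) with a 26-byte MAC header."""
    hdr = frame_control(2, 8)
    hdr += struct.pack("<H", 0)          # Duration/ID
    hdr += mac(DA) + mac(SA) + mac(BSSID)
    hdr += struct.pack("<H", 0)          # Sequence Control
    hdr += struct.pack("<H", tid & 0xF)  # QoS Control, TID in the low 4 bits
    return hdr + body


def llc_snap(ethertype: int, payload: bytes, oui: bytes = b"\x00\x00\x00") -> bytes:
    """LLC (DSAP 0xAA, SSAP 0xAA, control 0x03 = UI) + SNAP (OUI, EtherType)."""
    return b"\xaa\xaa\x03" + oui + struct.pack("!H", ethertype) + payload


def parse_qos_data(frame: bytes) -> dict:
    """Dissect a data frame: MAC header, optional QoS Control, then LLC[/SNAP]."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not an 802.11 data frame")
    offset = 24
    info = {"type": ftype, "subtype": subtype}
    if subtype & 0x8:                    # QoS subtypes carry a 2-byte QoS Control field
        (qos,) = struct.unpack_from("<H", frame, offset)
        info["tid"] = qos & 0xF
        offset += 2
    body = frame[offset:]
    if len(body) < 3:
        info["llc"] = None
        info["payload"] = body
        return info
    # Whatever the sender put here, a dissector reads the first three body bytes as LLC.
    info["llc"] = {"dsap": body[0], "ssap": body[1], "ctrl": body[2]}
    if body[:3] == b"\xaa\xaa\x03" and len(body) >= 8:
        info["snap"] = {"oui": body[3:6], "ethertype": struct.unpack("!H", body[6:8])[0]}
        info["payload"] = body[8:]
    else:
        info["payload"] = body[3:]
    return info


def compare() -> tuple:
    """Parse the 'abcd'-only frame beside a properly LLC/SNAP-wrapped one."""
    naive = parse_qos_data(build_qos_data(b"abcd"))
    wrapped = parse_qos_data(build_qos_data(llc_snap(0x0800, b"abcd")))
    return naive, wrapped


if __name__ == "__main__":
    naive, wrapped = compare()
    print("payload directly after QoS Control :", naive)
    print("payload behind LLC/SNAP            :", wrapped)
```

Running it shows the first frame dissected as LLC with DSAP/SSAP/control taken from "abc" and only "d" left as data, while the second carries a recognisable SNAP header with EtherType 0x0800 and the full "abcd" payload. The same check can be made on a Scapy-built frame by converting it with bytes() and feeding the result to parse_qos_data (skip the RadioTap header first).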


1 Answer

0
votes

To replicate packets, the easiest way would be to directly sniff them in Scapy. The sniff function does just that: it has two main parameters, filter and prn.

filter specifies which packets to capture according to the BPF syntax.

prn specifies which function to apply to the filtered packets.

For example:

from scapy.all import sniff

def f(pkt):
    pkt.show()                 # print every layer and field of the captured packet

filt = "src host 1.2.3.4"      # BPF filter: only packets coming from 1.2.3.4
sniff(prn=f, filter=filt)

This code will capture all packets coming from the machine having the IP address 1.2.3.4 and will show their fields.

But if you absolutely want to do the sniffing via Wireshark, you can check that you replicate all the fields thanks to the scapy ls function that displays all the field names of a layer constructor:

>>> from scapy.all import UDP, ls
>>> ls(UDP)   # the four fields below are UDP's, not ARP's
sport      : ShortEnumField                      = 53              (53)
dport      : ShortEnumField                      = 53              (53)
len        : ShortField                          = None            (None)
chksum     : XShortField                         = None            (None)

Good luck in whatever you're trying to do.