[Winpcap-users] pcap 802.11 header format
Guy Harris
guy at alum.mit.edu
Thu Oct 16 21:59:57 GMT 2008
On Oct 15, 2008, at 10:57 PM, arun chhetri wrote:
> I am new to this group and also pcap programming.
> The problem is I want to parse some pcap dump file. This dump file
> contains 802.11 data. I am using pcap library for that. The main
> problem is i am not able to find the structure of 802.11 headers in C
> i am using this structure
>
>
> typedef struct wi_frame {
> u_int16_t wi_frameControl;
> u_int16_t wi_duration;
> u_int16_t wi_add1[3];
> u_int16_t wi_add2[3];
> u_int16_t wi_add3[3];
> u_int16_t wi_sequenceControl;
> u_int16_t wi_add4[3];
> };
>
>
> with this structure i am able to find frame control sequence control
> and duration easily but the problem is with add1,2,3 and 4. Can
> anybody please give me some pointer on this.
See
http://standards.ieee.org/getieee802/download/802.11-2007.pdf
section 7. Note that it says
The fields Address 2, Address 3, Sequence Control, Address 4, QoS
Control, and Frame Body are present only in certain frame types and
subtypes.
which means that you *CANNOT* use a single C structure to analyze the
headers of all 802.11 frames - for example, as per 7.2.1.1, an RTS
frame has only the RA and TA fields, so the header is more like
struct rts_frame {
u_int16_t wi_frameControl;
u_int16_t wi_duration;
u_int16_t wi_ra[3];
u_int16_t wi_ta[3];
};
(BTW, the word "typedef" in your example doesn't do anything useful -
you'd have to put a name after the } for it to be useful), whereas
7.2.2 indicates that the header for a data frame might, or might not,
include a QoS control field, and also indicates that some frames might
not have the "wi_add4" field (see table 7-7).
(Also, I'd make the MAC addresses "u_int8_t xxx[6]" rather than
"u_int16_t xxx[3]".)
More information about the Winpcap-users
mailing list