blob: 3a930072b161fd51b3b1d007daac673526609dc2 [file] [log] [blame]
Andy Green08d1f212007-07-10 19:29:37 +02001How to use packet injection with mac80211
2=========================================
3
4mac80211 now allows arbitrary packets to be injected down any Monitor Mode
5interface from userland. The packet you inject needs to be composed in the
6following format:
7
8 [ radiotap header ]
9 [ ieee80211 header ]
10 [ payload ]
11
12The radiotap format is discussed in
13./Documentation/networking/radiotap-headers.txt.
14
Johannes Bergde2b3e82009-04-08 12:54:41 +020015Despite many radiotap parameters being currently defined, most only make sense
Johannes Berg58d41852007-09-26 17:53:18 +020016to appear on received packets. The following information is parsed from the
17radiotap headers and used to control injection:
Andy Green08d1f212007-07-10 19:29:37 +020018
Johannes Berg58d41852007-09-26 17:53:18 +020019 * IEEE80211_RADIOTAP_FLAGS
20
21 IEEE80211_RADIOTAP_F_FCS: FCS will be removed and recalculated
22 IEEE80211_RADIOTAP_F_WEP: frame will be encrypted if key available
23 IEEE80211_RADIOTAP_F_FRAG: frame will be fragmented if longer than the
Johannes Bergde2b3e82009-04-08 12:54:41 +020024 current fragmentation threshold.
25
Helmut Schaad9cd48f2011-10-07 11:53:41 +020026 * IEEE80211_RADIOTAP_TX_FLAGS
27
28 IEEE80211_RADIOTAP_F_TX_NOACK: frame should be sent without waiting for
29 an ACK even if it is a unicast frame
Johannes Berg58d41852007-09-26 17:53:18 +020030
31The injection code can also skip all other currently defined radiotap fields
32facilitating replay of captured radiotap headers directly.
Andy Green08d1f212007-07-10 19:29:37 +020033
Johannes Bergde2b3e82009-04-08 12:54:41 +020034Here is an example valid radiotap header defining some parameters
Andy Green08d1f212007-07-10 19:29:37 +020035
36 0x00, 0x00, // <-- radiotap version
37 0x0b, 0x00, // <- radiotap header length
38 0x04, 0x0c, 0x00, 0x00, // <-- bitmap
39 0x6c, // <-- rate
40 0x0c, //<-- tx power
41 0x01 //<-- antenna
42
43The ieee80211 header follows immediately afterwards, looking for example like
44this:
45
46 0x08, 0x01, 0x00, 0x00,
47 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
48 0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
49 0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
50 0x10, 0x86
51
52Then lastly there is the payload.
53
54After composing the packet contents, it is sent by send()-ing it to a logical
55mac80211 interface that is in Monitor mode. Libpcap can also be used,
56(which is easier than doing the work to bind the socket to the right
57interface), along the following lines:
58
59 ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
60...
61 r = pcap_inject(ppcap, u8aSendBuffer, nLength);
62
Johannes Bergde2b3e82009-04-08 12:54:41 +020063You can also find a link to a complete inject application here:
Andy Green08d1f212007-07-10 19:29:37 +020064
Johannes Bergde2b3e82009-04-08 12:54:41 +020065http://wireless.kernel.org/en/users/Documentation/packetspammer
Andy Green08d1f212007-07-10 19:29:37 +020066
67Andy Green <andy@warmcat.com>