210 lines
6.6 KiB
Plaintext
210 lines
6.6 KiB
Plaintext
AVS Capture Frame Format
|
|
Version 2.1
|
|
|
|
1. Introduction
|
|
The original header format for "monitor mode" or capturing frames was
|
|
a considerable hack. The document covers a redesign of that format.
|
|
|
|
Any questions, corrections, or proposed changes go to info@linux-wlan.com
|
|
|
|
2. Frame Format
|
|
All sniff frames follow the same format:
|
|
|
|
Offset Name Size Description
|
|
--------------------------------------------------------------------
|
|
0 CaptureHeader AVS capture metadata header
|
|
64 802.11Header [10-30] 802.11 frame header
|
|
?? 802.11Payload [0-2312] 802.11 frame payload
|
|
?? 802.11FCS 4 802.11 frame check sequence
|
|
|
|
Note that the header and payload are variable length and the payload
|
|
may be empty.
|
|
|
|
If the hardware does not supply the FCS to the driver, then the frame shall
|
|
have a FCS of 0xFFFFFFFF.
|
|
|
|
3. Byte Order
|
|
All multibyte fields of the capture header are in "network" byte
|
|
order. The "host to network" and "network to host" functions should
|
|
work just fine. All the remaining multibyte fields are ordered
|
|
according to their respective standards.
|
|
|
|
4. Capture Header Format
|
|
The following fields make up the AVS capture header:
|
|
|
|
Offset Name Type
|
|
------------------------------
|
|
0 version uint32
|
|
4 length uint32
|
|
8 mactime uint64
|
|
16 hosttime uint64
|
|
24 phytype uint32
|
|
28 channel uint32
|
|
32 datarate uint32
|
|
36 antenna uint32
|
|
40 priority uint32
|
|
44 ssi_type uint32
|
|
48 ssi_signal int32
|
|
52 ssi_noise int32
|
|
56 preamble uint32
|
|
60 encoding uint32
|
|
64 sequence uint32
|
|
68 drops uint32
|
|
72 sniffer_addr uint8[6]
|
|
78 padding uint8[2]
|
|
------------------------------
|
|
80
|
|
|
|
The following subsections detail the fields of the capture header.
|
|
|
|
4.1 version
|
|
The version field identifies this type of frame as a subtype of
|
|
ETH_P_802111_CAPTURE as received by an ARPHRD_IEEE80211_PRISM or
|
|
an ARPHRD_IEEE80211_CAPTURE device. The value of this field shall be
|
|
0x80211002. As new revisions of this header are necessary, we can
|
|
increment the version appropriately.
|
|
|
|
4.2 length
|
|
The length field contains the length of the entire AVS capture header,
|
|
in bytes.
|
|
|
|
4.3 mactime
|
|
Many WLAN devices supply a relatively high resolution frame reception
|
|
time value. This field contains the value supplied by the device. If
|
|
the device does not supply a receive time value, this field shall be
|
|
set to zero. The units for this field are microseconds.
|
|
|
|
4.4 hosttime
|
|
The hosttime field is set to the current value of the host maintained
|
|
clock variable when the frame is received.
|
|
|
|
4.5 phytype
|
|
The phytype field identifies what type of PHY is employed by the WLAN
|
|
device used to capture this frame. The valid values are:
|
|
|
|
PhyType Value
|
|
-------------------------------------
|
|
phytype_fhss_dot11_97 1
|
|
phytype_dsss_dot11_97 2
|
|
phytype_irbaseband 3
|
|
phytype_dsss_dot11_b 4
|
|
phytype_pbcc_dot11_b 5
|
|
phytype_ofdm_dot11_g 6
|
|
phytype_pbcc_dot11_g 7
|
|
phytype_ofdm_dot11_a 8
|
|
phytype_dss_ofdm_dot11_g 9
|
|
|
|
4.6 channel
|
|
For all PHY types except FH, this field is just an unsigned integer
|
|
and will be set to the current receiver channel number at the time
|
|
the frame was received. For frequency hopping radios, this field
|
|
is broken in to the following subfields:
|
|
|
|
Byte Subfield
|
|
------------------------
|
|
Byte0 Hop Set
|
|
Byte1 Hop Pattern
|
|
Byte2 Hop Index
|
|
Byte3 reserved
|
|
|
|
4.7 datarate
|
|
The data rate field contains the rate at which the frame was received
|
|
in units of 100kbps.
|
|
|
|
4.8 antenna
|
|
For WLAN devices that indicate the receive antenna for each frame, the
|
|
antenna field shall contain an index value into the dot11AntennaList.
|
|
If the device does not indicate a receive antenna value, this field
|
|
shall be set to zero.
|
|
|
|
4.9 priority
|
|
The priority field indicates the receive priority of the frame. The
|
|
value is in the range [0-15] with the value 0 reserved to indicate
|
|
contention period and the value 6 reserved to indicate contention free
|
|
period.
|
|
|
|
4.10 ssi_type
|
|
The ssi_type field is used to indicate what type of signal strength
|
|
information is present: "None", "Normalized RSSI" or "dBm". "None"
|
|
indicates that the underlying WLAN device does not supply any signal
|
|
strength at all and the ssi_* values are unset. "Normalized RSSI"
|
|
values are integers in the range [0-1000] where higher numbers
|
|
indicate stronger signal. "dBm" values indicate an actual signal
|
|
strength measurement quantity and are usually in the range [-108 - 10].
|
|
The following values indicate the three types:
|
|
|
|
Value Description
|
|
---------------------------------------------
|
|
0 None
|
|
1 Normalized RSSI
|
|
2 dBm
|
|
3 Raw RSSI
|
|
|
|
4.11 ssi_signal
|
|
The ssi_signal field contains the signal strength value reported by
|
|
the WLAN device for this frame. Note that this is a signed quantity
|
|
and if the ssi_type value is "dBm" that the value may be negative.
|
|
|
|
4.12 ssi_noise
|
|
The ssi_noise field contains the noise or "silence" value reported by
|
|
the WLAN device. This value is commonly defined to be the "signal
|
|
strength reported immediately prior to the baseband processor lock on
|
|
the frame preamble". If the hardware does not provide noise data, this
|
|
shall equal 0xffffffff.
|
|
|
|
4.12 preamble
|
|
For PHYs that support variable preamble lengths, the preamble field
|
|
indicates the preamble type used for this frame. The values are:
|
|
|
|
Value Description
|
|
---------------------------------------------
|
|
0 Undefined
|
|
1 Short Preamble
|
|
2 Long Preamble
|
|
|
|
4.13 encoding
|
|
This specifies the encoding of the received packet. For PHYs that support
|
|
multiple encoding types, this will tell us which one was used.
|
|
|
|
Value Description
|
|
---------------------------------------------
|
|
0 Unknown
|
|
1 CCK
|
|
2 PBCC
|
|
3 OFDM
|
|
4 DSSS-OFDM
|
|
5 BPSK
|
|
6 QPSK
|
|
7 16QAM
|
|
8 64QAM
|
|
|
|
4.14 sequence
|
|
This is a receive frame sequence counter. The sniff host shall
|
|
increment this by one for every valid frame received off the medium.
|
|
By watching for gaps in the sequence numbers we can determine when
|
|
packets are lost due to unreliable transport, rather than a frame never
|
|
being received to begin with.
|
|
|
|
4.15 drops
|
|
This is a counter of the number of known frame drops that occured. This
|
|
is particularly useful when the system or hardware cannot keep up with
|
|
the sniffer load.
|
|
|
|
4.16 sniffer_addr
|
|
This specifies the mac address of the sniffer, six octets in length.
|
|
This field is followed by two octets of padding to keep the structure 32-bit
|
|
word aligned.
|
|
|
|
|
|
================================
|
|
|
|
Changes: v2->v2.1
|
|
|
|
* Added contact e-mail address to introduction
|
|
* Added sniffer_addr, drop count, and sequence fields, bringing total
|
|
length to 80 bytes
|
|
* Bumped version to 0x80211002
|
|
* Mactime is specified in microseconds, not nanoseconds
|
|
* Added 64QAM, 16QAM, BPSK, QPSK encodings
|
|
|