libpcap and 802.11 Wireless Networks

As shown in Table 10-2, libpcap supports packet capture from a wide variety of link types, including several link types related to 802.11 wireless networks.

The Arpsniff tool we just demonstrated was designed to work only on Ethernet networks (or more specifically, Ethernet II networks). We check the link type of the network interface because the frames we receive from the interface are laid out differently depending on the link type reported. For example, Arpsniff expects to receive an Ethernet II frame containing an ARP packet. In this case, we know the Ethernet II frame has a header consisting of 14 bytes, as shown in Figure 10-2.

Figure 10-2. Ethernet II header format

Had Arpsniff been capturing packets from an 802.11 wireless network, however, each frame would instead have started with an 802.11 header such as the one shown in Figure 10-3.

Figure 10-3. Header format
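The framing difference described above, as an added example (not Arpsniff's code and not from the book): a bounds-checked helper that finds where the payload starts for each link type and refuses framing it cannot parse. The name `payload_offset` and the `LT_*` constants are assumptions for illustration, with values matching libpcap's `DLT_EN10MB`, `DLT_IEEE802_11` and `DLT_IEEE802_11_RADIO`; it goes beyond the text by also handling the radiotap link type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-type values as libpcap defines them (DLT_EN10MB, DLT_IEEE802_11,
 * DLT_IEEE802_11_RADIO), copied here so the file builds without libpcap. */
enum { LT_EN10MB = 1, LT_IEEE802_11 = 105, LT_IEEE802_11_RADIO = 127 };

/* Hypothetical helper: returns the offset of the payload that follows the
 * link-layer framing and stores its EtherType, or -1 when the link type is
 * unsupported, the frame is truncated, or it is not plaintext 802.11 data. */
long payload_offset(int linktype, const uint8_t *p, size_t len, uint16_t *etype)
{
    size_t off = 0, hdr = 24;              /* 24 = basic 802.11 data header */

    if (linktype == LT_EN10MB) {           /* dst(6) + src(6) + type(2) = 14 */
        if (len < 14) return -1;
        *etype = (uint16_t)(p[12] << 8 | p[13]);
        return 14;
    }
    if (linktype == LT_IEEE802_11_RADIO) { /* radiotap length: LE16 at byte 2 */
        if (len < 8) return -1;
        off = (size_t)(p[2] | p[3] << 8);
        if (off < 8 || off > len) return -1;
    } else if (linktype != LT_IEEE802_11) {
        return -1;                         /* refuse framing we cannot parse */
    }
    if (len - off < 2) return -1;
    uint8_t fc0 = p[off], fc1 = p[off + 1];
    if ((fc0 & 0x0c) != 0x08) return -1;   /* only data frames carry ARP/IP */
    if (fc1 & 0x40) return -1;             /* Protected bit: body is encrypted */
    if ((fc1 & 0x03) == 0x03) hdr += 6;    /* ToDS+FromDS: fourth address */
    if (fc0 & 0x80) hdr += 2;              /* QoS subtypes: QoS control field */
    if ((fc0 & 0x80) && (fc1 & 0x80)) hdr += 4; /* +HTC: HT control field */
    off += hdr;
    if (len < off + 8) return -1;          /* need the LLC/SNAP header */
    if (p[off] != 0xaa || p[off + 1] != 0xaa || p[off + 2] != 0x03) return -1;
    *etype = (uint16_t)(p[off + 6] << 8 | p[off + 7]);
    return (long)(off + 8);
}

int main(void)
{
    /* Constructed sample: an Ethernet II header announcing ARP (0x0806). */
    uint8_t eth[14] = { [12] = 0x08, [13] = 0x06 };
    uint16_t t = 0;
    long off = payload_offset(LT_EN10MB, eth, sizeof eth, &t);
    printf("offset=%ld ethertype=0x%04x\n", off, t);
    return 0;
}
```

In a libpcap program the first argument would be the value returned by `pcap_datalink()` for the open capture handle.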

In addition to expecting the correct packet framing for the data link type we are using, there is one other major obstacle to successful packet capture from wireless networks, and that is monitor mode.
