.. SPDX-License-Identifier: GPL-2.0

=========================================
How to use packet injection with mac80211
=========================================

mac80211 now allows arbitrary packets to be injected down any Monitor Mode
interface from userland. The packet you inject needs to be composed in the
following format::

 [ radiotap header ]
 [ ieee80211 header ]
 [ payload ]

The radiotap format is discussed in
./Documentation/networking/radiotap-headers.rst.

Despite many radiotap parameters being currently defined, most only make sense
to appear on received packets. The following information is parsed from the
radiotap headers and used to control injection:

 * IEEE80211_RADIOTAP_FLAGS

   =========================  ===========================================
   IEEE80211_RADIOTAP_F_FCS   FCS will be removed and recalculated
   IEEE80211_RADIOTAP_F_WEP   frame will be encrypted if key available
   IEEE80211_RADIOTAP_F_FRAG  frame will be fragmented if longer than the
                              current fragmentation threshold.
   =========================  ===========================================

 * IEEE80211_RADIOTAP_TX_FLAGS

   =============================  ========================================
   IEEE80211_RADIOTAP_F_TX_NOACK  frame should be sent without waiting for
                                  an ACK even if it is a unicast frame
   =============================  ========================================

 * IEEE80211_RADIOTAP_RATE

   legacy rate for the transmission (only for devices without own rate control)

 * IEEE80211_RADIOTAP_MCS

   HT rate for the transmission (only for devices without own rate control).
   Some flags are also parsed:

   ============================  ========================
   IEEE80211_RADIOTAP_MCS_SGI    use short guard interval
   IEEE80211_RADIOTAP_MCS_BW_40  send in HT40 mode
   ============================  ========================

 * IEEE80211_RADIOTAP_DATA_RETRIES

   number of retries when either IEEE80211_RADIOTAP_RATE or
   IEEE80211_RADIOTAP_MCS was used

 * IEEE80211_RADIOTAP_VHT

   VHT mcs and number of streams used in the transmission (only for devices
   without own rate control). Other fields are also parsed:

   flags field
        IEEE80211_RADIOTAP_VHT_FLAG_SGI: use short guard interval

   bandwidth field
        * 1: send using 40MHz channel width
        * 4: send using 80MHz channel width
        * 11: send using 160MHz channel width

The injection code can also skip all other currently defined radiotap fields,
facilitating replay of captured radiotap headers directly.
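As an added illustration that is not part of this kernel document: a bounds-checked C walker for the header layout described above (version byte, little-endian length, present bitmap, then naturally aligned fields in bit order), the same walk the injection path performs when it skips fields it does not use. It extracts the injection-control fields listed above; the bit numbers and field sizes are assumed from the radiotap specification, and extended present bitmaps (bit 31) are rejected rather than parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Radiotap 'present' bit numbers (radiotap spec; include/net/ieee80211_radiotap.h). */
enum { RT_TSFT = 0, RT_FLAGS = 1, RT_RATE = 2, RT_CHANNEL = 3, RT_DBM_ANTSIGNAL = 5,
       RT_DBM_TX_POWER = 10, RT_ANTENNA = 11, RT_TX_FLAGS = 15, RT_DATA_RETRIES = 17,
       RT_MCS = 19, RT_VHT = 21 };
/* Byte size and natural alignment of each field this walker understands. */
static const struct { uint8_t bit, size, align; } rt_field[] = {
    {RT_TSFT, 8, 8}, {RT_FLAGS, 1, 1}, {RT_RATE, 1, 1}, {RT_CHANNEL, 4, 2},
    {RT_DBM_ANTSIGNAL, 1, 1}, {RT_DBM_TX_POWER, 1, 1}, {RT_ANTENNA, 1, 1},
    {RT_TX_FLAGS, 2, 2}, {RT_DATA_RETRIES, 1, 1}, {RT_MCS, 3, 1}, {RT_VHT, 12, 2},
};
#define RT_NFIELDS (sizeof rt_field / sizeof rt_field[0])
struct rt_tx { uint16_t len; uint32_t present; uint8_t flags, rate, antenna, retries;
               int8_t tx_power; uint16_t tx_flags; };

/* Validate a radiotap header and extract the injection-relevant fields.
 * Returns the header length (= offset of the ieee80211 header), or -1 if the
 * buffer is malformed or contains a field whose size we cannot skip over. */
int radiotap_parse(const uint8_t *buf, size_t buflen, struct rt_tx *o)
{
    size_t off = 8;
    memset(o, 0, sizeof *o);
    if (buflen < 8 || buf[0] != 0) return -1;        /* version byte is always 0 */
    o->len = buf[2] | (buf[3] << 8);                 /* little-endian header length */
    if (o->len < 8 || o->len > buflen) return -1;    /* length must fit the buffer */
    o->present = buf[4] | buf[5] << 8 | buf[6] << 16 | (uint32_t)buf[7] << 24;
    if (o->present & (1u << 31)) return -1;          /* extended bitmaps: not handled here */
    for (unsigned bit = 0; bit < 31; bit++) {        /* fields follow in bit order */
        unsigned i;
        if (!(o->present & (1u << bit))) continue;
        for (i = 0; i < RT_NFIELDS && rt_field[i].bit != bit; i++) {}
        if (i == RT_NFIELDS) return -1;              /* unknown size: cannot find next field */
        off = (off + rt_field[i].align - 1) & ~(size_t)(rt_field[i].align - 1);
        if (off + rt_field[i].size > o->len) return -1; /* field would overrun the header */
        const uint8_t *p = buf + off;
        switch (bit) {
        case RT_FLAGS:        o->flags = *p; break;
        case RT_RATE:         o->rate = *p; break;       /* units of 500 kbit/s */
        case RT_DBM_TX_POWER: o->tx_power = (int8_t)*p; break;
        case RT_ANTENNA:      o->antenna = *p; break;
        case RT_TX_FLAGS:     o->tx_flags = p[0] | (p[1] << 8); break;
        case RT_DATA_RETRIES: o->retries = *p; break;
        }
        off += rt_field[i].size;
    }
    return o->len;
}
```

On the 11-byte example header given further down in this document it returns 11 with rate 0x6c, tx power 12 dBm and antenna 1. A header carrying IEEE80211_RADIOTAP_TX_FLAGS after the rate byte needs a pad byte at offset 9, because the 16-bit field is 2-byte aligned; a header whose declared length is shorter than its fields, or longer than the buffer, is rejected.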

Here is an example valid radiotap header defining some parameters::

    0x00, 0x00, // <-- radiotap version
    0x0b, 0x00, // <-- radiotap header length
    0x04, 0x0c, 0x00, 0x00, // <-- bitmap
    0x6c, // <-- rate
    0x0c, // <-- tx power
    0x01 // <-- antenna

The ieee80211 header follows immediately afterwards, looking for example like
this::

    0x08, 0x01, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x10, 0x86

Then lastly there is the payload.

After composing the packet contents, it is sent by send()-ing it to a logical
mac80211 interface that is in Monitor mode. Libpcap can also be used (which is
easier than doing the work to bind the socket to the right interface), along
the following lines::

    ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
    ...
    r = pcap_inject(ppcap, u8aSendBuffer, nLength);

You can also find a link to a complete inject application here:

https://wireless.wiki.kernel.org/en/users/Documentation/packetspammer

Andy Green <andy@warmcat.com>