.. SPDX-License-Identifier: GPL-2.0

=========================================
How to use packet injection with mac80211
=========================================

mac80211 now allows arbitrary packets to be injected down any Monitor Mode
interface from userland. The packet you inject needs to be composed in the
following format::

  [ radiotap header ]
  [ ieee80211 header ]
  [ payload ]

The radiotap format is discussed in
./Documentation/networking/radiotap-headers.txt.

Although many radiotap parameters are currently defined, most only make sense
on received packets. The following information is parsed from the radiotap
header and used to control injection:

 * IEEE80211_RADIOTAP_FLAGS

   =========================  ===========================================
   IEEE80211_RADIOTAP_F_FCS   FCS will be removed and recalculated
   IEEE80211_RADIOTAP_F_WEP   frame will be encrypted if key available
   IEEE80211_RADIOTAP_F_FRAG  frame will be fragmented if longer than the
                              current fragmentation threshold.
   =========================  ===========================================

 * IEEE80211_RADIOTAP_TX_FLAGS

   =============================  ========================================
   IEEE80211_RADIOTAP_F_TX_NOACK  frame should be sent without waiting for
                                  an ACK even if it is a unicast frame
   =============================  ========================================

 * IEEE80211_RADIOTAP_RATE

   legacy rate for the transmission (only for devices without own rate control)

 * IEEE80211_RADIOTAP_MCS

   HT rate for the transmission (only for devices without own rate control).
   Some flags are also parsed:

   ============================  ========================
   IEEE80211_RADIOTAP_MCS_SGI    use short guard interval
   IEEE80211_RADIOTAP_MCS_BW_40  send in HT40 mode
   ============================  ========================

 * IEEE80211_RADIOTAP_DATA_RETRIES

   number of retries when either IEEE80211_RADIOTAP_RATE or
   IEEE80211_RADIOTAP_MCS was used

 * IEEE80211_RADIOTAP_VHT

   VHT MCS and number of streams used in the transmission (only for devices
   without own rate control). Other fields are also parsed:

   flags field
       IEEE80211_RADIOTAP_VHT_FLAG_SGI: use short guard interval

   bandwidth field
       * 1: send using 40MHz channel width
       * 4: send using 80MHz channel width
       * 11: send using 160MHz channel width

The injection code skips all other currently defined radiotap fields, which
makes it possible to replay captured radiotap headers directly.
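As an added example that is not part of the kernel documentation, the following C function parses a radiotap header of the layout described above and refuses it unless the version, the declared length and every field offset derived from the present bitmap are consistent with the buffer; tools that consume monitor-mode captures or validate frames before injection need exactly this check. The field size and alignment tables follow the radiotap specification, and the constructed sample input is the 11-byte example header given further down in this document.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fields extracted from the header; rate is in units of 500 kbit/s,
 * so 0x6c (108) means 54 Mbit/s. */
struct rt_hdr {
    uint8_t rate, tx_power, antenna;
    int has_rate, has_tx_power, has_antenna;
};

/* Size and alignment in bytes of radiotap fields, indexed by present-bitmap
 * bit (0..21, per the radiotap specification); size 0 marks a reserved bit. */
static const uint8_t rt_size[22]  = {8,1,1,4,2,1,1,2,2,2,1,1,1,1,2,2,1,1,0,3,8,12};
static const uint8_t rt_align[22] = {8,1,1,2,2,1,1,2,2,2,1,1,1,1,2,2,1,1,0,1,4,2};

/* Parse a radiotap header at the start of buf. Returns the header length
 * (where the ieee80211 header begins) on success, or -1 when the version is
 * wrong, it_len does not fit the buffer, an undefined or extended bitmap bit
 * is set, or a present field would run past it_len. */
int parse_radiotap(const uint8_t *buf, size_t buflen, struct rt_hdr *out)
{
    memset(out, 0, sizeof(*out));
    if (buflen < 8 || buf[0] != 0)                 /* it_version must be 0 */
        return -1;
    size_t hlen = buf[2] | ((size_t)buf[3] << 8);  /* it_len, little endian */
    if (hlen < 8 || hlen > buflen)
        return -1;
    uint32_t present = buf[4] | (buf[5] << 8) | (buf[6] << 16) | ((uint32_t)buf[7] << 24);
    if (present & 0xffc00000u)                     /* bits 22-30 undefined, 31 = ext */
        return -1;
    size_t off = 8;
    for (int bit = 0; bit < 22; bit++) {
        if (!(present & (1u << bit)))
            continue;
        if (rt_size[bit] == 0)                     /* reserved bit set */
            return -1;
        off = (off + rt_align[bit] - 1) & ~(size_t)(rt_align[bit] - 1);
        if (off + rt_size[bit] > hlen)             /* field would read past it_len */
            return -1;
        if (bit == 2)  { out->rate = buf[off];     out->has_rate = 1; }
        if (bit == 10) { out->tx_power = buf[off]; out->has_tx_power = 1; }
        if (bit == 11) { out->antenna = buf[off];  out->has_antenna = 1; }
        off += rt_size[bit];
    }
    return (int)hlen;
}

/* Constructed samples: the example header from the text (bitmap bits 2, 10 and
 * 11 = rate, tx power, antenna), and the same bytes with it_len shrunk to 9 so
 * the tx power and antenna fields no longer fit inside the declared header. */
static const uint8_t example_hdr[11]   = {0x00,0x00,0x0b,0x00,0x04,0x0c,0x00,0x00,0x6c,0x0c,0x01};
static const uint8_t truncated_hdr[11] = {0x00,0x00,0x09,0x00,0x04,0x0c,0x00,0x00,0x6c,0x0c,0x01};
```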
Here is an example valid radiotap header defining some parameters::

	0x00, 0x00, // <-- radiotap version
	0x0b, 0x00, // <-- radiotap header length
	0x04, 0x0c, 0x00, 0x00, // <-- bitmap
	0x6c, // <-- rate
	0x0c, // <-- tx power
	0x01 // <-- antenna

The ieee80211 header follows immediately afterwards, looking for example like
this::

	0x08, 0x01, 0x00, 0x00,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x10, 0x86

Then lastly there is the payload.

After composing the packet contents, it is sent by send()-ing it to a logical
mac80211 interface that is in Monitor mode. Libpcap can also be used (which is
easier than doing the work to bind the socket to the right interface), along
the following lines::

	ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
	...
	r = pcap_inject(ppcap, u8aSendBuffer, nLength);

You can also find a link to a complete inject application here:

http://wireless.kernel.org/en/users/Documentation/packetspammer

Andy Green <andy@warmcat.com>