"HowTo" for injecting frames?

Andreas.Greulich at ISB.admin.ch Andreas.Greulich
Wed Jul 30 05:58:23 PDT 2003


Hi all,

I'm trying to inject frames from a Linux system (SuSE 8.2, kernel 2.4.20)
and a D-Link DWL-650 PCMCIA card (Prism2) so I'm able to send out frames
with given MAC addresses. Originally, I tried out libradiate, but could never
make it work - also it is no longer supported.

I read there's a packet injection mechanism provided in hostap (I'm using
version 0.0.3), using a wlan0ap method? Unfortunately I didn't find any
documentation about it. So I was trying to do the following, from what I
could take from a few messages:

In the hostapd directory, I created a test program which is quite a hack: it
just includes the full hostapd.c file without the main() function. In the copy
below, error handling is left out to make it shorter. Sorry for the
many #includes, I'm not sure which are really needed. Note that "radiate.h"
is just /usr/local/radiate.h from libradiate without the 2 include lines
"#include ./radiate/ieee80211.h" and "#include ./radiate/wireless.h",
because these redefine hfa384... stuff - I only need libradiate and libnet
to create a data frame, in this case a ping:
----------
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include "eloop.h"
#include "hostapd.h"
#include "ieee802_11.h"
#include "sta_info.h"
#include "ieee802_1x.h"
#include "driver.h"
#include <libnet.h>
#include "radiate.h"

<... whole hostapd.c file, without main program - skipped here ...>

char errLib[LIBNET_ERRBUF_SIZE];
char errRad[RADIATE_ERRBUF_SIZE];
/* LLC/SNAP header announcing an IPv4 (ethertype 0x0800) payload */
u_char llc_snap[8] = {0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00};

#define SNAPLEN LIBNET_802_2SNAP_H

hostapd *hapd;

int main(void)
{
    int cnt, i;
    u_char src_mac[6] = {0x00,0x05,0x5D,0xF1,0x33,0x4F}; /* this laptop (wireless) */
    u_char dst_mac[6] = {0x00,0x01,0x02,0xB7,0x12,0x04}; /* target system on (wired) ethernet behind AP */
    u_char bssid[6]   = {0x00,0x05,0x5d,0xf1,0xe2,0xcf}; /* access point bridging the nets (DWL1000) */
    u_long src_ip;
    u_long dst_ip;
    struct hfa384x_rx_frame *tx;
    radiate_t *r = radiate_init((char)0, errRad);
    libnet_t *l = libnet_init(LIBNET_RAW4_ADV, NULL, errLib);
    libnet_ptag_t ptag;
    u_long payload_s;
    u_int32_t ip_packet_s;
    u_char *payload, *ip_packet, *frame;

    if (r == NULL || l == NULL) {
        fprintf(stderr, "init failed: %s / %s\n", errRad, errLib);
        return 1;
    }

    /* bring up wlan0ap the way hostapd does; hapd->sock is its raw packet socket */
    hapd = hostapd_init("hostapd.conf");
    hostapd_setup_interface(hapd);
    dst_ip = libnet_name2addr4(l, "192.168.14.228", LIBNET_DONT_RESOLVE);
    src_ip = libnet_name2addr4(l, "192.168.14.230", LIBNET_DONT_RESOLVE);

    /* build ping packet (ICMP echo request inside IPv4); libnet fills in the checksums */
    ptag = libnet_build_icmpv4_echo(ICMP_ECHO, 0, 0, 0x0600, 0x0e00, NULL, 0, l, 0);
    ptag = libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_ICMPV4_ECHO_H, 0, 0xfe, 0, 128,
                             IPPROTO_ICMP, 0, src_ip, dst_ip, NULL, 0, l, 0);
    libnet_toggle_checksum(l, ptag, LIBNET_ON);
    ip_packet   = NULL;
    ip_packet_s = 0;
    libnet_adv_cull_packet(l, &ip_packet, &ip_packet_s);

    /* build IEEE802_11 frame: LLC/SNAP header followed by the IP packet */
    payload_s = SNAPLEN + ip_packet_s;
    payload   = malloc(payload_s);
    memcpy(payload, llc_snap, SNAPLEN);
    memcpy(payload + SNAPLEN, ip_packet, ip_packet_s);
    /* NOTE: with this argument order the dump below shows dst_mac in addr2 and
     * src_mac in addr3. For a ToDS data frame addr1 is the BSSID, addr2 the
     * sending station (SA) and addr3 the final destination (DA), which is why
     * hostapd later reports the wired host as the transmitting STA. */
    frame = radiate_build_data_frame(bssid, dst_mac, src_mac,
                                     RADIATE_DATA_STYPE_DATA, RADIATE_CTRL_TODS,
                                     payload, payload_s, r);
    tx = (struct hfa384x_rx_frame *)frame;

    /* test output: hexdump of the whole buffer, Prism2 header included */
    for (i = 0; i < sizeof(*tx) + SNAPLEN + ip_packet_s; i++) {
        printf("%02x ", (u_char)frame[i]);
        if (i % 16 == 0) printf("\n");
    }
    printf("\n");

    /* Send packet, without 14 bytes Prism2-header (it seems these must be skipped) */
    cnt = send(hapd->sock, frame + 14, sizeof(*tx) - 14 + SNAPLEN + ip_packet_s, 0);
    printf("Packet written, %d bytes\n", cnt);

    free(payload);
    libnet_adv_free_packet(l, ip_packet);
    libnet_destroy(l);
    return 0;
}
------
Compiled within the hostapd directory (after a "make" and with "hostapd.o"
removed):
  gcc -I ../driver/modules -o test test.c *.o -lradiate -lnet

As I said, it is a hack and I just want to try out if injection works. But
unfortunately it doesn't... A second laptop with Ethereal running can't see
the packets. The program produces the output:
------
Opening raw packet socket for ifindex 18
Using interface wlan0ap with hwaddr 00:05:5d:f1:33:4f and ssid 'isbsec014'
Flushing old station entries
Deauthenticate all stations
00 
00 00 00 00 00 00 00 38 f7 00 00 0e 00 08 01 74 
35 00 05 5d f1 e2 cf 00 01 02 b7 12 04 00 05 5d 
f1 33 4f 00 00 00 00 00 80 00 00 24 00 06 08 06 
00 00 00 28 00 00 00 20 36 15 40 aa aa 03 00 00 
00 08 00 45 00 00 1c 00 fe 00 00 80 01 9a c8 c0 
a8 0e e6 c0 a8 0e e4 08 00 f7 eb 00 06 00 0e 
Packet written, 82 bytes

If I set wlan0 into monitor mode (iwconfig wlan0 mode monitor), I don't
get any error messages in dmesg, but packets are not sent (ifconfig
wlan0 shows that #err-packets increased).

In master mode, I get an error message (per packet)
---
  Jul 30 16:44:56 isb1055 kernel: wlan0: Could not find STA for this TX error
---

If I additionally start "hostapd hostapd.conf" (is this needed for packet
injection..?) in verbose&dump mode, hostapd tells me (when I try to inject
my packet in parallel):
---
Received 26 bytes management frame
  dump: c0 00 00 00 ff ff ff ff ff ff 00 05 5d f1 33 4f 00 05 5d f1 33 4f 00 00 02 00
MGMT
MGMT: DA=ff:ff:ff:ff:ff:ff not our address
Received 82 bytes management frame
  dump: 08 01 74 35 00 05 5d f1 e2 cf 00 01 02 b7 12 04 00 05 5d f1 33 4f 00 00 00 00 00 80 00 00 24 00 06 08 06 00 00 00 28 00 00 00 20 36 15 40 aa aa 03 00 00 00 08 00 45 00 00 1c 00 fe 00 00 80 01 9a c8 c0 a8 0e e6 c0 a8 0e e4 08 00 f7 eb 00 06 00 0e
DATA
Data frame from not associated STA 00:01:02:b7:12:04
---

(Note that the dumped packet indeed is the same one we constructed using
libradiate above)

And finally, in managed mode, dmesg tells me:
---
Jul 30 16:48:50 isb1055 kernel: wlan0: LinkStatus=2 (Disconnected)
Jul 30 16:48:50 isb1055 kernel: wlan0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
Jul 30 16:48:50 isb1055 kernel:    retry_count=0 tx_rate=0 fc=0x00c0 (Mgmt::12)
Jul 30 16:48:50 isb1055 kernel:    A1=ff:ff:ff:ff:ff:ff A2=00:05:5d:f1:33:4f A3=00:05:5d:f1:33:4f A4=00:00:00:00:00:00
Jul 30 16:48:50 isb1055 kernel: wlan0: LinkStatus: BSSID=44:44:44:44:44:44
Jul 30 16:48:50 isb1055 kernel: wlan0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
Jul 30 16:48:50 isb1055 kernel:    retry_count=0 tx_rate=0 fc=0x0108 (Data::0 ToDS)
Jul 30 16:48:50 isb1055 kernel:    A1=00:05:5d:f1:e2:cf A2=00:01:02:b7:12:04 A3=00:05:5d:f1:33:4f A4=00:00:00:00:00:00
Jul 30 16:48:50 isb1055 kernel: wlan0: LinkStatus=1 (Connected)
Jul 30 16:48:50 isb1055 kernel: wlan0: LinkStatus: BSSID=00:05:5d:f1:e2:cf
---
(it seems it automatically disconnects from the AP while injecting the
packet, if I interpret the messages right, and re-connects).


Anyway... none of these approaches work. Maybe somebody can tell me what I'm
doing wrong? Any help (really, any :-) would be highly welcome!! Thanks in
advance,


Andy
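A self-contained version of the frame construction, added here as an example; it is not part of the original post and not code from libradiate, libnet or hostap. It builds the ToDS data frame carrying the same LLC/SNAP + IPv4 + ICMP echo request as the post's dump (same MACs and IPs, IP id 0xfe, TTL 128, ICMP id 6 / seq 14 as they appear on the wire, so the bytes from aa aa 03 through 00 06 00 0e come out identical), computes the IP and ICMP checksums itself, and puts the laptop in addr2 and the wired host in addr3 as a ToDS frame requires. The 802.11 header is the plain 24-byte one: the 22 bytes the post's dump shows between the sequence control and aa aa 03 are the addr4, data_len and 802.3 fields of the hfa384x_rx_frame layout, which no data frame carries on the air. The interface name wlan0ap and the PF_PACKET socket setup are assumptions (hostapd's "Opening raw packet socket for ifindex 18" line is consistent with one, but I have not checked its source); sending needs root and a hostap interface, so the program only prints the frame unless an interface is named on the command line.

```c
/* Added example: hand-built ToDS 802.11 data frame with an ICMP echo request.
 * Not the poster's program and not libradiate/libnet/hostap code. MACs and
 * IPs are from the post; the "wlan0ap" interface name and the PF_PACKET
 * socket setup are assumptions. Linux only (linux/if_packet.h). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* RFC 1071 one's-complement checksum; returns the value in host order. */
uint16_t inet_csum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)(data[0] << 8 | data[1]);
        data += 2;
        len -= 2;
    }
    if (len)                               /* odd trailing byte fills the high half */
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)                      /* fold the carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 24-byte 802.11 data header (ToDS) + 8 LLC/SNAP + 20 IPv4 + 8 ICMP echo
 * = 60 bytes. Multi-byte fields are written big-endian as they go on the
 * wire. Returns bytes written, or 0 if the buffer is too small. */
size_t build_icmp_echo_frame(uint8_t *out, size_t out_len,
                             const uint8_t bssid[6], const uint8_t sa[6],
                             const uint8_t da[6], const uint8_t src_ip[4],
                             const uint8_t dst_ip[4], uint16_t ip_id,
                             uint16_t icmp_id, uint16_t icmp_seq)
{
    static const uint8_t llc_snap[8] = {0xaa,0xaa,0x03,0x00,0x00,0x00,0x08,0x00};
    uint8_t *p = out, *ip, *icmp;
    uint16_t c;

    if (out_len < 60)
        return 0;
    *p++ = 0x08; *p++ = 0x01;              /* frame control: data/data, ToDS=1 */
    *p++ = 0x00; *p++ = 0x00;              /* duration/ID: left to the firmware */
    memcpy(p, bssid, 6); p += 6;           /* addr1 = BSSID (receiver for ToDS) */
    memcpy(p, sa, 6);    p += 6;           /* addr2 = SA, the transmitting station */
    memcpy(p, da, 6);    p += 6;           /* addr3 = DA, the host behind the AP */
    *p++ = 0x00; *p++ = 0x00;              /* sequence control: set by firmware */
    memcpy(p, llc_snap, 8); p += 8;        /* LLC/SNAP, ethertype 0x0800 */

    ip = p;
    ip[0] = 0x45; ip[1] = 0x00;            /* IPv4, IHL 5, TOS 0 */
    ip[2] = 0x00; ip[3] = 28;              /* total length 20 + 8 */
    ip[4] = (uint8_t)(ip_id >> 8); ip[5] = (uint8_t)ip_id;
    ip[6] = 0x00; ip[7] = 0x00;            /* no flags, no fragment offset */
    ip[8] = 128;  ip[9] = 1;               /* TTL 128, protocol ICMP */
    ip[10] = 0;   ip[11] = 0;              /* checksum placeholder */
    memcpy(ip + 12, src_ip, 4);
    memcpy(ip + 16, dst_ip, 4);
    c = inet_csum(ip, 20);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;

    icmp = ip + 20;
    icmp[0] = 8; icmp[1] = 0;              /* echo request */
    icmp[2] = 0; icmp[3] = 0;              /* checksum placeholder */
    icmp[4] = (uint8_t)(icmp_id >> 8);  icmp[5] = (uint8_t)icmp_id;
    icmp[6] = (uint8_t)(icmp_seq >> 8); icmp[7] = (uint8_t)icmp_seq;
    c = inet_csum(icmp, 8);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return 60;
}

/* Hand the raw 802.11 frame to a PF_PACKET socket bound to ifname (assumed
 * setup, needs root). Returns bytes sent or -1. */
int send_raw_80211(const char *ifname, const uint8_t *frame, size_t len)
{
    struct sockaddr_ll sll;
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    ssize_t n;

    if (fd < 0)
        return -1;
    memset(&sll, 0, sizeof(sll));
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        close(fd);
        return -1;
    }
    n = send(fd, frame, len, 0);
    close(fd);
    return (int)n;
}

int main(int argc, char **argv)
{
    /* addresses from the post: laptop (SA), wired host (DA), AP (BSSID) */
    const uint8_t sa[6]     = {0x00,0x05,0x5d,0xf1,0x33,0x4f};
    const uint8_t da[6]     = {0x00,0x01,0x02,0xb7,0x12,0x04};
    const uint8_t bssid[6]  = {0x00,0x05,0x5d,0xf1,0xe2,0xcf};
    const uint8_t src_ip[4] = {192,168,14,230}, dst_ip[4] = {192,168,14,228};
    uint8_t frame[128];
    size_t i, n = build_icmp_echo_frame(frame, sizeof frame, bssid, sa, da,
                                        src_ip, dst_ip, 0x00fe, 6, 14);

    for (i = 0; i < n; i++)
        printf("%02x%s", frame[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    if (argc > 1)                          /* e.g. ./inject wlan0ap (assumed name) */
        printf("sent %d bytes\n", send_raw_80211(argv[1], frame, n));
    return 0;
}
```

Run it without arguments and compare the last 36 bytes of the printout with the post's dump from aa aa 03 onwards: they match, including the 9a c8 IP checksum and the f7 eb ICMP checksum, so the only difference between the two frames is the 802.11 header in front.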



