packet injection questions

kala_maico at kala_maico
Thu Feb 5 04:38:33 PST 2004

Hi all,

I am running tests for my thesis work with packet injection and forging
and I have some questions:

first, my setup: I am using hostap driver 0.1.2, hostap utils 0.1.2, with
D-Link DWL-650 PCMCIA card (Prism2.5, firmware 1.3.5), running on Debian
Linux with kernel 2.4.22 (wireless extensions v15) and wireless tools 26.
For injecting packets I am using libwlan (,
which is a slightly modified copy of the hostapd code (0.1.0). Setup of
the card is as follows:

prism2_param wlan0 hostapd 1 (this enables wlan0ap device ->frames are transmitted
with function prism2_tx_80211...right?)
ifconfig wlan0ap up
iwconfig wlan0 mode monitor
prism2_param wlan0 dump 6

1) With this setup I am able to forge and send packets (using wlan0ap device)
but the bssid field is always set to 00:00:00:00:00:00 (sniffed by another
machine running ethereal on a prism2 card in monitor mode). In my case,
I am trying to forge a deauthentication frame, which is sent on the air
but (obviously) ignored by other stations. Why is this happening? Is it the
firmware that overwrites the bssid field?  I don't get any error in dmesg,
no TX nor TXEXC dump.

2) I set the card in managed mode then, making it associate to an AP. This
works. Unfortunately, the forging station is not hidden at all and easily thesis is on Intrusion Detection Systems so this is an issue
I have to be careful with

3) I turn down probe requests and automatic joining (prism2_param
host_roaming 2) and disassociate from the AP. If I send forged frames in
monitor mode I get the same behaviour as above, while in managed mode I
get a TXEXC [Discon] error in dmesg and frames are not sent. My question
is: who generates this error? Is this a software interrupt? Is there a way
to circumvent it? I tracked the sequence of calls and I found what follows:
hostap_bap_tasklet  calls prism2_txexc (which actually prints the error
in dmesg), but who calls hostap_bap_tasklet? It's set up in prism2_init_local_data,
but I couldn't track where or when it's invoked.

4) The function prism2_tx_80211 is the one which sends frames for the wlan0ap
device. Is it correct that it doesn't make any check on which mode the card
is running? This is what I understood but I wouldn't bet on it....

/Giorgio Calandriello
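The zeroed bssid field described in question 1 is exactly the kind of thing a wireless IDS would want to notice on the receiving side. As an added example (not part of the original post or of the hostap code), here is a small Python parser for the 24-byte 802.11 management header that decodes a deauthentication frame and flags a zero or unknown BSSID; the sample frame, the function names and the anomaly heuristics are all constructed for this illustration.

```python
import struct

# 802.11 frame control, byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 0x0C
ZERO_BSSID = bytes(6)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(frame):
    """Parse a management frame header; return a dict or None if not management."""
    if len(frame) < 24:
        return None
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE:
        return None
    # For management frames (To/From DS = 0): addr1 = DA, addr2 = SA, addr3 = BSSID
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info = {"subtype": subtype, "da": mac(addr1), "sa": mac(addr2),
            "bssid": mac(addr3), "seq": seq_ctl >> 4, "frag": seq_ctl & 0xF}
    if subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        # Deauth body is a single little-endian 16-bit reason code
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info

def deauth_anomalies(frame, known_bssids):
    """Constructed WIDS heuristics: list the reasons this deauth frame looks suspicious."""
    info = parse_mgmt_frame(frame)
    if info is None or info["subtype"] != DEAUTH_SUBTYPE:
        return []
    flags = []
    if info["bssid"] == mac(ZERO_BSSID):
        flags.append("zero-bssid")        # what the forged frames above looked like
    elif info["bssid"] not in known_bssids:
        flags.append("unknown-bssid")     # not one of the APs we monitor
    if info["da"] == BROADCAST:
        flags.append("broadcast-deauth")  # deauth to everyone at once
    return flags

# Constructed sample: deauth (fc0 = 0xC0), DA broadcast, SA 02:00:00:00:00:01,
# BSSID all zeros, sequence control 0, reason code 7 (class 3 frame from non-associated STA)
SAMPLE = (bytes([0xC0, 0x00, 0x00, 0x00]) + b"\xff" * 6
          + bytes.fromhex("020000000001") + ZERO_BSSID + b"\x00\x00" + struct.pack("<H", 7))

if __name__ == "__main__":
    print(parse_mgmt_frame(SAMPLE), deauth_anomalies(SAMPLE, {"02:00:00:00:00:01"}))
```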

