Cannot understand 802.11 Data Frame format in PcapNG file


Problem description

I have PcapNG files created by Wireshark, which I try to parse with python-pcapng.

However, I cannot figure out how to reconcile the output I receive from FileScanner's packet_payload_info with the 802.11 Data frame format:

This is the output I get (my code is at the bottom):

magic_number 0xa0d0d0a
SectionHeader(version_major=1, version_minor=0, section_length=-1, options=Options({'shb_userappl': [u'Dumpcap 1.12.4 (v1.12.4-0-gb4861da from master-1.12)'], 'shb_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)']}))

magic_number 0x1
InterfaceDescription(link_type=127, reserved='\x00\x00', snaplen=262144, options=Options({'if_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)'], 'if_tsresol': [6], 'if_name': [u'en1']}))

magic_number 0x6
EnhancedPacket(interface_id=0, timestamp_high=332139, timestamp_low=2801116064L, packet_payload_info=(45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12'), options=Options({}))

packet_payload_info      : (45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12') 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12 

packet_payload_data (bin): 00000000 00000000 00011001 00000000 01101111 00001000 00000000 00000000 01100000 01001001 10110010 00100110 00000000 00000000 00000000 00000000 00010010 00011000 01110001 00010110 01000000 00000001 10110001 10101010 00000000 10110100 00000000 10010000 00000000 11110100 00001111 00011011 10111000 01110011 01001100 01100000 10010010 00010111 00110101 00000000 00000001 11100011 11001111 00000000 00010010

Could you tell me where the packet_payload_data fits in the 802.11 Data frame?

  • i.e., where does its first byte fit in the frame

Python code:

#!/usr/bin/env python
# Python 2 script: print statements, and the payload arrives as a str

from pcapng import FileScanner

def hex_str_to_num(hex_str, out_format='X'):
    """Render each byte of the payload as hex ('X') or as 8-bit binary ('b')."""
    if out_format.upper() == 'B':
        return ' '.join(format(ord(x), out_format).zfill(8) for x in hex_str)
    else:
        return ' '.join(format(ord(x), out_format).zfill(2) for x in hex_str)


PCAPNG = "/cygdrive/c/tmp/trace3.pcapng"
MAX = 3                  # stop after this many blocks
ENHANCEDPACKET_ID = 6    # block type of an Enhanced Packet Block

with open(PCAPNG, "rb") as pcapng_file:   # binary mode: pcapng is a binary format
    scanner = FileScanner(pcapng_file)
    counter = MAX
    for block in scanner:
        print
        print "magic_number", hex(block.magic_number)
        print block

        if block.magic_number == ENHANCEDPACKET_ID:
            print
            payload_data = block.packet_payload_info[2]
            print "packet_payload_info      :", block.packet_payload_info, "\n"
            print "packet_payload_data (hex):", hex_str_to_num(payload_data, "X"), "\n"
            print "packet_payload_data (bin):", hex_str_to_num(payload_data, "b")

        counter -= 1
        if not counter:
            break


EDIT 1:

If I print several EnhancedPacket's packet_payload_data, I notice that all of them start with 00 00 19 00 6F 08 00 00. Now, the 08 is the data frame marker, which makes me suspect that the packet_payload_data isn't just the payload data, but also includes the Frame control bits.

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 49 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 09 4A B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 C0 23 FF FF FF FF FF FF FF FF 58 D0 59 5C
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 5F 51 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 B4 00 1C 1B F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 86 51 B2 26 00 00 00 00 12 6C 71 16 40 01 CA AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 EE 53 B2 26 00 00 00 00 12 6C 71 16 40 01 B1 AA 00 B4 00 74 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 15 54 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 98 56 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 AB 00 74 00 F4 0F 1B B8 73 3C E4 44 DF 67 09 14 3A 0A 24 04
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 C0 56 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 E8 58 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 1B 59 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 59 B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 D0 23 FF FF FF FF FF FF FF FF B0 51 F7 7B
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 A0 69 B2 26 00 00 00 00 12 6C 71 16 40 01 C6 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 17 6A B2 26 00 00 00 00 12 6C 71 16 40 01 C5 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7
      


Recommended answer

First of all, do not assume that, just because you captured on an 802.11 interface, the frame data begins with an 802.11 header. It might begin with a "radio metadata" header, for example, with the 802.11 header following it.

ALL programs that read pcap-ng files must:


  • read all the Interface Description Blocks and remember, at minimum, the ordinal number of each IDB (which is used later as the interface ID) and the LinkType value for that interface;

  • when processing a packet block, look up the LinkType value of the interface with the given interface ID, and use that value to interpret the raw packet data.

The official list of LinkType values indicates what the values are and how the packet data should be interpreted for that value. Never ever ever ever ever ever ever assume what the packet data will look like; always check the LinkType value.

(This applies to pcap files as well; always check the file's link-layer header type.)

Now, note that 00 00 19 00 6F 08 00 00 could possibly be the beginning of a radiotap header, with a version value of 0, pad byte of 0, and little-endian length of 25 bytes, with the first presence-bit word being 0x0000086F. That presence-bit word would say that the fields that are present would be TSFT (8 bytes), Flags (1 byte), Rate (1 byte), Channel (4 bytes), Antenna signal (1 byte), Antenna noise (1 byte), and Antenna (1 byte). The version, pad byte, length, and presence bit word are 8 bytes, for a total of 8+8+1+1+4+1+1+1 = 25 bytes.

So I would most definitely NOT assume that you're looking at an 802.11 header! You must check the LinkType; if it's 127 (LINKTYPE_IEEE802_11_RADIOTAP), the packets begin with a radiotap header, followed by an 802.11 header. If it's 105 (LINKTYPE_IEEE802_11), they begin with an 802.11 header.

The 802.11 header, whether it follows the radiotap (or other radio metadata) header or is at the beginning of the raw packet data, is a raw 802.11 header, so it begins with a Frame Control field, followed by Duration, and so on.
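To make the answer's advice concrete, here is an added Python 3 example (not code from the question, the answer, or python-pcapng) that takes the raw packet bytes together with the interface's LinkType, parses the radiotap preamble only when the LinkType is 127, and then decodes Frame Control from the 802.11 header that follows. Run on the first packet from the question, it finds the 25-byte radiotap header the answer describes and a control frame of subtype 11 (an RTS), so the 08 the asker spotted is part of the radiotap presence word, not a Frame Control byte.

```python
import struct

LINKTYPE_IEEE802_11 = 105            # raw 802.11 header comes first
LINKTYPE_IEEE802_11_RADIOTAP = 127   # radiotap header, then the 802.11 header

# Radiotap presence-bit numbers -> field names (first presence word only)
RADIOTAP_FIELDS = {
    0: "TSFT", 1: "Flags", 2: "Rate", 3: "Channel", 4: "FHSS",
    5: "dBm Antenna Signal", 6: "dBm Antenna Noise", 7: "Lock Quality",
    8: "TX Attenuation", 9: "dB TX Attenuation", 10: "dBm TX Power",
    11: "Antenna", 12: "dB Antenna Signal", 13: "dB Antenna Noise",
}
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# The 45-byte EnhancedPacket payload from the question, re-entered as bytes
SAMPLE = bytes.fromhex(
    "00001900" "6f080000" "6049b22600000000" "12" "18" "71164001" "b1" "aa" "00"
    "b400" "9000" "f40f1bb8734c" "609217350001" "e3cf0012")

def parse_radiotap(data):
    """Return (header_length, names of fields flagged in the first presence word).
    The length field, not the field list, says where the 802.11 header starts."""
    if len(data) < 8:
        raise ValueError("too short for a radiotap header")
    version, _pad, length = struct.unpack_from("<BBH", data, 0)   # little-endian
    if version != 0 or length > len(data):
        raise ValueError("not a valid radiotap header")
    (present,) = struct.unpack_from("<I", data, 4)
    names = [RADIOTAP_FIELDS.get(b, "bit%d" % b) for b in range(31) if present >> b & 1]
    offset = 8
    while present & (1 << 31):       # bit 31: another presence word follows
        (present,) = struct.unpack_from("<I", data, offset)
        offset += 4
    if offset > length:
        raise ValueError("presence words overrun the declared header length")
    return length, names

def frame_control(data, link_type):
    """Skip whatever the LinkType says precedes the 802.11 header, then decode
    Frame Control (protocol version, type, subtype) and Duration from it."""
    if link_type == LINKTYPE_IEEE802_11_RADIOTAP:
        offset, _ = parse_radiotap(data)
    elif link_type == LINKTYPE_IEEE802_11:
        offset = 0
    else:
        raise ValueError("LinkType %d does not carry 802.11 frames" % link_type)
    fc, duration = struct.unpack_from("<HH", data, offset)   # both little-endian
    return {"offset": offset, "version": fc & 0x3,
            "type": FRAME_TYPES[(fc >> 2) & 0x3], "subtype": (fc >> 4) & 0xF,
            "duration": duration}
```

The link_type argument is the one from the InterfaceDescription block that the packet's interface_id refers to (link_type=127 in the output above); a capture with LinkType 105 is handed straight to the Frame Control decoder with no radiotap skip.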
