为什么即使在无线设备上，pcap_datalink()总是返回1(以太网)? [英] Why is pcap_datalink() always returning 1 (Ethernet), even on wireless device?

问题描述

我遇到一个问题，其中pcap_datalink()总是返回1.据我了解，这是LINKTYPE_ETHERNET.但是，我使用的设备是无线网卡，在我的情况下是en0.

I'm having an issue where by pcap_datalink() is always returning 1. To my understanding this is LINKTYPE_ETHERNET. But, the device I am using is a wireless card and in my case en0.

这使我无法将卡置于监视模式，并且使我的WLAN过滤器无法工作.我试图在OSX和Linux上运行此程序，但结果相同.我也以root身份运行.

This is stopping me from putting the card into monitor mode, and stopping my WLAN filters from working. I've tried to run this on both OSX and Linux with the same results. I also run as root.

这是导致问题的代码的一部分.例如，假设dev设置为en0(在Mac上为无线设备).

Here's the part of my code that's causing the problem. For the example, assume dev is set to en0 (wireless device on Mac).

#include <stdio.h>
#include <pcap.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    pcap_t *pcap_h;
    char *dev, errbuf[PCAP_ERRBUF_SIZE];
    struct bpf_program fp;
    struct pcap_pkthdr header;
    const u_char *packet;

    if(argc < 2)
    {
        printf("Usage: %s device\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    dev = argv[1];

    if((pcap_h = pcap_create(dev, errbuf)) == NULL)
    {
        printf("pcap_create() failed: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }

    if(pcap_can_set_rfmon(pcap_h) == 0)
    {
        printf("Monitor mode can not be set.\n");
    }

    if(pcap_set_rfmon(pcap_h, 1) != 0)
    {
        printf("Failed to set monitor mode.\n");
        exit(EXIT_FAILURE);
    }

    if(pcap_activate(pcap_h) != 0)
    {
        printf("pcap_activate() failed\n");
        exit(EXIT_FAILURE);
    }

    /*
     * Compile a filter to sniff 802.11 probe requests
     * Filter: type mgt subtype probe-req
     */ 
    if(pcap_compile(pcap_h, &fp, "type mgt subtype probe-req", 0, PCAP_NETMASK_UNKNOWN) == -1)
    {
        printf("pcap_compile() failed: %s\n", pcap_geterr(pcap_h));
        exit(EXIT_FAILURE);
    }

    /*
     * Set the compiled filter
     */ 
    if(pcap_setfilter(pcap_h, &fp) == -1)
    {
        printf("pcap_setfilter() failed: %s\n", pcap_geterr(pcap_h));
        exit(EXIT_FAILURE);
    }

    pcap_freecode(&fp);

    packet = pcap_next(pcap_h, &header);

    printf("Header: %d\n", header.len); 
    pcap_close(pcap_h);
    return 0;
}

任何想法都是为什么pcap_datalink()总是返回1吗?

Any idea's why pcap_datalink() is always returning 1?

修改

更新了代码，并在调用pcap_activate()之前添加了pcap_set_rfmon().我收到错误消息:

Updated code, and added pcap_set_rfmon() before the call to pcap_activate(). I get an error:

pcap_compile() failed: 802.11 link-layer types supported only on 802.11

推荐答案

您是 shure 吗?这是在阻止您将卡置于监视模式，并停止WLAN过滤器工作，或者您是否通过调用pcap_datalink()来检查该问题的位置?

Are you shure this is what's is stopping you from putting the card into monitor mode, and stopping your WLAN filters from working, or do you do this call to pcap_datalink() as a check trying to pinpoint the issue?

请注意，从PCAP-LINKTYPE(7):

Be aware that, from PCAP-LINKTYPE(7):

对于实时捕获或``保存文件''，libpcap提供了 pcap_datalink(3PCAP)例程的返回值，该值是 指示位于开头的链路层报头的类型 它提供的数据包.这不一定是链路层的类型 捕获的数据包在网络上具有的标头 他们被捕获了；例如，来自IEEE 802.11的数据包 libpcap可能会提供网络，并带有以太网标头 网络适​​配器或网络适配器驱动程序从 802.11标头.

For a live capture or ``savefile'', libpcap supplies, as the return value of the pcap_datalink(3PCAP) routine, a value that indicates the type of link-layer header at the beginning of the packets it provides. This is not necessarily the type of link-layer header that the packets being captured have on the network from which they're being captured; for example, packets from an IEEE 802.11 network might be provided by libpcap with Ethernet headers that the network adapter or the network adapter driver generates from the 802.11 headers.

因此，我不会将此LINKTYPE_ETHERNET/DLT_EN10MB返回值视为此处出现问题的肯定指示.

So I would not take this LINKTYPE_ETHERNET / DLT_EN10MB return value as the sure indication of a problem here.

另外，应该在激活句柄之前 调用pcap_set_rfmon()，这在您的代码中不可见.

Also, pcap_set_rfmon() is supposed to be call before the handle is activated, which is not visible in your code.

pcap对于应该完成的顺序相当敏感.看看pcap_can_set_rfmon和pcap_set_rfmon的手册页.

pcap is rather touchy about the order things should be done. Have a look at the man pages for pcap_can_set_rfmon and pcap_set_rfmon.

顺序应为:

• pcap_create
• pcap_can_set_rfmon
• pcap_set_rfmon(如果到目前为止还不错)
• 然后只有那时，pcap_activate

这篇关于为什么即使在无线设备上，pcap_datalink()总是返回1(以太网)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！