[Snort-devel] 802.11 decoding

Nick Petroni npetroni at ...1103...
Mon Jan 28 11:15:03 EST 2002

I'm not sure if this is something that is desirable for inclusion in the
source tree in part, in entirety, or not at all, but I have two patches
for decoding the 802.11 MAC layer that seem to be working well. The first
simply provides support to sniff with an 802.11 card in RFMON and
provides no added functionality at higher layers. The second provides
all of the functionality of the first plus decodes for EAPOL and EAP
authentication protocols (used in 802.1x). The patches can be found at
http://www.cs.umd.edu/~npetroni/snort_80211_patch and the second at
http://www.cs.umd.edu/~npetroni/snort_eapol_patch. A list of changes
is as follows:

1. New functions DecodeIEEE80211Pkt, DecodeEAP, DecodeEapol,
PrintEapolPkt, PrintEapolHeader, PrintEAPHdr, and PrintWifiHeader
2. Additions of the necessary structures and #defines
3. A necessary change to PrintArpHeader to check the MAC type before
comparing src and dst addresses
4. Some updates to pc to do some wireless accounting and an added section
to DropStats

Please let me know if this or some variation of it would be useful.


Nick L. Petroni, Jr.
Graduate Student, Computer Science
University of Maryland

