Python 802.11 parser from raw socket


Working on an 802.11 parser from a raw socket. The purpose of the parser is to determine how much of the packet to keep for further processing. Only layer 2 is being saved; all of layer 3 and above is stripped. All is well until the security portion. WEP has a 4-byte 'header' and TKIP and CCMP have an 8-byte header. I'm looking for an algorithm to determine if the frame has a WEP or a TKIP/CCMP header but cannot find any on Google. I only need to determine if WEP is being used, or if TKIP or CCMP is being used. Obviously I have to do so using the first 4 bytes of the security 'header'.

The only thing I have been able to find is in dot11.py from impacket, which says: " Now we must differentiate between WEP and WPA/WPA2 WPA/WPA2 have the ExtIV (Bit 5) enaled and WEP disabled " (SIC).

import struct

def protected_frame_len(frame, macSz, flags):
    # macSz is the current determination of the mac frame size (n)
    if flags['protected']:
        # pf flag is set
        sec = frame[macSz:macSz+4] # get first 4 bytes of msdu
        bs = struct.unpack("=4B", sec)
        # wep test case returns bs = (231, 1, 0, 0)
        # ccmp test case returns bs = (2, 0, 79, 222)

        if bs[3] & 0x20:
            # using TKIP/CCMP (ExtIV bit set in the 4th byte)
            macSz += 8
        else:
            # using WEP
            macSz += 4
    return macSz

I can't find any literature to confirm this statement, and the above code is either wrong on my part or does not work, as in most cases it considers everything to be WEP. What I can find is that the 5th bit of byte 4 in the WEP header should be a pad bit; in TKIP it is Reserved and in CCMP it is part of PN2.

My question is: did I code this wrong (which I don't think), or is this not the right way to determine WEP or not, and if the latter, does anyone know a working algorithm? I'm not an expert on cryptology.

Before saying "use scapy": this may be an option during final processing but is not an option at this point, as it consumes too much overhead and drops packets. I only want to determine the size of the packet at layer 2, including unencrypted security headers, to pass on for further processing.

EDIT 1: According to this link http://www.xirrus.com/cdn/pdf/wifi-demystified/documents_posters_encryption_plotter there should be a 1-bit Extended IV at bit 5 (zero-indexed) of the 4th byte, and in both CCMP and TKIP this bit is set. However, I still cannot get the above code to work. It does seem to identify TKIP but still classifies CCMP as WEP, so there must be something in my byte ordering. I'll continue to look into it.

EDIT 2: So it looks like it was byte ordering. I had been using packets captured in Wireshark by copying the hex to test on. When I used a raw socket, it works.


There are 0 answers
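A worked version of the check described in the question, added here as an example (it is not the poster's code and not impacket's): it computes the data-frame MAC header length from the Frame Control field, reads the ExtIV bit from the 4th cleartext byte after the header, and shows with constructed frames how reversing those 4 bytes (the byte-ordering mistake from EDIT 2) makes CCMP look like WEP. All function names, constants and sample frames are assumed or constructed for the example.

```python
import struct

EXT_IV = 0x20          # bit 5 of the 4th security-header byte (KeyID byte)
FC_PROTECTED = 0x4000  # Protected Frame bit in Frame Control
FC_TO_DS, FC_FROM_DS, FC_ORDER = 0x0100, 0x0200, 0x8000

def mac_header_len(frame: bytes) -> int:
    """Length of the 802.11 MAC header for a data frame, from Frame Control."""
    fc = struct.unpack("<H", frame[:2])[0]        # FC is little-endian on the wire
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("only data frames are handled here")
    n = 24                                        # FC, Duration, Addr1-3, SeqCtl
    if fc & FC_TO_DS and fc & FC_FROM_DS:
        n += 6                                    # Address 4 (4-address frame)
    if (fc >> 4) & 0x8:                           # QoS data subtypes
        n += 2                                    # QoS Control
        if fc & FC_ORDER:
            n += 4                                # HT Control
    return n

def security_header_len(sec4: bytes) -> int:
    """4 for WEP, 8 for TKIP/CCMP, from the first 4 cleartext bytes after the MAC header."""
    if len(sec4) < 4:
        raise ValueError("need 4 bytes of security header")
    b3 = struct.unpack("=4B", sec4[:4])[3]
    return 8 if b3 & EXT_IV else 4

def l2_keep_len(frame: bytes) -> int:
    """Bytes to keep: MAC header plus the unencrypted WEP/TKIP/CCMP header."""
    fc = struct.unpack("<H", frame[:2])[0]
    n = mac_header_len(frame)
    if fc & FC_PROTECTED:
        n += security_header_len(frame[n:n + 4])
    return n

# Constructed sample frames (not real captures): data frame, From-DS, Protected.
MAC_HDR = b"\x08\x42" + b"\x00\x00" + bytes(18) + b"\x10\x00"   # FC 0x4208, 24 bytes
WEP_HDR = bytes([231, 1, 0, 0])                                  # IV + KeyID byte, ExtIV clear
CCMP_HDR = bytes([2, 0, 0, 0x20]) + bytes([0, 0, 0, 1])          # PN0 PN1 rsvd KeyID|ExtIV, PN2..PN5
WEP_FRAME = MAC_HDR + WEP_HDR + b"\xAA" * 16
CCMP_FRAME = MAC_HDR + CCMP_HDR + b"\xBB" * 16

if __name__ == "__main__":
    print(l2_keep_len(WEP_FRAME), l2_keep_len(CCMP_FRAME))       # 28 32
    # Reversing the 4 bytes (e.g. a hex dump pasted in the wrong order)
    # moves the ExtIV bit into byte 0, so CCMP is misclassified as WEP:
    print(security_header_len(CCMP_HDR[:4][::-1]))               # 4
```

The classification only works on the on-the-wire byte order, which is what a raw socket delivers; anything reassembled from a hex dump has to preserve that order.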