Documentation/networking/mac80211-injection.txt - kernel/common - Git at Google

 How to use packet injection with mac80211
 =========================================

 mac80211 now allows arbitrary packets to be injected down any Monitor Mode
 interface from userland.  The packet you inject needs to be composed in the
 following format:

  [ radiotap header  ]
  [ ieee80211 header ]
  [ payload ]

 The radiotap format is discussed in
 ./Documentation/networking/radiotap-headers.txt.

 Despite 13 radiotap argument types are currently defined, most only make sense
 to appear on received packets.  The following information is parsed from the
 radiotap headers and used to control injection:

  * IEEE80211_RADIOTAP_RATE

    rate in 500kbps units, automatic if invalid or not present


  * IEEE80211_RADIOTAP_ANTENNA

    antenna to use, automatic if not present


  * IEEE80211_RADIOTAP_DBM_TX_POWER

    transmit power in dBm, automatic if not present


  * IEEE80211_RADIOTAP_FLAGS

    IEEE80211_RADIOTAP_F_FCS: FCS will be removed and recalculated
    IEEE80211_RADIOTAP_F_WEP: frame will be encrypted if key available
    IEEE80211_RADIOTAP_F_FRAG: frame will be fragmented if longer than the
 			      current fragmentation threshold. Note that
 			      this flag is only reliable when software
 			      fragmentation is enabled)

 The injection code can also skip all other currently defined radiotap fields
 facilitating replay of captured radiotap headers directly.

 Here is an example valid radiotap header defining these three parameters

 	0x00, 0x00, // <-- radiotap version
 	0x0b, 0x00, // <- radiotap header length
 	0x04, 0x0c, 0x00, 0x00, // <-- bitmap
 	0x6c, // <-- rate
 	0x0c, //<-- tx power
 	0x01 //<-- antenna

 The ieee80211 header follows immediately afterwards, looking for example like
 this:

 	0x08, 0x01, 0x00, 0x00,
 	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
 	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
 	0x10, 0x86

 Then lastly there is the payload.

 After composing the packet contents, it is sent by send()-ing it to a logical
 mac80211 interface that is in Monitor mode.  Libpcap can also be used,
 (which is easier than doing the work to bind the socket to the right
 interface), along the following lines:

 	ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
 ...
 	r = pcap_inject(ppcap, u8aSendBuffer, nLength);

 You can also find sources for a complete inject test applet here:

 http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer

 Andy Green <[email protected]>
	How to use packet injection with mac80211
	=========================================

	mac80211 now allows arbitrary packets to be injected down any Monitor Mode
	interface from userland. The packet you inject needs to be composed in the
	following format:

	[ radiotap header ]
	[ ieee80211 header ]
	[ payload ]

	The radiotap format is discussed in
	./Documentation/networking/radiotap-headers.txt.

	Despite 13 radiotap argument types are currently defined, most only make sense
	to appear on received packets. The following information is parsed from the
	radiotap headers and used to control injection:

	* IEEE80211_RADIOTAP_RATE

	rate in 500kbps units, automatic if invalid or not present


	* IEEE80211_RADIOTAP_ANTENNA

	antenna to use, automatic if not present


	* IEEE80211_RADIOTAP_DBM_TX_POWER

	transmit power in dBm, automatic if not present


	* IEEE80211_RADIOTAP_FLAGS

	IEEE80211_RADIOTAP_F_FCS: FCS will be removed and recalculated
	IEEE80211_RADIOTAP_F_WEP: frame will be encrypted if key available
	IEEE80211_RADIOTAP_F_FRAG: frame will be fragmented if longer than the
	current fragmentation threshold. Note that
	this flag is only reliable when software
	fragmentation is enabled)

	The injection code can also skip all other currently defined radiotap fields
	facilitating replay of captured radiotap headers directly.

	Here is an example valid radiotap header defining these three parameters

	0x00, 0x00, // <-- radiotap version
	0x0b, 0x00, // <- radiotap header length
	0x04, 0x0c, 0x00, 0x00, // <-- bitmap
	0x6c, // <-- rate
	0x0c, //<-- tx power
	0x01 //<-- antenna

	The ieee80211 header follows immediately afterwards, looking for example like
	this:

	0x08, 0x01, 0x00, 0x00,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x10, 0x86

	Then lastly there is the payload.

	After composing the packet contents, it is sent by send()-ing it to a logical
	mac80211 interface that is in Monitor mode. Libpcap can also be used,
	(which is easier than doing the work to bind the socket to the right
	interface), along the following lines:

	ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
	...
	r = pcap_inject(ppcap, u8aSendBuffer, nLength);

	You can also find sources for a complete inject test applet here:

	http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer

	Andy Green <[email protected]>