Parsing Dot11 Management Frame with multiple Vendor Specific fields

[Scott Hutchinson]

Hello again,

I am trying to determine the encryption type of a connection through Beacon PDUs. 

Most of the time, a Beacon frame contains a RSN tagged parameter which can be used to derive the encryption/cypher data, but in some cases the RSN field is not present. I have found that in this case there is usually a vendor specific capability tag visible in wireshark that can be used to derive the encryption type. 

I am trying to access this tag using the "vendor_specific" getter function of the Dot11ManagementFrame class. This function returns the "Broadcom" vendor specific data that is just before the  WPA information that I am after.

I was wondering if this class is able to parse multiple Vendor Specific data structures, or will I need to access the data from the raw buffer? Also, have I overlooked a helper function that exists in the library that can automatically determine the encryption type of a packet?

I have provided a PCAP for this partiular packet if it helps.

Regards,

Scott

[Scott Hutchinson]

Supplying a quick code dump that I am using to read, extract and print the data incase it helps.

#include <tins/tins.h>

#include <iostream>

int main()

{

const char* PCAP_PATH = "WPA-Packet.pcap";

Tins::FileSniffer sniffer(PCAP_PATH);

const Tins::Packet& packet = sniffer.next_packet();

auto& beacon = packet.pdu()->rfind_pdu<Tins::Dot11Beacon>();

if (beacon.search_option(Tins::Dot11::OptionTypes::VENDOR_SPECIFIC))

{

auto vst = beacon.vendor_specific();

std::cout << vst.oui.to_string() << std::endl;

for(size_t i = 0; i < vst.data.size(); i++) {

if (i % 16 == 0) printf("\n");

printf("%x ", vst.data[i]);

}

}

}

[Anton Andrewson]

I have run into this exact same issue where there are multiple vendor-specific tags and I need to access the 3rd one, not the first one. Is there a vendor_specific() member function that returns a vector so we can iterate to the appropriate tag?

[Bill Egert]

I too am really interested in this ability within libtins!

On Thursday, October 4, 2018 at 3:36:27 AM UTC-4, Scott Hutchinson wrote:

[Scott Elliott]

I was trying to send my own custom vendor tags in beacons and found the output very problematic.  I assumed it was the drive so I posted the issues here https://forum.aircrack-ng.org/index.php/topic,4667.0.html  looking for a driver fix.  Not sure if it is exactly the same thing you are seeing.  I was using a RTL8812AU dongle on a RPi3.  I suspected building the output in pcap had buffer overruns and that what I was seeing captured on my PC was correct (scruzled in the wireshark capture).  Perhaps I had it backwards and the problem lies in the capture side.  This is a major pain point for me too.

[Scott Elliott]

....Specifically, what I was seeing was that some of the lengths on the Information Elements were wildly of the wrong length and that was causing wireshark major heart burn

--
You received this message because you are subscribed to the Google Groups "libtins" group.
To unsubscribe from this group and stop receiving emails from it, send an email to libtins+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/libtins/e0a19952-ccef-4896-ba2a-6f1173755715%40googlegroups.com.

[Bill Egert]

Seeing something slightly different I guess.  In wireshark I can clearly see 2 distinct and proper vendor tags, but libtins just seems to grab the first one with no way to get any following.

To unsubscribe from this group and stop receiving emails from it, send an email to lib...@googlegroups.com.

[Scott Elliott]

I've had no trouble seeing multiple Vendor Elements from grabs using my MAC's or HP PC's wifi card.  Just to wildly guess again, but it sounds like pcap interface to monitor mode in the drivers may not be quite so standard.  Monitor mode is probably not tested too deeply - I can imaging delaying a product because some corner cases failed in in monitor mode.

To unsubscribe from this group and stop receiving emails from it, send an email to libtins+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/libtins/16d52292-0b88-4c6d-9bc3-1a5726789176%40googlegroups.com.

[Scott Elliott]

Has anyone found a way to retrieve other than the first Vendor element in dot11 (2nd 3rd, etc Vendor Element)?  I know I have multiple Vendor Elements as I'm using captured files and I can see them in WireShark. 

There seems to be some private iterator functions that search_option() uses in libtins/src/dot11/dot11_base.cpp.  I'm just starting to dig into the code, but it looks like Vectors might be used underneath all of this??  

Would really value any suggesting or examples.  

Thx

-s

On Friday, May 22, 2020 at 1:10:52 PM UTC-7, Bill Egert wrote:

[Bill Egert]

My Approach:

Tins::Dot11ManagementFrame frame;

try

{

  using TMGMT = Tins::Dot11ManagementFrame;

  const TMGMT::vendor_specific_type::oui_type my_oui = {"12:34:56"};

  auto opts = frame.options();

  std::for_each(opts.cbegin(), opts.cend(),

    [&](const Tins::Dot11::option& opt){

      if (opt.option() == Tins::Dot11::VENDOR_SPECIFIC) {

        auto v = TMGMT::vendor_specific_type::from_bytes (opt.data_ptr(), opt.data_size());

        if (v.oui == my_oui) { //Do Stuff

[Scott Elliott]

Bill,

Brilliant code snippet.  I had hoped for something like this, but could not find the starting point to iterate over.  I would have headed-off on a much more difficult direction. You saved me a world of pain.

Greatly appreciated,

-scott