[PATCH 0/2] Radiotap on Monitor Mode interfaces for rx and tx

[PATCH 0/2] Radiotap on Monitor Mode interfaces for rx and tx

[andy]

Hi folks -

This pair of patches change the Monitor Mode wireless interfaces to use radiotap
both for monitoring and for packet injection.  The monitoring side is done by a patch
from Michael Wu.  Tcpdump knows how to handle the result.

For injecting packets, the you issue a packet using libpcap or a SOCK_PACKET
socket down an interface to the wireless device that is in Monitor Mode.  The packet
has a normal radiotap header prepended to the IEEE80211 header.  The radiotap header
is variable length depending on what the user wants to specify, currently the
transmit rate, power and antenna can be specified using normal radiotap semantics.
Any other entries are skipped.

A usermode app packetspammer is available from here

http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer

which allows easy injection of these packets from the commandline.  At the moment it
loops issuing packets at a variety of rates which can be seen from another
machine's monitor mode interface on the same channel.  There are instructions for
build and using it on the page above.

Currently it has been tested for both rx and tx using zd1211rw-mac80211 and works
except for 1Mbps TX (54Mbps - 2Mbps works) and the rx radiotap rate is not shown in
tcpdump.

The patches should be based against wireless-dev.

-- 

[PATCH 1/2] mac80211: Add radiotap support

[andy]

From: Michael Wu <flamingice@sourmilk.net>


---

 include/net/mac80211.h         |    3 ++
 net/mac80211/ieee80211.c       |   69 +++++++++++++++++++++++++++++++++-------
 net/mac80211/ieee80211_iface.c |    2 +
 3 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 916b21b..050f126 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -529,6 +529,9 @@ struct ieee80211_hw {
 	 * per-packet RC4 key with each TX frame when doing hwcrypto */
 #define IEEE80211_HW_TKIP_REQ_PHASE2_KEY (1<<14)
 
+	/* Driver supports radiotap. Temporary until all drivers support it. */
+#define IEEE80211_HW_RADIOTAP_SUPPORTED (1<<20)
+
 	u32 flags;			/* hardware flags defined above */
 
 	/* Set to the size of a needed device specific skb headroom for TX skbs. */
diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
index 0b7cb35..c3a9f0e 100644
--- a/net/mac80211/ieee80211.c
+++ b/net/mac80211/ieee80211.c
@@ -8,6 +8,7 @@
  */
 
 #include <net/mac80211.h>
+#include <net/ieee80211_radiotap.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/netdevice.h>
@@ -286,6 +287,14 @@ int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
 }
 EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
 
+static int ieee80211_get_radiotap_len(struct sk_buff *skb)
+{
+	struct ieee80211_radiotap_header *hdr =
+		(struct ieee80211_radiotap_header *) skb->data;
+
+	return le16_to_cpu(hdr->it_len);
+}
+
 #ifdef CONFIG_MAC80211_LOWTX_FRAME_DUMP
 static void ieee80211_dump_frame(const char *ifname, const char *title,
 				 const struct sk_buff *skb)
@@ -2741,26 +2750,50 @@ ieee80211_rx_monitor(struct net_device *dev, struct sk_buff *skb,
 		     struct ieee80211_rx_status *status)
 {
 	struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
-	struct ieee80211_frame_info *fi;
 	struct ieee80211_sub_if_data *sdata;
-	const size_t hlen = sizeof(struct ieee80211_frame_info)
-				- sizeof(fi->msg_type);
+	struct ieee80211_rtap_hdr {
+		struct ieee80211_radiotap_header hdr;
+		u8 flags;
+		u8 pad0;
+		u8 rate;
+		u8 pad1;
+		__le16 chan_freq;
+		__le16 chan_flags;
+		u8 antsignal;
+	} __attribute__ ((packed)) *rthdr;
 
 	skb->dev = dev;
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (skb_headroom(skb) < hlen) {
-		I802_DEBUG_INC(local->rx_expand_skb_head);
-		if (pskb_expand_head(skb, hlen, 0, GFP_ATOMIC)) {
-			dev_kfree_skb(skb);
-			return;
+	if (!(local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED)) {
+		if (skb_headroom(skb) < sizeof(*rthdr)) {
+			I802_DEBUG_INC(local->rx_expand_skb_head);
+			if (pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) {
+				dev_kfree_skb(skb);
+				return;
+			}
 		}
-	}
 
-	fi = (struct ieee80211_frame_info *) skb_push(skb, hlen);
+		rthdr = (struct ieee80211_rtap_hdr *) skb_push(skb, sizeof(*rthdr));
+		memset(rthdr, 0, sizeof(*rthdr));
+		rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
+		rthdr->hdr.it_present =
+			cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) ||
+				    (1 << IEEE80211_RADIOTAP_RATE) ||
+				    (1 << IEEE80211_RADIOTAP_CHANNEL) ||
+				    (1 << IEEE80211_RADIOTAP_DB_ANTSIGNAL));
+		rthdr->flags = local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS ?
+			       IEEE80211_RADIOTAP_F_FCS : 0;
+		rthdr->rate = status->rate / 5;
+		rthdr->chan_freq = cpu_to_le16(status->freq);
+		rthdr->chan_flags =
+			status->phymode == MODE_IEEE80211A ?
+			cpu_to_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ) :
+			cpu_to_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ);
+		rthdr->antsignal = status->ssi;
+	}
 
-	ieee80211_fill_frame_info(local, fi, status);
 	sdata->stats.rx_packets++;
 	sdata->stats.rx_bytes += skb->len;
 
@@ -3164,6 +3197,10 @@ ieee80211_rx_h_monitor(struct ieee80211_txrx_data *rx)
 		return TXRX_QUEUED;
 	}
 
+	if (rx->local->monitors &&
+	    rx->local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED)
+		skb_pull(rx->skb, ieee80211_get_radiotap_len(rx->skb));
+
 	return TXRX_CONTINUE;
 }
 
@@ -3731,6 +3768,13 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	struct ieee80211_txrx_data rx;
 	u16 type;
 	int multicast;
+	int radiotap_len = 0;
+
+	if (local->monitors &&
+	    local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED) {
+		radiotap_len = ieee80211_get_radiotap_len(skb);
+		skb_pull(skb, radiotap_len);
+	}
 
 	hdr = (struct ieee80211_hdr *) skb->data;
 	memset(&rx, 0, sizeof(rx));
@@ -3767,6 +3811,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 		goto end;
 	skb = rx.skb;
 
+	skb_push(skb, radiotap_len);
 	if (sta && !sta->assoc_ap && !(sta->flags & WLAN_STA_WDS) &&
 	    !local->iff_promiscs && !multicast) {
 		rx.u.rx.ra_match = 1;
@@ -3775,7 +3820,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	} else {
 		struct ieee80211_sub_if_data *prev = NULL;
 		struct sk_buff *skb_new;
-		u8 *bssid = ieee80211_get_bssid(hdr, skb->len);
+		u8 *bssid = ieee80211_get_bssid(hdr, skb->len - radiotap_len);
 
 		list_for_each_entry(sdata, &local->sub_if_list, list) {
 			rx.u.rx.ra_match = 1;
diff --git a/net/mac80211/ieee80211_iface.c b/net/mac80211/ieee80211_iface.c
index 3e0b4fa..51197b1 100644
--- a/net/mac80211/ieee80211_iface.c
+++ b/net/mac80211/ieee80211_iface.c
@@ -199,7 +199,7 @@ void ieee80211_if_set_type(struct net_device *dev, int type)
 		break;
 	}
 	case IEEE80211_IF_TYPE_MNTR:
-		dev->type = ARPHRD_IEEE80211_PRISM;
+		dev->type = ARPHRD_IEEE80211_RADIOTAP;
 		break;
 	default:
 		printk(KERN_WARNING "%s: %s: Unknown interface type 0x%x",

-- 

[PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[andy]

From: Andy Green <andy@warmcat.com>

Try #2
 - took Michael Wu's advice about better tools and basing on wireless-dev
 - took Luis Rodriguez's advice about coding style makeover
 - took Pavel Roskin's advice about little-endian radiotap

Index: linux-2.6.20.i386/include/net/mac80211.h
===================================================

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 4fc8edc..bb5777e 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -189,6 +189,7 @@ struct ieee80211_tx_control {
 #define IEEE80211_TXCTL_FIRST_FRAGMENT	(1<<8) /* this is a first fragment of
 						* the frame */
 #define IEEE80211_TXCTL_TKIP_NEW_PHASE1_KEY (1<<9)
+#define IEEE80211_TXCTL_INJECTED_PACKET (1<<10) /* tx into monitor IF */
 	u32 flags;			       /* tx control flags defined
 						* above */
 	u8 retry_limit;		/* 1 = only first attempt, 2 = one retry, .. */
diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
index fb33b90..3873262 100644
--- a/net/mac80211/ieee80211.c
+++ b/net/mac80211/ieee80211.c
@@ -35,6 +35,7 @@
 #include "ieee80211_led.h"
 #include "ieee80211_cfg.h"
 #include "ieee80211_sysfs.h"
+#include <net/ieee80211_radiotap.h>
 
 /* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */
 /* Ethernet-II snap header (RFC1042 for most EtherTypes) */
@@ -1054,7 +1055,163 @@ ieee80211_tx_h_ps_buf(struct ieee80211_txrx_data *tx)
 }
 
 
-static void inline
+/* deal with packet injection down monitor interface
+ * with Radiotap Header -- only called for monitor mode interface
+ */
+
+static ieee80211_txrx_result
+__ieee80211_convert_radiotap_to_control_and_remove(
+	struct ieee80211_txrx_data *tx,
+	struct sk_buff *skb, struct ieee80211_tx_control *control)
+{
+	/* this is the moment to interpret the radiotap header that
+	 * must be at the start of the packet injected in Monitor
+	 * mode into control and then discard the radiotap header
+	 *
+	 * Need to take some care with endian-ness since radiotap
+	 * is apparently a little-endian struct, including the args
+	*/
+
+	struct ieee80211_radiotap_header *rthdr =
+		(struct ieee80211_radiotap_header *) skb->data;
+
+	/* small length lookup table for all radiotap types we heard of
+	 * starting from b0 in the bitmap, so we can walk the payload
+	 * area of the radiotap header
+	 */
+
+	static const u8 radiotap_entry_sizes[] = {
+		8, /* IEEE80211_RADIOTAP_TSFT */
+		1, /* IEEE80211_RADIOTAP_FLAGS */
+		1, /* IEEE80211_RADIOTAP_RATE */
+		4, /* IEEE80211_RADIOTAP_CHANNEL */
+		2, /* IEEE80211_RADIOTAP_FHSS */
+		1, /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
+		1, /* IEEE80211_RADIOTAP_DBM_ANTNOISE */
+		2, /* IEEE80211_RADIOTAP_LOCK_QUALITY */
+		2, /* IEEE80211_RADIOTAP_TX_ATTENUATION */
+		2, /* IEEE80211_RADIOTAP_DB_TX_ATTENUATION */
+		1, /* IEEE80211_RADIOTAP_DBM_TX_POWER */
+		1, /* IEEE80211_RADIOTAP_ANTENNA */
+		1, /* IEEE80211_RADIOTAP_DB_ANTSIGNAL */
+		1  /* IEEE80211_RADIOTAP_DB_ANTNOISE */
+			/* add more here as they are defined */
+	};
+	int tap_index = 0;
+	u8 *tap_arg = skb->data + sizeof(struct ieee80211_radiotap_header);
+	u32 *curr_arg_bitmap = &rthdr->it_present;
+	u32 arg_bitmap=le32_to_cpu(*curr_arg_bitmap);
+
+	if(rthdr->it_version) return TXRX_DROP; /* version byte used as magic */
+
+		/* sanity check for skb length and radiotap length field */
+	if (skb->len < (le16_to_cpu(rthdr->it_len) +
+		sizeof(struct ieee80211_hdr)))
+		return TXRX_DROP;
+
+		/* find payload start allowing for extended bitmap(s) */
+
+	if(le32_to_cpu(rthdr->it_present) & 0x80000000) {
+		while( le32_to_cpu(*((u32 *)tap_arg)) & 0x80000000)
+			tap_arg += sizeof(u32);
+		tap_arg += sizeof(u32);
+	}
+
+		/* default control situation for all injected packets */
+
+	control->retry_limit = 1; /* no retry */
+	control->key_idx = -1; /* no encryption key */
+	control->flags &= ~(IEEE80211_TXCTL_USE_RTS_CTS |
+		IEEE80211_TXCTL_USE_CTS_PROTECT);
+	control->flags |= (IEEE80211_TXCTL_DO_NOT_ENCRYPT |
+		IEEE80211_TXCTL_NO_ACK);
+	control->antenna_sel_tx = 0; /* default to default/diversity */
+
+		/* for every radiotap entry we can at
+		 * least skip (by knowing the length)...
+		 */
+
+	while(tap_index < sizeof(radiotap_entry_sizes)) {
+		int i, target_rate;
+
+		if(!(arg_bitmap & 1)) goto next_entry;
+
+			/* arg is present */
+
+		switch(tap_index) { /* deal with if interested */
+
+		case IEEE80211_RADIOTAP_RATE:
+			/* radiotap "rate" u8 is in
+			 * 500kbps units, eg, 0x02=1Mbps
+			 * ieee80211 "rate" int is
+			 * in 100kbps units, eg, 0x0a=1Mbps
+			 */
+			target_rate = (*tap_arg) * 5;
+			for (i = 0; i < tx->local->num_curr_rates; i++){
+				struct ieee80211_rate *r =
+					&tx->local->curr_rates[i];
+
+				if(r->rate <= target_rate) {
+					if(r->flags &
+						IEEE80211_RATE_PREAMBLE2) {
+						control->tx_rate = r->val2;
+					} else {
+						control->tx_rate = r->val;
+					}
+				
+
+						/* end on exact match */
+					if(r->rate == target_rate)
+						i = tx->local->num_curr_rates;
+				}
+			}
+			break;
+
+		case IEEE80211_RADIOTAP_ANTENNA:
+			/* radiotap uses 0 for 1st ant,
+			 * mac80211 is 1 for 1st ant
+			 * absence of IEEE80211_RADIOTAP_ANTENNA
+			 * gives default/diversity
+			*/
+			control->antenna_sel_tx = (*tap_arg) + 1;
+			break;
+
+		case IEEE80211_RADIOTAP_DBM_TX_POWER:
+			control->power_level = *tap_arg;
+			break;
+
+		default:
+			break;
+		}
+
+		tap_arg += radiotap_entry_sizes[tap_index];
+
+		next_entry:
+
+		tap_index++;
+		if(unlikely((tap_index & 31) == 0)) {
+				/* completed current u32 bitmap */
+			if(arg_bitmap & 1) { /* b31 was set, there is another */
+				/* move to next u32 bitmap */
+				curr_arg_bitmap++;
+				arg_bitmap = le32_to_cpu(*curr_arg_bitmap);
+			} else {
+				/* he didn't give us any more bitmaps: end */
+				tap_index = sizeof(radiotap_entry_sizes);
+			}
+		} else { /* just try the next bit */
+			arg_bitmap >>= 1;
+		}
+	}
+
+		/* remove the radiotap header */
+	skb_pull(skb, le16_to_cpu(rthdr->it_len));
+
+	return TXRX_CONTINUE;
+}
+
+
+static ieee80211_txrx_result inline
 __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
 		       struct sk_buff *skb,
 		       struct net_device *dev,
@@ -1071,7 +1228,30 @@ __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
 	tx->sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 	tx->sta = sta_info_get(local, hdr->addr1);
 	tx->fc = le16_to_cpu(hdr->frame_control);
+
+		/* set defaults for things that can be set by
+		 * injected radiotap headers
+		 */
+
 	control->power_level = local->hw.conf.power_level;
+	control->antenna_sel_tx = local->hw.conf.antenna_sel_tx;
+	if (local->sta_antenna_sel != STA_ANTENNA_SEL_AUTO && tx->sta )
+		control->antenna_sel_tx = tx->sta->antenna_sel_tx;
+
+		/* process and remove the injection radiotap header */
+
+	if(control->flags & IEEE80211_TXCTL_INJECTED_PACKET) {
+		if(__ieee80211_convert_radiotap_to_control_and_remove(
+			tx, skb, control) == TXRX_DROP) {
+			return TXRX_DROP;
+		}
+		/* we removed the radiotap header after this point,
+		 * we filled control with what we could use
+		 * set to the actual ieee header now
+		 */
+		hdr = (struct ieee80211_hdr *) skb->data;
+	}
+
 	tx->u.tx.control = control;
 	tx->u.tx.unicast = !is_multicast_ether_addr(hdr->addr1);
 	if (is_multicast_ether_addr(hdr->addr1))
@@ -1088,9 +1268,6 @@ __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
 		control->flags |= IEEE80211_TXCTL_CLEAR_DST_MASK;
 		tx->sta->clear_dst_mask = 0;
 	}
-	control->antenna_sel_tx = local->hw.conf.antenna_sel_tx;
-	if (local->sta_antenna_sel != STA_ANTENNA_SEL_AUTO && tx->sta)
-		control->antenna_sel_tx = tx->sta->antenna_sel_tx;
 	hdrlen = ieee80211_get_hdrlen(tx->fc);
 	if (skb->len > hdrlen + sizeof(rfc1042_header) + 2) {
 		u8 *pos = &skb->data[hdrlen + sizeof(rfc1042_header)];
@@ -1098,6 +1275,7 @@ __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
 	}
 	control->flags |= IEEE80211_TXCTL_FIRST_FRAGMENT;
 
+	return TXRX_CONTINUE;
 }
 
 static int inline is_ieee80211_device(struct net_device *dev,
@@ -1215,14 +1393,22 @@ static int ieee80211_tx(struct net_device *dev, struct sk_buff *skb,
 		return 0;
 	}
 
-	__ieee80211_tx_prepare(&tx, skb, dev, control);
+	if(__ieee80211_tx_prepare(&tx, skb, dev, control)==TXRX_DROP) {
+		dev_kfree_skb(skb);
+		return 0;
+	}
+
 	sta = tx.sta;
 	tx.u.tx.mgmt_interface = mgmt;
 
-	for (handler = local->tx_handlers; *handler != NULL; handler++) {
-		res = (*handler)(&tx);
-		if (res != TXRX_CONTINUE)
-			break;
+	if(unlikely((control->flags & IEEE80211_TXCTL_INJECTED_PACKET))) {
+		res=TXRX_CONTINUE;
+	} else {
+		for (handler = local->tx_handlers; *handler != NULL; handler++) {
+			res = (*handler)(&tx);
+			if (res != TXRX_CONTINUE)
+				break;
+		}
 	}
 
 	skb = tx.skb; /* handlers are allowed to change skb */
@@ -1410,6 +1596,8 @@ static int ieee80211_master_start_xmit(struct sk_buff *skb,
 	if (pkt_data->requeue)
 		control.flags |= IEEE80211_TXCTL_REQUEUE;
 	control.queue = pkt_data->queue;
+	if(pkt_data->is_injected_into_monitor)
+		control.flags |= IEEE80211_TXCTL_INJECTED_PACKET;
 
 	ret = ieee80211_tx(odev, skb, &control,
 			   control.type == IEEE80211_IF_TYPE_MGMT);
@@ -1456,6 +1644,51 @@ static int ieee80211_subif_start_xmit(struct sk_buff *skb,
 		goto fail;
 	}
 
+	if(unlikely(sdata->type==IEEE80211_IF_TYPE_MNTR)) {
+		struct ieee80211_radiotap_header * prthdr=
+			(struct ieee80211_radiotap_header *)skb->data;
+
+			/* there must be a radiotap header at the
+			 * start in this case
+			 */
+
+		if(unlikely(prthdr->it_version)) {
+			/* radiotap version used as magic */
+			ret=0;
+			goto fail;
+		}
+
+		skb->dev = local->mdev;
+
+		pkt_data = (struct ieee80211_tx_packet_data *)skb->cb;
+		memset(pkt_data, 0, sizeof(struct ieee80211_tx_packet_data));
+		pkt_data->ifindex =  local->mdev->ifindex;
+		pkt_data->mgmt_iface = 0;
+		pkt_data->do_not_encrypt = 1;
+		pkt_data->is_injected_into_monitor = 1;
+			/* above needed because we set skb device to master */
+
+			/* fix up the pointers accounting for the radiotap
+			 * header still being in there.  We are being given
+			 * a precooked IEEE80211 header so no need for
+			 * normal processing
+			 */
+
+		skb->mac.raw = skb->data+prthdr->it_len;
+		skb->nh.raw = skb->data+prthdr->it_len+
+			sizeof(struct ieee80211_hdr);
+		skb->h.raw = skb->data+prthdr->it_len+
+			sizeof(struct ieee80211_hdr);
+
+			/* pass the radiotap header up to
+			 * the next stage intact
+			 */
+
+		dev_queue_xmit(skb);
+
+		return 0;
+	}
+
 	nh_pos = skb->nh.raw - skb->data;
 	h_pos = skb->h.raw - skb->data;
 
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 9df8ef0..617d297 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -162,6 +162,7 @@ struct ieee80211_tx_packet_data {
 	unsigned int requeue:1;
 	unsigned int mgmt_iface:1;
 	unsigned int queue:4;
+	unsigned int is_injected_into_monitor:1;
 };
 
 struct ieee80211_tx_stored_packet {

-- 

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Michael Buesch]

On Saturday 17 March 2007 11:58, andy@warmcat.com wrote:
> From: Andy Green <andy@warmcat.com>
> 
> Try #2
>  - took Michael Wu's advice about better tools and basing on wireless-dev
>  - took Luis Rodriguez's advice about coding style makeover
>  - took Pavel Roskin's advice about little-endian radiotap
> 
> Index: linux-2.6.20.i386/include/net/mac80211.h
> ===================================================
> 
> diff --git a/include/net/mac80211.h b/include/net/mac80211.h
> index 4fc8edc..bb5777e 100644
> --- a/include/net/mac80211.h
> +++ b/include/net/mac80211.h
> @@ -189,6 +189,7 @@ struct ieee80211_tx_control {
>  #define IEEE80211_TXCTL_FIRST_FRAGMENT	(1<<8) /* this is a first fragment of
>  						* the frame */
>  #define IEEE80211_TXCTL_TKIP_NEW_PHASE1_KEY (1<<9)
> +#define IEEE80211_TXCTL_INJECTED_PACKET (1<<10) /* tx into monitor IF */

What is a driver supposed to do on this flag? More documentation, please.

-- 
Greetings Michael.

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Andy Green]

Michael Buesch wrote:

>> +#define IEEE80211_TXCTL_INJECTED_PACKET (1<<10) /* tx into monitor IF */
> 
> What is a driver supposed to do on this flag? More documentation, please.

Hi Michael -

The driver doesn't have to do anything with that flag... it's a private 
mac80211-internal flag to get the attribute that the packet was injected 
into a Monitor interface into ieee80211_tx_control where 
__ieee80211_tx_prepare() can access that information.  By then as I 
understood it the information that the packet came in on the monitor 
interface isn't available because we redirected it to the master 
interface.  That one bit of state, that the packet originated from a 
send() to a Montitor Mode interface is the meaning of the flag.

Currently the information travels like this:

- ieee80211_subif_start_xmit() sees that it is a monitor mode interface 
getting the packet.

  - It sets ieee80211_tx_packet_data.is_injected_into_monitor, which 
travels with the packet inside skb.cb.

  - ieee80211_master_start_xmit() eventually gets the packet and 
examines the ieee80211_tx_packet_data in the skb.cb.  If 
is_injected_into_monitor is set, it sets control.flags |= 
IEEE80211_TXCTL_INJECTED_PACKET.  This is done because at the start of 
ieee80211_master_start_xmit() there is a comment

	/*
	 * copy control out of the skb so other people can use skb->cb
	 */

  - finally the end user __ieee80211_tx_prepare() is able to find the 
state information in control->flags & IEEE80211_TXCTL_INJECTED_PACKET 
and work out if it expects a radiotap header prepended or not from that.

If there's a simpler way I'm happy to use it.

-Andy

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Michael Buesch]

On Saturday 17 March 2007 15:58, Andy Green wrote:
> Michael Buesch wrote:
> 
> >> +#define IEEE80211_TXCTL_INJECTED_PACKET (1<<10) /* tx into monitor IF */
> > 
> > What is a driver supposed to do on this flag? More documentation, please.
> 
> Hi Michael -
> 
> The driver doesn't have to do anything with that flag... it's a private 
> mac80211-internal flag to get the attribute that the packet was injected 

> If there's a simpler way I'm happy to use it.

Ok, no. I'm fine with this. But please mark it as mac80211-internal
flag, so driver authors don't waste time on thinking about wtf this is. ;)
Either by documenting it in a comment or by doing a special define
(two underscores or something). Or both.

-- 
Greetings Michael.

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Andy Green]

Michael Buesch wrote:
> On Saturday 17 March 2007 15:58, Andy Green wrote:
>> Michael Buesch wrote:
>>
>>>> +#define IEEE80211_TXCTL_INJECTED_PACKET (1<<10) /* tx into monitor IF */
>>> What is a driver supposed to do on this flag? More documentation, please.
>> Hi Michael -
>>
>> The driver doesn't have to do anything with that flag... it's a private 
>> mac80211-internal flag to get the attribute that the packet was injected 
> 
>> If there's a simpler way I'm happy to use it.
> 
> Ok, no. I'm fine with this. But please mark it as mac80211-internal
> flag, so driver authors don't waste time on thinking about wtf this is. ;)
> Either by documenting it in a comment or by doing a special define
> (two underscores or something). Or both.

Both sounds like a good idea, thanks: I will wait a bit for any more 
comments and then add this to a try #3.  I noticed Michael Wu set his 
flag to 1<<20 and I guess he had this in mind, so I will change mine to 
1<<21 to further distance it from the other flags in bits and in meaning.

-Andy

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Michael Wu]

[-- Attachment #1: Type: text/plain, Size: 1384 bytes --]

On Saturday 17 March 2007 06:58, andy@warmcat.com wrote:
> diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
> index fb33b90..3873262 100644
> --- a/net/mac80211/ieee80211.c
> +++ b/net/mac80211/ieee80211.c
> @@ -35,6 +35,7 @@
>  #include "ieee80211_led.h"
>  #include "ieee80211_cfg.h"
>  #include "ieee80211_sysfs.h"
> +#include <net/ieee80211_radiotap.h>
>
Already included by my patch.

> +	int tap_index = 0;
> +	u8 *tap_arg = skb->data + sizeof(struct ieee80211_radiotap_header);
> +	u32 *curr_arg_bitmap = &rthdr->it_present;
> +	u32 arg_bitmap=le32_to_cpu(*curr_arg_bitmap);
Space before and after the =. 

> +
> +	if(rthdr->it_version) return TXRX_DROP; /* version byte used as magic */
Space after the if.

> +
> +		/* sanity check for skb length and radiotap length field */
Keep comments indented the same as everything else.

> +	if (skb->len < (le16_to_cpu(rthdr->it_len) +
> +		sizeof(struct ieee80211_hdr)))
Using some spaces to align the start of the second line with the parenthesis 
often looks better.

> +		/* process and remove the injection radiotap header */
> +
> +	if(control->flags & IEEE80211_TXCTL_INJECTED_PACKET) {
dev points to the virtual interface that the frame originally came in on. You 
can get sdata from that and figure out if the interface was a monitor 
interface.

Thanks,
-Michael Wu

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Michael Wu]

[-- Attachment #1: Type: text/plain, Size: 676 bytes --]

On Saturday 17 March 2007 17:30, Michael Wu wrote:
> > +		/* process and remove the injection radiotap header */
> > +
> > +	if(control->flags & IEEE80211_TXCTL_INJECTED_PACKET) {
>
> dev points to the virtual interface that the frame originally came in on.
> You can get sdata from that and figure out if the interface was a monitor
> interface.
>
Of course, this depends on ifindex being set properly.

You added:
	pkt_data->ifindex =  local->mdev->ifindex;

but in that same function, this is used instead:
	pkt_data->ifindex = sdata->dev->ifindex;

Which allows the master device to figure out which virtual interface the skb 
came from.

-Michael Wu

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Andy Green]

Michael Wu wrote:
> On Saturday 17 March 2007 17:30, Michael Wu wrote:
>>> +		/* process and remove the injection radiotap header */
>>> +
>>> +	if(control->flags & IEEE80211_TXCTL_INJECTED_PACKET) {
>> dev points to the virtual interface that the frame originally came in on.
>> You can get sdata from that and figure out if the interface was a monitor
>> interface.
>>
> Of course, this depends on ifindex being set properly.
> 
> You added:
> 	pkt_data->ifindex =  local->mdev->ifindex;
> 
> but in that same function, this is used instead:
> 	pkt_data->ifindex = sdata->dev->ifindex;
> 
> Which allows the master device to figure out which virtual interface the skb 
> came from.

Yeah naturally it was my first move to use what was there, but the 
result was a panic that went away when I moved the skb to belong to the 
"master" interface's index and separately persistently tagged the packet 
as being injected.

Is it safe against race problems on interface removal to consider to 
look up against the interface index at actual send time?

-Andy

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Michael Wu]

[-- Attachment #1: Type: text/plain, Size: 841 bytes --]

On Saturday 17 March 2007 18:09, Andy Green wrote:
> Yeah naturally it was my first move to use what was there, but the
> result was a panic that went away when I moved the skb to belong to the
> "master" interface's index and separately persistently tagged the packet
> as being injected.
>
I don't see anything that would prevent this from working.. if you have a 
patch which does this and crashes, I'll take a look at it.

> Is it safe against race problems on interface removal to consider to
> look up against the interface index at actual send time?
>
Yes. dev_get_by_index in ieee80211_master_start_xmit calls dev_hold. When it 
is done, dev_put is called. The headroom reservation code looks suspicious 
though.. it doesn't call dev_put if it fails. Fortunately, this is unlikely 
to happen.

Thanks,
-Michael Wu

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Andy Green]

Michael Wu wrote:
> On Saturday 17 March 2007 18:09, Andy Green wrote:
>> Yeah naturally it was my first move to use what was there, but the
>> result was a panic that went away when I moved the skb to belong to the
>> "master" interface's index and separately persistently tagged the packet
>> as being injected.
>>
> I don't see anything that would prevent this from working.. if you have a 
> patch which does this and crashes, I'll take a look at it.

Okay I will try to regenerate this situation tomorrow afternoon, which 
will be my next chance.

-Andy

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Andy Green]

Andy Green wrote:
> Michael Wu wrote:
>> On Saturday 17 March 2007 18:09, Andy Green wrote:
>>> Yeah naturally it was my first move to use what was there, but the
>>> result was a panic that went away when I moved the skb to belong to the
>>> "master" interface's index and separately persistently tagged the packet
>>> as being injected.
>>>
>> I don't see anything that would prevent this from working.. if you 
>> have a patch which does this and crashes, I'll take a look at it.
> 
> Okay I will try to regenerate this situation tomorrow afternoon, which 
> will be my next chance.

Well the panic did not return, I guess whatever I was doing that 
provoked it I am not doing any more.  So I changed it back to the 
sdata->dev->ifindex that the normal code path uses and confirmed that 
continued to worked okay.

However when I went on to look at leveraging that to find out if the 
originating interface was in Monitor mode, it seems that it might be a 
little bit more expensive to do that -- and it would have to be done for 
every tx packet in order to find out if it was injected.  By contrast 
with the currently proposed staged system at each level the information 
is always available without processing, and the overhead for the common 
case where the packet was not injected is just testing if the if type 
was monitor, and then later testing a bit in flags that are already 
available.

 From looking around the existing code, it seems something like this is 
called for to use the ifindex instead:

__ieee80211_tx_prepare(...)
{
	struct ieee80211_tx_packet_data *pkt_data;

	/* skb->cb is still valid by this time? */

	pkt_data = (struct ieee80211_tx_packet_data *)skb->cb;

	/* dev_get_by_index holds a read lock and iterates
	 * a hlist, done for every tx packet */

	originating_dev = dev_get_by_index(pkt_data->ifindex);
	if(!originating_dev) goto skipped;
	if (unlikely(!is_ieee80211_device(originating_dev, dev))) {
		goto give_up_dev;
	}

	originating__sdata = IEEE80211_DEV_TO_SUB_IF(dev);
	if(!originating__sdata) goto give_up_dev;

	if (unlikely(originating__sdata->type==IEEE80211_IF_TYPE_MNTR)){
...
	}
	give_up_dev:
	dev_put(originating_dev);
	skipped:
...
}

Given this, if it is actually the leanest implementation of using 
ifindex, is it still preferred?

-Andy

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Andy Green]

Andy Green wrote:

> However when I went on to look at leveraging that to find out if the 
> originating interface was in Monitor mode, it seems that it might be a 
> little bit more expensive to do that -- and it would have to be done for 
> every tx packet in order to find out if it was injected.  By contrast 
> with the currently proposed staged system at each level the information 
> is always available without processing, and the overhead for the common 
> case where the packet was not injected is just testing if the if type 
> was monitor, and then later testing a bit in flags that are already 
> available.
> 
>  From looking around the existing code, it seems something like this is 
> called for to use the ifindex instead:

Ha, ignore this, Michael's method works just with what is to hand.  Try 
#3 coming up.

-Andy

Re: [PATCH 2/2] mac80211: Monitor mode radiotap-based packet injection

[Andy Green]

Michael Wu wrote:
> On Saturday 17 March 2007 06:58, andy@warmcat.com wrote:
>> diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
>> index fb33b90..3873262 100644
>> --- a/net/mac80211/ieee80211.c
>> +++ b/net/mac80211/ieee80211.c
>> @@ -35,6 +35,7 @@
>>  #include "ieee80211_led.h"
>>  #include "ieee80211_cfg.h"
>>  #include "ieee80211_sysfs.h"
>> +#include <net/ieee80211_radiotap.h>
>>
> Already included by my patch.

OK.  Not sure why that appears in my patch any longer then since I am 
using guilt thanks to your advice, and your patch is applied first.

>> +	int tap_index = 0;
>> +	u8 *tap_arg = skb->data + sizeof(struct ieee80211_radiotap_header);
>> +	u32 *curr_arg_bitmap = &rthdr->it_present;
>> +	u32 arg_bitmap=le32_to_cpu(*curr_arg_bitmap);
> Space before and after the =. 

Fixed.

>> +
>> +	if(rthdr->it_version) return TXRX_DROP; /* version byte used as magic */
> Space after the if.

Fixed.

>> +
>> +		/* sanity check for skb length and radiotap length field */
> Keep comments indented the same as everything else.

Fixed.

>> +	if (skb->len < (le16_to_cpu(rthdr->it_len) +
>> +		sizeof(struct ieee80211_hdr)))
> Using some spaces to align the start of the second line with the parenthesis 
> often looks better.

Fixed and noted.

>> +		/* process and remove the injection radiotap header */
>> +
>> +	if(control->flags & IEEE80211_TXCTL_INJECTED_PACKET) {
> dev points to the virtual interface that the frame originally came in on. You 
> can get sdata from that and figure out if the interface was a monitor 
> interface.

replied in next mail...

-Andy

[PATCH 0/2] Try #3 Radiotap on Monitor Mode interfaces for rx and tx

[andy]

Hi folks -

This pair of patches change the Monitor Mode wireless interfaces to use radiotap
both for monitoring and for packet injection.  The monitoring side is done by a patch
from Michael Wu.  Tcpdump knows how to handle the result.

For injecting packets, the you issue a packet using libpcap or a SOCK_PACKET
socket down an interface to the wireless device that is in Monitor Mode.  The packet
has a normal radiotap header prepended to the IEEE80211 header.  The radiotap header
is variable length depending on what the user wants to specify, currently the
transmit rate, power and antenna can be specified using normal radiotap semantics.
Any other entries are skipped.

A usermode app packetspammer is available from here

http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer

which allows easy injection of these packets from the commandline.  At the moment it
loops issuing packets at a variety of rates which can be seen from another
machine's monitor mode interface on the same channel.  There are instructions for
build and using it on the page above.

Currently it has been tested for both rx and tx using zd1211rw-mac80211 and works
except for 1Mbps TX (54Mbps - 2Mbps works) and the rx radiotap rate is not shown in
tcpdump.

The patches should be based against wireless-dev.
-- 

[PATCH 1/2] mac80211: Add radiotap support

[andy]

From: Michael Wu <flamingice@sourmilk.net>


---

 include/net/mac80211.h         |    3 ++
 net/mac80211/ieee80211.c       |   69 +++++++++++++++++++++++++++++++++-------
 net/mac80211/ieee80211_iface.c |    2 +
 3 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 916b21b..050f126 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -529,6 +529,9 @@ struct ieee80211_hw {
 	 * per-packet RC4 key with each TX frame when doing hwcrypto */
 #define IEEE80211_HW_TKIP_REQ_PHASE2_KEY (1<<14)
 
+	/* Driver supports radiotap. Temporary until all drivers support it. */
+#define IEEE80211_HW_RADIOTAP_SUPPORTED (1<<20)
+
 	u32 flags;			/* hardware flags defined above */
 
 	/* Set to the size of a needed device specific skb headroom for TX skbs. */
diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
index 0b7cb35..c3a9f0e 100644
--- a/net/mac80211/ieee80211.c
+++ b/net/mac80211/ieee80211.c
@@ -8,6 +8,7 @@
  */
 
 #include <net/mac80211.h>
+#include <net/ieee80211_radiotap.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/netdevice.h>
@@ -286,6 +287,14 @@ int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
 }
 EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
 
+static int ieee80211_get_radiotap_len(struct sk_buff *skb)
+{
+	struct ieee80211_radiotap_header *hdr =
+		(struct ieee80211_radiotap_header *) skb->data;
+
+	return le16_to_cpu(hdr->it_len);
+}
+
 #ifdef CONFIG_MAC80211_LOWTX_FRAME_DUMP
 static void ieee80211_dump_frame(const char *ifname, const char *title,
 				 const struct sk_buff *skb)
@@ -2741,26 +2750,50 @@ ieee80211_rx_monitor(struct net_device *dev, struct sk_buff *skb,
 		     struct ieee80211_rx_status *status)
 {
 	struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
-	struct ieee80211_frame_info *fi;
 	struct ieee80211_sub_if_data *sdata;
-	const size_t hlen = sizeof(struct ieee80211_frame_info)
-				- sizeof(fi->msg_type);
+	struct ieee80211_rtap_hdr {
+		struct ieee80211_radiotap_header hdr;
+		u8 flags;
+		u8 pad0;
+		u8 rate;
+		u8 pad1;
+		__le16 chan_freq;
+		__le16 chan_flags;
+		u8 antsignal;
+	} __attribute__ ((packed)) *rthdr;
 
 	skb->dev = dev;
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (skb_headroom(skb) < hlen) {
-		I802_DEBUG_INC(local->rx_expand_skb_head);
-		if (pskb_expand_head(skb, hlen, 0, GFP_ATOMIC)) {
-			dev_kfree_skb(skb);
-			return;
+	if (!(local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED)) {
+		if (skb_headroom(skb) < sizeof(*rthdr)) {
+			I802_DEBUG_INC(local->rx_expand_skb_head);
+			if (pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) {
+				dev_kfree_skb(skb);
+				return;
+			}
 		}
-	}
 
-	fi = (struct ieee80211_frame_info *) skb_push(skb, hlen);
+		rthdr = (struct ieee80211_rtap_hdr *) skb_push(skb, sizeof(*rthdr));
+		memset(rthdr, 0, sizeof(*rthdr));
+		rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
+		rthdr->hdr.it_present =
+			cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) ||
+				    (1 << IEEE80211_RADIOTAP_RATE) ||
+				    (1 << IEEE80211_RADIOTAP_CHANNEL) ||
+				    (1 << IEEE80211_RADIOTAP_DB_ANTSIGNAL));
+		rthdr->flags = local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS ?
+			       IEEE80211_RADIOTAP_F_FCS : 0;
+		rthdr->rate = status->rate / 5;
+		rthdr->chan_freq = cpu_to_le16(status->freq);
+		rthdr->chan_flags =
+			status->phymode == MODE_IEEE80211A ?
+			cpu_to_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ) :
+			cpu_to_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ);
+		rthdr->antsignal = status->ssi;
+	}
 
-	ieee80211_fill_frame_info(local, fi, status);
 	sdata->stats.rx_packets++;
 	sdata->stats.rx_bytes += skb->len;
 
@@ -3164,6 +3197,10 @@ ieee80211_rx_h_monitor(struct ieee80211_txrx_data *rx)
 		return TXRX_QUEUED;
 	}
 
+	if (rx->local->monitors &&
+	    rx->local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED)
+		skb_pull(rx->skb, ieee80211_get_radiotap_len(rx->skb));
+
 	return TXRX_CONTINUE;
 }
 
@@ -3731,6 +3768,13 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	struct ieee80211_txrx_data rx;
 	u16 type;
 	int multicast;
+	int radiotap_len = 0;
+
+	if (local->monitors &&
+	    local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED) {
+		radiotap_len = ieee80211_get_radiotap_len(skb);
+		skb_pull(skb, radiotap_len);
+	}
 
 	hdr = (struct ieee80211_hdr *) skb->data;
 	memset(&rx, 0, sizeof(rx));
@@ -3767,6 +3811,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 		goto end;
 	skb = rx.skb;
 
+	skb_push(skb, radiotap_len);
 	if (sta && !sta->assoc_ap && !(sta->flags & WLAN_STA_WDS) &&
 	    !local->iff_promiscs && !multicast) {
 		rx.u.rx.ra_match = 1;
@@ -3775,7 +3820,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	} else {
 		struct ieee80211_sub_if_data *prev = NULL;
 		struct sk_buff *skb_new;
-		u8 *bssid = ieee80211_get_bssid(hdr, skb->len);
+		u8 *bssid = ieee80211_get_bssid(hdr, skb->len - radiotap_len);
 
 		list_for_each_entry(sdata, &local->sub_if_list, list) {
 			rx.u.rx.ra_match = 1;
diff --git a/net/mac80211/ieee80211_iface.c b/net/mac80211/ieee80211_iface.c
index 3e0b4fa..51197b1 100644
--- a/net/mac80211/ieee80211_iface.c
+++ b/net/mac80211/ieee80211_iface.c
@@ -199,7 +199,7 @@ void ieee80211_if_set_type(struct net_device *dev, int type)
 		break;
 	}
 	case IEEE80211_IF_TYPE_MNTR:
-		dev->type = ARPHRD_IEEE80211_PRISM;
+		dev->type = ARPHRD_IEEE80211_RADIOTAP;
 		break;
 	default:
 		printk(KERN_WARNING "%s: %s: Unknown interface type 0x%x",

--