[RFC][PATCH] Add radiotap-based packet injection capability to monitor mode

[RFC][PATCH] Add radiotap-based packet injection capability to monitor mode

[Andy Green]

[-- Attachment #1: Type: text/plain, Size: 1304 bytes --]

Hi folks -

This patch adds the monitor mode packet injection stuff that was talked 
about a week or so ago to mac80211.  Using a radiotap header prepended 
to the injection payload was felt to be a reasonable way forward.

The patch can deal with a variable-sized radiotap header containing any 
fields that are understood by Linux, although currently it skips 
everything except antenna, power and rate selection.  You just put an 
interface in monitor mode and direct packets at it, selecting rate and 
so on by using radiotap semantics.

Along with this patch I have also updated packetspammer

http://warmcat.com/packetspammer-0.3.tar.gz

to allow it to send [ radiotap + ieee80211 + payload ] packets from 
userspace into a Monitor mode interface.  The --help and README both 
show how to do it.  At the moment it simply injects a 54Mbps packet with 
a ping-type payload in it to fixed fake MAC addresses, you can see these 
packets from another box running in Monitor mode on the same channel.

I tested the rate action with a zd1211rw-mac80211 USB device and it 
seems to be happy.  I'm not sure how to test the antenna selection 
action and didn't try to test the tx power selection action yet.

The patch is against Linville's FC7 #4 test kernel sources, which are 
only a few days old.

-Andy

[-- Attachment #2: mac80211-injection.patch --]
[-- Type: text/x-patch, Size: 9962 bytes --]

--- /usr/src/redhat/BUILD/kernel-2.6.20-orig/linux-2.6.20.i386/include/net/mac80211.h	2007-03-13 13:36:16.000000000 +0000
+++ /usr/src/redhat/BUILD/kernel-2.6.20/linux-2.6.20.i386/include/net/mac80211.h	2007-03-14 18:25:04.000000000 +0000
@@ -189,6 +189,7 @@
 #define IEEE80211_TXCTL_FIRST_FRAGMENT	(1<<8) /* this is a first fragment of
 						* the frame */
 #define IEEE80211_TXCTL_TKIP_NEW_PHASE1_KEY (1<<9)
+#define IEEE80211_TXCTL_INJECTED_PACKET (1<<10) /* tx into monitor IF */
 	u32 flags;			       /* tx control flags defined
 						* above */
 	u8 retry_limit;		/* 1 = only first attempt, 2 = one retry, .. */
--- /usr/src/redhat/BUILD/kernel-2.6.20-orig/linux-2.6.20.i386/net/mac80211/ieee80211.c	2007-03-13 13:36:16.000000000 +0000
+++ /usr/src/redhat/BUILD/kernel-2.6.20/linux-2.6.20.i386/net/mac80211/ieee80211.c	2007-03-15 00:30:46.000000000 +0000
@@ -34,6 +34,7 @@
 #include "ieee80211_led.h"
 #include "ieee80211_cfg.h"
 #include "ieee80211_sysfs.h"
+#include <net/ieee80211_radiotap.h>
 
 /* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */
 /* Ethernet-II snap header (RFC1042 for most EtherTypes) */
@@ -839,6 +840,7 @@
 }
 
 
+
 static ieee80211_txrx_result
 ieee80211_tx_h_check_assoc(struct ieee80211_txrx_data *tx)
 {
@@ -1045,7 +1047,123 @@
 }
 
 
-static void inline
+/* deal with packet injection down monitor interface
+with Radiotap Header -- only called for monitor mode interface */
+
+static ieee80211_txrx_result
+__ieee80211_convert_radiotap_to_control_and_remove(struct ieee80211_txrx_data *tx,
+		       struct sk_buff *skb,
+		       struct ieee80211_tx_control *control)
+{
+		/* this is the moment to interpret the radiotap header that
+			must be at the start of the packet injected in Monitor
+			mode into control and then discard the radiotap header
+			Note all radiotap is native-endian since it stays on the box*/
+
+	struct ieee80211_radiotap_header *rthdr =
+		(struct ieee80211_radiotap_header *) skb->data;
+
+		/* small length lookup table for all radiotap types we heard of
+			starting from b0 in the bitmap, so we can walk the payload
+			area of the radiotap header */
+
+	static const u8 u8aRadiotapEntrySizes[] = {
+		8, /* IEEE80211_RADIOTAP_TSFT */
+		1, /* IEEE80211_RADIOTAP_FLAGS */
+		1, /* IEEE80211_RADIOTAP_RATE */
+		4, /* IEEE80211_RADIOTAP_CHANNEL */
+		2, /* IEEE80211_RADIOTAP_FHSS */
+		1, /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
+		1, /* IEEE80211_RADIOTAP_DBM_ANTNOISE */
+		2, /* IEEE80211_RADIOTAP_LOCK_QUALITY */
+		2, /* IEEE80211_RADIOTAP_TX_ATTENUATION */
+		2, /* IEEE80211_RADIOTAP_DB_TX_ATTENUATION */
+		1, /* IEEE80211_RADIOTAP_DBM_TX_POWER */
+		1, /* IEEE80211_RADIOTAP_ANTENNA */
+		1, /* IEEE80211_RADIOTAP_DB_ANTSIGNAL */
+		1  /* IEEE80211_RADIOTAP_DB_ANTNOISE */
+	};
+	int nTapIndex=0;
+	u8 * pu8Tap=skb->data + sizeof(struct ieee80211_radiotap_header);
+	u32 *pu32Bitmap=&rthdr->it_present;
+
+	if(rthdr->it_version) return TXRX_DROP; /* version byte used as magic */
+
+		/* sanity check for skb length and radiotap length field */
+	if (skb->len < (rthdr->it_len+sizeof(struct ieee80211_hdr)))
+		return TXRX_DROP;
+
+		/* find payload start allowing for extended bitmap(s) */
+
+	if(rthdr->it_present & 0x80000000) {
+		while( *((u32 *)pu8Tap) & 0x80000000) pu8Tap+=sizeof(u32);
+		pu8Tap+=sizeof(u32);
+	}
+
+		/* default control situation for all injected packets */
+
+	control->retry_limit=1; /* no retry */
+	control->key_idx=-1; /* no encryption key */
+	control->flags&=~(IEEE80211_TXCTL_USE_RTS_CTS|IEEE80211_TXCTL_USE_CTS_PROTECT);
+	control->flags|=(IEEE80211_TXCTL_DO_NOT_ENCRYPT|IEEE80211_TXCTL_NO_ACK);
+	control->antenna_sel_tx=0; /* default to default/diversity */
+
+		/* for every radiotap entry we can at least skip (by knowing the length)... */
+
+	while(nTapIndex<sizeof(u8aRadiotapEntrySizes)) {
+		if( (*pu32Bitmap) & 1) { /* it is present */
+
+			switch(nTapIndex) { /* deal with if interested */
+
+				case IEEE80211_RADIOTAP_RATE:
+					{
+							/* radio tap "rate" u8 is in 500kbps units, eg, 0x02=1Mbps
+								ieee80211 "rate" int is in 100kbps units, eg, 0x0a=1Mbps */
+						int i, nTargetRate=(*pu8Tap)*5;
+
+						for (i = 0; i < tx->local->num_curr_rates; i++) {
+							struct ieee80211_rate *r = &tx->local->curr_rates[i];
+
+							if(r->rate <= nTargetRate) {
+								control->tx_rate=r->val;
+							}
+						}
+					}
+					break;
+
+				case IEEE80211_RADIOTAP_ANTENNA:
+						/* radiotap uses 0 for 1st ant, mac80211 is 1 for 1st ant
+							absence of IEEE80211_RADIOTAP_ANTENNA gives default/diversity */
+					control->antenna_sel_tx=(*pu8Tap)+1;
+					break;
+
+				case IEEE80211_RADIOTAP_DBM_TX_POWER:
+					control->power_level=*pu8Tap;
+					break;
+
+				default:
+					break;
+			}
+
+			pu8Tap+=u8aRadiotapEntrySizes[nTapIndex];
+		}
+
+		(*pu32Bitmap)>>=1;
+
+		nTapIndex++;
+		if(unlikely((nTapIndex & 31)==0)) { // completed current u32 bitmap
+			pu32Bitmap++; // move to next u32 bitmap
+		}
+	}
+
+		/* remove the radiotap header */
+	skb_pull(skb, rthdr->it_len);
+
+	return TXRX_CONTINUE;
+}
+
+
+static ieee80211_txrx_result inline
 __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
 		       struct sk_buff *skb,
 		       struct net_device *dev,
@@ -1062,7 +1180,26 @@
 	tx->sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 	tx->sta = sta_info_get(local, hdr->addr1);
 	tx->fc = le16_to_cpu(hdr->frame_control);
+
+		/* set defaults for things that can be set by
+			injected radiotap headers */
+
 	control->power_level = local->hw.conf.power_level;
+	control->antenna_sel_tx = local->hw.conf.antenna_sel_tx;
+	if (local->sta_antenna_sel != STA_ANTENNA_SEL_AUTO && tx->sta )
+		control->antenna_sel_tx = tx->sta->antenna_sel_tx;
+
+		/* process and remove the injection radiotap header */
+
+	if(control->flags & IEEE80211_TXCTL_INJECTED_PACKET) {
+		if(__ieee80211_convert_radiotap_to_control_and_remove(tx, skb, control)==TXRX_DROP) {
+			return TXRX_DROP;
+		}
+		/* we removed the radiotap header after this point, 
+			we filled control with what we could use */
+		hdr = (struct ieee80211_hdr *) skb->data; /* set to the actual ieee header now */
+	}
+
 	tx->u.tx.control = control;
 	tx->u.tx.unicast = !is_multicast_ether_addr(hdr->addr1);
 	if (is_multicast_ether_addr(hdr->addr1))
@@ -1079,9 +1216,6 @@
 		control->flags |= IEEE80211_TXCTL_CLEAR_DST_MASK;
 		tx->sta->clear_dst_mask = 0;
 	}
-	control->antenna_sel_tx = local->hw.conf.antenna_sel_tx;
-	if (local->sta_antenna_sel != STA_ANTENNA_SEL_AUTO && tx->sta)
-		control->antenna_sel_tx = tx->sta->antenna_sel_tx;
 	hdrlen = ieee80211_get_hdrlen(tx->fc);
 	if (skb->len > hdrlen + sizeof(rfc1042_header) + 2) {
 		u8 *pos = &skb->data[hdrlen + sizeof(rfc1042_header)];
@@ -1089,6 +1223,7 @@
 	}
 	control->flags |= IEEE80211_TXCTL_FIRST_FRAGMENT;
 
+	return TXRX_CONTINUE;
 }
 
 static int inline is_ieee80211_device(struct net_device *dev,
@@ -1206,14 +1341,22 @@
 		return 0;
 	}
 
-	__ieee80211_tx_prepare(&tx, skb, dev, control);
+	if(__ieee80211_tx_prepare(&tx, skb, dev, control)==TXRX_DROP) {
+		dev_kfree_skb(skb);
+		return 0;
+	}
+
 	sta = tx.sta;
 	tx.u.tx.mgmt_interface = mgmt;
 
-	for (handler = local->tx_handlers; *handler != NULL; handler++) {
-		res = (*handler)(&tx);
-		if (res != TXRX_CONTINUE)
-			break;
+	if(unlikely((control->flags & IEEE80211_TXCTL_INJECTED_PACKET))) {
+		res=TXRX_CONTINUE;
+	} else {
+		for (handler = local->tx_handlers; *handler != NULL; handler++) {
+			res = (*handler)(&tx);
+			if (res != TXRX_CONTINUE)
+				break;
+		}
 	}
 
 	skb = tx.skb; /* handlers are allowed to change skb */
@@ -1251,6 +1394,7 @@
 	}
 
 retry:
+
 	ret = __ieee80211_tx(local, skb, &tx);
 	if (ret) {
 		struct ieee80211_tx_stored_packet *store =
@@ -1364,6 +1508,7 @@
 	/*
 	 * copy control out of the skb so other people can use skb->cb
 	 */
+
 	pkt_data = (struct ieee80211_tx_packet_data *)skb->cb;
 	memset(&control, 0, sizeof(struct ieee80211_tx_control));
 
@@ -1401,6 +1546,8 @@
 	if (pkt_data->requeue)
 		control.flags |= IEEE80211_TXCTL_REQUEUE;
 	control.queue = pkt_data->queue;
+	if(pkt_data->is_injected_into_monitor)
+		control.flags |= IEEE80211_TXCTL_INJECTED_PACKET;
 
 	ret = ieee80211_tx(odev, skb, &control,
 			   control.type == IEEE80211_IF_TYPE_MGMT);
@@ -1447,6 +1594,40 @@
 		goto fail;
 	}
 
+	if(unlikely(sdata->type==IEEE80211_IF_TYPE_MNTR)) {
+		struct ieee80211_radiotap_header * prthdr=(struct ieee80211_radiotap_header *)skb->data;
+
+			/* there must be a radiotap header at the start in this case */
+
+		if(unlikely(prthdr->it_version)) { /* radiotap version used as magic */
+			ret=0;
+			goto fail;
+		}
+
+		skb->dev = local->mdev;
+
+		pkt_data = (struct ieee80211_tx_packet_data *)skb->cb;
+		memset(pkt_data, 0, sizeof(struct ieee80211_tx_packet_data));
+		pkt_data->ifindex =  local->mdev/*sdata->dev*/->ifindex;
+		pkt_data->mgmt_iface = 0;
+		pkt_data->do_not_encrypt = 1;
+		pkt_data->is_injected_into_monitor = 1; /* needed because we set skb device to master */
+
+			/* fix up the pointers accounting for the radiotap header still being in there
+				we are being given a precooked IEEE80211 header so no need for
+				normal processing */
+
+		skb->mac.raw = skb->data+prthdr->it_len;
+		skb->nh.raw = skb->data+prthdr->it_len+sizeof(struct ieee80211_hdr);
+		skb->h.raw = skb->data+prthdr->it_len+sizeof(struct ieee80211_hdr);
+
+			/* pass the radiotap header up to the next stage intact */
+
+		dev_queue_xmit(skb);
+	
+		return 0;
+	}
+
 	nh_pos = skb->nh.raw - skb->data;
 	h_pos = skb->h.raw - skb->data;
 
--- /usr/src/redhat/BUILD/kernel-2.6.20-orig/linux-2.6.20.i386/net/mac80211/ieee80211_i.h	2007-03-13 13:36:16.000000000 +0000
+++ /usr/src/redhat/BUILD/kernel-2.6.20/linux-2.6.20.i386/net/mac80211/ieee80211_i.h	2007-03-14 18:23:52.000000000 +0000
@@ -162,6 +162,7 @@
 	unsigned int requeue:1;
 	unsigned int mgmt_iface:1;
 	unsigned int queue:4;
+	unsigned int is_injected_into_monitor:1;
 };
 
 struct ieee80211_tx_stored_packet {

Re: [RFC][PATCH] Add radiotap-based packet injection capability to monitor mode

[Michael Wu]

[-- Attachment #1.1: Type: text/plain, Size: 1160 bytes --]

On Wednesday 14 March 2007 21:13, Andy Green wrote:
> This patch adds the monitor mode packet injection stuff that was talked
> about a week or so ago to mac80211.  Using a radiotap header prepended
> to the injection payload was felt to be a reasonable way forward.
>
It seems rather odd to inject with radiotap headers when capturing with AVS 
headers. I've attached a patch which switches mac80211 to using radiotap. 
It's pretty much the same patch I posted a while ago, except all support for 
AVS on monitor interfaces was removed. Drivers need to implement radiotap for 
best results, but if it isn't implemented, the stack fills in a minimal 
radiotap header. The minimal radiotap header filling code is new in this 
version of the patch and I haven't had a chance to test it yet. The rate 
filling part might be wrong. Anyway, I recommend basing your patch on top of 
this one. Aside from the new default radiotap filling code, the rest is 
fairly solid AFAIK. I had a corresponding patch to hook up radiotap support 
in zd1211rw-mac80211 but it seems like I've lost it. I'll put together a new 
one tomorrow.

Thanks,
-Michael Wu

[-- Attachment #1.2: radio.diff --]
[-- Type: text/x-diff, Size: 5735 bytes --]

mac80211: Add radiotap support

From: Michael Wu <flamingice@sourmilk.net>


---

 include/net/mac80211.h         |    3 ++
 net/mac80211/ieee80211.c       |   69 +++++++++++++++++++++++++++++++++-------
 net/mac80211/ieee80211_iface.c |    2 +
 3 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 916b21b..050f126 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -529,6 +529,9 @@ struct ieee80211_hw {
 	 * per-packet RC4 key with each TX frame when doing hwcrypto */
 #define IEEE80211_HW_TKIP_REQ_PHASE2_KEY (1<<14)
 
+	/* Driver supports radiotap. Temporary until all drivers support it. */
+#define IEEE80211_HW_RADIOTAP_SUPPORTED (1<<20)
+
 	u32 flags;			/* hardware flags defined above */
 
 	/* Set to the size of a needed device specific skb headroom for TX skbs. */
diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
index 0b7cb35..c3a9f0e 100644
--- a/net/mac80211/ieee80211.c
+++ b/net/mac80211/ieee80211.c
@@ -8,6 +8,7 @@
  */
 
 #include <net/mac80211.h>
+#include <net/ieee80211_radiotap.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/netdevice.h>
@@ -286,6 +287,14 @@ int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
 }
 EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
 
+static int ieee80211_get_radiotap_len(struct sk_buff *skb)
+{
+	struct ieee80211_radiotap_header *hdr =
+		(struct ieee80211_radiotap_header *) skb->data;
+
+	return le16_to_cpu(hdr->it_len);
+}
+
 #ifdef CONFIG_MAC80211_LOWTX_FRAME_DUMP
 static void ieee80211_dump_frame(const char *ifname, const char *title,
 				 const struct sk_buff *skb)
@@ -2741,26 +2750,50 @@ ieee80211_rx_monitor(struct net_device *dev, struct sk_buff *skb,
 		     struct ieee80211_rx_status *status)
 {
 	struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
-	struct ieee80211_frame_info *fi;
 	struct ieee80211_sub_if_data *sdata;
-	const size_t hlen = sizeof(struct ieee80211_frame_info)
-				- sizeof(fi->msg_type);
+	struct ieee80211_rtap_hdr {
+		struct ieee80211_radiotap_header hdr;
+		u8 flags;
+		u8 pad0;
+		u8 rate;
+		u8 pad1;
+		__le16 chan_freq;
+		__le16 chan_flags;
+		u8 antsignal;
+	} __attribute__ ((packed)) *rthdr;
 
 	skb->dev = dev;
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (skb_headroom(skb) < hlen) {
-		I802_DEBUG_INC(local->rx_expand_skb_head);
-		if (pskb_expand_head(skb, hlen, 0, GFP_ATOMIC)) {
-			dev_kfree_skb(skb);
-			return;
+	if (!(local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED)) {
+		if (skb_headroom(skb) < sizeof(*rthdr)) {
+			I802_DEBUG_INC(local->rx_expand_skb_head);
+			if (pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) {
+				dev_kfree_skb(skb);
+				return;
+			}
 		}
-	}
 
-	fi = (struct ieee80211_frame_info *) skb_push(skb, hlen);
+		rthdr = (struct ieee80211_rtap_hdr *) skb_push(skb, sizeof(*rthdr));
+		memset(rthdr, 0, sizeof(*rthdr));
+		rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
+		rthdr->hdr.it_present =
+			cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) ||
+				    (1 << IEEE80211_RADIOTAP_RATE) ||
+				    (1 << IEEE80211_RADIOTAP_CHANNEL) ||
+				    (1 << IEEE80211_RADIOTAP_DB_ANTSIGNAL));
+		rthdr->flags = local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS ?
+			       IEEE80211_RADIOTAP_F_FCS : 0;
+		rthdr->rate = status->rate / 5;
+		rthdr->chan_freq = cpu_to_le16(status->freq);
+		rthdr->chan_flags =
+			status->phymode == MODE_IEEE80211A ?
+			cpu_to_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ) :
+			cpu_to_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ);
+		rthdr->antsignal = status->ssi;
+	}
 
-	ieee80211_fill_frame_info(local, fi, status);
 	sdata->stats.rx_packets++;
 	sdata->stats.rx_bytes += skb->len;
 
@@ -3164,6 +3197,10 @@ ieee80211_rx_h_monitor(struct ieee80211_txrx_data *rx)
 		return TXRX_QUEUED;
 	}
 
+	if (rx->local->monitors &&
+	    rx->local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED)
+		skb_pull(rx->skb, ieee80211_get_radiotap_len(rx->skb));
+
 	return TXRX_CONTINUE;
 }
 
@@ -3731,6 +3768,13 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	struct ieee80211_txrx_data rx;
 	u16 type;
 	int multicast;
+	int radiotap_len = 0;
+
+	if (local->monitors &&
+	    local->hw.flags & IEEE80211_HW_RADIOTAP_SUPPORTED) {
+		radiotap_len = ieee80211_get_radiotap_len(skb);
+		skb_pull(skb, radiotap_len);
+	}
 
 	hdr = (struct ieee80211_hdr *) skb->data;
 	memset(&rx, 0, sizeof(rx));
@@ -3767,6 +3811,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 		goto end;
 	skb = rx.skb;
 
+	skb_push(skb, radiotap_len);
 	if (sta && !sta->assoc_ap && !(sta->flags & WLAN_STA_WDS) &&
 	    !local->iff_promiscs && !multicast) {
 		rx.u.rx.ra_match = 1;
@@ -3775,7 +3820,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	} else {
 		struct ieee80211_sub_if_data *prev = NULL;
 		struct sk_buff *skb_new;
-		u8 *bssid = ieee80211_get_bssid(hdr, skb->len);
+		u8 *bssid = ieee80211_get_bssid(hdr, skb->len - radiotap_len);
 
 		list_for_each_entry(sdata, &local->sub_if_list, list) {
 			rx.u.rx.ra_match = 1;
diff --git a/net/mac80211/ieee80211_iface.c b/net/mac80211/ieee80211_iface.c
index 3e0b4fa..51197b1 100644
--- a/net/mac80211/ieee80211_iface.c
+++ b/net/mac80211/ieee80211_iface.c
@@ -199,7 +199,7 @@ void ieee80211_if_set_type(struct net_device *dev, int type)
 		break;
 	}
 	case IEEE80211_IF_TYPE_MNTR:
-		dev->type = ARPHRD_IEEE80211_PRISM;
+		dev->type = ARPHRD_IEEE80211_RADIOTAP;
 		break;
 	default:
 		printk(KERN_WARNING "%s: %s: Unknown interface type 0x%x",

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [RFC][PATCH] Add radiotap-based packet injection capability to monitor mode

[Andy Green]

Michael Wu wrote:
> On Wednesday 14 March 2007 21:13, Andy Green wrote:

>> This patch adds the monitor mode packet injection stuff that was talked
>> about a week or so ago to mac80211.  Using a radiotap header prepended
>> to the injection payload was felt to be a reasonable way forward.
>>
> It seems rather odd to inject with radiotap headers when capturing with AVS 
> headers. I've attached a patch which switches mac80211 to using radiotap. 

Yes it seemed that radiotap on the capture part of Monitor was preferred 
and seen as the place to end up from the last discussion.  But the itch 
I needed to scratch was the injection, so your patch and mine go 
together really well in principle and migrate the whole stack to radiotap.

> It's pretty much the same patch I posted a while ago, except all support for 
> AVS on monitor interfaces was removed. Drivers need to implement radiotap for 
> best results, but if it isn't implemented, the stack fills in a minimal 
> radiotap header. The minimal radiotap header filling code is new in this 
> version of the patch and I haven't had a chance to test it yet. The rate 
> filling part might be wrong. Anyway, I recommend basing your patch on top of 
> this one. Aside from the new default radiotap filling code, the rest is 
> fairly solid AFAIK. I had a corresponding patch to hook up radiotap support 
> in zd1211rw-mac80211 but it seems like I've lost it. I'll put together a new 
> one tomorrow.

Okay I will apply your code when I can resume work on this later today. 
   They shouldn't conflict since yours is only on the receive path and 
mine only on the transmit path.  I need to learn about quilt it seems.

I am monitoring from an ipw2200 box that issues driver radiotap headers 
and tcpdump can do a lot more with them than the PRISM2 stuff.

> +	struct ieee80211_rtap_hdr {
> +		struct ieee80211_radiotap_header hdr;
> +		u8 flags;
> +		u8 pad0;
> +		u8 rate;
> +		u8 pad1;
> +		__le16 chan_freq;
> +		__le16 chan_flags;
> +		u8 antsignal;
> +	} __attribute__ ((packed)) *rthdr;

One thing though, what is the truth about endian-ness of radiotap args? 
  It seemed from the struct ieee80211_radiotap_header header version in 
Linville's latest FC7 #4 RPM anyway that they were native endian, ie, 
using u16 in there.  I took from that the args were likewise u16, which 
was possible since the radiotap part doesn't normally leave the machine. 
  But having fixed endianness makes more sense.

-Andy

Re: [RFC][PATCH] Add radiotap-based packet injection capability to monitor mode

[Pavel Roskin]

On Thu, 2007-03-15 at 06:32 +0000, Andy Green wrote:
>   It seemed from the struct ieee80211_radiotap_header header version in 
> Linville's latest FC7 #4 RPM anyway that they were native endian, ie, 
> using u16 in there.  I took from that the args were likewise u16, which 
> was possible since the radiotap part doesn't normally leave the machine. 
>   But having fixed endianness makes more sense.

I posted a patch that annotates radiotap as little-endian, but I haven't
seen any reaction so far.

I'm not aware of any driver that implements radiotap as native endian
(at least intentionally).  All implementation I know are little endian,
even if it means sparse warnings (that's how I became aware of the
problem with the non-annotated include file for radiotap).

-- 
Regards,
Pavel Roskin