[linux-2.6-block.git] / Documentation / networking / mac80211-injection.rst

.. SPDX-License-Identifier: GPL-2.0

=========================================
How to use packet injection with mac80211
=========================================

mac80211 now allows arbitrary packets to be injected down any Monitor Mode
interface from userland.  The packet you inject needs to be composed in the
following format::

 [ radiotap header  ]
 [ ieee80211 header ]
 [ payload ]

The radiotap format is discussed in
./Documentation/networking/radiotap-headers.rst.

Despite many radiotap parameters being currently defined, most only make sense
to appear on received packets.  The following information is parsed from the
radiotap headers and used to control injection:

 * IEEE80211_RADIOTAP_FLAGS

   =========================  ===========================================
   IEEE80211_RADIOTAP_F_FCS   FCS will be removed and recalculated
   IEEE80211_RADIOTAP_F_WEP   frame will be encrypted if key available
   IEEE80211_RADIOTAP_F_FRAG  frame will be fragmented if longer than the
			      current fragmentation threshold.
   =========================  ===========================================

 * IEEE80211_RADIOTAP_TX_FLAGS

   =============================  ========================================
   IEEE80211_RADIOTAP_F_TX_NOACK  frame should be sent without waiting for
				  an ACK even if it is a unicast frame
   =============================  ========================================

 * IEEE80211_RADIOTAP_RATE

   legacy rate for the transmission (only for devices without own rate control)

 * IEEE80211_RADIOTAP_MCS

   HT rate for the transmission (only for devices without own rate control).
   Also some flags are parsed

   ============================  ========================
   IEEE80211_RADIOTAP_MCS_SGI    use short guard interval
   IEEE80211_RADIOTAP_MCS_BW_40  send in HT40 mode
   ============================  ========================

 * IEEE80211_RADIOTAP_DATA_RETRIES

   number of retries when either IEEE80211_RADIOTAP_RATE or
   IEEE80211_RADIOTAP_MCS was used

 * IEEE80211_RADIOTAP_VHT

   VHT mcs and number of streams used in the transmission (only for devices
   without own rate control). Also other fields are parsed

   flags field
	IEEE80211_RADIOTAP_VHT_FLAG_SGI: use short guard interval

   bandwidth field
	* 1: send using 40MHz channel width
	* 4: send using 80MHz channel width
	* 11: send using 160MHz channel width

The injection code can also skip all other currently defined radiotap fields
facilitating replay of captured radiotap headers directly.

Here is an example valid radiotap header defining some parameters::

	0x00, 0x00, // <-- radiotap version
	0x0b, 0x00, // <- radiotap header length
	0x04, 0x0c, 0x00, 0x00, // <-- bitmap
	0x6c, // <-- rate
	0x0c, //<-- tx power
	0x01 //<-- antenna

The ieee80211 header follows immediately afterwards, looking for example like
this::

	0x08, 0x01, 0x00, 0x00,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x10, 0x86

Then lastly there is the payload.

After composing the packet contents, it is sent by send()-ing it to a logical
mac80211 interface that is in Monitor mode.  Libpcap can also be used,
(which is easier than doing the work to bind the socket to the right
interface), along the following lines:::

	ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
	...
	r = pcap_inject(ppcap, u8aSendBuffer, nLength);

You can also find a link to a complete inject application here:

https://wireless.wiki.kernel.org/en/users/Documentation/packetspammer

Andy Green <andy@warmcat.com>
Commit	Line	Data
429ff87b MCC	1	.. SPDX-License-Identifier: GPL-2.0
	2
	3	=========================================
08d1f215 AG	4	How to use packet injection with mac80211
	5	=========================================
	6
	7	mac80211 now allows arbitrary packets to be injected down any Monitor Mode
	8	interface from userland. The packet you inject needs to be composed in the
429ff87b	9	following format::
08d1f215 AG	10
	11	[ radiotap header ]
	12	[ ieee80211 header ]
	13	[ payload ]
	14
	15	The radiotap format is discussed in
66d495d0	16	./Documentation/networking/radiotap-headers.rst.
08d1f215	17
de2b3e86	18	Despite many radiotap parameters being currently defined, most only make sense
58d4185e JB	19	to appear on received packets. The following information is parsed from the
58d4185e JB	20	radiotap headers and used to control injection:
08d1f215	21
58d4185e JB	22	* IEEE80211_RADIOTAP_FLAGS
58d4185e JB	23
429ff87b MCC	24	========================= ===========================================
	25	IEEE80211_RADIOTAP_F_FCS FCS will be removed and recalculated
	26	IEEE80211_RADIOTAP_F_WEP frame will be encrypted if key available
	27	IEEE80211_RADIOTAP_F_FRAG frame will be fragmented if longer than the
de2b3e86	28	current fragmentation threshold.
429ff87b	29	========================= ===========================================
de2b3e86	30
d9cd48f9 HS	31	* IEEE80211_RADIOTAP_TX_FLAGS
d9cd48f9 HS	32
429ff87b MCC	33	============================= ========================================
429ff87b MCC	34	IEEE80211_RADIOTAP_F_TX_NOACK frame should be sent without waiting for
d9cd48f9	35	an ACK even if it is a unicast frame
429ff87b	36	============================= ========================================
58d4185e	37
dfdfc2be SE	38	* IEEE80211_RADIOTAP_RATE
	39
	40	legacy rate for the transmission (only for devices without own rate control)
	41
	42	* IEEE80211_RADIOTAP_MCS
	43
	44	HT rate for the transmission (only for devices without own rate control).
	45	Also some flags are parsed
	46
429ff87b MCC	47	============================ ========================
	48	IEEE80211_RADIOTAP_MCS_SGI use short guard interval
	49	IEEE80211_RADIOTAP_MCS_BW_40 send in HT40 mode
	50	============================ ========================
dfdfc2be SE	51
	52	* IEEE80211_RADIOTAP_DATA_RETRIES
	53
	54	number of retries when either IEEE80211_RADIOTAP_RATE or
	55	IEEE80211_RADIOTAP_MCS was used
	56
646e76bb LB	57	* IEEE80211_RADIOTAP_VHT
	58
	59	VHT mcs and number of streams used in the transmission (only for devices
	60	without own rate control). Also other fields are parsed
	61
	62	flags field
429ff87b	63	IEEE80211_RADIOTAP_VHT_FLAG_SGI: use short guard interval
646e76bb LB	64
646e76bb LB	65	bandwidth field
429ff87b MCC	66	* 1: send using 40MHz channel width
	67	* 4: send using 80MHz channel width
	68	* 11: send using 160MHz channel width
646e76bb	69
58d4185e JB	70	The injection code can also skip all other currently defined radiotap fields
58d4185e JB	71	facilitating replay of captured radiotap headers directly.
08d1f215	72
429ff87b	73	Here is an example valid radiotap header defining some parameters::
08d1f215 AG	74
	75	0x00, 0x00, // <-- radiotap version
	76	0x0b, 0x00, // <- radiotap header length
	77	0x04, 0x0c, 0x00, 0x00, // <-- bitmap
	78	0x6c, // <-- rate
	79	0x0c, //<-- tx power
	80	0x01 //<-- antenna
	81
	82	The ieee80211 header follows immediately afterwards, looking for example like
429ff87b	83	this::
08d1f215 AG	84
	85	0x08, 0x01, 0x00, 0x00,
	86	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	87	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	88	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	89	0x10, 0x86
	90
	91	Then lastly there is the payload.
	92
	93	After composing the packet contents, it is sent by send()-ing it to a logical
	94	mac80211 interface that is in Monitor mode. Libpcap can also be used,
	95	(which is easier than doing the work to bind the socket to the right
429ff87b	96	interface), along the following lines:::
08d1f215 AG	97
08d1f215 AG	98	ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
429ff87b	99	...
08d1f215 AG	100	r = pcap_inject(ppcap, u8aSendBuffer, nLength);
08d1f215 AG	101
de2b3e86	102	You can also find a link to a complete inject application here:
08d1f215	103
327cdb98	104	https://wireless.wiki.kernel.org/en/users/Documentation/packetspammer
08d1f215 AG	105
08d1f215 AG	106	Andy Green <andy@warmcat.com>