When sending out custom-constructed frames by packet injection from monitor mode, I noticed something peculiar. While watching the capture in Wireshark of the sending Wi-Fi module, it seems as if two frames are being sent when I try to send one (I see two identical frames in the capture); however, when I sniff from a different Wi-Fi module (now purely the receiving one, also in monitor mode), I only capture one frame. Does anyone know why this is? In what manner does a monitoring device capture frames that it sends: are they captured before they are sent out, and then the driver filters them out somehow, or? I'm thinking I probably need to understand how Wireshark deals with outbound 802.11 frames.

asked 18 Apr '14, 13:06 itrustedyou
some questions:
Ok, I use the code from mdk3 to 'open' the sending device and get the descriptor (I am not sure what exactly happens there). Then I use the write() C system call to send the frame I hard-coded (including the radiotap header) on the opened device. The OS is Linux 3.8.0 (Mint 15).
This is the sample capture (the frames I'm talking about are the two black UDP ones) from the injecting host: https://www.cloudshark.org/captures/d9740483f811 (I didn't know about CloudShark - how very cool!), and here is the one on another host: https://www.cloudshark.org/captures/c6480b9d6140
Hm.. interesting. No idea, but I will have a look.
Yay, thanks!
Also, this might be revealing: http://i.imgur.com/22gMOU4.png (I can only share a screenshot, since I don't have a capture or the equipment with me). This is what happens when I inject a packet into an ad-hoc network: the targeted device sends all these frames as a response to the first frame, for some reason (I wish I could disable it, though), so I'm guessing that only the first one goes through, and the second one is filtered out by the sending device.