Monitor Mode Feature on CYW43455 - Parsing Radio Tap Header

maku_2263101

Hi All,

This is a continuation of the discussion at the link below.

Monitor Mode Feature on CYW43455

As that discussion is locked, I am creating a discussion here.

We are able to capture the packets using tcpdump on Linux, but we are not able to parse the radio header.

We would like to fetch the channel, data rate and signal level information from the radio header.

It looks like the first 25 bytes of the packet belong to a Broadcom-specific radio header, and the 802.11 MAC header starts at the 26th octet.

We need help parsing this Broadcom-specific radio header.

Sample header:

11:24:06.929119 00:00:24:d0:0c:00 (oui Unknown) > 00:00:00:00:04:00 (oui Ethernet) Null Information, send seq 0, rcv seq 0, Flags [Command], length 257
        0x0000:  0100 0000 d100 0000 f3e7 7e65 0000 0000  ..........~e....
        0x0010:  bdff ffff 0000 0000 0100 0000 0200 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 1400 0000  ................
        0x0030:  0000

Below are the steps followed.

Monitor Mode Bring-up:

    wl mpc 0
    wl up
    wl monitor 1
    ifconfig wlan0 up

Setting Channel:

    wl channel 36

Capturing packets:

    tcpdump -iwlan0 -XXX

Attached is the tcpdump output for channel 36 and channel 44.

Below are the S/W version details:

Drivers Loading log:

    Loading modules backported from Linux version v4.14.52-manda-RTM-0-g897c6ce
    Backport generated by backports.git v4.14-rc2-1-70-g694b78f
    brcmfmac: brcmf_fw_map_chip_to_name: using brcm/brcmfmac43455-sdio.bin for chip 0x004345(17221) rev 0x000006
    usbcore: registered new interface driver brcmfmac
    brcmfmac: brcmf_c_preinit_dcmds: Murata Customized Version: imx-rocko-manda_r1.0;
    brcmfmac: brcmf_c_preinit_dcmds: Firmware version = wl0: Sep 21 2018 04:08:34 version 7.45.173 (r707987 CY) FWID 01-d2799ea2

wl ver:

    1.21 RC0.0
    wl0: Sep 21 2018 04:08:34 version 7.45.173 (r707987 CY) FWID 01-d2799ea2

wl revinfo:

    vendorid 0x14e4
    deviceid 0x43ab
    radiorev 0x58030b
    chipnum 0x4345
    chiprev 0x6
    chippackage 0x2
    corerev 54.0
    boardid 0x6e4
    boardvendor 0x14e4
    boardrev P201
    driverrev 7.45.173.0
    ucoderev 0x0
    bus 0x0
    phytype 0xb
    phyrev 20.0
    anarev 0x0
    nvramrev 498373

#########################################################

Note: Below is the response from VinayakS_26 in the previous discussion.

"

A frame received in monitor mode contains the 802.11 header and starts with a d11 header (internal headers received from the firmware).

The driver handles the conversion of d11rxhdr to the radiotap header.

We will have to look into the driver to see where that parsing is happening.

"

Hi VinayakS_26,

Did you get a chance to look into the driver source to check the d11 header parsing?

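The radiotap header that the quoted answer says the driver builds from the d11rxhdr can be parsed as below, pulling out exactly the channel, data rate and signal level fields asked for. This is an added example, not code from this thread or from the bcmdhd driver, and its sample input is constructed; note that the hex dump above begins with 01, while a radiotap header always begins with a version byte of 0, so the frames as captured are not radiotap.

```python
import struct

# Radiotap fields by present-bit number: (alignment, size in bytes), from the radiotap spec.
_FIELD = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2), 5: (1, 1), 6: (1, 1), 7: (2, 2),
          8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1), 14: (2, 2), 15: (2, 2),
          16: (1, 1), 17: (1, 1), 18: (4, 8), 19: (1, 3), 20: (4, 8), 21: (2, 12), 22: (8, 12)}

def parse_radiotap(frame: bytes) -> dict:
    """Extract channel, data rate and dBm signal from a radiotap header; raise on malformed input."""
    version, _pad, it_len = struct.unpack_from("<BBH", frame, 0)
    if version != 0 or it_len < 8 or it_len > len(frame):
        raise ValueError("not a radiotap header")
    present, off = [], 4
    while not present or present[-1] & (1 << 31):  # bit 31: another it_present word follows
        present.append(struct.unpack_from("<I", frame, off)[0])
        off += 4
    info = {"header_len": it_len}  # the 802.11 MAC header starts at frame[it_len]
    for bit in range(29):  # bits 29-31 are namespace/extension control, not data fields
        if not present[0] & (1 << bit):
            continue
        if bit not in _FIELD:
            break  # unknown field size, so every later offset would be wrong: stop here
        align, size = _FIELD[bit]
        off = (off + align - 1) & ~(align - 1)  # fields are aligned relative to the header start
        if off + size > it_len:
            raise ValueError("truncated radiotap header")
        if bit == 2:
            info["rate_mbps"] = frame[off] * 0.5  # rate field is in 500 kbps units
        elif bit == 3:
            info["channel_freq_mhz"], info["channel_flags"] = struct.unpack_from("<HH", frame, off)
        elif bit == 5:
            info["signal_dbm"] = struct.unpack_from("<b", frame, off)[0]
        off += size
    return info

def freq_to_channel(freq_mhz: int) -> int:
    """Map a 2.4 GHz or 5 GHz centre frequency to its IEEE channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5895:
        return (freq_mhz - 5000) // 5
    raise ValueError("frequency outside the 2.4/5 GHz channel tables")

# Constructed sample (not the thread's capture): present = TSFT|Flags|Rate|Channel|dBm signal (0x2F),
# 6 Mbps on 5180 MHz (channel 36) at -67 dBm, it_len 23, then a zeroed 24-byte 802.11 header stub.
SAMPLE = (struct.pack("<BBHI", 0, 0, 23, 0x2F)
          + struct.pack("<QBBHHb", 0x1234, 0, 12, 5180, 0x0140, -67) + bytes(24))
```

Feeding the first 16 bytes of the dump in the question to parse_radiotap raises ValueError on the version byte, which is the quickest check that a capture is not radiotap-framed.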
VinayakS_26
Moderator

Hi

I could see that the d11/dot11 headers are handled in the proto directory in /bcmdhd/proto.

In this directory, the 802.11.h folder contains the headers corresponding to the BRCM OUI.

The brcm_ie information element structure is provided there as well. The IE parsing is done in bcmutils.c.

Regards,

Vinayak
