What it probably should do is have a daemon to create, destroy, and keep track of the VAPs, with a UNIX-domain socket between the daemon and libpcap, and with the client side of the UNIX-domain socket closed when the pcap_t is closed; that would also be closed if the process using libpcap terminated without closing the pcap_t, so the daemon would be able to detect that. If libpcap is built with libnl (which it isn't, on most distributions), it will attempt to find a VAP of that type and use it and, if not, try creating one; if the pcap_t is closed, it'll delete the VAP if it created it. As I remember, as long as there's at least one such VAP, the interface is in monitor mode.

On Linux, at the user-kernel boundary, if your adapter supports all the mac80211 stuff, the way you capture in monitor mode is that you arrange that there's a "virtual access point" (VAP) for the interface with an NL80211_ATTR_IFTYPE value of NL80211_IFTYPE_MONITOR, and bind that device to a PF_PACKET socket (the type of socket used for raw packet capture). libpcap implements this underneath the standard libpcap API for monitor mode.

The AirPort code appears to keep a count of the number of BPF devices that have requested it, with the adapter being in monitor mode if and only if the count is non-zero. On macOS, at the user-kernel boundary, the way you put an interface into monitor mode is to set the link-layer header type for the BPF device used for the interface to be one that provides 802.11 headers.

(WinPcap doesn't handle monitor mode at all, so it's libpcap/Npcap). The way monitor mode is implemented is platform-dependent, so how well libpcap/Npcap handles putting into monitor mode an interface that's already in monitor mode is platform-dependent.

Remaining question to investigate: how well does Wireshark (or more specifically libpcap/wpcap) handle an interface that has already been put into monitor mode by e.g. 
- Call pcap_list_datalinks() to get the list of data link layers supported, and fail if that fails.
- Get the default data link type by calling pcap_datalink().
- Call pcap_activate() and fail if that fails.
- If the device supports monitor mode, and get_if_capabilities() was told to determine the capabilities when in monitor mode, turn on monitor mode.
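
The daemon design suggested above relies on the daemon seeing end-of-file on a client's UNIX-domain socket, whether the pcap_t was closed cleanly or the process died. The following C sketch of the daemon-side bookkeeping is an added example, not libpcap code: the struct and function names are hypothetical, VAP creation and deletion are represented by a flag instead of real nl80211 calls, and socketpair() stands in for an accepted client connection.

```c
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_CLIENTS 16

/* Daemon-side state for one wireless interface (hypothetical names). */
struct vap_tracker {
    int clients[MAX_CLIENTS]; /* daemon ends of client sockets, -1 = free slot */
    int refs;                 /* capture handles currently wanting monitor mode */
    int vap_exists;           /* 1 while the daemon keeps the monitor VAP alive */
};

void tracker_init(struct vap_tracker *t) {
    for (int i = 0; i < MAX_CLIENTS; i++) t->clients[i] = -1;
    t->refs = t->vap_exists = 0;
}

/* A capture handle connected: record its socket, create the VAP on first use. */
int tracker_attach(struct vap_tracker *t, int fd) {
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (t->clients[i] != -1) continue;
        t->clients[i] = fd;
        if (t->refs++ == 0) t->vap_exists = 1; /* real daemon: create VAP here */
        return 0;
    }
    return -1; /* table full */
}

/* Drop clients whose socket hit EOF or an error; returns the remaining count. */
int tracker_reap(struct vap_tracker *t) {
    char buf[64];
    for (int i = 0; i < MAX_CLIENTS; i++) {
        struct pollfd p = { .fd = t->clients[i], .events = POLLIN };
        if (p.fd == -1 || poll(&p, 1, 0) <= 0) continue; /* free or still open */
        if (recv(p.fd, buf, sizeof buf, 0) > 0) continue; /* data, not EOF */
        close(p.fd);
        t->clients[i] = -1;
        if (--t->refs == 0) t->vap_exists = 0; /* real daemon: delete VAP here */
    }
    return t->refs;
}

int main(void) { /* constructed demo: one client that exits without cleanup */
    struct vap_tracker t; int sp[2];
    tracker_init(&t);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0) return 1;
    tracker_attach(&t, sp[0]);
    close(sp[1]); /* the kernel closes this end even if the process crashes */
    return (tracker_reap(&t) == 0 && !t.vap_exists) ? 0 : 1;
}
```

Because the kernel closes the client's descriptor on any process exit, the count cannot leak the way a VAP created in-process can when the capturing program is killed.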