-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Garbled data in 802.11 management frames - missing FCS check? #14
Comments
I should have listed this in the bugs section - certain wireless cards are prone to this, for example the TPLINK TL-WN722N. Other cards, like the Alfa Awus036h seem to perform better. I spent a lot of time last year trying to implement the Wireshark FCS algorithm from C (in Wireshark) to Python to patch Scapy, but didn't succeed in the end. Read my question on the Scapy mailing list here: http://comments.gmane.org/gmane.comp.security.scapy.general/4918 And the Wireshark C code for the FCS: I'm trying to find my Python FCS implementation (that was not quite working) to see if you'd have any insight into fixing it. I think it's on a VM back at home, I'll check and update this thread when I find it. We'd add this to prefilter.py (https://github.com/sensepost/snoopy-ng/blob/master/plugins/mods80211/prefilter/prefilter.py) You can see the dirty hack I've got in there at the moment. Also, I've recently discovered Impacket: https://code.google.com/p/impacket/ It has native support for FCS checking, and potetially better performance than Scapy. Well, I'll re-implement and compare performance. |
Yes, TP-LINK - exactly what I'm using in my tests. Happy to check out the Python FCS implementation if you can resurrect it. Impacket looks very promising indeed, I haven't seen that before myself. I've actually got a tshark-based probe and beacon sniffing PoC here in the meantime: https://github.com/maximcherny/snoopy-ng/blob/headway/plugins/tshark.py If you are interested in pulling that in that please let me know. This one does not deal with handshake capture or cookie snarfing though. |
That'd be useful to have as a separate plugin perhaps - |
Going back to this - using scapy_ex it is also possible to determine the presence and the value of the FCS flag, I have got working code here: https://github.com/maximcherny/snoopy-ng/blob/headway/plugins/mods80211/wifi_clients.py if p.Flags is not None:
if p.Flags & 64 != 0:
self.droppedCount += 1
fcs = 0
elif p.Flags & 64 == 0:
fcs = 1 However, I've collected almost 3 million probes and the flag only appears in roughly 75% of the data, remaining unknown for the rest. While it can be an improvement, it's not a silver bullet. Happy to organise a pull request. |
It appears that sometimes (rarely, bit still often enough to be inconvenient) Scapy-based probes and beacons sniffing engine is fed garbled data. By garbled I am referring to:
While I assume the root cause is external to Scapy itself - e.g. noise / interference, Scapy does not offer a mechanism to ensure that only the frames that pass the Frame Control Sequence (FCS) check are processed.
There is a proposed patch dating back some years here:
http://bb.secdev.org/scapy/issue/109/incorrect-parsing-of-80211-frame-with
I haven't tested the patch myself, but first of all would be interested to find out whether you share this concern.
Being able to capture reliable (read - discard garbled) data is a must-have requirement for me, which means I am facing the possibility of switching to a custom tshark-based 802.11 frame capture plugin. Unfortunately, this also means more CPU + memory usage to run an additional process.
Have you experienced this issue throughout your data collection?
The text was updated successfully, but these errors were encountered: