2017-04-05 07:27:05

by Thomas Thielemann

[permalink] [raw]
Subject: How to use netlink to determine wifi protection WEP

Hello!

I need a solution to determine whether a WiFi is using WEP. I know there is a protection flag within the MAC frame but do not know how to access it.

To detect whether a WiFi is protected by WPA2 I found the following solution:

Scan with

#include <netlink/genl/genl.h>   /* libnl-genl: genl_connect(), genlmsg_put() */
#include <netlink/genl/ctrl.h>   /* genl_ctrl_resolve() */
#include <linux/nl80211.h>       /* NL80211_CMD_* and NL80211_ATTR_* */

struct nl_sock *socket = nl_socket_alloc();
genl_connect(socket);
struct nl_msg *msg = nlmsg_alloc();
int driverId = genl_ctrl_resolve(socket, "nl80211");
genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN, 0); /* then add NL80211_ATTR_IFINDEX and send it */

and fetch with

genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP, NL80211_CMD_GET_SCAN, 0); /* dump: one message per BSS arrives in the valid-message callback */

Read the received structure using nl80211_bss::NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and

examine the RSN field (id=48) (see IEEE 802.11-2012, chapter 8.4.2 Information elements).

Which netlink command gives me the related data? Is it NL80211_CMD_GET_BEACON?

Regards,
Thomas

E-Mail: [email protected]


2017-04-06 15:41:49

by Dan Williams

[permalink] [raw]
Subject: Re: How to use netlink to determine wifi protection WEP

On Thu, 2017-04-06 at 16:27 +0200, Thomas Thielemann wrote:
> Thanks!
>
> If the sequence is the following:
>
>  1. Prepare and execute NL80211_CMD_TRIGGER_SCAN
>  2. Prepare and execute NL80211_CMD_GET_SCAN
>  Together with NL80211_CMD_GET_SCAN a callback is registered.
>  In the callback the raw data are parsed as BSS. The IEs are parsed
> too.
>
> When do I have to fetch the beacon to get the right beacon but
> without losing the scan result?
> After I have fetched all scan results, or immediately after receiving
> each scan result?

The scan results are essentially the beacons, so you just need to read
the GET_SCAN. Then when parsing the "bss info" you get from the scan
results handler that you registered, you look for:

NL80211_BSS_CAPABILITY: the Privacy bit is in here
NL80211_BSS_INFORMATION_ELEMENTS: the IEs are obviously in here

Dan

> Regards,
> Thomas
>
>
> > On 05.04.2017 at 19:24, Dan Williams <[email protected]> wrote:
> >
> > On Wed, 2017-04-05 at 09:27 +0200, Thomas Thielemann wrote:
> > > Hello!
> > >
> > > I need a solution to determine whether a WiFi is using WEP. I know
> > > there is a protection flag within the MAC frame but do not know how
> > > to access it.
> > >
> > > To detect whether a WiFi is protected by WPA2 I found the
> > > following solution:
> > >
> > > Scan with
> > >
> > > nl_sock* socket = nl_socket_alloc();
> > > genl_connect(socket);
> > > struct nl_msg* msg = nlmsg_alloc();
> > > int driverId = genl_ctrl_resolve(socket, "nl80211"); 
> > > genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN,
> > > 0);
> > >
> > > and fetch with
> > >
> > > genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP,
> > > NL80211_CMD_GET_SCAN,
> > > 0);
> > >
> > > Read the received structure using
> > > nl80211_bss::NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and
> > >
> > > examine the RSN field (id=48) (see IEEE 802.11-2012, chapter 8.4.2
> > > Information elements).
> > >
> > > Which netlink command gives me the related data? Is it
> > > NL80211_CMD_GET_BEACON?
> >
> > You want both the beacon (for the Privacy bit) and the information
> > elements.
> >
> > If the privacy bit is set in the beacon and there are no WPA/WPA2/RSN-
> > related information elements, then the AP is using WEP. Unfortunately
> > you don't know whether it's WEP-40 or WEP-104, but that's another
> > topic.
> >
> > If the privacy bit is set, and there are WPA/WPA2/RSN information
> > elements, then the AP *might* be using WEP in compatibility
> > mode.  This
> > isn't very common though, so you can probably just ignore this
> > case.
> >
> > Dan
> >
>
>

2017-04-05 17:24:49

by Dan Williams

[permalink] [raw]
Subject: Re: How to use netlink to determine wifi protection WEP

On Wed, 2017-04-05 at 09:27 +0200, Thomas Thielemann wrote:
> Hello!
>
> I need a solution to determine whether a WiFi is using WEP. I know
> there is a protection flag within the MAC frame but do not know how to
> access it.
>
> To detect whether a WiFi is protected by WPA2 I found the following
> solution:
>
> Scan with
>
> nl_sock* socket = nl_socket_alloc();
> genl_connect(socket);
> struct nl_msg* msg = nlmsg_alloc();
> int driverId = genl_ctrl_resolve(socket, "nl80211"); 
> genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN, 0);
>
> and fetch with
>
> genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP, NL80211_CMD_GET_SCAN,
> 0);
>
> Read the received structure using
> nl80211_bss::NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and
>
> examine the RSN field (id=48) (see IEEE 802.11-2012, chapter 8.4.2
> Information elements).
>
> Which netlink command gives me the related data? Is it
> NL80211_CMD_GET_BEACON?

You want both the beacon (for the Privacy bit) and the information
elements.

If the privacy bit is set in the beacon and there are no WPA/WPA2/RSN-
related information elements, then the AP is using WEP. Unfortunately
you don't know whether it's WEP-40 or WEP-104, but that's another
topic.

If the privacy bit is set, and there are WPA/WPA2/RSN information
elements, then the AP *might* be using WEP in compatibility mode. This
isn't very common though, so you can probably just ignore this case.

Dan

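To make the two rules above concrete (the Privacy bit read from NL80211_BSS_CAPABILITY, then the presence or absence of RSN/WPA information elements in NL80211_BSS_INFORMATION_ELEMENTS, which is also what the later reply in this thread says to look for in the GET_SCAN callback), here is the classification step written out in plain C. This is an added example, not code from Dan or Thomas: it assumes the caller has already done the TRIGGER_SCAN/GET_SCAN exchange with libnl and hands in the u16 capability field and the raw IE blob of one BSS. The sample BSS records are constructed, not captured from real APs, and CAP_PRIVACY duplicates the value of WLAN_CAPABILITY_PRIVACY so the file builds without kernel headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Privacy bit of the 802.11 Capability Information field (IEEE 802.11-2012,
 * 8.4.1.4). Same value as WLAN_CAPABILITY_PRIVACY in <linux/ieee80211.h>. */
#define CAP_PRIVACY 0x0010u

/* Element IDs from IEEE 802.11-2012, 8.4.2. */
#define EID_RSN             48
#define EID_VENDOR_SPECIFIC 221

enum bss_security {
    SEC_OPEN,      /* Privacy bit clear */
    SEC_WEP,       /* Privacy bit set, no WPA or RSN IE */
    SEC_WPA_RSN,   /* Privacy bit set plus WPA and/or RSN IE; WEP compat mode not ruled out */
    SEC_MALFORMED  /* an IE length byte runs past the end of the blob */
};

/* Walk the IE blob as returned by nla_data()/nla_len() on
 * NL80211_BSS_INFORMATION_ELEMENTS: a sequence of [id][len][body].
 * Sets *has_rsn for element 48 and *has_wpa for vendor element 221 with
 * OUI 00:50:F2, type 1 (the pre-802.11i WPA IE). Returns -1 if truncated. */
static int scan_security_ies(const uint8_t *ies, size_t len, int *has_rsn, int *has_wpa)
{
    size_t pos = 0;

    *has_rsn = 0;
    *has_wpa = 0;
    while (pos + 2 <= len) {
        uint8_t id = ies[pos];
        size_t ielen = ies[pos + 1];
        const uint8_t *body = ies + pos + 2;

        if (pos + 2 + ielen > len)
            return -1;              /* never trust a length byte received over the air */
        if (id == EID_RSN) {
            *has_rsn = 1;
        } else if (id == EID_VENDOR_SPECIFIC && ielen >= 4 &&
                   body[0] == 0x00 && body[1] == 0x50 &&
                   body[2] == 0xF2 && body[3] == 0x01) {
            *has_wpa = 1;
        }
        pos += 2 + ielen;
    }
    return pos == len ? 0 : -1;     /* a dangling single byte is also malformed */
}

/* capability: nla_get_u16() of NL80211_BSS_CAPABILITY for the same BSS. */
enum bss_security classify_bss(uint16_t capability, const uint8_t *ies, size_t len)
{
    int has_rsn, has_wpa;

    if (scan_security_ies(ies, len, &has_rsn, &has_wpa) < 0)
        return SEC_MALFORMED;
    if (!(capability & CAP_PRIVACY))
        return SEC_OPEN;
    if (has_rsn || has_wpa)
        return SEC_WPA_RSN;
    return SEC_WEP;
}

const char *bss_security_name(enum bss_security s)
{
    switch (s) {
    case SEC_OPEN:    return "open";
    case SEC_WEP:     return "WEP (40- vs 104-bit not distinguishable here)";
    case SEC_WPA_RSN: return "WPA/WPA2 (WEP compatibility mode possible)";
    default:          return "malformed IEs";
    }
}

/* Constructed sample BSSs. Capability 0x0401 = ESS, 0x0411 = ESS + Privacy. */
const uint8_t ies_open[] = { 0x00, 0x04, 'o', 'p', 'e', 'n', 0x03, 0x01, 0x06 };
const uint8_t ies_wep[]  = { 0x00, 0x03, 'w', 'e', 'p', 0x01, 0x01, 0x82, 0x03, 0x01, 0x06 };
/* RSN IE (id 48, len 20): version 1, group CCMP, pairwise CCMP, AKM PSK, caps 0. */
const uint8_t ies_wpa2[] = { 0x00, 0x04, 'w', 'p', 'a', '2',
                             0x30, 0x14, 0x01, 0x00, 0x00, 0x0F, 0xAC, 0x04,
                             0x01, 0x00, 0x00, 0x0F, 0xAC, 0x04,
                             0x01, 0x00, 0x00, 0x0F, 0xAC, 0x02, 0x00, 0x00 };
/* WPA vendor IE (id 221, len 22): OUI 00:50:F2 type 1, TKIP, AKM PSK. */
const uint8_t ies_wpa1[] = { 0x00, 0x04, 'w', 'p', 'a', '1',
                             0xDD, 0x16, 0x00, 0x50, 0xF2, 0x01, 0x01, 0x00,
                             0x00, 0x50, 0xF2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xF2, 0x02,
                             0x01, 0x00, 0x00, 0x50, 0xF2, 0x02 };
/* RSN IE claiming 20 bytes with only 2 present. */
const uint8_t ies_bad[]  = { 0x30, 0x14, 0x01, 0x00 };

int main(void)
{
    printf("open: %s\n", bss_security_name(classify_bss(0x0401, ies_open, sizeof ies_open)));
    printf("wep : %s\n", bss_security_name(classify_bss(0x0411, ies_wep,  sizeof ies_wep)));
    printf("wpa2: %s\n", bss_security_name(classify_bss(0x0411, ies_wpa2, sizeof ies_wpa2)));
    printf("wpa1: %s\n", bss_security_name(classify_bss(0x0411, ies_wpa1, sizeof ies_wpa1)));
    printf("bad : %s\n", bss_security_name(classify_bss(0x0411, ies_bad,  sizeof ies_bad)));
    return 0;
}
```

The compatibility-mode ambiguity Dan mentions surfaces as SEC_WPA_RSN rather than a definite answer, and the truncated sample shows why each element's length byte has to be bounds-checked before the body is read: the blob comes straight from whoever transmitted the beacon.
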
2017-04-06 14:27:59

by Thomas Thielemann

[permalink] [raw]
Subject: Re: How to use netlink to determine wifi protection WEP

Thanks!

If the sequence is the following:

1. Prepare and execute NL80211_CMD_TRIGGER_SCAN
2. Prepare and execute NL80211_CMD_GET_SCAN
Together with NL80211_CMD_GET_SCAN a callback is registered.
In the callback the raw data are parsed as BSS. The IEs are parsed too.

When do I have to fetch the beacon to get the right beacon but without losing the scan result?
After I have fetched all scan results, or immediately after receiving each scan result?

Regards,
Thomas


> On 05.04.2017 at 19:24, Dan Williams <[email protected]> wrote:
>
> On Wed, 2017-04-05 at 09:27 +0200, Thomas Thielemann wrote:
>> Hello!
>>
>> I need a solution to determine whether a WiFi is using WEP. I know
>> there is a protection flag within the MAC frame but do not know how to
>> access it.
>>
>> To detect whether a WiFi is protected by WPA2 I found the following
>> solution:
>>
>> Scan with
>>
>> nl_sock* socket = nl_socket_alloc();
>> genl_connect(socket);
>> struct nl_msg* msg = nlmsg_alloc();
>> int driverId = genl_ctrl_resolve(socket, "nl80211");
>> genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN, 0);
>>
>> and fetch with
>>
>> genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP, NL80211_CMD_GET_SCAN,
>> 0);
>>
>> Read the received structure using
>> nl80211_bss::NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and
>>
>> examine the RSN field (id=48) (see IEEE 802.11-2012, chapter 8.4.2
>> Information elements).
>>
>> Which netlink command gives me the related data? Is it
>> NL80211_CMD_GET_BEACON?
>
> You want both the beacon (for the Privacy bit) and the information
> elements.
>
> If the privacy bit is set in the beacon and there are no WPA/WPA2/RSN-
> related information elements, then the AP is using WEP. Unfortunately
> you don't know whether it's WEP-40 or WEP-104, but that's another
> topic.
>
> If the privacy bit is set, and there are WPA/WPA2/RSN information
> elements, then the AP *might* be using WEP in compatibility mode. This
> isn't very common though, so you can probably just ignore this case.
>
> Dan
>