Wi-Fi frame injection patch for Wireshark

Edit, visualize and send 802.11 frames to the air from Wireshark

Author : Asier Martínez Martínez

Email : axierr at gmail dot com

Why this patch?

I made this patch because I wanted a visual tool for editing and reinjecting 802.11 frames. I have now integrated the power of Wireshark's decoder and visualization, a simple raw hexadecimal frame editor, and the LORCON library for frame injection. This patch provides an easy way to do injection/modifications, as in CommView and other commercial products. I know that this would be more convenient to do in Netdude, but I'm too lazy to adapt the 802.11 decoder for Netdude. It was coded in four relaxed days for my tests, I had never used the GTK libraries before, and some things surely could be done better. Send me your opinions, bugfixes, etc.

Download

You can get the latest patch here :

Installation

Software requirements

  • 802.11 card with a patched driver supported by LORCON
  • libgtkhex0 and libgtkhex0-dev, or gthex version 2.8.2 or higher
  • In theory it works with GTK 1.x versions, but I have only tested it with GTK 2
  • LORCON library
  • wireshark-0.99.4 source code (it should work with other versions, but I haven't tested them) and its compilation dependencies: glibc, GTK headers, etc.

Hardware requirements

The only thing you need is an 802.11 adapter with a driver supported by the LORCON library. You can get the list of supported device drivers in the Driver Type combo box of the Send Frame menu. To use the LORCON library successfully you need a patched device driver; patches for some specific driver versions come with the LORCON library in its patches directory. For more information about driver injection patches, read Devine's aircrack documentation or the aircrack-ng documentation.

Installation steps

On Debian GNU/Linux etch (other distros should be similar):
  1. Download the LORCON library here and uncompress it, then use the magic words: ./configure && make && make install
  2. apt-get install libgtkhex0-dev libgtkhex0, or the equivalent on your platform.
  3. apt-get source wireshark, or download the source code from Sourceforge.
  4. At this point you need the Wireshark compilation dependencies: glibc headers, GTK headers and others. On Debian etch you can use the package wireshark-dev.
  5. Apply this patch from the root directory where you uncompressed the Wireshark source code: patch -p0 -i wishark.diff
  6. After running the configure script, add the libraries to the Makefile in the root directory, something like this: CFLAGS = -DINET6 -D_U_="__attribute__((unused))" -Wall -Wpointer-arith -W -g -O2 -lgtkhex -lorcon ...
  7. You also need to add the gtkhex headers directory to the Makefile in the gtk directory of the Wireshark source tree: CFLAGS = -DINET6 -D_U_="__attribute__((unused))" -Wall -Wpointer-arith -W -g -O2 -I/usr/include/gtkhex ...
  8. Now you are able to compile Wireshark with the frame injection features.

How to use

If you have successfully compiled Wireshark with the injection patch, the packet list menu now shows a new entry named Send Wifi Frame after Show packet in new window. Select a packet in the packet list and then select this new menu item to open the Send Menu. You can use it with an opened pcap file or with a live capture.

Note for madwifi users: in newer versions of LORCON you don't need to select the athXraw interface to inject, because the LORCON library handles this internally. You can choose the ath0 interface to inject; LORCON brings ath0raw up and injects through the raw interface. When you click the Send button, the program tries to put the selected interface in injection mode (for now, this is the same as putting the card into monitor mode) and changes the channel of the card to the one specified in the Channel Number spin button. If you specify the athXraw interface you will receive warnings that the card can't be put in monitor mode and that the specified channel can't be set; remember that you can't put a fish in monitor mode ;-).

Editing frames

If you push the Edit Frame button, a new window appears with the content of the selected frame in hexadecimal format. If you change something in this window, the Tree View window is updated automatically, so you can see the effect of your changes as you make them. Editing doesn't modify the pcap file; a new buffer is allocated for the edited frame.

Frame length spin button

Here you can specify the length of the frame to be injected. This is useful for skipping the FCS that appears in some frames: subtract 4 bytes from the length to skip the FCS. For now, I only detect whether the packet has Prism headers and skip them accordingly. If your file has Radiotap or AVS headers, you can change this in the code of the gtk/packet_win.c file, or use the prism-strip utility to strip different kinds of headers.

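	/* Default injection length: the captured length minus any capture header */
	switch (cfile.lnk_t)
	{
		case WTAP_ENCAP_PRISM_HEADER:
			/* Skip the 144-byte Prism header; never let the subtraction wrap */
			if (DataPtr->frame->cap_len > 144)
				injection_frame_len = DataPtr->frame->cap_len - 144;
			else
				injection_frame_len = 0;
			break;
		case WTAP_ENCAP_IEEE_802_11:
			/* Bare 802.11 frame: nothing to strip */
			injection_frame_len = DataPtr->frame->cap_len;
			break;
		default:
			/* Radiotap, AVS and other headers are not stripped here */
			injection_frame_len = DataPtr->frame->cap_len;
			break;
	}
	/*
	 * 802.11 encapsulation types (description, short name):
	 *
	 * WTAP_ENCAP_IEEE_802_11
	 *   { "IEEE 802.11 Wireless LAN", "ieee-802-11" },
	 *
	 * WTAP_ENCAP_PRISM_HEADER
	 *   { "IEEE 802.11 plus Prism II monitor mode header", "prism" },
	 *
	 * WTAP_ENCAP_IEEE_802_11_WITH_RADIO
	 *   { "IEEE 802.11 Wireless LAN with radio information", "ieee-802-11-radio" },
	 *
	 * WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP
	 *   { "IEEE 802.11 plus radiotap WLAN header", "ieee-802-11-radiotap" },
	 *
	 * WTAP_ENCAP_IEEE_802_11_WLAN_AVS
	 *   { "IEEE 802.11 plus AVS WLAN header", "ieee-802-11-avs" }
	 */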
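
The header handling described above, generalized as an added example (not code from the patch): it computes where the bare 802.11 frame starts and how long it is for Prism, radiotap and AVS captures, and rejects truncated packets instead of letting the length subtraction wrap. The enum, the function name frame_span and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example-only tags; in Wireshark these would be the WTAP_ENCAP_* values. */
enum encap { ENCAP_80211, ENCAP_PRISM, ENCAP_RADIOTAP, ENCAP_AVS };

#define PRISM_HDR_LEN 144u  /* fixed-size Prism monitor header */
#define FCS_LEN       4u    /* trailing frame check sequence */

/* Locate the bare 802.11 frame inside a captured packet.
 * Returns 0 and fills *off / *len, or -1 if the capture is too short
 * or the header length field is inconsistent with cap_len. */
int frame_span(enum encap e, const uint8_t *buf, size_t cap_len,
               int has_fcs, size_t *off, size_t *len)
{
    size_t hdr;
    switch (e) {
    case ENCAP_80211:  hdr = 0; break;
    case ENCAP_PRISM:  hdr = PRISM_HDR_LEN; break;
    case ENCAP_RADIOTAP:   /* u8 version, u8 pad, le16 total header length */
        if (cap_len < 4) return -1;
        hdr = (size_t)buf[2] | ((size_t)buf[3] << 8);
        if (hdr < 8) return -1;   /* fixed part of radiotap is 8 bytes */
        break;
    case ENCAP_AVS:        /* be32 version, be32 total header length */
        if (cap_len < 8) return -1;
        hdr = ((size_t)buf[4] << 24) | ((size_t)buf[5] << 16) |
              ((size_t)buf[6] << 8)  |  (size_t)buf[7];
        if (hdr < 8) return -1;   /* must at least cover the two fields read */
        break;
    default: return -1;
    }
    if (hdr > cap_len) return -1;                       /* truncated capture */
    if (has_fcs && cap_len - hdr < FCS_LEN) return -1;  /* no room for FCS */
    *off = hdr;
    *len = cap_len - hdr - (has_fcs ? FCS_LEN : 0);
    return 0;
}

/* Constructed sample: 8-byte radiotap header, 10-byte frame body, 4-byte FCS. */
static const uint8_t sample_radiotap[22] = { 0x00, 0x00, 0x08, 0x00 };

int main(void)
{
    size_t off, len;
    if (frame_span(ENCAP_RADIOTAP, sample_radiotap, sizeof sample_radiotap, 1, &off, &len) == 0)
        printf("frame at offset %zu, %zu bytes\n", off, len);
    return 0;
}
```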

TODO

  • Add LORCON new functionalities in the future ...
  • Maybe some edit improvements ...
  • Drink more beer... ( classic )
