linux-vybrid_public/Documentation/networking/mac80211-injection.txt

How to use packet injection with mac80211
=========================================

mac80211 now allows arbitrary packets to be injected down any Monitor Mode
interface from userland.  The packet you inject needs to be composed in the
following format:

 [ radiotap header  ]
 [ ieee80211 header ]
 [ payload ]

The radiotap format is discussed in
./Documentation/networking/radiotap-headers.txt.

Despite 13 radiotap argument types are currently defined, most only make sense
to appear on received packets.  Currently three kinds of argument are used by
the injection code, although it knows to skip any other arguments that are
present (facilitating replay of captured radiotap headers directly):

 - IEEE80211_RADIOTAP_RATE - u8 arg in 500kbps units (0x02 --> 1Mbps)

 - IEEE80211_RADIOTAP_ANTENNA - u8 arg, 0x00 = ant1, 0x01 = ant2

 - IEEE80211_RADIOTAP_DBM_TX_POWER - u8 arg, dBm

Here is an example valid radiotap header defining these three parameters

	0x00, 0x00, // <-- radiotap version
	0x0b, 0x00, // <- radiotap header length
	0x04, 0x0c, 0x00, 0x00, // <-- bitmap
	0x6c, // <-- rate
	0x0c, //<-- tx power
	0x01 //<-- antenna

The ieee80211 header follows immediately afterwards, looking for example like
this:

	0x08, 0x01, 0x00, 0x00,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x13, 0x22, 0x33, 0x44, 0x55, 0x66,
	0x10, 0x86

Then lastly there is the payload.

After composing the packet contents, it is sent by send()-ing it to a logical
mac80211 interface that is in Monitor mode.  Libpcap can also be used,
(which is easier than doing the work to bind the socket to the right
interface), along the following lines:

	ppcap = pcap_open_live(szInterfaceName, 800, 1, 20, szErrbuf);
...
	r = pcap_inject(ppcap, u8aSendBuffer, nLength);

You can also find sources for a complete inject test applet here:

http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer

Andy Green <andy@warmcat.com>