[Prism54-devel] Re: Active testing rules

Jean-Baptiste Note jean-baptiste.note at wanadoo.fr
Wed Jan 26 16:49:56 UTC 2005


Hello Feyd,

Feyd <feyd at seznam.cz> said:
>
> 01 -> (ping req sent once)                                                 01 -> (probe req template for comparison)
> 00000000: 6C 08 02 00 B6 00 00 00 00 00 00 00 00 00 00 00 l............... 00000000: 6C 06 02 00 70 00 00 00 00 00 00 00 00 00 00 00 l...p...........
> 00000010: 10 40 7C 00[00 A8 07 C9]01 00 07 07 08 07 06 04 .@|............. 00000010: 00 40 34 00 00 48 4A CF 00 00 01 01 00 00 00 00 .@4..HJ.........
> 00000020: 11 11 10 10 00 00[01 05 FE 1D 11 A1 11 00 00 00 ................ 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00000030: 00 00 00 00 00 00]00 00 04 00 00 00 00 00 00 00 ................ 00000030: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
> 00000040: 00 00 02 7F 33 00 00 00 02 04 08 41 00 00 00 04 ...3......A..... 00000040: 00 00 00 00 00 00 00 00 04 00 00 00 40 00 00 00 ............@...
> 00000050: E2 80 9C 8E 00 0C 41 DA 29 4C 00 04 E2 80 9C 8E ......A.)L...... 00000050: FF FF FF FF FF FF 00 0C 41 DA 29 4C FF FF FF FF ........A.)L....
> 00000060: 00 00 4F 44 00 00 AA AA 03 00 00 00 08 00 45 00 ..OD..........E. 00000060: FF FF 00 00 00 0A 50 52 49 53 4D 2D 53 53 49 44 ......PRISM-SSID
> 00000070: 00 54 00 4E 40 00 40 01 E0 35 AC 10 01 04 AC 10 .T.N@.@..5...... 00000070: 01 04 02 04 0B 16 32 08 0C 12 18 24 30 48 60 6C ......2....$0H`l
> 00000080: 01 01 08 00 16 C4 15 42 4E 00 41 C4 61 1D 00 09 .......BN.A.a...
> 00000090: F0 0B 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 ................
> 000000a0: 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 .......... !"#$%
> 000000b0: 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 &'()*+,-./012345
> 000000c0: 36 37 00 00 00 00 D3 F4                         67......

> Comparing the two frames and verifying in the logs I see this:
> 00-04: 00 02 02 00 mgmt (prism, not 802.11) frame
>        6c XX 02 00, XX in 06-09, all other frames
> 05-06: size of the data after the header (0x10 bytes)
> 10,11: 00 40 probe template, assoc, auth, deauth
>        02 40 beacon template
>        10 40 data, auth, disassoc
>        00 80 wireless info/stats request?
>        01 80 mgmt (prism)
> 12-13: size of the encapsulated data
> 15-17: ??

This is found in many packets: a 32-bit reference for the transaction,
which will be used later. The Windows driver uses a pointer to the URB
data.

> 18-1b: 00 00 01 01 probe template, beacon template
>        01 00 07 07 all other data
> 1c-25: 08 07 06 04 11 11 10 10 00 00 data frame (ping and arp)
>        00 00 00 00 00 00 00 00 00 00 mgmt (802.11) frame
> 26-2c(37?): wep key

Thanks! I didn't have this WEP key field! Do you know how long they can
get? It seems a WEP key can be 40, 64 or 128 bits. The key size has to
be specified somewhere...

> 38,48: 00 04 beacon template
>        01 04 probe template
>        02 04 mgmt (802.11) frame
>        04 02 data frame
> 42-44: ??
> 49-4b: ??
> 4c-XX: 802.11 frame

Please note that in the beacon case, the frame starts at 4a, whereas in
the data case, the frame starts at 4c (noted on my site; generally, 4a
is for data, 4c is for management).

There must be some other fields hidden in what we take for constants for
now:

* maybe more fields to control encryption: key size, maybe encryption
type (possibly I'm mistaken, and a zero key is similar to no
key. Actually I don't see much difference between your WEP'd packet and
the first packet on http://jbnote.free.fr/prism54usb/DataSent.html,
which is non-WEP'd).

* more fields to control rate: I'm sure the rate at which the
transmission occurs is specified somewhere... Where?

Also we're missing some interaction with other frames, because this is
not sufficient to get the device to emit something. Dumbly trying to
replay the probe request, for instance, doesn't work for me :(

> 81 <- (caused by the update?)
> 00000000: 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00000010: 01 80 08 00[00 A8 07 C9|08 00 07 07]00 01 75 00 ..............u.
> 00000020: 30 26 10 10                                     0&..

This is sent as a kind of acknowledgement by the device. It holds the ID
referenced above, which for the Windows driver is the address of a
pointer. It can be whatever value you want; it will return it as a
reference for the transaction you engaged.
The frame is standard: first line size, second line magic 0x01 0x80
(response), then size of embedded data, then ID, then type (08 00 07
07, compare with 01 00 07 07 above), then data proper (8 bytes).

-- 
Jean-Baptiste Note
+33 (0)6 83 03 42 38
jean-baptiste.note at wanadoo.fr
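As an added example (not code from the prism54 project or from either poster), here is a small parser that applies the header layout proposed in this exchange to the three dumps quoted above: type word at 0x10, encapsulated size at 0x12, 32-bit transaction ID at 0x14, the 01 00 07 07 / 00 00 01 01 type field at 0x18, the 802.11 frame at 0x4a for data and 0x4c for management, and the 01 80 response with the echoed ID. The field names, the assumption that the response's leading size is 32 bits, and the 802.11 decoding are mine; the byte strings are copied from the hex dumps in the thread and are constructed input, not a live capture.

```python
"""Apply the Prism54 USB header layout described in the thread to its dumps.

Added example, not prism54 project code.  Offsets follow Feyd's list and
Jean-Baptiste's reply; the field names are mine.  Frames are copied from
the hex dumps quoted in the thread (constructed input, not a live capture).
"""
import struct


def unhex(dump):
    """Whitespace-separated hex dump -> bytes."""
    return bytes.fromhex("".join(dump.split()))


# Feyd's "01 ->" ping request (data frame, WEP flag set).
PING_REQ = unhex("""
6C 08 02 00 B6 00 00 00 00 00 00 00 00 00 00 00
10 40 7C 00 00 A8 07 C9 01 00 07 07 08 07 06 04
11 11 10 10 00 00 01 05 FE 1D 11 A1 11 00 00 00
00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
00 00 02 7F 33 00 00 00 02 04 08 41 00 00 00 04
E2 80 9C 8E 00 0C 41 DA 29 4C 00 04 E2 80 9C 8E
00 00 4F 44 00 00 AA AA 03 00 00 00 08 00 45 00
00 54 00 4E 40 00 40 01 E0 35 AC 10 01 04 AC 10
01 01 08 00 16 C4 15 42 4E 00 41 C4 61 1D 00 09
F0 0B 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15
16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25
26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35
36 37 00 00 00 00 D3 F4""")
# The probe request template from the same dump (management frame).
PROBE_TMPL = unhex("""
6C 06 02 00 70 00 00 00 00 00 00 00 00 00 00 00
00 40 34 00 00 48 4A CF 00 00 01 01 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 04 00 00 00 40 00 00 00
FF FF FF FF FF FF 00 0C 41 DA 29 4C FF FF FF FF
FF FF 00 00 00 0A 50 52 49 53 4D 2D 53 53 49 44
01 04 02 04 0B 16 32 08 0C 12 18 24 30 48 60 6C""")
# The "81 <-" acknowledgement the device sent back for the ping.
PING_ACK = unhex("""
14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 80 08 00 00 A8 07 C9 08 00 07 07 00 01 75 00
30 26 10 10""")

HEADER_LEN = 0x10
TYPE_DATA = 0x4010  # "10 40" read little-endian: data frames


def parse_80211(frame):
    """802.11 MAC header, plus IEs for probe requests and the WEP IV for protected data."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    info = {"fc": fc, "type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "to_ds": bool(fc & 0x0100), "protected": bool(fc & 0x4000),
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
            "body": frame[24:]}
    if info["type"] == 0 and info["subtype"] == 4:  # probe request: body is IEs only
        ies, off = [], 24
        while off + 2 <= len(frame):
            eid, elen = frame[off], frame[off + 1]
            ies.append((eid, frame[off + 2:off + 2 + elen]))
            off += 2 + elen
        info["ies"] = ies
    elif info["type"] == 2 and info["protected"]:  # WEP: 3-byte IV, key id in byte 3 bits 6-7
        info["wep_iv"], info["wep_keyid"] = info["body"][:3], info["body"][3] >> 6
        info["body"] = info["body"][4:]
    return info


def parse_host_frame(buf):
    """Host-to-device frame, using the offsets listed in the thread."""
    size_after_hdr = struct.unpack_from("<H", buf, 4)[0]
    type_word, encap_size = struct.unpack_from("<HH", buf, 0x10)
    frame_off = 0x4a if type_word == TYPE_DATA else 0x4c  # 4a data / 4c management
    return {"magic": buf[:4], "type_word": type_word, "frame_off": frame_off,
            "size_after_hdr": size_after_hdr,
            # bytes past the 0x10 header that the size field does not cover (0 = exact)
            "size_delta": len(buf) - HEADER_LEN - size_after_hdr,
            "encap_size": encap_size,
            # offset at which encap_size bytes would have to start to end at the frame end
            "encap_start": len(buf) - encap_size,
            "txn_id": buf[0x14:0x18], "kind": buf[0x18:0x1c],
            "wep_key": buf[0x26:0x2d],  # "26-2c(37?)": length still unknown
            "frame": parse_80211(buf[frame_off:])}


def parse_device_frame(buf):
    """Device-to-host frame: size, 01 80 magic, embedded size, ID, type, data."""
    size = struct.unpack_from("<I", buf, 0)[0]  # width assumed 32-bit
    emb_size = struct.unpack_from("<H", buf, 0x12)[0]
    return {"size": size, "size_delta": len(buf) - HEADER_LEN - size,
            "is_response": buf[0x10:0x12] == b"\x01\x80",
            "txn_id": buf[0x14:0x18], "kind": buf[0x18:0x1c],
            "data": buf[0x1c:0x1c + emb_size]}


def match_response(req, resp):
    """The device echoes the host's ID, so it pairs an ack with its request."""
    return resp["is_response"] and req["txn_id"] == resp["txn_id"]


if __name__ == "__main__":
    for name, buf in (("ping", PING_REQ), ("probe", PROBE_TMPL)):
        h = parse_host_frame(buf)
        print(f"{name}: type=0x{h['type_word']:04x} id={h['txn_id'].hex()} "
              f"kind={h['kind'].hex()} 802.11@0x{h['frame_off']:02x} "
              f"fc=0x{h['frame']['fc']:04x} addr2={h['frame']['addr2'].hex(':')}")
    print("ack pairs with ping:",
          match_response(parse_host_frame(PING_REQ), parse_device_frame(PING_ACK)))
```

Two things fall out of running this over the page's own bytes. The ack's ID (00 A8 07 C9) equals the ping's, so `match_response` pairs them and rejects the probe template, which carries 00 48 4A CF. The size fields also tell a small story: in both host frames the 16-bit value at 0x12 equals the frame length minus 0x4c (0x7c for the 200-byte ping, 0x34 for the 128-byte probe), while the value at 0x04 covers everything after the 16-byte header exactly for the probe and the ack but comes out 2 bytes short for the ping; that is a discrepancy worth keeping in mind when deciding where the data frame really starts. Finally, the ping has the Protected bit set and a 4-byte IV/key-id field (4F 44 00 00), yet what follows is a cleartext LLC/SNAP header (AA AA 03 00 00 00 08 00) and IPv4 header (45 00 00 54), which is consistent with the observation that the WEP'd and non-WEP'd dumps look much alike.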
