A few weeks ago I released Airtool, a simple menubar app for OS X that allows you to easily perform 802.11 frame captures on a single or multiple channels. One of the options in Airtool lets you configure the link-layer header type you want to capture as part of the frames. In this blog post I’m going to give a brief description of the header types that are available for the built-in Wi-Fi adapter on a Mac so you can understand the differences and choose the right header type for your captures.
There are many link-layer header types defined for packet capture, but the driver of the built-in Wi-Fi adapter in recent Mac computers supports only a handful of them, typically: Ethernet, 802.11, 802.11 plus Radiotap, 802.11 plus AVS radio information, Per-Packet Information, and Raw IP. Wireshark and Airtool list only the header types the driver on your Mac model actually supports. Some of these are pseudo-headers: they are never transmitted over the air, but are prepended by the driver to carry additional radio information (channel, rate, signal strength, and so on) about each frame.
The Ethernet header type gives you just the 802.3 portion of the frame, with no 802.11 header and no pseudo-header: the driver translates each 802.11 data frame into an Ethernet frame before handing it over. So if you choose Ethernet as the header type, only 802.11 data frames (the ones carrying an 802.3-style payload) are captured; management and control frames never appear, and the original 802.11 headers are not included in the capture data.
The 802.11 header type lets you capture 802.11 control, management and data frames with their native 802.11 MAC headers, but no pseudo-header is prepended, so the capture carries no radio information about the frames.
The 802.11 plus Radiotap, 802.11 plus AVS radio information, and Per-Packet Information header types are the pseudo-headers supported on a Mac. The 802.11 plus Radiotap header type gives you a Radiotap header followed by the 802.11 frame. Radiotap is the common mechanism by which a driver supplies out-of-band information about received frames to user space applications, and by which user space applications pass transmit parameters to the driver for frames they want to inject. The Radiotap format is extensible: a fixed 8-byte header (version, padding, total length, and a "present" bitmask) is followed only by those fields whose bits are set in the bitmask, each in a defined order and alignment, so which fields you actually get depends on the driver's implementation.
Some of the fields that can be found in the Radiotap header are:
- Channel: Tx/Rx frequency in MHz
- Rate: Tx/Rx rate
- Antenna Signal: RF signal power at the antenna (dBm)
- Antenna Noise: RF noise power at the antenna (dBm)
- Flags: Properties of transmitted and received frames, such as encryption, fragmentation and whether the FCS is included at the end of the frame
- MCS: MCS rate index and additional properties such as bandwidth, guard interval and HT format
- A-MPDU Status: The frame was received as part of an A-MPDU
- Antenna: Index of the antenna used to transmit or receive the frame
- VHT: Properties of VHT frames such as STBC, guard interval and beamforming
You can find the complete list of Radiotap fields here.
Radiotap headers are only available if the adapter is put into monitor mode, so make sure you choose monitor mode when performing a capture in Wireshark. Airtool will always capture in monitor mode.
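To make the Radiotap layout concrete, here is a small decoder I am adding to this post as a worked example; it is not Airtool code and uses only the Python standard library. It reads the fixed header (version, pad, length, present bitmask), follows chained present words, walks the fields in bit order with their natural alignment, steps over a vendor namespace it does not understand, stops cleanly at a field whose size it does not know, and then verifies and strips the FCS when the Flags field says the driver left it on the frame. The input is a constructed beacon, not a real capture; the field names, bit numbers, sizes and alignments are the ones from the Radiotap specification, and `build_sample_beacon` is a helper written for this example.

```python
import struct
import zlib

# Radiotap-namespace fields keyed by present-bit: (name, alignment, struct format). Field data
# follows the present words in bit order, each naturally aligned relative to the header start.
RADIOTAP_FIELDS = {
    0: ("tsft", 8, "<Q"), 1: ("flags", 1, "<B"), 2: ("rate", 1, "<B"), 3: ("channel", 2, "<HH"),
    4: ("fhss", 1, "<BB"), 5: ("dbm_antsignal", 1, "<b"), 6: ("dbm_antnoise", 1, "<b"),
    7: ("lock_quality", 2, "<H"), 8: ("tx_attenuation", 2, "<H"), 9: ("db_tx_attenuation", 2, "<H"),
    10: ("dbm_tx_power", 1, "<b"), 11: ("antenna", 1, "<B"), 12: ("db_antsignal", 1, "<B"),
    13: ("db_antnoise", 1, "<B"), 14: ("rx_flags", 2, "<H"), 15: ("tx_flags", 2, "<H"),
    16: ("rts_retries", 1, "<B"), 17: ("data_retries", 1, "<B"), 18: ("xchannel", 4, "<IHBB"),
    19: ("mcs", 1, "<BBB"), 20: ("ampdu_status", 4, "<IHBB"), 21: ("vht", 2, "<HBB4BBBH"),
    22: ("timestamp", 8, "<QHBB"),
}
FLAG_WEP, FLAG_FCS, FLAG_BADFCS = 0x04, 0x10, 0x40   # radiotap Flags bits
CHAN_2GHZ, CHAN_5GHZ = 0x0080, 0x0100                 # radiotap Channel flags
FRAME_TYPES = ("management", "control", "data", "extension")

def _align(off, n):
    return (off + n - 1) & ~(n - 1)

def parse_radiotap(buf):
    """Return (it_len, fields) for a buffer that starts with a radiotap header."""
    if len(buf) < 8:
        raise ValueError("short radiotap header")
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len > len(buf):
        raise ValueError("bad radiotap version/it_len: %d/%d" % (version, it_len))
    words, off = [present], 8
    while words[-1] & (1 << 31):            # bit 31: another present word follows
        if off + 4 > it_len:
            raise ValueError("truncated present-word chain")
        words.append(struct.unpack_from("<I", buf, off)[0])
        off += 4
    fields, namespace = {}, "radiotap"
    for word in words:
        if namespace == "vendor":
            # Vendor-defined fields: a 2-byte-aligned header (OUI, sub-namespace, skip_length)
            # says how many data bytes to step over without decoding them.
            off = _align(off, 2)
            off += 6 + struct.unpack_from("<3sBH", buf, off)[2]
        else:
            for bit in range(29):
                if not word & (1 << bit):
                    continue
                if bit not in RADIOTAP_FIELDS:  # unknown size: later offsets are unknowable
                    fields["_stopped_at_bit"] = bit
                    return it_len, fields
                name, alignment, fmt = RADIOTAP_FIELDS[bit]
                off, size = _align(off, alignment), struct.calcsize(fmt)
                if off + size > it_len:
                    raise ValueError("field %s runs past it_len" % name)
                vals = struct.unpack_from(fmt, buf, off)
                fields[name] = vals[0] if len(vals) == 1 else vals
                off += size
        if word & (1 << 30):                # bits 30/29 select the namespace of the NEXT word
            namespace = "vendor"
        elif word & (1 << 29):
            namespace = "radiotap"
    return it_len, fields

def _mac(b):
    return ":".join("%02x" % x for x in b)

def parse_frame(buf):
    """Decode one radiotap-prefixed 802.11 frame into radio info plus MAC-header fields."""
    it_len, f = parse_radiotap(buf)
    frame, out, flags = buf[it_len:], {"radiotap_len": it_len}, f.get("flags", 0)
    if flags & FLAG_FCS:
        # The driver kept the 4-byte FCS: verify it (CRC-32, little-endian) and strip it.
        frame, fcs = frame[:-4], frame[-4:]
        out["fcs_ok"] = struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF) == fcs
    if flags & FLAG_BADFCS:
        out["fcs_ok"] = False               # driver already reported a checksum failure
    if "rate" in f:
        out["rate_mbps"] = f["rate"] / 2    # rate is in 500 kbps units
    if "channel" in f:
        freq, cflags = f["channel"]
        out["freq_mhz"] = freq
        out["band"] = "2.4 GHz" if cflags & CHAN_2GHZ else "5 GHz" if cflags & CHAN_5GHZ else "?"
    out.update((k, f[k]) for k in ("dbm_antsignal", "dbm_antnoise", "antenna") if k in f)
    if len(frame) < 10:
        raise ValueError("802.11 header too short")
    fc = struct.unpack_from("<H", frame, 0)[0]
    out["type"], out["subtype"] = FRAME_TYPES[(fc >> 2) & 3], (fc >> 4) & 0xF
    out["protected"] = bool(fc & 0x4000 or flags & FLAG_WEP)   # Protected Frame bit / WEP flag
    out["addr1"] = _mac(frame[4:10])
    if out["type"] != "control" and len(frame) >= 24:   # control frames carry only addr1(/addr2)
        out["addr2"], out["addr3"] = _mac(frame[10:16]), _mac(frame[16:22])
    return out

def build_sample_beacon():
    """Constructed input (not a real capture): a beacon on 2437 MHz behind a radiotap header."""
    present = (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5) | (1 << 6) | (1 << 11)
    # Flags=FCS present, Rate=12 (6 Mbps), Channel=2437 MHz OFDM|2GHz, signal -42, noise -95,
    # antenna 1. These land naturally aligned (Channel at offset 10); otherwise pad bytes are needed.
    data = struct.pack("<BBHHbbB", FLAG_FCS, 12, 2437, 0x00C0, -42, -95, 1)
    rt = struct.pack("<BBHI", 0, 0, 8 + len(data), present) + data
    # 802.11 beacon: FC 0x0080 (mgmt/beacon), broadcast DA, SA = BSSID, seq 0, zeroed fixed fields.
    dot11 = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bytes.fromhex("aabbccddeeff") * 2
    dot11 += struct.pack("<H", 0) + bytes(12)
    return rt + dot11 + struct.pack("<I", zlib.crc32(dot11) & 0xFFFFFFFF)
```

Two details matter in practice. Field alignment is relative to the start of the Radiotap header, not to the start of the field data, and it_len is the authoritative offset of the 802.11 frame even when some fields cannot be decoded, so a decoder that gives up on an unknown field can still hand the frame to the next layer. The FCS check matters too: frames with a bad FCS can show up in a monitor-mode capture, and either the bad-FCS bit in Flags or a local CRC-32 check tells you which frames to discard before you trust their addresses or SSIDs.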
The Per-Packet Information header type gives you a PPI header followed by the 802.11 frame. PPI headers are similar to Radiotap headers in that they are a general, extensible format for supplying additional out-of-band radio information. A PPI header consists of a fixed packet header (version, flags, total header length, and the link-layer type of the frame that follows) and zero or more type-length-value (TLV) triplets called fields. The format was originally designed to carry information about 802.11n frames, but it now covers other 802.11 technologies as well.
As with Radiotap, the fields you will typically find in a PPI header carry the rate, channel frequency, channel flags, antenna signal and antenna noise (PPI groups these into its 802.11-Common field). You can find a complete list of fields that can be included in PPI headers here.
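The TLV structure described above, as an added example written for this post (it is not Airtool code and uses only the Python standard library). It walks the PPI packet header and its fields, honouring the 32-bit alignment flag, decodes the 802.11-Common field, and checks the FCS when that field says the frame still carries one. The input is constructed, not a real capture: a PPI header whose link-layer type is 105 (IEEE 802.11) carrying one 802.11-Common field followed by a stand-in 802.11 data-frame header. Field names and the 802.11-Common layout follow the PPI specification; `build_ppi_sample` is a helper written for this example.

```python
import struct
import zlib

PPI_80211_COMMON = 2                      # field type of the 20-byte 802.11-Common field
PPI_FLAG_ALIGN = 0x01                     # pph_flags bit: field headers are 32-bit aligned
COMMON_FCS_PRESENT, COMMON_FCS_INVALID = 0x0001, 0x0004   # 802.11-Common flags bits
DLT_IEEE802_11 = 105

def parse_ppi(buf):
    """Walk a PPI packet header and its TLV fields; return (pph_len, dlt, [(type, data), ...])."""
    if len(buf) < 8 or buf[0] != 0:
        raise ValueError("missing or unsupported PPI header")
    _ver, pflags, pph_len, dlt = struct.unpack_from("<BBHI", buf, 0)   # PPI is little-endian
    if pph_len > len(buf):
        raise ValueError("pph_len %d exceeds capture length %d" % (pph_len, len(buf)))
    fields, off = [], 8
    while True:
        if pflags & PPI_FLAG_ALIGN:
            off = (off + 3) & ~3
        if off + 4 > pph_len:             # no room for another type/length pair
            break
        ftype, flen = struct.unpack_from("<HH", buf, off)
        off += 4
        if off + flen > pph_len:
            raise ValueError("field type %d runs past pph_len" % ftype)
        fields.append((ftype, bytes(buf[off:off + flen])))
        off += flen
    return pph_len, dlt, fields

def decode_common(data):
    """Decode the 802.11-Common field: radio information shared by all 802.11 PHYs."""
    if len(data) != 20:
        raise ValueError("802.11-Common field must be 20 bytes, got %d" % len(data))
    tsf, flags, rate, freq, cflags, _hopset, _pattern, sig, noise = struct.unpack("<QHHHHBBbb", data)
    return {"tsf": tsf, "fcs_present": bool(flags & COMMON_FCS_PRESENT),
            "fcs_invalid": bool(flags & COMMON_FCS_INVALID), "rate_mbps": rate / 2,
            "freq_mhz": freq, "channel_flags": cflags, "dbm_antsignal": sig, "dbm_antnoise": noise}

def parse_ppi_frame(buf):
    """Return (radio_info, 802.11 frame bytes without FCS, fcs_ok or None) for one PPI packet."""
    pph_len, dlt, fields = parse_ppi(buf)
    if dlt != DLT_IEEE802_11:
        raise ValueError("PPI header encapsulates DLT %d, not 802.11" % dlt)
    common = next((d for t, d in fields if t == PPI_80211_COMMON), None)
    info = decode_common(common) if common else {}
    frame, fcs_ok = buf[pph_len:], None
    if info.get("fcs_present"):           # verify (CRC-32, little-endian) and strip the FCS
        frame, fcs = frame[:-4], frame[-4:]
        fcs_ok = struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF) == fcs
    return info, frame, fcs_ok

def build_ppi_sample():
    """Constructed input (not a real capture): 802.11-Common field, then a 24-byte data-frame header."""
    # TSF 0x1234, FCS present, rate 108 (54 Mbps), 5180 MHz, OFDM|5GHz, no FHSS, -57 dBm / -92 dBm
    common = struct.pack("<QHHHHBBbb", 0x1234, COMMON_FCS_PRESENT, 108, 5180, 0x0140, 0, 0, -57, -92)
    field = struct.pack("<HH", PPI_80211_COMMON, len(common)) + common
    hdr = struct.pack("<BBHI", 0, 0, 8 + len(field), DLT_IEEE802_11)
    dot11 = bytes.fromhex("08020000") + bytes(20)       # FC 0x0208: data frame with From DS set
    return hdr + field + dot11 + struct.pack("<I", zlib.crc32(dot11) & 0xFFFFFFFF)
```

The walk stops at the first point where a type/length pair would run past pph_len, and a field whose declared length overruns the header is rejected outright rather than read past the end; both checks are cheap insurance when the bytes come from a radio you do not control.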
The 802.11 plus AVS radio information header is an older pseudo-header designed to carry information about 802.11a and 802.11g frames. Unlike Radiotap and PPI it has a fixed layout: the AVS header is always 64 bytes long and includes the PHY type the device used to capture the frame, the channel, the data rate, the antenna index, signal strength and noise, and a few other values.
Finally, Raw IP gives you only the raw IP datagrams, with no 802.11 or 802.3 headers at all. It is rarely useful for wireless analysis, since nothing from the link layer (addresses, frame types, radio conditions) survives.
Anyone who needs to perform in-depth 802.11 packet and protocol analysis will find that the 802.11 plus Radiotap and Per-Packet Information pseudo-headers provide essential information (channel, rate, signal and noise, FCS status) on top of what is carried in the protocol headers of the different 802.11 frame types. Radiotap is the more widely supported of the two, and it is the default link-layer header type in Airtool and in Wireshark when capturing from the Wi-Fi interface.