bastibl / gr-ieee802-11

IEEE 802.11 a/g/p Transceiver
https://wime-project.net/
GNU General Public License v3.0

Sending custom packets. #119

Closed ggamble22 closed 6 years ago

ggamble22 commented 6 years ago

@bastibl I am trying to send custom packets from a USRP using the Scapy Python library. It will send packets directly to the tap interface set up in the examples. I am seeing outputs either saying "ethr type: ARP" for ARP packets or "unknown ethr type", which I found coming from the ether_encap_impl.cc file. Can you direct me towards modifying the src/examples to have it send my custom packets? Or perhaps towards another project which may have already done something similar. Thanks.

bastibl commented 6 years ago

You have to put in Ethernet frames in the tap interface. Probably that's not what you are doing. https://en.wikipedia.org/wiki/TUN/TAP

ggamble22 commented 6 years ago

I am sending layer 2 frames using Scapy's sendp which operates at that layer which is seen here: https://scapy.readthedocs.io/en/latest/usage.html?highlight=sendp#sending-packets. Does anything else need to be changed from the transceiver example?

bastibl commented 6 years ago

Maybe you just copy-pasted without adapting the interface name? For me it works with the example from the link that you cited:

```python
sendp(Ether()/IP(dst="1.2.3.4", ttl=(1,4)), iface="tap0")
```

ggamble22 commented 6 years ago

I have been doing:

```python
pkt = Dot11(addr1="", addr2="", addr3="")
sendp(pkt, iface="tap0")
```

Maybe the Dot11 packet type is the issue? The problem is that in the end I am just trying to send a deauth packet, which is created using: Dot11()/Dot11Deauth()

bastibl commented 6 years ago

As I already mentioned, a TAP interface expects Ethernet frames. And a WLAN deauth frame is not an Ethernet frame. So this cannot work.

ggamble22 commented 6 years ago

Got it. Thanks for the help.

bastibl commented 6 years ago

Np, but actually it would be cool to support Scapy WLAN frame injection. The proper way to do it might be an additional input to the MAC block, which would just forward the raw bytes. That's basically the same as the current handler, just without creating the MAC header (https://github.com/bastibl/gr-ieee802-11/blob/next/lib/mac.cc#L109-L111).

Then Scapy could be used to create the raw bytes, which could be injected either directly as PMT from the same Python script or, for example, through a UDP source.

I put it on my todo list. Thanks for bringing this up.

ggamble22 commented 6 years ago

I was just about to ask about doing something like that. Maybe once I have done it on my side I can polish it up and contribute it back to the project.

bastibl commented 6 years ago

That'd be great. Keep me posted.

bastibl commented 6 years ago

For me, it worked like this: https://www.bastibl.net/gnuradio-wlan-scapy/

ggamble22 commented 6 years ago

Hey, your example works great. Thank you for the help.

armada-h commented 4 years ago

@bastibl I am trying to send custom packets (a "fake access point") forged with the Scapy Python library from a USRP B210, using a flowgraph similar to https://www.bastibl.net/gnuradio-wlan-scapy/ and this code for generating a beacon frame and sending it to 127.0.0.1:52001:

```python
import socket
from scapy.all import *

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
broadcast = "ff:ff:ff:ff:ff:ff"
bssid = "12:22:33:44:55:66"

# Beacon built with plain Dot11, i.e. without an FCS at the end of the frame.
# Information-element payloads are raw bytes, so they are given as bytes literals.
frame = (Dot11(addr1=broadcast, addr2=bssid, addr3=bssid)
         / Dot11Beacon(cap=0x1104)
         / Dot11Elt(ID=0, info=b"PING")                                    # SSID
         / Dot11Elt(ID=1, info=b"\x82\x84\x8b\x96\x24\x30\x48\x6c")        # supported rates
         / Dot11Elt(ID=3, info=b"\x0b")                                    # DS parameter set (channel 11)
         / Dot11Elt(ID=5, info=b"\x00\x01\x00\x00"))                       # TIM

# Hand the raw frame bytes to the GNU Radio UDP source.
while True:
    sock.sendto(bytes(frame), ("127.0.0.1", 52001))
```

No problem in execution, but I cannot see my fake AP beacon on my PC Wi-Fi card in monitor mode. Why? Any hint? Thank you @bastibl

[image: usrp_py_scapy grc]

bastibl commented 4 years ago

The flowgraph looks good. I'd try to debug it step by step. Start with the TX flowgraph from the examples (just set frequency and sample rate, as you did in the current flowgraph) and see if your card picks it up. With this you can check if it is a Scapy problem. (I guess it's not.) If the problem persists, I'd try to add some thousand samples padding before and after the frame. That seemed to be required sometimes with USRPs.

armada-h commented 4 years ago

Thanks very much for the quick reply .

[image: tx_flowgraph]

The Python code for generating fake AP beacons was successful when tried between two Wi-Fi cards in monitor mode, with just one difference in the socket send instruction.

[image: airodump-ng]

```python
sendp(pkt, iface=sys.argv[1], count=int(sys.argv[3]), inter=.2)  # layer 2 frames for Wi-Fi card in monitor mode

sock.sendto(bytes(frame), ("127.0.0.1", 52001))  # injection through a UDP source in the USRP flowgraph
```

The TX example works fine; I moved to channel 11, as the first channel was crowded.

[image: wifi_tx_from_flowgraph]

[image: sniffed_from_wifi_monitor]

I guess it's not a Scapy problem; add some samples of padding before and after the frame!! How??

bastibl commented 4 years ago

I see... Your WLAN card adds the FCS (Frame Check Sequence, a CRC), while the GNU Radio transmitter expects it to be present. Please give this a try:

https://gist.github.com/bastibl/abedd2f8c656048152d3c30c249dc02e

Note, the use of Dot11FCS instead of Dot11.
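The FCS point above, and the raw-bytes-over-UDP path suggested earlier in the thread, as an added example that is not part of this issue or of gr-ieee802-11: it builds a beacon by hand (pure Python, no Scapy) so the difference between what plain Dot11() emits and what Dot11FCS() emits is visible, appends the CRC-32 FCS the transmitter expects, and includes the receiver-side FCS check. The BSSID, SSID and UDP port are constructed values taken from the discussion.

```python
import socket
import struct
import zlib

# Constructed sample values (not project code): the BSSID/SSID used in the thread.
BROADCAST = "ff:ff:ff:ff:ff:ff"
BSSID = "12:22:33:44:55:66"
# crc32(frame || fcs_le) leaves this fixed residue for any frame whose FCS is correct.
FCS_RESIDUE = 0x2144DF1C


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ie(elem_id, data):
    """One 802.11 information element: ID, length, payload."""
    return bytes([elem_id, len(data)]) + data


def build_beacon(ssid, channel, seq=0):
    """Beacon MAC frame WITHOUT an FCS: this is what Scapy's plain Dot11() emits."""
    # Frame control 0x0080 = management type, beacon subtype; duration 0.
    hdr = struct.pack("<HH", 0x0080, 0)
    hdr += mac_bytes(BROADCAST) + mac_bytes(BSSID) + mac_bytes(BSSID)
    hdr += struct.pack("<H", seq << 4)          # sequence control: seq number in the top 12 bits
    body = struct.pack("<QHH", 0, 100, 0x1104)  # timestamp, beacon interval (TU), capabilities
    body += ie(0, ssid.encode())                # SSID
    body += ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C]))  # supported rates
    body += ie(3, bytes([channel]))             # DS parameter set
    body += ie(5, b"\x00\x01\x00\x00")          # TIM
    return hdr + body


def fcs_of(frame):
    """The 802.11 FCS is the CRC-32 of the whole MAC frame (header + body)."""
    return zlib.crc32(frame) & 0xFFFFFFFF


def append_fcs(frame):
    """Append the FCS least-significant byte first; this is what Dot11FCS() adds."""
    return frame + struct.pack("<I", fcs_of(frame))


def fcs_ok(frame_with_fcs):
    """Receiver-side check: recompute the CRC over frame||FCS and compare to the residue."""
    return len(frame_with_fcs) > 4 and fcs_of(frame_with_fcs) == FCS_RESIDUE


def send_to_udp_source(frame, host="127.0.0.1", port=52001):
    """Hand raw frame bytes to a GNU Radio UDP source (hypothetical flowgraph on this port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(frame, (host, port))
    finally:
        sock.close()
```

Without `append_fcs` the receiver's check fails on every frame, which is why the plain-Dot11 beacons in the thread were never decoded.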

armada-h commented 4 years ago

When replacing "Dot11" with "Dot11FCS", I'm getting this error: name 'Dot11_FCS' is not defined. When trying to add the FCS field manually to the frame, I'm getting a malformed packet. Tried harder and no luck. Any hints? Thank you.

armada-h commented 4 years ago

By the way, I'm using Scapy version 2.3.3.

bastibl commented 4 years ago

Can't you just try the script that I linked? There is obviously a typo in your script. There is no underscore.

If this function really doesn't exist in your scapy version, then please just update scapy. AFAIS, it was introduced over 2 years ago.

armada-h commented 4 years ago

Sorry, my bad; the underscore was just me trying a similar expression. It gives the same error: NameError: name 'Dot11FCS' is not defined. OK, I'll update and see.

armada-h commented 4 years ago

Thanks Mr. @bastibl. Since the beginning it was just a problem of an old version of Scapy, if we can call this a problem. I updated Scapy to the latest version, which is 2.4.3, and now everything works great without adding any padding. Problem resolved.

paullescot commented 4 years ago

@bastibl Hello, thank you very much for your great work with your gr-ieee802-11 transceiver. I am trying to send and receive frames using your gr-ieee802-11 transceiver in a loop. I created the frames using Scapy with the following code:

```python
frame = Dot11FCS(addr1='ff:ff:ff:ff:ff:ff', addr2='23:23:23:23:23:23', addr3='23:23:23:23:23:23')/Dot11Beacon()/Dot11Elt(ID='SSID', info='GR WLAN')
```

However, when I receive the frames, in the Wireshark capture I cannot see the FCS (frame check sequence) and the FCS status information.

[image]

Moreover, is the radiotap information inserted by your transceiver? Because if I add RadioTap() to the Scapy code, the transceiver does not receive any frames.

bastibl commented 4 years ago

The radiotap metadata is inserted by the receiver. It is not sent over-the-air. How does your flowgraph look and how do you get the data into Wireshark?

paullescot commented 4 years ago

Hello, I send and receive data within GNU Radio. I have separated your transceiver into a transmitter and a receiver, and then connected the receiver to Wireshark.

My emission and reception chain is as follows:

[image]

I have connected the receiver to Wireshark as follows:

[image]

bastibl commented 4 years ago

Then everything is fine. Radiotap is added by the receiver and should not be added by Scapy (so that's as expected). And since the frame was actually decoded (and not directly fed from the transmitter into Wireshark) the FCS was present and correct (even though it is not forwarded to Wireshark).