RFC: raw 802.11 packet transmit
sam at errno.com
Mon Jul 3 03:52:50 UTC 2006

Andrea Bittau and I have been working on a facility for injecting (i.e.
transmitting) 802.11 frames via bpf. It's to the point where we're
looking for feedback before committing to head.

The idea is that you can send 802.11 frames with bpf using the
DLT_IEEE802_11 and DLT_IEEE802_11_RADIO data link types. The
DLT_IEEE802_11 case takes a mostly formed 802.11 frame and passes it
through the tx path normally used for sending 802.11 management frames.
In this case drivers may fill in bits of the 802.11 header like the
sequence number and apply the tx rate control algorithm.

With DLT_IEEE802_11_RADIO user code passes a special data structure at
the front of each frame that completely specifies how the frame should
be treated and a new tx path is used that honors these parameters.
Drivers must be modified for this mechanism to be effective; legacy
drivers will fall back to the above tx path and the parameters will be
ignored. Even with proper raw tx support not all drivers may be capable
of handling all the parameters passed in (e.g. some cards will stomp on
the sequence number).

There are several unresolved issues; most notably how to handle 802.11
ACK's. We've talked about mechanisms like generating ACK's in the
driver based on dynamically filled in mac tables but I'm not happy with
adding more complexity to drivers. John Bickett's raw xmit support for
madwifi (for the MIT Roofnet project) lets the h/w handle ACK's and
dispatches events on tx complete so user code can track tx status (e.g.
to implement tx rate control). I'm considering this or some other
mechanism for returning tx completion status.

The kernel patches and a set of test tools can be found at:

The patch is for HEAD. The tools go in src/tools/tools/net80211 (the
tarball includes the existing tools so you can save the old dir and put
this new stuff in place). Check out the README files in the tools area.

Most testing has been done with ath but I've also verified ral and ural
work at least some. None of my wi cards work but Andrea did the wi mods
and has something that works (the wi cards I tried were Lucent Gold, and
Intersil Prism w/ sta rev 1.7.4 firmware). Note the ral mods are only
for 256x cards; I don't have any 266x cards. iwi and ipw are not
capable of packet injection.