Setting a filter on a Wi-Fi network using pcap (lorcon2)


I'm programming a sniffer over a Wi-Fi network and I get some problems with filters. I use lorcon2 (pcap) in my code.

Actually I have the following strings:

"wlan proto \ip and ip proto \tcp"

"wlan proto \arp and arp dst 255.255.255.255"

"wlan proto \arp"

"wlan proto \ip and ip host 192.168.1.2"

"wlan proto \ip"

When I set one of them with the lorcon_set_filter() function,

I cannot get any packets in my app (I use lorcon_dispatch the same way as pcap_dispatch). I'm definitely in "non-blocking" mode, but I get no packets.

But with an empty filter string ("") it works perfectly.

Thanks

Accepted answer:

If your sniffer is capturing in monitor mode, and your Wi-Fi network is "protected", i.e. using WEP or WPA/WPA2, everything following the 802.11 header in the packets you capture will be encrypted, and filters that look at anything past the 802.11 header - such as wlan proto \ip - won't work.

It appears that lorcon2 uses, or at least expects, monitor mode, so you won't be able to filter traffic on a protected network. (If you don't use monitor mode, you will only be able to see the traffic to and from your machine.)

Furthermore, when capturing in monitor mode on a protected network, the traffic you do capture will not be useful unless you decrypt it, and decrypting it is not easy; you'd need code to decrypt it, and you'd need to supply that code with the password for the network and, for WPA/WPA2 networks, which most protected networks are, you'll also have to capture the EAPOL handshake for each station whose traffic you want to decrypt, which means you'll have to force those stations to re-associate with the network while you're sniffing. (Remember, the whole point of WEP and WPA/WPA2 was to protect the traffic on the network, i.e. to make it harder to sniff the network!)

This limitation isn't unique to your program; it applies to all Wi-Fi sniffers, including tcpdump, Wireshark, and various commercial sniffer programs. Wireshark has support for decrypting, but the code is a bit complicated, as is the process for enabling it; see the Wireshark Wiki article on it. However, that decryption is done on traffic that's already been captured; filtering "protected" traffic on anything not in the 802.11 header doesn't work, so, while you can test for data frames, or for particular MAC addresses, you can't test whether the traffic is IP or ARP or anything at that layer (as that's indicated in the 802.2 header, which is part of the payload and thus encrypted), can't test for particular IP addresses, etc.
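The following is an added example to illustrate the answer above; it is not code from the question, the answer, or the lorcon2 project. It builds two constructed 802.11 data frames from the same station, one on an open network carrying an ARP request and one on a WPA2 network with the Protected Frame bit set and an opaque body, and then classifies them the way a capture filter has to: the Frame Control field and the three addresses are always readable, but the LLC/SNAP header that carries the EtherType (what `wlan proto \ip` or `\arp` tests) is only readable when the Protected bit is clear. The MAC addresses, IP addresses and "ciphertext" bytes are made up for the demo, and the frames are minimal non-QoS, To-DS frames with no radiotap header; the parser nevertheless handles the Address 4 and QoS Control cases so it generalizes to frames a monitor-mode capture would actually deliver.

```python
"""Added example (not from the question or answer): why 'wlan proto \\ip'
style filters cannot match on a protected network, shown on two constructed
802.11 data frames. Layouts follow IEEE 802.11; addresses, IPs and the
ciphertext bytes are made up."""
import struct

PROTECTED = 0x40            # Frame Control byte 1, bit 6: Protected Frame
TO_DS, FROM_DS = 0x01, 0x02
TYPE_DATA = 2
LLC_SNAP = b"\xaa\xaa\x03"  # DSAP/SSAP/Control of an LLC+SNAP header
ETH_IP, ETH_ARP = 0x0800, 0x0806


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_data_frame(bssid, src, dst, body, protected=False):
    """Minimal non-QoS data frame, station -> AP (To DS=1, From DS=0)."""
    fc0 = TYPE_DATA << 2                          # type=data, subtype=0
    fc1 = TO_DS | (PROTECTED if protected else 0)
    hdr = bytes([fc0, fc1]) + b"\x00\x00"         # Frame Control, Duration/ID
    hdr += mac(bssid) + mac(src) + mac(dst)       # addr1=BSSID, addr2=SA, addr3=DA
    hdr += b"\x00\x00"                            # Sequence Control
    return hdr + body


def classify(frame):
    """Everything a capture filter can legitimately see in one frame."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    hdr_len = 24
    if fc1 & TO_DS and fc1 & FROM_DS:
        hdr_len += 6                              # Address 4 present (WDS)
    if ftype == TYPE_DATA and subtype & 0x8:
        hdr_len += 2                              # QoS Control present
    info = {
        "type": ftype,
        "addr1": frame[4:10].hex(":"),
        "addr2": frame[10:16].hex(":"),
        "addr3": frame[16:22].hex(":"),
        "protected": bool(fc1 & PROTECTED),
        "ethertype": None,
    }
    body = frame[hdr_len:]
    if ftype != TYPE_DATA or info["protected"]:
        return info            # no LLC payload, or the payload is ciphertext
    if body[:3] == LLC_SNAP and len(body) >= 8:
        info["ethertype"] = struct.unpack("!H", body[6:8])[0]
    return info


def naive_ethertype(frame):
    """What a test that ignores the Protected bit reads: the two bytes at the
    LLC/SNAP EtherType offset of a plain 24-byte header, plaintext or not."""
    return struct.unpack("!H", frame[30:32])[0]


def select(frames, ethertype):
    """Emulate 'wlan proto <ethertype>' done correctly: protected frames never match."""
    return [f for f in frames if classify(f)["ethertype"] == ethertype]


# --- constructed sample frames -------------------------------------------
BSSID, STA, AP = "02:00:00:aa:bb:cc", "00:11:22:33:44:55", "02:00:00:aa:bb:cc"

# 1) Open network: LLC/SNAP header, then an ARP request for 192.168.1.1 from 192.168.1.2
ARP = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1,
                  mac(STA), bytes([192, 168, 1, 2]),
                  bytes(6), bytes([192, 168, 1, 1]))
OPEN_ARP = build_data_frame(BSSID, STA, "ff:ff:ff:ff:ff:ff",
                            LLC_SNAP + b"\x00\x00\x00" + struct.pack("!H", ETH_ARP) + ARP)

# 2) Same station on a WPA2 network: 8-byte CCMP header (PN=1, key id 0, ExtIV),
#    then ciphertext + MIC.  The bytes are a made-up stand-in: real ciphertext is
#    indistinguishable from random and may start with anything, even aa aa 03.
CCMP_HDR = bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])
CIPHERTEXT = bytes((i * 37 + 11) & 0xFF for i in range(len(ARP) + 8 + 8))
PROTECTED_FRAME = build_data_frame(BSSID, STA, AP, CCMP_HDR + CIPHERTEXT, protected=True)

if __name__ == "__main__":
    for name, f in (("open", OPEN_ARP), ("protected", PROTECTED_FRAME)):
        print(name, classify(f), "naive read:", hex(naive_ethertype(f)))
```

Run it and the open frame classifies as EtherType 0x0806 (ARP) while the protected frame reports `ethertype: None` even though its addresses are still visible; `naive_ethertype` shows what a filter that does not honour the Protected bit would actually be comparing against (here two bytes of the CCMP header, on other frames arbitrary ciphertext). That is why the only tests that remain meaningful on a WPA/WPA2 network are the ones on Frame Control (frame type/subtype, the Protected bit itself) and on the addresses.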