Kismet Wireless

Kismet Forums


Posted by: justin3337
Subject: How to implement 802.11 link layer filter?
Date: 16:24:27 08/01/2011


Why did I post it?

I have looked through related documentation and forum threads but did not find an accurate answer, so now I ask directly, hoping for some help. (Sorry about my English, this language is not my native one).

What exactly do I want to implement and why?

Currently I am working on some kind of a project in my university. The aim of my project is to develop an 802.11 link layer frame filter based on frame header information analysis. While this sounds similar to what we know as “MAC filter”, my filter should have additional functionality:

a) Ability to analyze all frame header fields (not only MAC addresses);
b) Ability to perform in stateful mode. For example, the filter should be able to track frame sequence numbers and drop frames with an illegal combination of MAC address and sequence number (same as some IDS/IPS MAC spoof detection algorithms);
c) Perform in real time (filter should analyze all frames separately, deciding to allow or drop them).

The objective is to develop a filter, which could prevent specific 802.11 link layer attacks, especially DoS (Deauthentication, probe flood etc.) by identifying illegal frames with some false identification probability. This filter should combine WIDS/WIPS functions with ability to drop frames in real time.

The most important part is that the filter should be able to drop frames before the frames are processed. For example, if I send a forged deauthentication frame to deauthenticate a legal wireless network user, the filter should identify and drop this frame as illegal before this frame is processed by some 802.11 management subroutines and the legal user is disconnected. In other words, this filter should prevent some 802.11 attacks by analyzing and dropping frames at a low level using existing WIDS/WIPS detection algorithms. In fact, the whole project is more like an experiment, aimed at investigating how such a filter would work in general.

What have I done so far?

Not much. I did some research, which led me here. First, I decided to use an open source IDS/IPS and develop some rules or detection modules, which would act like my hypothetical filter, but it seems none of these IDS/IPS have much ability with link layer frames and especially none of them can drop frames triggered by some rules. After that, I considered using libpcap and writing my own application, but it seems that libpcap also has no functions to drop frames. At the end, I looked through the IOCTLs which are provided by my wireless router driver (madwifi), but I did not find any frame drop functionality there. So I concluded that the only way to develop this filter is by modifying open source wireless card drivers.

What would I like to ask you in specific?

I do not want you to write me code. I just want some general points on where to go next. These would be:

1. Is it possible to develop this “filter” without modifying drivers?
2. Some other general points, related to my idea (technical preferred).

Thank you.

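The stateful check described in the post (point b, and the deauthentication example) can be prototyped in user space before touching any driver. The following is an added example, not code from the post, from Kismet or from madwifi: it parses the fixed 24-byte 802.11 MAC header from constructed raw bytes, keeps the last accepted sequence number per transmitter address, and marks a deauthentication frame as "drop" when its sequence number falls outside a small window of the transmitter's recent counter, which is the usual MAC-spoof heuristic the post refers to. The MAC addresses, the window size of 8 and the frame stream are all constructed for the demonstration; the code only produces an allow/drop decision and does not itself stop the frame from reaching the stack, which is exactly the driver-level question the post raises.

```python
"""Stateful 802.11 sequence-number filter prototype (added example, constructed input)."""
from collections import namedtuple

# Parsed header fields the filter inspects (subset of the MAC header).
Frame = namedtuple("Frame", "fc_type fc_subtype addr2 seq")

MGMT = 0          # frame control type field: management
BEACON = 8        # management subtype 0b1000
DEAUTH = 12       # management subtype 0b1100
MAX_SEQ = 4096    # sequence number is a 12-bit field and wraps modulo 4096


def parse_header(raw: bytes) -> Frame:
    """Decode type, subtype, transmitter address and sequence number from a 24-byte header."""
    fc0 = raw[0]                        # first frame-control byte: ver(2) type(2) subtype(4)
    fc_type = (fc0 >> 2) & 0x3
    fc_subtype = (fc0 >> 4) & 0xF
    addr2 = raw[10:16].hex(":")         # Address 2 = transmitter address
    seq_ctrl = int.from_bytes(raw[22:24], "little")
    seq = seq_ctrl >> 4                 # low 4 bits are the fragment number
    return Frame(fc_type, fc_subtype, addr2, seq)


def build_header(fc_type: int, fc_subtype: int, addr2: str, seq: int, frag: int = 0) -> bytes:
    """Assemble a constructed 24-byte MAC header (addr1 broadcast, addr3 = a fixed BSSID)."""
    fc0 = (fc_subtype << 4) | (fc_type << 2)
    duration = b"\x00\x00"
    addr1 = b"\xff" * 6                                   # broadcast receiver
    a2 = bytes.fromhex(addr2.replace(":", ""))
    bssid = bytes.fromhex("020000000001")                 # constructed, locally administered
    seq_ctrl = ((seq << 4) | frag).to_bytes(2, "little")
    return bytes([fc0, 0x00]) + duration + addr1 + a2 + bssid + seq_ctrl


class SeqTracker:
    """Per-transmitter sequence-number state; decides allow/drop for each frame."""

    def __init__(self, window: int = 8):
        self.last = {}          # transmitter MAC -> last accepted sequence number
        self.window = window    # tolerated forward step (covers retries and missed frames)

    def decide(self, frame: Frame):
        """Return ('allow', reason) or ('drop', reason) for one parsed frame."""
        prev = self.last.get(frame.addr2)
        if prev is None:
            self.last[frame.addr2] = frame.seq
            return "allow", "first frame seen from transmitter"
        delta = (frame.seq - prev) % MAX_SEQ
        if delta <= self.window:
            # small forward step (or retransmission): consistent with one real radio
            self.last[frame.addr2] = frame.seq
            return "allow", f"seq advanced by {delta}"
        # Large jump: a second radio is likely using this address. Only the
        # disruptive management frame is dropped; other anomalies are just reported.
        if frame.fc_type == MGMT and frame.fc_subtype == DEAUTH:
            return "drop", f"deauth with out-of-window seq (delta={delta})"
        return "allow", f"seq anomaly reported only (delta={delta})"


AP = "02:00:00:00:00:01"   # constructed access point address


def run_sample():
    """Feed a constructed frame stream through the tracker; returns the decision list."""
    tracker = SeqTracker(window=8)
    stream = [
        build_header(MGMT, BEACON, AP, 100),
        build_header(MGMT, BEACON, AP, 101),
        build_header(MGMT, DEAUTH, AP, 3000),   # constructed: deauth whose counter does not match the AP
        build_header(MGMT, BEACON, AP, 102),
        build_header(MGMT, DEAUTH, AP, 103),    # deauth consistent with the AP's own counter
    ]
    return [tracker.decide(parse_header(raw))[0] for raw in stream]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The window is the knob that sets the false-identification probability the post mentions: too small and a station whose frames the monitor missed gets flagged, too large and a spoofed frame that happens to land near the real counter passes. A real deployment would also age out entries and treat the counter per transmitter-and-access-category, since QoS data frames use separate sequence counters.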