Kismet Wireless

Kismet Forums


Posted by: arvindt
Subject: Debugging "PCAP radiotap converter got corrupted Radiotap header length"
Date: 17:10:14 07/04/2012

Hi all,

I'm doing a wireless research project where I'm experimenting with sending raw 802.11 packets directly between two computers (not ad-hoc mode, just directly injecting packets). This is on an Atheros card using the ath9k driver on a TP-link WR1043ND router running OpenWRT Backfire (the latest trunk snapshot).

I have put the wlan0 interface in monitor mode using airmon-ng (creating a "mon0" interface which appears to work well with kismet-server otherwise). I am using kismet-server to monitor whether the raw packets got sent correctly. I downloaded and installed this kismet build for OpenWRT from:

I am trying to construct an 802.11 data packet using the following C code fragment (adapted from


// constructing radiotap header
rtap_h = (struct ieee80211_radiotap_header*) &packet_buffer;
rtap_h->it_version = 0;
rtap_h->it_pad = 0;
rtap_h->it_len = sizeof(struct ieee80211_radiotap_header) + 1;
rtap_h->it_present = (1 << IEEE80211_RADIOTAP_RATE);

rtap_d = ((u_int8_t*) rtap_h) + sizeof(struct ieee80211_radiotap_header);
rtap_d[0] = rate;

// constructing 802.11 header
ieee80211_h = (struct ieee80211_frame*) &(packet_buffer[sizeof(struct ieee80211_radiotap_header) + 1]);

ieee80211_h->i_fc[0] = IEEE80211_FC0_SUBTYPE_DATA;
ieee80211_h->i_fc[1] = 0;

ieee80211_h->i_dur[0] = 0;
ieee80211_h->i_dur[1] = 0;

// i_addr1 is the destination, i_addr2 is the source, i_addr3 is the BSSID.
memcpy(ieee80211_h->i_addr1, mac_dst, MAC_LEN);
memcpy(ieee80211_h->i_addr2, mac_src, MAC_LEN);
memcpy(ieee80211_h->i_addr3, mac_dst, MAC_LEN);

ieee80211_h->i_seq[0] = 0;
ieee80211_h->i_seq[1] = 0;

// generating packet data.
data = &(packet_buffer[sizeof(struct ieee80211_radiotap_header) + 1 + sizeof(struct ieee80211_frame)]);

for(i=0; i<data_size; i++){
    //data[i] = (u_int8_t) random();
    data[i] = pattern;
}


<send data to raw socket as in athrawsend.c>


I ran this program trying to send a data packet to the other computer via the mon0 interface while keeping kismet-server running in the background on mon0. It appears to see the packet each time, but thinks it's wrongly formatted, giving me the following error:

"PCAP radiotap converter got corrupted Radiotap header length"

It would appear I'm not formatting my raw packet correctly, but I can't see where I'm going wrong (the C code I'm using dumps out packets that appear to adhere to the radiotap and 802.11 format, which I've verified by doing a hex dump of the packets).

Any ideas what the problem might be, or if there is a way to use kismet to get further insight? Should I be using the mon0 interface to send raw WiFi packets, or some other "raw" version of the interface?

Thanks! Any insight would be appreciated.

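Added example, not part of the original post and not Kismet's code: radiotap fields are little-endian on the wire, so a header filled in through host-order struct stores, as in the fragment above, ends up with swapped it_len bytes on a big-endian CPU. The sketch below serializes the same rate-only header byte by byte and runs a hypothetical receiver-side length check over both layouts; all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RTAP_HDR_LEN  8u   /* it_version(1) it_pad(1) it_len(2) it_present(4) */
#define RTAP_RATE_BIT 2u   /* value of IEEE80211_RADIOTAP_RATE */

/* Byte-wise stores/loads: little-endian result on any host CPU. */
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff;
}
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Radiotap header carrying only Rate (500 kb/s units). Returns bytes written, 0 if no room. */
size_t rtap_build_rate(uint8_t *buf, size_t cap, uint8_t rate)
{
    if (cap < RTAP_HDR_LEN + 1) return 0;
    buf[0] = 0;                                  /* it_version */
    buf[1] = 0;                                  /* it_pad */
    put_le16(buf + 2, RTAP_HDR_LEN + 1);         /* it_len */
    put_le32(buf + 4, 1u << RTAP_RATE_BIT);      /* it_present */
    buf[8] = rate;
    return RTAP_HDR_LEN + 1;
}

/* Hypothetical receiver check: offset of the 802.11 frame, or -1 if the length is implausible. */
int rtap_frame_offset(const uint8_t *pkt, size_t caplen)
{
    if (caplen < RTAP_HDR_LEN || pkt[0] != 0) return -1;
    uint16_t len = get_le16(pkt + 2);
    if (len < RTAP_HDR_LEN || len > caplen) return -1;
    return (int)len;
}

/* Constructed sample: the bytes a big-endian CPU leaves after `it_len = 9` in host order. */
int rtap_host_order_be_offset(size_t caplen)
{
    uint8_t pkt[64] = {0};
    pkt[2] = 0x00; pkt[3] = 0x09;                /* reads back as 0x0900 = 2304 */
    pkt[7] = 0x04;                               /* it_present = 4, big-endian */
    return rtap_frame_offset(pkt, caplen > sizeof pkt ? sizeof pkt : caplen);
}

int main(void)
{
    uint8_t buf[64] = {0};
    rtap_build_rate(buf, sizeof buf, 2);         /* 2 * 500 kb/s = 1 Mb/s */
    printf("explicit LE: %d, host-order BE: %d\n",
           rtap_frame_offset(buf, sizeof buf), rtap_host_order_be_offset(sizeof buf));
    return 0;
}
```

On Linux, `htole16()` and `htole32()` from `<endian.h>` give the same byte layout when the struct-based stores are kept.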