<!--
Author: Michael Mehari, Xianjun Jiao
SPDX-FileCopyrightText: 2019 UGent
SPDX-License-Identifier: AGPL-3.0-or-later
-->

## 802.11 packet injection and fuzzing

The Linux wireless networking stack (driver, mac80211, cfg80211, net_dev, user application) is a robust implementation supporting a plethora of wireless devices. As robust as it is, it also has a drawback when it comes to single-layer testing and manual/total control mode (fuzzing).

Ping and iperf are well-established performance measurement tools. However, using such tools to measure 802.11 PHY performance can be misleading, simply because they touch multiple layers of the network stack.

Luckily, the mac80211 Linux subsystem provides packet injection when the NIC is in monitor mode, which gives us finer control for physical layer testing and/or fuzzing.

Besides traditional fuzzing tools (like scapy), we have adapted the [packetspammer](https://github.com/gnychis/packetspammer) application, originally written by Andy Green <[email protected]> and maintained by George Nychis <[email protected]>, to show how to inject packets and control the FPGA behavior.

### Build inject_80211 on board

inject_80211 is a userspace program that injects 802.11 packets through mac80211-supported (softmac) wireless devices.

Login/ssh to the board and set up the internet connection according to the Quick Start. Then:
```
cd openwifi/inject_80211
make
```

### Customize the packet content

To customize the packet, the following piece of inject_80211.c needs to be changed:
```
/* IEEE80211 header */
static u8 ieee_hdr_data[] =
{
	0x08, 0x02, 0x00, 0x00,              /* frame control (data), duration */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x11,  /* addr1 */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x22,  /* addr2 */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x33,  /* addr3 */
	0x10, 0x86,                          /* sequence control */
};

static u8 ieee_hdr_mgmt[] =
{
	0x00, 0x00, 0x00, 0x00,              /* frame control (management), duration */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x11,  /* addr1 */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x22,  /* addr2 */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x33,  /* addr3 */
	0x10, 0x86,                          /* sequence control */
};

static u8 ieee_hdr_ack_cts[] =
{
	0xd4, 0x00, 0x00, 0x00,              /* frame control (control/ACK), duration */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x11,  /* RA */
};

static u8 ieee_hdr_rts[] =
{
	0xb4, 0x00, 0x00, 0x00,              /* frame control (control/RTS), duration */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x11,  /* RA */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x22,  /* TA */
};
```
Note: the byte/bit order might not be intuitive when compared with the standard.

### FPGA behavior control

- ACK and retransmission after FPGA sends packet

In openwifi_tx of sdr.c, many FPGA behaviors can be controlled. Generally they are controlled by information from the upper layer (Linux mac80211), but you can override them in the driver (sdr.c).

If an 802.11 ACK is expected from the peer after the packet is sent by the FPGA, the variable **pkt_need_ack** should be overridden to 1. In this case, the FPGA will try to receive the ACK and report the sending status (ACK received or not) to the upper layer (Linux mac80211).

The maximum number of transmissions for the packet can be controlled by the variable **retry_limit_raw**. If no ACK is received after the packet is sent, the FPGA will retransmit automatically if retry_limit_raw>1.

- ACK after FPGA receives packet in monitor mode

Even in monitor mode, the openwifi FPGA still sends an ACK after a packet is received if the conditions are met (the MAC address matches, it is a data frame, etc.). To disable this automatic ACK generation, register 11 of xpu should be set to 16:
```
sdrctl dev sdr0 set reg xpu 11 16
```

### Options of program inject_80211
```
-m/--hw_mode <hardware operation mode> (a,g,n)
-r/--rate_index <rate/MCS index> (0,1,2,3,4,5,6,7)
-t/--packet_type (m/c/d/r for management/control/data/reserved)
-e/--sub_type (hex value. example:
    8/A/B/C for Beacon/Disassociation/Authentication/Deauth, when packet_type m
    A/B/C/D for PS-Poll/RTS/CTS/ACK, when packet_type c
    0/1/2/8 for Data/Data+CF-Ack/Data+CF-Poll/QoS-Data, when packet_type d)
-a/--addr1 <the last byte of addr1 in hex>
-b/--addr2 <the last byte of addr2 in hex>
-i/--sgi_flag (0,1)
-n/--num_packets <number of packets>
-s/--payload_size <payload size in bytes>
-d/--delay <delay between packets in usec>
-h this menu
```

### Example

Login/ssh to the board, then:
```
cd openwifi
./wgd.sh
./monitor_ch.sh sdr0 11
(Above will turn sdr0 into monitor mode and monitor on channel 11)
./inject_80211/inject_80211 -m n -r 0 -n 10 -s 64 sdr0
(Above will inject 10 802.11n packets at 6.5Mbps bitrate and 64 bytes size via NIC sdr0)
```
While the injection command above is running, you can see the injected packets with wireshark (or another packet sniffer) on another WiFi device monitoring channel 11.

Alternatively, add an extra virtual monitor interface on top of sdr0 and inject packets through it:
```
iw dev sdr0 interface add mon0 type monitor && ifconfig mon0 up
./inject_80211/inject_80211 -m n -r 0 -n 10 -s 64 mon0 # Inject 10 802.11n packets at 6.5Mbps bitrate and 64 bytes size
```

### Link performance test

To make a profound experimental analysis of the physical layer performance, we can rely on automation scripts.

The following script injects 100 802.11n packets at each combination of bitrate (MCS index) and payload size:

```
#!/bin/bash

HW_MODE='n'
COUNT=100
DELAY=1000                               # delay between packets in usec
RATE=( 0 1 2 3 4 5 6 7 )                 # MCS indexes
SIZE=( $(seq -s' ' 50 100 1450) )        # payload size in bytes
IF="mon0"

for (( i = 0 ; i < ${#SIZE[@]} ; i++ )); do
	for (( j = 0 ; j < ${#RATE[@]} ; j++ )); do
		inject_80211 -m $HW_MODE -n $COUNT -d $DELAY -r ${RATE[$j]} -s ${SIZE[$i]} $IF
		sleep 1
	done
done
```

On the receiver side, we can use tcpdump to collect the pcap traces:

```
iw dev sdr0 interface add mon0 type monitor && ifconfig mon0 up
tcpdump -i mon0 -w trace.pcap 'wlan addr1 ff:ff:ff:ff:ff:ff and wlan addr2 66:55:44:33:22:11'
```

The wlan addresses *ff:ff:ff:ff:ff:ff* and *66:55:44:33:22:11* are specific to our injector application.

Next, we analyze the collected pcap traces using the analysis tool provided:

```
analyze_80211 trace.pcap
```

An excerpt from a sample analysis looks like the following:

```
HW MODE RATE(Mbps) SGI SIZE(bytes) COUNT Duration(sec)
======= ========== === =========== ===== =============
802.11n        6.5 OFF          54   100       0.11159
802.11n       13.0 OFF          54   100       0.11264
802.11n       19.5 OFF          54   100       0.11156
802.11n       26.0 OFF          54   100       0.11268
802.11n       39.0 OFF          54   100       0.11333
802.11n       52.0 OFF          54   100       0.11149
802.11n       58.5 OFF          54   100       0.11469
802.11n       65.0 OFF          54   100       0.11408
```
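The note under "Customize the packet content" that the byte/bit order "might not be intuitive" comes from the frame-control field: the subtype sits in the high nibble of the first byte, the type in bits 2-3 and the protocol version in bits 0-1, while the flags (To DS, From DS, Retry, ...) occupy the second byte; the duration and sequence-control fields are little-endian 16-bit values. The following Python script is an added example, not part of openwifi or inject_80211. It decodes the static headers copied from inject_80211.c above, names the types and subtypes listed under the `-t`/`-e` options, and round-trips them through an encoder so the values can be checked against the standard. The type, subtype and flag names are standard 802.11 values; the lookup tables and function names are constructed for this example.

```python
# Added example (not openwifi/inject_80211 code): decode the static 802.11
# headers from inject_80211.c and show how the frame-control bits are laid out.
import struct

# Frame control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
# Frame control byte 1: flag bits, bit 0 = To DS, bit 1 = From DS, ..., bit 7 = Order.
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
TYPE_LETTER = {"m": 0, "c": 1, "d": 2, "r": 3}        # the -t letters of inject_80211
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgmt", "more_data", "protected", "order"]
# Names for the subtypes listed in the inject_80211 help text (-e option); constructed table.
SUBTYPE_NAMES = {
    (0, 0x8): "Beacon", (0, 0xA): "Disassociation",
    (0, 0xB): "Authentication", (0, 0xC): "Deauthentication",
    (1, 0xA): "PS-Poll", (1, 0xB): "RTS", (1, 0xC): "CTS", (1, 0xD): "ACK",
    (2, 0x0): "Data", (2, 0x1): "Data+CF-Ack", (2, 0x2): "Data+CF-Poll", (2, 0x8): "QoS-Data",
}

# The header arrays from inject_80211.c, copied as byte strings.
IEEE_HDR_DATA = bytes([0x08, 0x02, 0x00, 0x00,
                       0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
                       0x66, 0x55, 0x44, 0x33, 0x22, 0x22,
                       0x66, 0x55, 0x44, 0x33, 0x22, 0x33,
                       0x10, 0x86])
IEEE_HDR_MGMT = bytes([0x00, 0x00]) + IEEE_HDR_DATA[2:]
IEEE_HDR_ACK_CTS = bytes([0xd4, 0x00, 0x00, 0x00,
                          0x66, 0x55, 0x44, 0x33, 0x22, 0x11])
IEEE_HDR_RTS = bytes([0xb4, 0x00, 0x00, 0x00,
                      0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
                      0x66, 0x55, 0x44, 0x33, 0x22, 0x22])


def decode_frame_control(fc):
    """Split the two frame-control bytes into version/type/subtype and a list of set flags."""
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x03
    subtype = (b0 >> 4) & 0x0F
    return {
        "version": b0 & 0x03,
        "type": FRAME_TYPES[ftype],
        "subtype": subtype,
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), "unknown"),
        "flags": [name for i, name in enumerate(FLAG_NAMES) if b1 & (1 << i)],
    }


def encode_frame_control(type_letter, subtype, flags=()):
    """Inverse of decode_frame_control, taking the -t letter and -e subtype of inject_80211."""
    b0 = (subtype << 4) | (TYPE_LETTER[type_letter] << 2)   # protocol version is 0
    b1 = 0
    for name in flags:
        b1 |= 1 << FLAG_NAMES.index(name)
    return bytes([b0, b1])


def decode_header(hdr):
    """Parse frame control, duration, up to three addresses and, when present, sequence control."""
    info = decode_frame_control(hdr[0:2])
    info["duration"] = struct.unpack("<H", hdr[2:4])[0]     # 16-bit little-endian on the wire
    addrs, pos = [], 4
    while len(addrs) < 3 and pos + 6 <= len(hdr):
        addrs.append(":".join(f"{b:02x}" for b in hdr[pos:pos + 6]))
        pos += 6
    info["addrs"] = addrs
    if len(hdr) - pos == 2:          # data and management headers end with sequence control
        seq_ctrl = struct.unpack("<H", hdr[pos:pos + 2])[0]
        info["fragment"] = seq_ctrl & 0x0F
        info["sequence"] = seq_ctrl >> 4
    return info


if __name__ == "__main__":
    for name, hdr in [("data", IEEE_HDR_DATA), ("mgmt", IEEE_HDR_MGMT),
                      ("ack/cts", IEEE_HDR_ACK_CTS), ("rts", IEEE_HDR_RTS)]:
        print(name, decode_header(hdr))
```

Running the script shows, for instance, that `0x08, 0x02` is a data frame with only the From DS flag set and that `0xd4` and `0xb4` are the control subtypes ACK (0xD) and RTS (0xB), which is why changing `-e` changes the high nibble of the first byte rather than the low one. The same decoder can be applied to the first bytes of the 802.11 header in frames captured on the receiver side to confirm that the tcpdump filter is selecting exactly the injected frames.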