Scapy dot11 packets decode problem


theSnail
05-11-2007, 10:50 AM
I'm a newbie to scapy and I can't make it correctly decode the dot11 frames.
Is there someone who can help me?

Wireshark decodes 802.11 correctly. I saved the sniffed packets and opened them with scapy, but it recognizes them as raw packets, giving me this error:

"WARNING: PcapReader: unknown LL type [127]/[0x7f]. Using Raw packets"

Directly sniffing on eth1 (ipw3945 driver) I get:

"WARNING: Unable to guess type (interface=eth1 protocol=0x19 family=803). Using Ethernet"

scapy 1.1.1, BackTrack 2 final. Help plz!

shamanvirtuel
05-11-2007, 10:58 AM
hugh !

http://hackaholic.org/papers/blackmagic.txt >>> a good little tutorial on how to set up and run scapy (and more)....

hope it helps

theSnail
05-11-2007, 12:04 PM
Uhm, no, it doesn't help me so much!

I've taken a look at the scapy.py source and I've found this:

if LINUX:
    DNET=PCAP=0
else:
    DNET=PCAP=1

Since it's Linux, DNET (libdnet for python) and PCAP (libpcap for python) are not loaded, but scapy uses

if not PCAP:
    f = os.popen("tcpdump -V 2> /dev/null")

prompt> tcpdump -V
tcpdump version 3.9.4
libpcap version 0.9.4

So I think this means that scapy on BackTrack is using the default library, the library Wireshark uses. The mystery is getting darker!!

Another interesting part of the scapy.py source is:
LLTypes = { ARPHDR_ETHER : Ether_Dot3_Dispatcher,
            ARPHDR_METRICOM : Ether_Dot3_Dispatcher,
            ARPHDR_LOOPBACK : Ether_Dot3_Dispatcher,
            12 : IP,
            101 : IP,
            801 : Dot11,
            802 : PrismHeader,
            105 : Dot11,
            113 : CookedLinux,
            119 : PrismHeader, # for atheros
            144 : CookedLinux, # called LINUX_IRDA, similar to CookedLinux
            783 : IrLAPHead,
            0xB1E70073L : HCI_Hdr, # I invented this one
            }

That doesn't show any 127 type number!

I'm now trying to force scapy to use libdnet and libpcap for python, and
for libdnet I succeeded, but for pylibpcap I'm getting some errors from swig during the build process of pylibpcap:

prompt> python setup.py build
swig -python -shadow -ISWIG -o pcap.c pcap.i
pcap.i:72: Warning(124): Specifying the language name in %typemap is deprecated - use #ifdef SWIG<LANG> instead.
pcap.i:77: Warning(124): Specifying the language name in %typemap is deprecated - use #ifdef SWIG<LANG> instead.
pcap.i:82: Warning(124): Specifying the language name in %typemap is deprecated - use #ifdef SWIG<LANG> instead.
/usr/bin/python ./build-tools/docify.py pcap.c
/usr/bin/python ./build-tools/docify-shadow.py pcap.py
Traceback (most recent call last):
  File "./build-tools/docify-shadow.py", line 30, in ?
    raise 'source file doesn\'t look like swigged shadow class code'
source file doesn't look like swigged shadow class code
error: command '/usr/bin/python' failed with exit status 1

Hoping muts can help!!!

theSnail
05-11-2007, 03:20 PM
Phil, the creator of scapy, very kindly helped me to solve the problem, and it seems that
ipw3945 needs a patch applied to scapy itself. Here it is:

http://trac.secdev.org/scapy/attachment/ticket/30/patch-radiotap-scapy.diff?format=raw

This way you get no error, but the decoding is still not very good.
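
Added example, not part of the original posts and not Scapy's code or the linked patch: pcap link type 127 is the radiotap encapsulation (a variable-length radio header in front of the 802.11 frame), so a decoder that only maps 105 to Dot11 has nothing to dispatch on. The sketch below reads the link type from a pcap file image, strips the radiotap header and reads the 802.11 frame control; the function names and the sample capture are constructed for illustration.

```python
import struct

# Link-layer types from the pcap file header (tcpdump.org LINKTYPE registry).
DLT_IEEE802_11 = 105        # bare 802.11, already in the LLTypes table quoted above
DLT_IEEE802_11_RADIO = 127  # radiotap header followed by the 802.11 frame

def read_pcap(data):
    """Return (linktype, [packet bytes]) from a classic pcap file image."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        packets.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return linktype, packets

def strip_radiotap(pkt):
    """Drop the radiotap header; its length is a little-endian u16 at offset 2."""
    if len(pkt) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, it_len, _present = struct.unpack_from("<BBHI", pkt)
    if version != 0 or it_len < 8 or it_len > len(pkt):
        raise ValueError("bad radiotap header")
    return pkt[it_len:]

def dot11_summary(pkt, linktype):
    """Return (type, subtype) from the 802.11 frame control field."""
    if linktype == DLT_IEEE802_11_RADIO:
        pkt = strip_radiotap(pkt)
    elif linktype != DLT_IEEE802_11:
        raise ValueError("unhandled link type %d" % linktype)
    if len(pkt) < 2:
        raise ValueError("truncated 802.11 header")
    return (pkt[0] >> 2) & 0x3, (pkt[0] >> 4) & 0xF

# Constructed sample: one beacon (type 0, subtype 8) behind an 8-byte radiotap header.
RADIOTAP = bytes.fromhex("0000080000000000")
BEACON = bytes.fromhex("80000000") + b"\xff" * 6 + bytes.fromhex("0a0b0c0d0e0f") * 2 + b"\x00\x00"
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
          + struct.pack("<IIII", 0, 0, len(RADIOTAP + BEACON), len(RADIOTAP + BEACON))
          + RADIOTAP + BEACON)

if __name__ == "__main__":
    lt, pkts = read_pcap(SAMPLE)
    print(lt, [dot11_summary(p, lt) for p in pkts])
```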

theSnail