[B.A.T.M.A.N.] encapsulated ethernet frame format
sw at simonwunderlich.de
Sat Jul 25 18:15:54 CEST 2015
please see below.
On Thursday 23 July 2015 17:47:23 Berat wrote:
> Thanks a lot for the answer. (Sorry, i didn't realized that i was
> replying to you instead of mailing list.) There is an ultimate point
> that i would like to understand. If you can help me it would be great.
> So, to see if i've got it right, i made this little simulation of the
> C1 C3 C4
> \ | /
> N1 - N2 - N3 - N4 - N5
> / \
> C2 C5
> Client C1 communicates with client C5, and i'm intercepting packets that
> are passing through node N3 and i see a unicast packet at the moment;
> the first ethernet II section has:
> source mac -> mac of N2
> dest. mac -> mac of N3
> batman section has:
> dest. mac -> mac of N5
> //here i see source mac only for batadv_unicast_4addr packets,
> //which are ARP requests. for all other packet types, including
> //dns request which is a unicast packet, there is only destination
> //(or originator if a broadcast packet)
Right, only the 4addr actually shows the source.
> the second ethernet II section has:
> source mac -> mac of C1
> dest. mac -> mac of C5
> So if i got it right, i would like to deduce, if a computer that i see
> by the packet that i intercept is local(connected to the antenna that
> i'm intercepting) or packet is just switched/forwarded by this antenna.
> But without that source mac information in batman section, it doesn't
> seem possible to me. Can i deduce it without that information?
You could try to look at the TTL in the batman-adv header - its decremented on
each hop, so you could find out the first one. Another way would be to check the
second ethernet II header and see if the source in the local table - although
there are some corner cases where this may be incorrect (e.g. when the client
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 181 bytes
Desc: This is a digitally signed message part.
More information about the B.A.T.M.A.N