Click here to Skip to main content
Click here to Skip to main content

802.11 Packet Injection for Windows

, 3 Jun 2009 CPOL
Rate this:
Please Sign up or sign in to vote.
Insert custom packets in the 802.11 frame


This project is intended for Windows wireless network developers, and assumes the reader is familiar with the concept of packet injection, 802.11 frames, and IP protocols. The network driver in this package provides a means for developers to create 802.11 packets in user space and send them on the 802.11 layer. The package contains a network driver and an open source command line application. The command line application demonstrates how to use the Packet11 service via DeviceIoControl.


Typically, packet injection is used to test wireless security or break WEP keys (airplay) with "software controlled packets". Although software controlled packets can be used maliciously, they can also provide a better user experience. Mesh networking and virtual access points are two potential and beneficial applications of managing wireless packets. Packet11 is the first step to providing software controlled packets for wireless testing and routing.

To the best of my knowledge, there are no other 802.11 packet injectors for Windows without special adapters (AirPCap). Packets constructed in the 802.11 layer are native to the wireless miniport. Linux has been able to modify native WiFi packets for ages and extend WiFi technology, i.e., MadWiFi. Having more control over native WiFi packets will also extend WiFi capabilities in Windows. Since Windows Vista, Network Driver Interface Specification (NDIS) 6 has given third party Windows developers a better opportunity to manage and extend WiFi adapter capabilities. However, creating and modifying packets in the 802.11 layer is undocumented for Windows.


  • Windows Vista or later
  • Wireless adapter*

*I tested Packet11 on Atheros USB WiFi, Intel PCI WiFi and Rosewill adapters. All were able to send my custom packets. I recommend having a second wireless adapter in monitor mode to look at the packets as they are sent in the air.

Using the Code

I have implemented a new technique since this article was posted that allows a filter driver to originate 802.11 packets without modifying OS generated packets. Now, applications can create and send 802.11 packets using DeviceIoControl.  Obviously, in order to use this function, the Packet11 driver must be installed before using this function.  I have provided commands to install and uninstall the driver.  The readme gives more details on this. Once the driver is installed, we can create and test a custom 802.11 packet.

To demonstrate, I used a probe request type to illustrate one possibility.

// Initialize the 802.11 packet. In this case, a probe request.
void * CreatePacket(
			DOT11_MGMT_SUBTYPE subtype,
			PUCHAR Source,
			PUCHAR Dest,
			PUCHAR Bssid,
			ULONG packetsize


    PDOT11_MGMT_HEADER		pMgmtHeader = NULL;
    PDOT11_PROBE_REQUEST		pProbeRequest = NULL;
    PDOT11_INFO_ELEMENT		pInfoElement = NULL;
    PDOT11_BASIC_RATE		pBasicRate = NULL;
    PDOT11_EXT_RATE		pExtRate = NULL;
    PVOID 			DataBuffer = NULL;

	if(Source == NULL || Dest == NULL || Bssid == NULL){
		printf("CreatePacket ==> null mac address \n");
		return DataBuffer;

	DataBuffer = malloc(packetsize);

	pMgmtHeader = (PDOT11_MGMT_HEADER)(PUCHAR)DataBuffer;
	pMgmtHeader->FrameControl.Version = 0;
	pMgmtHeader->FrameControl.Type = DOT11_FRAME_TYPE_MANAGEMENT;
	pMgmtHeader->FrameControl.Subtype =  subtype;

	//firmware can handle rest of framecontrol
	pMgmtHeader->FrameControl.ToDS = 0;
	pMgmtHeader->FrameControl.FromDS = 0;
	pMgmtHeader->FrameControl.MoreFrag = 0;
	pMgmtHeader->FrameControl.Retry = 0;
	pMgmtHeader->FrameControl.PwrMgt = 0;
	pMgmtHeader->FrameControl.MoreData = 0;
	pMgmtHeader->FrameControl.WEP = 0;
	pMgmtHeader->FrameControl.Order = 0;

	//no specific duration was required to send
	pMgmtHeader->DurationID = 314;

	memcpy(pMgmtHeader->DA, Dest, MAC_ADDR_LEN);
	memcpy(pMgmtHeader->SA, Source, MAC_ADDR_LEN);
	memcpy(pMgmtHeader->BSSID, Bssid, MAC_ADDR_LEN);

	pMgmtHeader->SequenceControl.FragmentNumber = 0;
	pMgmtHeader->SequenceControl.SequenceNumber = 0;

	switch (subtype)
			packetsize = sizeof(DOT11_MGMT_HEADER ) + 
			pProbeRequest = (PDOT11_PROBE_REQUEST)
			((PUCHAR)pMgmtHeader + sizeof(DOT11_MGMT_HEADER ));

			pProbeRequest->ssid.ElementID = 0;  //ssid frame
			pProbeRequest->ssid.Length = 0;

			//the number of rates is up to the user
			pProbeRequest->rateframe.ieheader.ElementID = 1;//rate frame
			pProbeRequest->rateframe.ieheader.Length = 1;	//1 rate object
			pProbeRequest->rateframe.rate[0] = 
					(USHORT)0x82;//mandatory, // 1mbps



	return pMgmtHeader;

The probe request packet is sent with DeviceIoControl.

DeviceHandle = OpenHandle(pPacketuioDevice);

IORequest(DeviceHandle , IOCTL_PACKET11_GET_MAC, NULL, 0, Source, MAC_ADDR_LEN);

PacketLength = sizeof(DOT11_MGMT_HEADER ) + sizeof(DOT11_PROBE_REQUEST) + 1;

pMgmtFrame = CreatePacket(DOT11_MGMT_SUBTYPE_PROBE_REQUEST,Source, 
				BroadCast,BroadCast, PacketLength);

			(PUCHAR)pMgmtFrame, PacketLength, NULL, 0);


When the driver receives the request, it checks the frame type, the source mac address, and the number of packets sent. For now, the frame type must be management. Data frames will be supported in later versions. The source address must match the adapter's mac address to prevent mac spoofing. The final control makes sure no more than two packets are sent in one second intervals. If the user packet passes these checks, the packet is created and sent to the miniport for further processing. Some adapters will send the packet without being associated as long as a channel is set. Some chipsets will only send the user packet while associated. I assume the rules set by the manufacturer while in initialization or operational mode determine if the packet will be sent.

proberequest.png - Click to enlarge image

Side note: Network Monitor 3.2 is an example of the NDIS 6 technology. It can capture 802.11 packets in the air within the range of the adapter.

The highlighted packet above shows that the probe request matches the one defined with packettest.

Related Links


Thanks to Thomas Divine for pointing me in the right direction.


  • Version 1.5 - Beta release - 2/12/2009
  • Version 1.0 - Initial release - 8/20/2008

This is an ongoing project. More updates will come in the future.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Ryan Grevious

United States United States
No Biography provided

Comments and Discussions

GeneralMy vote of 1 PinmemberMember 935986321-Sep-13 17:37 
QuestionGetLastError 2 File not Found PinmemberMember 994908428-Mar-13 10:50 
QuestionAny chance to look at Packet11 driver sources? Pinmembershulmanv26-Feb-13 1:48 
QuestionCant run the packettest application in Win7 PinmemberYahya Javed25-Jan-13 0:16 
Questionnot able to see packets with netgear n150 usb adapter Pinmembersjred23-Oct-12 3:46 
Questionis monitoring filter driver able to inject packets in monitor mode? [modified] Pinmemberaj342328-Feb-12 18:45 
AnswerRe: is monitoring filter driver able to inject packets in monitor mode? PinmemberRyan Grevious10-Jun-12 20:59 
GeneralFCS Custom PinmemberBIGLY14-Sep-10 6:17 
GeneralRe: FCS Custom PinmemberRyan Grevious23-Sep-10 9:14 
Generaldriver source code Pinmembermotocrosserman13-May-10 6:47 
GeneralRe: driver source code PinmemberRyan Grevious13-May-10 8:50 
GeneralRe: driver source code Pinmembermotocrosserman13-May-10 14:12 
GeneralDo not title posts 'Does not work' when referring to YOUR projects PinmemberRyan Grevious11-Jun-09 20:54 
GeneralCannot get to send on Wireless adapter Pinmemberpcpavan9-Jun-09 20:20 
GeneralMy vote of 1 Pinmembersrsr3-Jun-09 23:46 
GeneralRe: My vote of 1 PinmemberRyan Grevious7-Jun-09 12:07 
GeneralMy vote of 1 [modified] PinmemberWillie Lassiter3-Jun-09 6:55 
GeneralRe: My vote of 1 PinmemberRyan Grevious7-Jun-09 12:09 
GeneralSource code Pinmembernew.fx.seznam.cz30-May-09 8:13 
GeneralRe: Source code PinmemberRyan Grevious1-Jun-09 21:40 
GeneralRe: Source code Pinmembernew.fx.seznam.cz1-Jun-09 22:20 
GeneralRe: Source code PinmemberRyan Grevious2-Jun-09 16:15 
GeneralRe: Source code Pinmembernew.fx.seznam.cz3-Jun-09 0:17 
GeneralRe: Source code PinmemberRyan Grevious3-Jun-09 16:24 
GeneralRe: Source code Pinmembermotocrosserman13-May-10 6:52 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.150129.1 | Last Updated 3 Jun 2009
Article Copyright 2008 by Ryan Grevious
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid