new: detection and parsing of deauthentication frames as wifi.deauthentication events

modules/wifi/wifi.go

@@ -661,6 +661,7 @@ func (mod *WiFiModule) Start() error {
 				mod.discoverAccessPoints(radiotap, dot11, packet)
 				mod.discoverClients(radiotap, dot11, packet)
 				mod.discoverHandshakes(radiotap, dot11, packet)
+				mod.discoverDeauths(radiotap, dot11, packet)
 				mod.updateInfo(dot11, packet)
 				mod.updateStats(dot11, packet)
 			}

modules/wifi/wifi_events.go

@@ -9,6 +9,14 @@ type ClientEvent struct {
 	Client *network.Station
 }
 
+type DeauthEvent struct {
+	RSSI     int8   `json:"rssi"`
+	Address1 string `json:"address1"`
+	Address2 string `json:"address2"`
+	Address3 string `json:"address3"`
+	Reason   string `json:"reason"`
+}
+
 type ProbeEvent struct {
 	FromAddr   string `json:"mac"`
 	FromVendor string `json:"vendor"`

modules/wifi/wifi_recon.go

@@ -150,3 +150,35 @@ func (mod *WiFiModule) discoverClients(radiotap *layers.RadioTap, dot11 *layers.
 		}
 	})
 }
+
+func (mod *WiFiModule) discoverDeauths(radiotap *layers.RadioTap, dot11 *layers.Dot11, packet gopacket.Packet) {
+	if dot11.Type != layers.Dot11TypeMgmtDeauthentication {
+		return
+	}
+
+	// ignore deauth frames that we sent
+	if radiotap.ChannelFrequency == 0 {
+		return
+	}
+
+	deauthLayer := packet.Layer(layers.LayerTypeDot11MgmtDeauthentication)
+	if deauthLayer == nil {
+		return
+	}
+
+	deauth, ok := deauthLayer.(*layers.Dot11MgmtDeauthentication)
+	reason := "?"
+	if ok {
+		reason = deauth.Reason.String()
+	}
+
+	mod.Debug("deauth radio %#v", radiotap)
+
+	mod.Session.Events.Add("wifi.deauthentication", DeauthEvent{
+		RSSI:     radiotap.DBMAntennaSignal,
+		Address1: dot11.Address1.String(),
+		Address2: dot11.Address2.String(),
+		Address3: dot11.Address3.String(),
+		Reason:   reason,
+	})
+}