Ethereal-dev: Re: [Ethereal-dev] IEEE 802.11 dissection: auth challenge bug / fragments

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 13 Apr 2002 13:23:33 -0700

On Sat, Apr 13, 2002 at 02:39:49PM +0300, Jouni Malinen wrote:
> In addition, current IEEE 802.11 dissection does not seem to support
> 802.11 fragments. When 802.11 frames are fragmented, Ethereal tries to
> dissect fragmented payload and this will produce bogus data for all
> but the first fragment.

Well, sometimes it does.

However, I have a capture somebody sent where there are 802.11 frames
that have a non-zero fragment number field, have the "More fragments"
flag not set, and that appear to contain LLC frames with a SNAP header,
an OUI of 0x0000f8 (which is some Cisco OUI), and a PID of 0x0800 (the
Ethernet type for IP), and which appear to contain IP datagrams.

In this particular case, the old code dissected the packet as a TCP ACK;
the new code just reports it as a fragment.

Could it be that this is a *reassembled* frame (reassembled by the
802.11 card or by the driver), and that, for whatever reason, the
reassembly code supplied, for example, the fragment number of the *last*
fragment, rather than 0, i.e. the fragment number of the *first*
fragment?
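
The case discussed in this message, as an added example (not Ethereal's dissector code and not part of the original post): a classifier that reads the "More fragments" flag and the fragment number from an 802.11 data frame, and flags a frame with a non-zero fragment number, the flag clear, and an LLC/SNAP header at the start of its body. Treating that SNAP header as a hint of a frame already reassembled by the card or driver is an assumption, as are all names used here and the constructed sample frame (no QoS field, FCS stripped).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frag_kind { NOT_DATA_FRAME, UNFRAGMENTED, FIRST_FRAG, MIDDLE_FRAG, LAST_FRAG, MAYBE_REASSEMBLED };

struct frag_info {
    enum frag_kind kind;
    unsigned frag_num, seq_num;
    int has_snap;                 /* body starts with LLC/SNAP (AA AA 03) */
    uint32_t oui; uint16_t pid;   /* valid only when has_snap is set */
};

/* Classify one 802.11 data frame (no QoS field, FCS already stripped). */
struct frag_info classify_80211(const uint8_t *p, size_t len)
{
    struct frag_info fi = { NOT_DATA_FRAME, 0, 0, 0, 0, 0 };
    if (len < 24 || ((p[0] >> 2) & 3) != 2) return fi;  /* too short or not type "data" */
    int more_frag = (p[1] & 0x04) != 0;                 /* "More fragments" flag */
    size_t hdr = ((p[1] & 0x03) == 0x03) ? 30 : 24;     /* ToDS+FromDS adds a 4th address */
    unsigned sc = p[22] | (p[23] << 8);                 /* little-endian sequence control */
    fi.frag_num = sc & 0x0f; fi.seq_num = sc >> 4;      /* low 4 bits / high 12 bits */
    if (len >= hdr + 8 && p[hdr] == 0xaa && p[hdr + 1] == 0xaa && p[hdr + 2] == 0x03) {
        fi.has_snap = 1;
        fi.oui = (uint32_t)p[hdr + 3] << 16 | p[hdr + 4] << 8 | p[hdr + 5];
        fi.pid = (uint16_t)(p[hdr + 6] << 8 | p[hdr + 7]);
    }
    if (fi.frag_num == 0) fi.kind = more_frag ? FIRST_FRAG : UNFRAGMENTED;
    else if (more_frag)   fi.kind = MIDDLE_FRAG;
    else fi.kind = fi.has_snap ? MAYBE_REASSEMBLED : LAST_FRAG;  /* the ambiguous case */
    return fi;
}

/* Constructed sample frame: sequence number 0x121, SNAP values as quoted in the message. */
struct frag_info classify_sample(uint8_t flags, unsigned frag_num)
{
    static const uint8_t snap[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8, 0x08, 0x00, 0x45 };
    uint8_t f[40] = { 0x08, flags };                    /* frame control: type data, subtype 0 */
    f[22] = (uint8_t)(0x10 | (frag_num & 0x0f)); f[23] = 0x12;
    memcpy(f + 24, snap, sizeof snap);
    return classify_80211(f, sizeof f);
}

int main(void)
{
    struct frag_info fi = classify_sample(0x00, 3);     /* fragment 3, "More fragments" clear */
    printf("kind=%d frag=%u seq=0x%03x oui=0x%06x pid=0x%04x\n", (int)fi.kind, fi.frag_num, fi.seq_num, (unsigned)fi.oui, fi.pid);
    return 0;
}
```

A genuine last fragment whose body happens to begin with AA AA 03 would also be reported as `MAYBE_REASSEMBLED`, so the result is a hint for the analyst rather than a verdict.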