Wireshark-dev: Re: [Wireshark-dev] [tcpdump-workers] What's the difference between NdisMediumBa
From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Sun, 10 Apr 2016 14:17:21 +0800
Hi Guy,

On Sun, Apr 10, 2016 at 10:22 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Apr 9, 2016, at 7:15 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> And there's also a truncation from usDataRateValue (16 bits) to Radiotap "Rate" field (8 bits). I hope a direct assignment is OK:
> *((UCHAR*)Dot11RadiotapHeader + cur) = (UCHAR) usDataRateValue;

For pre-11n PHYs (the fastest of which are 11a and 11g), the maximum data rate is < 255*.5 ~= 127 Mb/s, so it fits.

For 11n and later PHYs, the data rate is calculated from values such as the MCS index; if the drivers aren't supplying that information (because they can't - Microsoft haven't updated the "Native Wi-Fi" radio metadata to handle 11n or 11ac), the drivers *might* be providing data rate values > 127 Mb/s, but there's not much we can do about that.

OK. Then if data rate values > 127 Mb/s, I will make it = 127 Mb/s at least instead of some strange overflowed values when truncated as the following code. 
I think this is currently the best solution for this.

------------------------------------------------------------------------------------------------
// [Radiotap] "Rate" field.
// Looking up the ucDataRate field's value in the data rate mapping table.
// If not found, return 0.
USHORT usDataRateValue = NPF_LookUpDataRateMappingTable(Open, pwInfo->ucDataRate);
pRadiotapHeader->it_present |= BIT(IEEE80211_RADIOTAP_RATE);
if (usDataRateValue > 255)
{
usDataRateValue = 255;
}
*((UCHAR*)Dot11RadiotapHeader + cur) = (UCHAR) usDataRateValue;
cur += sizeof(UCHAR) / sizeof(UCHAR); 
------------------------------------------------------------------------------------------------


Cheers,
Yang