Wireshark · Wireshark-users: [Wireshark-users] 802.11 frame data not decoded

Wireshark-users: [Wireshark-users] 802.11 frame data not decoded

From: Steve Magoun <steve@xxxxxxxxxx>

Date: Thu, 10 Aug 2006 17:11:36 -0400

Hi,

I'm using Wireshark 0.99.2 to view some 802.11 traffic captured byKismet 2006-04-R1. Wireshark correctly interprets the Kismet outputas IEEE 802.11 frames but doesn't fully decode the data inside - thepacket details pane has only "Frame," "IEEE 802.11," and "Data"sections. I'm tracing some DHCP problems, and I was hoping Wiresharkwould break down the 580-byte data section in my sample (enclosed;see below) as IP/UDP/DHCP rather than just a raw hex dump. I checkedthe data section by hand and it appears that it is indeed a DHCPrequest message (as I expected). This problem affects all non-management packets in my dump file.

I've tried this with the same results using Ethereal 0.10-12, 0.99.0,and Wireshark 0.99.2 (all on OS X 10.4.7). Fiddling with theWireshark protocol options for IEEE 802.11 didn't help. What am Idoing wrong?


802.11 frame exported as text:

No.     Time        Source                Destination           Protocol Info
    593 20.780987   U-MediaC_02:9e:32     Broadcast             IEEE 802.11 Data,SN=0,FN=0

Frame 593 (612 bytes on wire, 612 bytes captured)
    Arrival Time: Aug 10, 2006 11:31:31.210589000
    Time delta from previous packet: -2.341919000 seconds
    Time since reference or first frame: 20.780987000 seconds
    Frame Number: 593
    Packet Length: 612 bytes
    Capture Length: 612 bytes
    Frame is marked: False
    Protocols in frame: wlan:data
IEEE 802.11
    Type/Subtype: Data (32)
    Frame Control: 0x4108 (Normal)
        Version: 0
        Type: Data frame (2)
        Subtype: 0
        Flags: 0x41
            DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x01)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .1.. .... = Protected flag: Data is protected
            0... .... = Order flag: Not strictly ordered
    Duration: 1
    BSS Id: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Source address: U-MediaC_02:9e:32 (00:11:e0:02:9e:32)
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Fragment number: 0
    Sequence number: 0
    WEP parameters
        Initialization Vector: 0x81e5bd
        Key Index: 0
        WEP ICV: 0x00000000 (not verified)
Data (580 bytes)

0000  08 41 01 00 00 00 00 00 00 00 00 11 e0 02 9e 32   .A.............2
0010  ff ff ff ff ff ff 00 00 81 e5 bd 00 aa aa 03 00   ................
0020  00 00 08 00 45 00 02 40 00 00 40 00 10 11 68 ae   ....E..@..@...h.
0030  00 00 00 00 ff ff ff ff 00 44 00 43 02 2c 12 93   .........D.C.,..
0040  01 01 06 00 46 dc 1f 02 00 00 00 00 00 00 00 00   ....F...........
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 11 e0 02   ................
0060  9e 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00   .2..............
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63   ............c.Sc
0130  35 01 01 39 02 02 24 37 06 01 03 06 0f 1c 0c 33   5..9..$7.......3
0140  04 00 00 a8 c0 ff 00 00 00 00 00 00 00 00 00 00   ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0260  00 00 00 00                                       ....



Thanks,
Steve

Follow-Ups:
- Re: [Wireshark-users] 802.11 frame data not decoded
  - From: Soh Kam Yung
- Re: [Wireshark-users] 802.11 frame data not decoded
  - From: Guy Harris

Prev by Date: Re: [Wireshark-users] Odd packets
Next by Date: Re: [Wireshark-users] 802.11 frame data not decoded
Previous by thread: Re: [Wireshark-users] [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections?
Next by thread: Re: [Wireshark-users] 802.11 frame data not decoded
Index(es):
- Date
- Thread