Wireshark-users: Re: [Wireshark-users] Fake Ethernet II header with 802.11 protocol
From: "Cruz, Petagay" <cruz_petagay@xxxxxxx>
Date: Thu, 14 Dec 2006 15:48:52 -0500
Hello, 
Thanks for all your replies.  I found this reference
http://archives.neohapsis.com/archives/sf/pentest/2004-01/0108.html

seems the captures from Wireshark and Kismet when done in 'monitor mode'
need a conversion:   '802.11 rmon capture doesn't have a 802.3 ethernet
header and tcpreplay really only knows how to deal with ethernet. '

I will try this file and let you know what happened.  I still plan on
contacting 'tcpreplay' list. 
Thanks
maria 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastien
Tandel
Sent: Thursday, December 14, 2006 12:09 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Fake Ethernet II header with 802.11
protocol


tcpreplay should send the packet as-is ... if wireshark can decode the
packet before sending it with tcpreplay and is unable to after you play
with tcpreplay, you can guess that it's tcpreplay's fault ... or
limitation.

Did you already ask the tcpreplay maintainers if it can handle your
configuration?


P.S. : You can also send the two traces here to try to see what
happened.

Regards,
Sebastien Tandel
Cruz, Petagay wrote:
> tcpreplay seems to actually send the packet ok.  When I capture with 
> Wireshark the packet display in bytes (bottom screen in Wireshark) 
> shows the exact bytes sent via tcpreplay.  Wireshark is dissecting 
> them wrong saying they are those 'Fake Ethernet' packets.
>
> I could run wireshark under debug and trace the dissection ... I was 
> hoping someone ran across this before though.
> Thanks
> Maria   
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastien 
> Tandel
> Sent: Thursday, December 14, 2006 11:49 AM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Fake Ethernet II header with 802.11 
> protocol
>
>
> I have an IPW2100 on my laptop and now (sic :-/) I remember that when I
> was playing with aireplay I put an old pcmcia card to overcome this
> problem.
>
> Are you sure that tcpreplay can overcome these limitations???
>
> Regards,
> Sebastien Tandel
>
> Cruz, Petagay wrote:
>> Thanks, but the aireplay website says:
>> http://www.aircrack-ng.org/doku.php?id=install_drivers
>> As of now, Aireplay-ng only supports injection on Prism2, PrismGT
>> (FullMAC), Atheros, RTL8180 and Ralink. Injection on Centrino,
>> Hermes, ACX1xx, Aironet, ZyDAS, Marvell and Broadcom is not supported
>> because of firmware and/or driver limitations.
>>
>> Do you think aireplay would work with IPW2200 (Centrino) drivers?
>> maria
>>
>> -----Original Message-----
>> From: wireshark-users-bounces@xxxxxxxxxxxxx
>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastien
>> Tandel
>> Sent: Thursday, December 14, 2006 10:14 AM
>> To: Community support list for Wireshark
>> Subject: Re: [Wireshark-users] Fake Ethernet II header with 802.11 
>> protocol
>>
>> Hi,
>>
>>
>> you should use aireplay from the package aircrack.
>>
>> Sebastien Tandel
>> Cruz, Petagay wrote:
>>> hi, I ran Wireshark 0.99.4 and captured 802.11 management traffic to
>>> a file.   In wireshark I can see it dissected fine.  I then used
>>> tcpreplay and replayed the pcap file on the same interface and
>>> captured that.  The new capture file shows 802.11 management
>>> messages as 'Ethernet II' or 'Ethernet Encapsulated'.  The Protocol
>>> column has various 'hex' numbers.
>>>  
>>> I am using Wireshark 0.99.4,  Compiled with GTK+ 2.6.10, with GLib 
>>> 2.6.6, with libpcap 0.9.4,
>>>  
>>> Linux RHEL4 OS, IPW2200 driver v1.1.2 Firmware version:  fw-3.0,
>>> IEEE802.11 stack version:  1.1.13
>>>  
>>> tcpreplay is also built with libpcap 0.9.4 and libnet 1.1.3. 
>>>  
>>> what am i doing wrong...
>>>  
>>> Maria Cruz
>>> Associate
>>> Booz Allen Hamilton
>>> 151 Industrial Way East
>>> Eatontown, NJ 07724
>>> 732-935-5393
>>> cruz_petagay@xxxxxxx
>>>  
>>>
>>> _______________________________________________
>>> Wireshark-users mailing list
>>> Wireshark-users@xxxxxxxxxxxxx
>>> http://www.wireshark.org/mailman/listinfo/wireshark-users

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
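
Added example, not part of the thread: one way to check the symptom discussed above is to compare the link-layer type recorded in the file header of the original monitor-mode capture with that of the re-capture taken after replay. The sample headers are constructed for illustration and the function names are hypothetical.

```python
import struct

# Link-layer header types from the tcpdump.org LINKTYPE registry.
LINKTYPES = {
    1: "EN10MB (Ethernet)",
    105: "IEEE802_11 (802.11, no radio header)",
    119: "PRISM_HEADER (Prism header + 802.11)",
    127: "IEEE802_11_RADIO (radiotap + 802.11)",
}
WIFI = {105, 119, 127}
ETHERNET = 1

def pcap_linktype(header):
    """Return the link-layer type stored in a classic pcap file header."""
    if len(header) < 24:
        raise ValueError("truncated pcap file header")
    magic = header[:4]
    # Magic a1b2c3d4 (microsecond) or a1b23c4d (nanosecond), in the writer's byte order.
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or other format)")
    (network,) = struct.unpack_from(endian + "I", header, 20)
    return network & 0xFFFF  # upper bits may carry FCS information

def describe(linktype):
    return LINKTYPES.get(linktype, "linktype %d" % linktype)

def replay_changed_framing(original, recaptured):
    """True when an 802.11 capture was re-captured with an Ethernet link type."""
    return pcap_linktype(original) in WIFI and pcap_linktype(recaptured) == ETHERNET

# Constructed sample headers (version 2.4, snaplen 65535); in practice read
# the first 24 bytes of each file: open(path, "rb").read(24).
SAMPLE_MONITOR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
SAMPLE_RECAPTURE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for name, hdr in (("original", SAMPLE_MONITOR), ("recapture", SAMPLE_RECAPTURE)):
        print(name, "->", describe(pcap_linktype(hdr)))
    print("framing changed:", replay_changed_framing(SAMPLE_MONITOR, SAMPLE_RECAPTURE))
```

If the two files report different link types, Wireshark is dissecting the same bytes under a different link-layer header type, which matches the 'Ethernet II' display described in the first message.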