Wireshark-users: Re: [Wireshark-users] Fake Ethernet II header with 802.11 protocol
From: "Cruz, Petagay" <cruz_petagay@xxxxxxx>
Date: Thu, 14 Dec 2006 15:48:52 -0500
Hello,

Thanks for all your replies. I found this reference
http://archives.neohapsis.com/archives/sf/pentest/2004-01/0108.html
It seems the captures from Wireshark and Kismet, when done in 'monitor mode', need a conversion:

'802.11 rmon capture doesn't have a 802.3 ethernet header and tcpreplay really only knows how to deal with ethernet.'

I will try this file and let you know what happened. I still plan on contacting the 'tcpreplay' list.

Thanks
maria

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastien Tandel
Sent: Thursday, December 14, 2006 12:09 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Fake Ethernet II header with 802.11 protocol

tcpreplay should send the packet as-is ... if wireshark can decode the packet before sending it with tcpreplay and is unable after you play with tcpreplay. You can guess that it's tcpreplay's fault ... or limitation.

Did you already ask the tcpreplay maintainers if it can handle your configuration?

P.S.: You can also send the two traces here to try to see what happened.

Regards,
Sebastien Tandel

Cruz, Petagay wrote:
> tcpreplay seems to actually send the packet ok. When I capture with
> Wireshark the packet display in bytes (bottom screen in Wireshark)
> shows the exact bytes sent via tcpreplay. Wireshark is dissecting
> them wrong saying they are those 'Fake Ethernet' packets.
>
> I could run wireshark under debug and trace the dissection ... I was
> hoping someone ran across this before though.
> Thanks
> Maria
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastien Tandel
> Sent: Thursday, December 14, 2006 11:49 AM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Fake Ethernet II header with 802.11 protocol
>
> I have an IPW2100 on my laptop and now (sic :-/) I remember that when I
> was playing with aireplay I put in an old pcmcia card to overcome this
> problem.
>
> Are you sure that tcpreplay can overcome these limitations???
>
> Regards,
> Sebastien Tandel
>
> Cruz, Petagay wrote:
>> Thanks, but the aireplay website says:
>> http://www.aircrack-ng.org/doku.php?id=install_drivers
>> As of now, Aireplay-ng only supports injection on Prism2, PrismGT
>> (FullMAC), Atheros, RTL8180 and Ralink. Injection on Centrino, Hermes,
>> ACX1xx, Aironet, ZyDAS, Marvell and Broadcom is not supported because
>> of firmware and/or driver limitations.
>>
>> Do you think aireplay would work with IPW2200 (Centrino) drivers?
>> maria
>>
>> -----Original Message-----
>> From: wireshark-users-bounces@xxxxxxxxxxxxx
>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastien Tandel
>> Sent: Thursday, December 14, 2006 10:14 AM
>> To: Community support list for Wireshark
>> Subject: Re: [Wireshark-users] Fake Ethernet II header with 802.11 protocol
>>
>> Hi,
>>
>> you should use aireplay from the package aircrack.
>>
>> Sebastien Tandel
>>
>> Cruz, Petagay wrote:
>>> hi, I ran Wireshark 0.99.4 and captured 802.11 management traffic to a
>>> file. In Wireshark I can see it dissected fine. I then used
>>> tcpreplay and replayed the pcap file on the same interface and
>>> captured that. The new capture file shows 802.11 management messages
>>> as 'Ethernet II' or 'Ethernet Encapsulated'. The Protocol column has
>>> various 'hex' numbers.
>>>
>>> I am using Wireshark 0.99.4, Compiled with GTK+ 2.6.10, with GLib
>>> 2.6.6, with libpcap 0.9.4,
>>>
>>> Linux RHEL4 OS, IPW2200 driver v1.1.2 Firmware version: fw-3.0,
>>> IEEE802.11 stack version: 1.1.13
>>>
>>> tcpreplay is also built with libpcap 0.9.4 and libnet 1.1.3.
>>>
>>> what am I doing wrong...
>>>
>>> Maria Cruz
>>> Associate
>>> Booz Allen Hamilton
>>> 151 Industrial Way East
>>> Eatontown, NJ 07724
>>> 732-935-5393

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
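Added example, not part of the original thread and not code from Wireshark or tcpreplay: a check of the link-layer type recorded in a pcap file's global header, plus a demonstration of how an 802.11 management frame reads when its bytes are parsed as Ethernet II. The sample header, the beacon frame and the MAC address 00:11:22:33:44:55 are constructed for illustration.

```python
import struct

# Link-layer type numbers from the tcpdump.org LINKTYPE_ registry.
LINKTYPES = {1: "ETHERNET", 105: "IEEE802_11", 119: "PRISM_HEADER",
             127: "IEEE802_11_RADIOTAP", 163: "IEEE802_11_AVS"}

def pcap_linktype(header: bytes):
    """Return (number, name) of the link type in a classic pcap global header."""
    if len(header) < 24:
        raise ValueError("pcap global header is 24 bytes")
    magic = header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # written on a little-endian host (usec or nsec stamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"   # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    (network,) = struct.unpack_from(endian + "I", header, 20)
    network &= 0xFFFF  # the link type occupies the low 16 bits of the field
    return network, LINKTYPES.get(network, "OTHER")

def read_as_ethernet(frame: bytes):
    """Parse the first 14 bytes the way an Ethernet II dissector would."""
    if len(frame) < 14:
        raise ValueError("need at least 14 bytes")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "type": f"0x{ethertype:04x}"}

# Constructed sample: global header of a monitor-mode capture (link type 105).
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)

# Constructed sample: start of an 802.11 beacon (frame control, duration,
# broadcast destination, source, BSSID, sequence control).
SAMPLE_BEACON = bytes.fromhex("80000000" "ffffffffffff" "001122334455"
                              "001122334455" "1000")

if __name__ == "__main__":
    print(pcap_linktype(SAMPLE_HEADER))
    # The "EtherType" comes out of the middle of the transmitter's MAC address.
    print(read_as_ethernet(SAMPLE_BEACON))
```

Running `pcap_linktype` on the first 24 bytes of both the original capture and the re-captured replay shows whether the two files were even recorded with the same link-layer type before any frame contents are compared.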