Wireshark-users: [Wireshark-users] Cannot dissect IEEE802.11 data frames
From: Vasily Postnicov <shamaz.mazum@xxxxxxxxx>
Date: Tue, 17 May 2016 15:58:36 +0300
Hello! I am using Wireshark 2.0.3 from FreeBSD ports for the first time. I am not good at computer networks and am trying to analyze traffic captured over an unencrypted Wi-Fi network. It turns out that data frame dissection is wrong in my case: Wireshark can't dissect further than the LLC protocol. I attach a pcap file produced by airodump-ng.

Here is the beginning of the sixth frame in hex:
 88 01 30 00 0E 27 22 E9 54 84 1C B7 2C 4E 24 DF D4 CA 6D D6 F5 4D 40 29 00 00 40 00 AA AA 03 00 00 00 08 00 45 00 00 39 B5 B1 40 00 40 11 BF 76 C0 A8 22 3A C0 A8 22 01
Wireshark says that the LLC header begins with the sequence 40 00 aa aa, so

DSAP is Unknown (0x40)
SSAP is NULL LSAP (0x00)
Control field is I, N(R)=85, N(S)=85 (0xAAAA)

From what I read on Wikipedia, this seems to be wrong. It seems DSAP is actually 0xAA here, SSAP is also 0xAA, and the control field is the single octet 0x03, which means the SNAP extension is used. The next 3 octets (0x000000) are an unused OUI, and the following 2 octets 0x0800 are the protocol ID for IPv4. The next octet 0x45 is the beginning of the IP packet header.

According to ifconfig, the access point of that network supported high throughput and Atheros protocol extensions (it had HTCAP and ATH in the `ifconfig wlan0 list scan` output), whatever that means.

So what am I doing wrong? Or is this a bug?

With best regards,
Vasily

Attachment: shark.pcap
Description: application/vnd.tcpdump.pcap
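As an added example (not part of the message above), a small parser that walks the quoted bytes of frame 6: it derives the 802.11 MAC header length from the Frame Control field (QoS Data with ToDS set gives 26 bytes, i.e. through the 2-byte QoS Control), then looks for the LLC/SNAP signature AA AA 03 either directly after the header or 2 bytes later, which is where it sits in this dump. Treating that 2-byte gap as alignment padding before the payload is an assumption made here to explain the offset; the message itself does not say what the bytes 40 00 are.

```python
import struct

# Constructed from the hex dump quoted in the message: the first 56 bytes of frame 6.
FRAME6 = bytes.fromhex(
    "88 01 30 00 0E 27 22 E9 54 84 1C B7 2C 4E 24 DF D4 CA 6D D6 F5 4D "
    "40 29 00 00 40 00 AA AA 03 00 00 00 08 00 45 00 00 39 B5 B1 40 00 "
    "40 11 BF 76 C0 A8 22 3A C0 A8 22 01"
)

SNAP_SIGNATURE = b"\xaa\xaa\x03"  # DSAP=SNAP, SSAP=SNAP, control=UI (0x03)


def mac_header_len(fc):
    """Length of the 802.11 MAC header of a data frame, from Frame Control."""
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    if ftype != 2:
        raise ValueError("not a data frame")
    length = 24                                # FC, Duration, Addr1-3, Seq Ctrl
    if flags & 0x01 and flags & 0x02:          # ToDS and FromDS both set
        length += 6                            # Addr4 present
    if subtype & 0x8:                          # QoS Data subtypes
        length += 2                            # QoS Control
        if flags & 0x80:                       # Order bit: HT Control follows
            length += 4
    return length


def parse_data_frame(frame):
    fc = struct.unpack_from("<H", frame, 0)[0]
    hdr = mac_header_len(fc)
    # Assumption: if AA AA 03 is not right after the MAC header but 2 bytes
    # later, the capture carries 2 bytes of padding aligning the payload to 4.
    padding = 0
    if frame[hdr:hdr + 3] != SNAP_SIGNATURE:
        if frame[hdr + 2:hdr + 5] != SNAP_SIGNATURE:
            raise ValueError("no LLC/SNAP header found after MAC header")
        padding = 2
    llc = hdr + padding
    ethertype = struct.unpack_from(">H", frame, llc + 6)[0]  # after 3-byte OUI
    payload = llc + 8
    return {
        "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
        "header_len": hdr, "padding": padding,
        "dsap": frame[llc], "ssap": frame[llc + 1], "control": frame[llc + 2],
        "oui": frame[llc + 3:llc + 6].hex(), "ethertype": ethertype,
        "payload_offset": payload,
        "ip_version": frame[payload] >> 4 if ethertype == 0x0800 else None,
    }
```

Running `parse_data_frame(FRAME6)` reports a 26-byte header plus 2 bytes of padding, SNAP fields AA/AA/03, OUI 000000, EtherType 0x0800 and an IPv4 header at offset 36, matching the manual decode in the message.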