Wireshark-dev: [Wireshark-dev] Questions about IEEE 802.11 dissector



From: Stig Bjørlykke <stig.bjorlykke@xxxxxxxxx>
Date: Mon, 2 Apr 2007 15:56:59 +0200

Hi.

I have some questions about the IEEE 802.11 dissector (and the wlancap dissector). I am capturing on Mac OS 10.4.9 with the latest Wireshark svn on the wireless device wlt1.

1. When connected to an open network, all packages have 4 trailing bytes which are not recognized correctly as a "tagged parameter", and the packet is tagged malformed. Is this some sort of ICV for unprotected packages? See the attached capture ieee80211-clear.pcap.

2. When connected to a WEP encrypted network, the data package is marked as protected but the data part is not encrypted and the content is not dissected. Is this because the Mac OS driver has decrypted the data before they are captured with Wireshark? In this case I think the data should be dissected. See the attached capture ieee80211-wep.pcap, with an IPP package which is not dissected.

3. A question for the wlancap dissector: The SSI-type seems to have the wrong endianness, and the SSI-signal has a negative value. Should this be handled by the dissector?

I do not know anything about the 802.11 protocol (yet), but I am willing to make a fix if I understand how to handle this :)


--
Stig Bjørlykke

Attachment: ieee80211-clear.pcap
Description: Binary data

Attachment: ieee80211-wep.pcap
Description: Binary data

