Wireshark-dev: Re: [Wireshark-dev] Questions about IEEE 802.11 dissector

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 2 Apr 2007 16:09:13 -0700

On Apr 2, 2007, at 6:56 AM, Stig Bjørlykke wrote:

3. A question for the wlancap dissector: The SSI-type seems to have wrong endian,

What type of AirPort adapter do you have?

I think at least some of them are using (yay!) radiotap headers rather than AVS headers, although some older ones might've used AVS headers. There might be a driver bug wherein the SSI type isn't big-endian, although with older adapters that'd arguably be somewhat stoopid, given that

1) the AVS header spec says "All multibyte fields of the capture header are in "network" byte order." (go to http://mail.shaftnet.org, click on "Development", click on "Version Control", click on "trunk", click on "doc", click on "capturefrm.txt", select the atest revision (1795, as of now);

2) older adapters are on older Macs, which have big-endian PowerPC processors;

3) Ethereal/Wireshark, as is appropriate, interprets them as big- endian, so little-endian fields in an AVS header would've shown up pretty quickly when looking at those captures.

and the SSI-signal has a negative value.

To quote the AVS header spec:

	4.11 ssi_signal
	The ssi_signal field contains the signal strength value reported by
	the WLAN device for this frame. Note that this is a signed quantity
	and if the ssi_type value is "dBm" that the value may be negative.