Wireshark-dev: [Wireshark-dev] wlccp dissector scm advertisement

From: Jochen Bartl <jochen.bartl@xxxxxxxxx>
Date: Fri, 08 Aug 2008 18:56:24 +0200

Hi all,

I found out that there is a problem with the WLCCP dissector, when
parsing SCM Advertisements. The dissector directly appends the TLV
fields to the standard WLCCP header, when the TLV flag is set. After
reading the WLCCP patent, I found out that SCM Advertisements have a
specific header, which is between the standard WLCCP header and the
TLVs.

I have attached a screenshot[1] from my Scapy WLCCP dissector, which
shows where the SCM header should be inserted. You can find the
displayed packet in the attached pcap file as packet number 27.

My Scapy SCM header looks like this:

from scapy.packet import Packet
from scapy.fields import (ByteField, ConditionalField, FlagsField, IntField,
                          MACField, ShortField)
from scapy.volatile import RandMAC

# SCM_FLAGS, RepeatedTlvListField and _WlccpGuessPayloadClass are not
# shown in this message.

class WlccpScmAdv(Packet):
    name = "WLCCP SCM Advertisement"
    fields_desc = [
                   MACField("wdsmac", RandMAC()),
                   # 16 Bit
                   FlagsField("scmflags", 0, 16, SCM_FLAGS),
                   ByteField("scmelectgroup", 0),
                   ByteField("attachcount", 0),
                   ByteField("scmpriority", 0),
                   ByteField("bridgepriority", 254),
                   MACField("unknownmac3", RandMAC()),
                   ShortField("unknown4", 0),
                   IntField("age", 11),  # increments by 1
                   ShortField("pathcost", 0),
                   ByteField("hopcount", 0),
                   # Average number of seconds between SCM Advs
                   ByteField("period", 5),
                   # append TLV fields if TLV flag is set
                   ConditionalField(
                       RepeatedTlvListField("tlvlist", [],
                                            _WlccpGuessPayloadClass),
                       lambda pkt: pkt.underlayer.flags & 0x2000 == 0x2000)
                   ]

There are two fields left at the moment in the header where I couldn't
find out what they are for. They are the "unknownmac3" and the
"unknown4" fields.

It would be great if someone could update the WLCCP dissector and insert
this additional SCM header. I had a look at the dissector code myself,
but fixing it is far beyond my C programming skills.

I could also upload my Cisco Aironet AP config files from my testlab or
more pcap files with WLCCP packets if necessary. Just ask if I should
provide more info or do some tests.

best regards,

jochen


1) http://silentwire.net/~lobo/files/wlccp-scmadv-tlv.jpg
2) http://silentwire.net/~lobo/files/wlccp-scmadv-pkts.pcap

Attachment: wlccp-scmadv-pkts.pcap
Description: application/extension-pcap

Attachment: wlccp-scmadv-tlv.jpg
Description: JPEG image

Attachment: signature.asc
Description: This is a digitally signed message part
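
The header layout listed in the message, as a bounds-checked parser. This is an added example, not part of the original post or of the Wireshark dissector. It assumes network byte order (Scapy's default for ShortField and IntField); the names parse_scm_adv, ScmAdv, SCM_HDR and TLV_FLAG are hypothetical, and the TLV region is returned undecoded because the message does not give the TLV layout.

```python
import struct
from typing import NamedTuple

# Field order and widths follow the Scapy field list in the message;
# network byte order is assumed. Total size: 28 bytes.
SCM_HDR = struct.Struct("!6sHBBBB6sHIHBB")
TLV_FLAG = 0x2000  # bit the message tests on the underlying WLCCP header flags

class ScmAdv(NamedTuple):
    wdsmac: str
    scmflags: int
    scmelectgroup: int
    attachcount: int
    scmpriority: int
    bridgepriority: int
    unknownmac3: str
    unknown4: int
    age: int
    pathcost: int
    hopcount: int
    period: int
    tlv_bytes: bytes  # undecoded TLV region, empty when the TLV flag is clear

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_scm_adv(payload: bytes, wlccp_flags: int) -> ScmAdv:
    """Parse the bytes that follow the standard WLCCP header."""
    if len(payload) < SCM_HDR.size:
        raise ValueError(f"truncated SCM header: {len(payload)} < {SCM_HDR.size}")
    f = list(SCM_HDR.unpack_from(payload))
    f[0], f[6] = _mac(f[0]), _mac(f[6])
    # TLVs start only after the SCM header, and only when the flag is set.
    tlvs = payload[SCM_HDR.size:] if wlccp_flags & TLV_FLAG else b""
    return ScmAdv(*f, tlv_bytes=tlvs)

# Constructed sample bytes (not taken from the pcap linked in the message).
SAMPLE = bytes.fromhex(
    "001122334455" "8000" "00" "01" "80" "fe"
    "000000000000" "0000" "0000000b" "0000" "00" "05"
    "deadbeef"  # stand-in for a TLV region
)
```

Reading TLVs at offset 0 of this payload, as the message says the dissector does, would interpret the WDS MAC and flags as TLV type and length fields.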