Wireshark-users: Re: [Wireshark-users] 802.11 Monitor Mode Malformed Packets

From: Seoras Ray <sray@xxxxxxxxxxxxx>
Date: Thu, 30 Apr 2009 15:12:22 -0400

The packet is okay as far as I can tell, Wireshark extracts all the
useful information and displays it okay. The 802.11 headers appear
fine, in fact looking at the packet I don't see anything obviously
malformed. I did check the protected bit and it is set to false.

Okay -edit-, I did just have to go back and try again to make sure I
hadn't missed anything and the only error I see in the packet
description is related to the FCS:
802.11 FCS: 0x00000000 [incorrect, should be 0x1cdf4421]

I ended up just running the pcap file through airdecap-ng and
converting it to wpa decrypted ethernet packets and then loading that
into wireshark. That got me what I needed so I didn't pursue the
mangled packet issue too much.

Seoras.


On Thu, Apr 30, 2009 at 2:55 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Apr 29, 2009, at 9:20 AM, Seoras Ray wrote:
>
>> I am trying to sniff wireless traffic on my wireless network and an
>> running into an issue with malformed packets. When I am sniffing the
>> interface in managed mode I see traffic coming through correctly with no
>> problems, however when I switch to monitored mode almost everything comes
>> through as a malformed packet.
>
> "Malformed" where?  Is the packet mostly OK, or does it show up as mangled
> from the beginning (or from the beginning of the 802.11 header, if there's a
> radio header before that)?
>
>



-- 
Seoras Ray
Applications Development Manager
GWI
8 Pomerleau Street
Biddeford, ME 04005
Tel: (207) 286-8686
Fax: (207) 286-2061