Wireshark · Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?

[Guy Harris <gharris@xxxxxxxxx>]

On Mon, Jun 10, 2002 at 08:34:57AM -0700, Doug Ambrisko wrote:
> Also note that with the Cisco card you do not get the WEP keys in the
> "raw" 802.11 packet (so is it really 802.11 monitor mode ... not really).
> It is speculated that the WEP HW engine removes this.  I've been able
> to decrypt and view the payload correctly when I enabled WEP on the
> card and set the keuys then in Ethereal dissector I have it skip
> the WEP part of the packet and then Ethereal disects the rest of the
> packet correctly (ie. follow HTTP streams etc.).

I.e., the card delivers *decrypted* WEP packets, but leaves the WEP flag
set in the header, so that any analyzer that takes the WEP flag
seriously gets confused?

By "skip the WEP part of the packet" do you mean you skip the first 4
bytes after the header (i.e., the stuff dissected by the

  if (IS_WEP(COOK_FLAGS(fcf)))
    {
      int pkt_len = tvb_reported_length (tvb); 
      int cap_len = tvb_length (tvb);

		...

    }

code in "dissect_ieee80211_common()"), and then, instead of calling
"call_dissector()", with "data_handle" as the handle argument, to
dissect the payload (minus the WEP header and the WEP CRC), you just
dissect that part of the frame as if it were unencrypted data?