ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 10139] New: Wireshark PEEKREMOTE decoding packets from Cis

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Wed, 28 May 2014 15:37:59 +0000
Bug ID 10139
Summary Wireshark PEEKREMOTE decoding packets from Cisco Sniffer APs incorrecty for EAP/EAPOL
Classification Unclassified
Product Wireshark
Version 1.11.x (Experimental)
Hardware All
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected] 

Created attachment 12775 [details]
Filtered captures from the sniffer APs

Build Information:
Version 1.11.3 (v1.11.3-0-g1dd5d3a from master)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6,
without Kerberos, with GeoIP, with PortAudio V19-devel (built Apr 15 2014),
with
AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.
       Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, with 3979MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
We see an issue when decoding packets sniffed from a Cisco Sniffer AP using
PEEKREMOTE.

The header for “IEEE 802.11 QoS Data” under “AiroPeek/OmniPeek encapsulated
IEEE 802.11” is found to be of 28 bytes in length. Whereas the same ““IEEE
802.11 QoS Data” under default decoding is 26 bytes for “LLC” packets. This
leads to the fist 2 bytes of LLC to go wrongly under “IEEE 802.11 QoS Data”,
which in turn leads to LLC DSAP as unknown and Wireshark is not able to
identify EAP/EAPOL packets.

The following are the screen shots from the capture.

<attached_screen1.jpg> 

The two bytes highlighted are not a part “QOS Control” which is the last field
in “IEEE 802.11 QoS Data”.

<attached_screen2.jpg>

The same packets are decoded properly with 26 bytes header by “WildPackets
Omnipeek” as shown below.

<attached_screen3.jpg>

For packets captured over the air with sniffer laptops (default decoding and
not PEEKREMOTE), the “IEEE 802.11 QoS Data” is correctly decoded with 26 bytes
header as EAP/EAPOL is identified.

<attached_screen4.jpg>

Also attached the filtered captures from the sniffer APs showing the LLC
packets.

You are receiving this mail because:
  • You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube