Wireshark-dev: [Wireshark-dev] Questions about IEEE 802.11 dissector
From: Stig Bjørlykke <[email protected]>
Date: Mon, 2 Apr 2007 15:56:59 +0200
Hi.

I have some questions about the IEEE 802.11 dissector (and the wlancap dissector). I am capturing on Mac OS 10.4.9 with the latest Wireshark svn on the wireless device wlt1.

1. When connected to an open network all packages have 4 trailing bytes which are not recognized correctly as a "tagged parameter", and the packet is tagged malformed. Is this some sort of ICV for unprotected packages? See the attached capture ieee80211-clear.pcap.

2. When connected to a WEP-encrypted network the data package is marked as protected but the data part is not encrypted and the content is not dissected. Is this because the Mac OS driver has decrypted the data before they are captured with Wireshark? In this case I think the data should be dissected. See the attached capture ieee80211-wep.pcap, with an IPP package which is not dissected.

3. A question for the wlancap dissector: The SSI-type seems to have wrong endian, and the SSI-signal has a negative value. Should this be handled by the dissector?

I do not know anything about the 802.11 protocol (yet), but I am willing to make a fix if I understand how to handle this :)

--
Stig Bjørlykke

Attachment: ieee80211-clear.pcap
Description: Binary data

Attachment: ieee80211-wep.pcap
Description: Binary data