Wireshark-dev: Re: [Wireshark-dev] UI for packets differing by a checksum on the end
From: Jon Smirl <[email protected]>
Date: Thu, 29 Jul 2010 16:18:08 -0400
On Thu, Jul 29, 2010 at 3:25 PM, Guy Harris <[email protected]> wrote:
> On Jul 29, 2010, at 7:19 AM, Jon Smirl wrote:
>> I'm working on the 802.15.4 packet decoder. 802.15.4 packets have a
>> two byte hardware checksum at the end of them. Some sniffer hardware
>> includes this checksum in the packets returned and some hardware
>> doesn't.
>> We've been switching between them by changing the source code:
>> -        ieee802154_handle   = find_dissector("wpan");
>> +        ieee802154_handle   = find_dissector("wpan_nofcs");
>> How can i fix this so that I can switch using the UI?
> Well, the first question you should ask is "can I fix this so that I don't *need* to switch using the UI?"  If the machine doing the capturing knows whether the sniffer hardware includes the FCS or not, users shouldn't *have* to know it and shouldn't *have* to tell Wireshark.

The hardware that is leaving the FCS on encapsulates them as Ethernet
frames with an Ethertype of 0x809a.

In packet-ieee802154.c:

static void
dissect_ieee802154_nofcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    tvbuff_t    *new_tvb;
    /* If there is no FCS present in the reported packet, then the length of
     * the true IEEE 802.15.4 packet is actually 2 bytes longer. Re-create
     * the buffer with an extended reported length so that the packet will
     * be handled as though the FCS were truncated.
     * Note, we can't just call tvb_set_reported_length(), because it includes
     * checks to ensure that the new reported length is not longer than the old
     * reported length (why?), and will throw an exception.
    new_tvb = tvb_new_subset(tvb, 0, -1,
    /* Call the common dissector. */
    dissect_ieee802154_common(new_tvb, pinfo, tree, 0);
} /* dissect_ieee802154_nofcs */

That routine is adding fake fcs bytes to the end of the packet. The
main dissector code assumes the FCS is present.
Adding a check that the packet is not encapsulated in ethertype 0x809a
should do the trick.
How do I check for that?

if (!ethernet encapsulate 0x809a)
    new_tvb = tvb_new_subset(tvb, 0, -1,

> In what file format are the captures for those different pieces of hardware?  If they're in pcap format, you should ask for a new DLT_ value for "802.15.4 without an FCS", use that DLT_ value for the sniffing hardware that doesn't include the checksum, and map that DLT_ value to the new WTAP_ENCAP_IEEE802_15_4_NOFCS value.

Both pieces of hardware are sending the packets into the Linux
networking subsystem. I'm using Wireshark to capture from the network

> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:[email protected]?subject=unsubscribe

Jon Smirl
[email protected]