Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] [tcpdump-workers] regarding wireless data frames

From: abhinav narain <abhinavnarain10@xxxxxxxxx>
Date: Sat, 10 Mar 2012 13:18:38 -0500
Oh, and one more thing:

Some network adapters, when running in a mode where they supply an 802.11 header (such as monitor mode), put some padding in between the 802.11 header and the payload, so the 802.2 LLC header in a data frame might not immediately follow the 802.11 header (regardless of whether the payload is encrypted or not).  The radiotap header includes a flag for that - it's the 0x20 flag bit in the Flags field:

       http://www.radiotap.org/defined-fields/Flags

I have two questions.
I believe, the data packets destined for my AP, will be decrypted by the hardware itself
In any case, when I get them in userland, they should be unencrypted. right ?
If I look at tpdump code, for each data frame, I need to check
FC_WEP(fc), if only its false, I should check further.
then get the header length.
  int hdrlen  = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24;
   if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc)))
   hdrlen += 2

And then, if then jump this length to check for ether type, using the llc frame .
I hope I am not missing any detail.
As on doing the above .. i get very low frequency of arp,udp packets, but I never get tcp packets output on my screen , even though  I am browsing.

Any comments ?

Abhinav