Wireshark-dev: Re: [Wireshark-dev] Wireshark PEEKREMOTE decoding packets from Cisco Sniffer APs
From: Alexis La Goutte <[email protected]>
Date: Wed, 28 May 2014 15:54:10 +0200

On Wed, May 28, 2014 at 3:36 PM, Vignesh Viswanathan -X (vignevis - EMBED UR SYSTEMS at Cisco) <[email protected]> wrote:

Hi All,


We see an issue when decoding packets sniffed from a Cisco Sniffer AP using PEEKREMOTE.


The header for “IEEE 802.11 QoS Data” under “AiroPeek/OmniPeek encapsulated IEEE 802.11” is found to be of 28 bytes in length. Whereas the same ““IEEE 802.11 QoS Data” under default decoding is 26 bytes for “LLC” packets. This leads to the fist 2 bytes of LLC to go wrongly under “IEEE 802.11 QoS Data”, which in turn leads to LLC DSAP as unknown and Wireshark is not able to identify EAP/EAPOL packets.


The following are the screen shots from the capture.



The two bytes highlighted are not a part “QOS Control” which is the last field in “IEEE 802.11 QoS Data”.


The same packets are decoded properly with 26 bytes header by “WildPackets Omnipeek” as shown below.


For packets captured over the air with sniffer laptops (default decoding and not PEEKREMOTE), the “IEEE 802.11 QoS Data” is correctly decoded with 26 bytes header as EAP/EAPOL is identified.



Please provide your thoughts on how we can resolve this issue as we are seeing this in multiple sniffer setups using Wireshark.



Please attach your samples in bugtracker and specify your Wireshark release version




Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe