Wireshark-dev: [Wireshark-dev] 802.11 timeline view and aggregation

From: Simon Barber <simon.barber@xxxxxxxxxx>
Date: Thu, 28 May 2015 14:26:21 -0700
A few years ago I wrote an extension for Wireshark that allows 802.11 frames to be viewed on a zoomable, scrollable timeline in a third pane added to the main display.


I'm now working on updating and revamping that code to support 802.11n and 802.11ac, and porting it to the new Qt UI.

802.11n added aggregation as a new feature. Most wireless cards do the de-aggregation in the hardware, and deliver the individual MPDU frames to the driver. As a result, all the radiotap captures I have seen have multiple frames in the capture where on the air there was only a single physical layer aggregate frame (A-MPDU). Since this extension to Wireshark is calculating and exposing physical layer properties (inter-frame spaces and timings), it needs to work with physical layer frames. I have a design question. Should I

1. pre-process the capture files to re-aggregate the MPDUs into single A-MPDU frames (a single A-MPDU shows up in Wireshark as a single packet, containing multiple 802.11 MPDUs)
or
2. somehow track the A-MPDUs within Wireshark, perhaps using the 'conversation' feature (frames show up in the packet list as they do now - each MPDU is a separate packet in Wireshark, and the timeline view needs to be smart as to how it displays them).

Simon
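
The regrouping step that either option needs, as an added example that is not part of the original message or of Wireshark's code: it reads the radiotap A-MPDU status field (present bit 20) and groups consecutive captured MPDUs that share a reference number. It assumes the capturing driver fills that field in; the function names and the sample frames are constructed for illustration.

```python
import struct

# (align, size) of the radiotap fields for present bits 0..19, which all
# precede the A-MPDU status field (bit 20: u32 reference, u16 flags, u8, u8).
_FIELDS = [(8, 8), (1, 1), (1, 1), (2, 4), (2, 2), (1, 1), (1, 1), (2, 2), (2, 2), (2, 2),
           (1, 1), (1, 1), (1, 1), (1, 1), (2, 2), (2, 2), (1, 1), (1, 1), (4, 8), (1, 3)]
AMPDU_BIT = 20

def ampdu_reference(frame: bytes):
    """Return the radiotap A-MPDU reference number, or None if absent or malformed."""
    if len(frame) < 8:
        return None
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or hdr_len > len(frame) or not present & (1 << AMPDU_BIT):
        return None
    offset, word = 8, present
    while word & (1 << 31):              # skip chained "present" words
        if offset + 4 > hdr_len:
            return None
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    for bit, (align, size) in enumerate(_FIELDS):
        if present & (1 << bit):         # pad to the field's alignment, then skip it
            offset = ((offset + align - 1) & ~(align - 1)) + size
    offset = (offset + 3) & ~3           # A-MPDU status is 4-byte aligned
    if offset + 8 > hdr_len:             # never read past the declared header
        return None
    return struct.unpack_from("<I", frame, offset)[0]

def group_ampdus(frames):
    """Return [(reference, [capture indices])]; frames without the field stay alone."""
    groups = []
    for idx, frame in enumerate(frames):
        ref = ampdu_reference(frame)
        if ref is not None and groups and groups[-1][0] == ref:
            groups[-1][1].append(idx)
        else:
            groups.append((ref, [idx]))
    return groups

def sample_frame(ref=None, tsft=0):
    """Constructed radiotap header (TSFT, optional A-MPDU status) plus dummy payload."""
    present = 1 | ((1 << AMPDU_BIT) if ref is not None else 0)
    body = struct.pack("<Q", tsft)
    if ref is not None:
        body += struct.pack("<IHBB", ref, 0, 0, 0)
    return struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body + b"\x00" * 4

# Constructed capture: three MPDUs of one A-MPDU, a lone frame, two MPDUs of another.
SAMPLES = [sample_frame(7, 100)] * 3 + [sample_frame(None, 250)] + [sample_frame(8, 400)] * 2
```

`group_ampdus(SAMPLES)` yields one entry per physical-layer frame, which is the unit a timeline of inter-frame spacing would draw.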