Wireshark-dev: Re: [Wireshark-dev] Got "Radiotap data goes past the end of the radiotap header"

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 9 Apr 2016 02:33:43 -0700
On Apr 9, 2016, at 1:09 AM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> However, most information of the radiotap header is zero like below. The most commonly seen TSFT field (I thought) is not there. Although I didn't implement some fields like "Rate" yet, I still feel it's too blank?
> Maybe this is because the underlying network card driver doesn't implement so many 802.11 OOB data,

It could be:

	https://social.technet.microsoft.com/Forums/en-US/624a6148-f8ed-4be0-819e-924ae3cd3dda/wifi-in-netmon-dealing-with-broken-monitor-mode-implementations-in-the-drivers?forum=netmon

Michael Berg of Tamosoft has also noted that the quality of the metadata supplied by Native Wi-Fi drivers for Windows... *varies*.  (Unfortunately, I think that was in some tweets he posted, and Twitter makes it *really hard* to search - it seems not to find reply tweets, which I think his comments were.)

> One of my 802.11 packet's radiotap header is like this:
> 
> --------------------------------------------------------
> Radiotap Header v0, Length 15
>   Header revision: 0
>   Header pad: 0
>   Header length: 15
>   Present flags
>   Flags: 0x00
>   Channel frequency: 0

If the channel frequency is 0, that probably means that it's not supplied, so don't provide a Channel field.

>   Channel flags: 0x0000
>   SSI Signal: -47 dBm
> --------------------------------------------------------
> 
> 
> The only field with non-zero values is SSI Signal.
> Sometimes it is -46 dBm, sometimes -47 dBm; most times it is also 0 dBm.

That might mean that it's not supplying a signal strength; it means "1 milliwatt", which seems to be a lot stronger than the signals I typically see, so it's probably not a valid value.
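
Added example (not part of the original message, and not Npcap or Wireshark code): a Python builder that leaves the Channel field out of the radiotap header when the frequency is 0, plus a parser that rejects a header whose present flags claim more data than the header length, the condition named in the subject line. The function names and the choice to treat 0 dBm as "not supplied" are assumptions.

```python
import struct

# Radiotap present-flag bit -> (name, size, alignment, struct format).
FIELDS = {0: ("tsft", 8, 8, "<Q"), 1: ("flags", 1, 1, "<B"), 2: ("rate", 1, 1, "<B"),
          3: ("channel", 4, 2, "<HH"), 5: ("dbm_antsignal", 1, 1, "<b")}

def build_radiotap(flags=None, channel_mhz=0, channel_flags=0, signal_dbm=0):
    """Build a radiotap header, leaving out fields the driver did not supply."""
    values = {}
    if flags is not None:
        values[1] = (flags,)
    if channel_mhz != 0:      # frequency 0 is read as "not supplied"
        values[3] = (channel_mhz, channel_flags)
    if signal_dbm != 0:       # assumption: 0 dBm is treated as "not supplied"
        values[5] = (signal_dbm,)
    present, body, offset = 0, b"", 8
    for bit in sorted(values):
        _name, size, align, fmt = FIELDS[bit]
        pad = -offset % align  # fields are aligned relative to the header start
        body += b"\x00" * pad + struct.pack(fmt, *values[bit])
        offset += pad + size
        present |= 1 << bit
    return struct.pack("<BBHI", 0, 0, offset, present) + body

def parse_radiotap(buf):
    """Return {field: value tuple}; reject data running past the header length."""
    if len(buf) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or length < 8 or length > len(buf):
        raise ValueError("bad radiotap header")
    if present & (1 << 31):
        raise ValueError("extended present bitmaps not handled in this example")
    out, offset = {}, 8
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in FIELDS:
            raise ValueError(f"unhandled present bit {bit}")
        name, size, align, fmt = FIELDS[bit]
        offset += -offset % align
        if offset + size > length:
            raise ValueError("radiotap data goes past the end of the radiotap header")
        out[name] = struct.unpack_from(fmt, buf, offset)
        offset += size
    return out
```
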