Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] IEEE80211 Prism header dissecting problem ..

From: "H.Jin Ko" <ymir.kr@xxxxxxxxx>
Date: Fri, 21 Mar 2014 11:19:21 +0900
As you say, wlan driver wrote prism header with host byte order and it
runs on mips(big-endian) machine.
However prism dissector treated prism is little-endian (such like radiotap).
I need to fix driver or use custom dissector for this case.

Thanks for replay, Hadriel and Guy.
I really appreciate it.

- H.Jin


2014-03-21 2:50 GMT+09:00 Guy Harris <guy@xxxxxxxxxxxx>:
>
> On Mar 20, 2014, at 8:37 AM, Hadriel Kaplan <hadrielk@xxxxxxxxx> wrote:
>
>> I think the Prism dissector is being called, but then it hands it to normal 802.11 instead. I don't know anything about Prism packets, but the wireshark code appears to expect the Prism message codes (either 0x00000044 for type 1, or 0x00000041 for type 2) to be in little-endian order on-the-wire, whereas your packet has it in network-order (ie, big-endian) on-the-wire.
>
> Actually, they're not "on-the-wire" at all - the Prism header is radio-level-information metadata generated by and written to the packet buffer by the driver.
>
> So the byte order might depend on the driver and the CPU type; he said "mips" - there are both big-endian and little-endian MIPS systems, so perhaps
>
>         1) this was a big-endian MIPS system
>
> and
>
>         2) the drivers put the Prism header in host byte order
>
> in which case we need to have the Prism code support both byte orders.
>
> (Yet another reason not to like Prism headers; radiotap:
>
>         http://www.radiotap.org
>
> specifies little-endian byte order, so a non-buggy driver would write out the radiotap header in little-endian order *even when running on a big-endian machine*.)
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe