A year ago I sent the following patches to ethereal-dev but
they were neither accepted nor refused (explicitly). Perhaps
someone will bother look at them this time... (the patches work
against 0.10.0a albeit with nonzero offsets):
Ethereal cannot handle Ethernet frames embedded within 802.11
frames. It sounds really wierd but it happens and was seen in the
wild. As there appears to be no sane way to distinguish
encapsulated Eth. frames from LLC/SNAP I resorted to a
generalized variant of the method used by linux-wlan-ng drivers:
I assume I have an encapsulated Eth. frame when the bytes 0-5 of
the payload match the destination address in the 802.11 header or
bytes 6-11 match the source address (the current version of
linux-wlan-ng requires both addresses to match but frames where
only one of the addresses matched were observed [*]). To reduce the
likelyhood of accidental matches, the first two bytes of the
payload are checked for 0xaa (SNAP).
[*] update: linux-wlan-ng was modified to follow the same logic
as this patch in the meantime
---snip---
--- packet-ieee80211.c.orig Thu Jan 23 03:45:55 2003
+++ packet-ieee80211.c Tue Jan 28 12:28:03 2003
@@ -404,6 +404,7 @@
static dissector_handle_t llc_handle;
static dissector_handle_t ipx_handle;
+static dissector_handle_t eth_handle;
static dissector_handle_t data_handle;
/* *************************************************************************
*/
@@ -1151,7 +1152,7 @@
gboolean save_fragmented;
tvbuff_t *volatile next_tvb = NULL;
guint32 addr_type;
- volatile gboolean is_802_2;
+ volatile gboolean is_802_2, is_encap;
if (check_col (pinfo->cinfo, COL_PROTOCOL))
col_set_str (pinfo->cinfo, COL_PROTOCOL, "IEEE 802.11");
@@ -1849,10 +1850,21 @@
Ethernet dissector, i.e. checking for 0xffff as the first
four bytes of the payload and, if we find it, treating it
as an IPX frame. */
+ /* Ethernet encapsulation: a complete Ethernet frame is encapsulated
+ within an 802.11 data frame */
+ is_encap = FALSE;
is_802_2 = TRUE;
TRY {
if (tvb_get_ntohs(next_tvb, 0) == 0xffff)
is_802_2 = FALSE;
+ src = tvb_get_ptr (next_tvb, 6, 6);
+ dst = tvb_get_ptr (next_tvb, 0, 6);
+ if ((dst[0] != 0xaa || dst[1] != 0xaa) &&
+ (memcmp(src, pinfo->dl_src.data, 6) == 0 ||
+ memcmp(dst, pinfo->dl_dst.data, 6) == 0)) {
+ is_802_2 = FALSE;
+ is_encap = TRUE;
+ }
}
CATCH2(BoundsError, ReportedBoundsError) {
; /* do nothing */
@@ -1862,6 +1874,8 @@
if (is_802_2)
call_dissector(llc_handle, next_tvb, pinfo, tree);
+ else if (is_encap)
+ call_dissector(eth_handle, next_tvb, pinfo, tree);
else
call_dissector(ipx_handle, next_tvb, pinfo, tree);
break;
@@ -2430,10 +2444,11 @@
dissector_handle_t ieee80211_radio_handle;
/*
- * Get handles for the LLC and IPX dissectors.
+ * Get handles for the LLC, IPX and Eth dissectors.
*/
llc_handle = find_dissector("llc");
ipx_handle = find_dissector("ipx");
+ eth_handle = find_dissector("eth");
data_handle = find_dissector("data");
ieee80211_handle = find_dissector("wlan");
---snip---
Special bonus <g>: here is a small fix for packet-prism.c
("Channel Time" should read "Channel"):
---snip---
--- packet-prism.c.orig Sat Nov 9 17:34:33 2002
+++ packet-prism.c Tue Jan 28 02:51:06 2003
@@ -178,7 +178,7 @@
VALFIELD(hosttime, "Host Time");
VALFIELD(mactime, "MAC Time");
- VALFIELD(channel, "Channel Time");
+ VALFIELD(channel, "Channel");
VALFIELD(rssi, "RSSI");
VALFIELD(sq, "SQ");
VALFIELD(signal, "Signal");
@@ -208,7 +208,7 @@
INTFIELD2(FT_UINT32, msglen, "Message Length")
VALFIELD2(hosttime, "Host Time")
VALFIELD2(mactime, "MAC Time")
- VALFIELD2(channel, "Channel Time")
+ VALFIELD2(channel, "Channel")
VALFIELD2(rssi, "RSSI")
VALFIELD2(sq, "SQ")
VALFIELD2(signal, "Signal")
---snip---
--
Pavel Kankovsky, DCIT s.r.o., J. Martiho 2/407, 160 41 Praha 6, CZ
tel (+420) 235 363 342, fax (+420) 235 361 543, url http://www.dcit.cz/