On Sat, 14 Feb 2004, Guy Harris wrote:
> > Ethereal cannot handle Ethernet frames embedded within 802.11
> > frames. It sounds really wierd but it happens and was seen in the
> > wild.
>
> What devices send them?
Beats me. I have got 20 megabytes of those frames gathered
during "Kismet debugging runs". Their source addresses are as
follows (together with the number of frames they appear in):
1 Source address: 00:30:4f:14:4d:62 (PlanetTe_14:4d:62)
11888 Source address: 00:30:4f:19:cb:38 (PlanetTe_19:cb:38)
4 Source address: 00:30:4f:1a:b7:cd (PlanetTe_1a:b7:cd)
1697 Source address: 00:30:4f:1e:14:66 (PlanetTe_1e:14:66)
1 Source address: 00:90:d1:01:2c:c6 (LeichuEn_01:2c:c6)
5 Source address: 00:90:d1:01:47:7f (LeichuEn_01:47:7f)
28034 Source address: 00:90:d1:01:5d:ee (LeichuEn_01:5d:ee)
401 Source address: 00:c0:ca:32:61:c1 (Alfa_32:61:c1)
247 Source address: ff:ff:ff:ff:ff:ff (Broadcast)
(^^^ yes, broadcast!)
and I found them in the following BSS's:
12139 BSS Id: 00:90:d1:01:2c:79 (LeichuEn_01:2c:79)
1 BSS Id: 00:90:d1:01:2c:95 (LeichuEn_01:2c:95)
1 BSS Id: 00:90:d1:01:2c:ca (LeichuEn_01:2c:ca)
1702 BSS Id: 00:90:d1:01:4c:52 (LeichuEn_01:4c:52)
88 BSS Id: 00:90:d1:01:5e:b7 (LeichuEn_01:5e:b7)
28347 BSS Id: 00:90:d1:01:60:90 (LeichuEn_01:60:90)
As far as I can tell when I look at them, they appear to be some
kind of trick used to bridge traffic between two Ethernet
networks over a WLAN without A4 frames (AFAIK, it is difficult
or impossible to send A4 frames with common hardware).
> > As there appears to be no sane way to distinguish
> > encapsulated Eth. frames from LLC/SNAP I resorted to a
> > generalized variant of the method used by linux-wlan-ng drivers:
[...]
>
> Should there be a preference setting to control whether to do this or
> not?
Maybe.
--
Pavel Kankovsky, DCIT s.r.o., J. Martiho 2/407, 160 41 Praha 6, CZ
tel (+420) 235 363 342, fax (+420) 235 361 543, url http://www.dcit.cz/