Ethereal-users: Re: [Ethereal-users] Tree display change

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 22 Jun 2001 14:21:35 -0700 (PDT)
> At 04:20 AM 6/22/2001, you wrote:
> Incidentally, in two separate cases capturing known WEP traffic,
> despite the AP's Beacon frame having the Capability-Privacy bit set,
> the WEP bit is NOT set in the DATA frames.

Is the payload of the data frames WEP-encrypted?

If not, would the network interface device be decrypting those frames
before handing them to the host, and clearing the WEP bit (given that
the frame they're handing to the host isn't WEP-encrypted)?

(*Outgoing* frames probably get directly handed to the packet-capture
mechanism by the networking code; unless it's the driver, rather than
the interface, that encrypts the frame, those frames presumably won't
have an encrypted payload when tcpdump/Ethereal/... sees them, and so
they presumably won't have the WEP bit set.)

I.e., this may be a case where, although whatever capture mechanism
you're using (the utility from Axis, or a driver with Javier Achirica's
modifications?) can put the interface into "raw mode" so that you see
802.11 traffic rather than pretend-Ethernet traffic, you're still not
seeing "raw traffic" as in "what's actually being broadcast over the
airwaves", and it may not be possible to see that.
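
The check discussed in this message, as an added example that is not part of the original post or of Ethereal's code: it reads the Privacy bit from a Beacon and the WEP bit from each Data frame, then tests whether a Data payload with the WEP bit clear starts with an LLC/SNAP header. The LLC/SNAP test is a heuristic assumption, the function names are hypothetical, and the sample frames are constructed.

```python
import struct

FC_FLAG_WEP = 0x40          # WEP bit in the second Frame Control byte
CAP_PRIVACY = 0x0010        # Privacy bit in a Beacon's Capability Information
LLC_SNAP = b"\xaa\xaa\x03"  # assumption: cleartext data payloads start with LLC/SNAP

def classify(frame):
    """Classify one 802.11 frame (no radio header, no FCS)."""
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype == 0 and subtype == 8:  # management, Beacon
        # 24-byte header + 8-byte timestamp + 2-byte beacon interval = offset 34
        (cap,) = struct.unpack_from("<H", frame, 34)
        return "beacon", bool(cap & CAP_PRIVACY)
    if ftype == 2 and subtype == 0:  # plain Data
        hdr_len = 30 if (flags & 0x03) == 0x03 else 24  # ToDS+FromDS adds Address 4
        wep = bool(flags & FC_FLAG_WEP)
        return "data", (wep, frame[hdr_len:].startswith(LLC_SNAP))
    return "other", None

def audit(frames):
    """Report data frames whose WEP bit is clear although a Beacon set Privacy."""
    parsed = [classify(f) for f in frames]
    if not any(kind == "beacon" and detail for kind, detail in parsed):
        return []
    findings = []
    for index, (kind, detail) in enumerate(parsed):
        if kind != "data":
            continue
        wep, cleartext = detail
        if not wep:
            findings.append((index, "cleartext" if cleartext else "opaque"))
    return findings

# Constructed sample frames (not taken from any real capture).
BSSID, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
def _hdr(fc0, flags, a1, a2, a3):
    return bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"

SAMPLE = [
    _hdr(0x80, 0x00, b"\xff" * 6, BSSID, BSSID) + bytes(8) + b"\x64\x00" + b"\x11\x00",
    _hdr(0x08, 0x02, STA, BSSID, BSSID) + LLC_SNAP + bytes.fromhex("0000000800") + b"\x45\x00",
    _hdr(0x08, 0x42, STA, BSSID, BSSID) + bytes.fromhex("0a0b0c00") + bytes.fromhex("9f3c77e1"),
    _hdr(0x08, 0x02, STA, BSSID, BSSID) + bytes.fromhex("0a0b0d00") + bytes.fromhex("5be2104d"),
]

if __name__ == "__main__":
    for index, verdict in audit(SAMPLE):
        print(f"frame {index}: WEP bit clear, payload looks {verdict}")
```

A "cleartext" verdict means the frame reached the capture mechanism without an encrypted payload, which on its own does not say whether it was encrypted on the air.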