Ethereal-users: Re: [Ethereal-users] Bogus 802.11 captures, how to fix?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jeffrey W. Baker" <jwbaker@xxxxxxx>
Date: Fri, 21 Sep 2001 13:38:23 -0700 (PDT)
On Fri, 21 Sep 2001, Guy Harris wrote:

> > Hi.  I just went outside and did some caps with my 802.11 card.
> > Unfortunately, they are garbage.  Here's one:
> >
> > 2d:05:62:49:a3:36 -> d4:00:00:00:00:02 LLC I [...]
> > 96:34:1e:9e:0f:0f -> d4:00:00:00:00:40 0x0f0f Ethernet II
> >
> > As you can see, the MAC addresses are bogus.  I'm using a Cisco Aironet
> > 352.
>
> On what operating system, and with vanilla or patched drivers?

This is Debian Linux, PowerPC, driver from pcmcia-cs 3.1.29, modified by
me to use the RF monitoring mode of the Aironet MAC.  It looks as though
the first 10 or more bytes are some kind of header or other protocol info.
In most of the packets, the MAC address starts on byte 10 (counting from
0).  So the MACs on the capture look something like this:

xx:xx:xx:xx:MAC0:MAC1 -> xx:xx:xx:xx:xx:xx Proto info, but actually MAC2

On others, the MAC doesn't include 00: at all, so the MAC address must
have been padded further into the frame(?).  Or they might just be
well-formed RF noise.

-jwb