Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Solomon Peachy <solomon@xxxxxxxxxxxxxx>
Date: Thu, 13 Jun 2002 10:29:13 -0400
On Wed, Jun 12, 2002 at 11:21:44PM -0700, Guy Harris wrote:
> Perhaps we'd need to have a preference setting in the 802.11 dissector
> to control whether to assume WEP frames are decrypted or encrypted?

Personally, I'd just leave it as it is.  Now that the 802.11 dissector can
handle de-wepping data on its own, there's no real reason why we need to
have the card do the decryption itself.  :)
 
> Solomon, what happens with the Prism II reference design cards in
> monitor mode if they receive a WEP frame and the WEP key is set on the
> card?  Do they supply the frame with everything including the WEP header
> as is, but with the payload decrypted?

If the card is set to de-wep the incoming packets in monitor mode
(keepwepflags=true, defaults to false) it strips out the WEP IV+ICV, but
doesn't clear the WEP bit in the 802.11 header.  *grumble*  I was most
displeased when I discovered this gem.

Right now, the driver look for the AA AA 03 SNAP header in the payload; if
it sees that, it clears the WEP bit.   It's not perfect, but it worked for
me.  :) 

If someone has instances of that not working, send me a packet dump and
I'll try to make the detection code a bit more robust.

 - Pizza
-- 
Solomon Peachy                        solomon@xxxxxxxxxxxxxx
AbsoluteValue Systems                 http://www.linux-wlan.com
715-D North Drive                     +1 (321) 259-0737  (office)
Melbourne, FL 32934                   +1 (321) 259-0286  (fax)

Attachment: pgpyPMMyZeIYZ.pgp
Description: PGP signature