Wireshark-bugs: [Wireshark-bugs] [Bug 5281] New: 802.11 frames with FCSes in NetMon 3.4 trace fi

Date: Wed, 6 Oct 2010 10:50:16 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5281

           Summary: 802.11 frames with FCSes in NetMon 3.4 trace files
                    dissected incorrectly
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: tyson.key@xxxxxxxxx


Build Information:
Version 1.5.0-SVN-34381 (SVN Rev 34381 from /trunk)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.6, (64-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, without
SMI, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5, with
Gcrypt 1.4.5, without Kerberos, with GeoIP, with PortAudio V19-devel (built Oct 
5 2010), with AirPcap.

Running on 64-bit Windows 7, build 7600, with WinPcap version 4.1.2 (packet.dll
version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008),
GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
It appears that even after enabling the "Assume packets have FCS" preferences
option, certain non-Data/Management frames (e.g. Beacons) that are considered
to be valid according to Microsoft Network Monitor 3.4 are marked as being
malformed, due to the presence of additional (FCS) data appended to the
aforementioned types of frames.

Ideally, Wireshark should either ignore this extraneous data, or attempt to
parse it as an FCS - instead of as random garbage.

For example, frame 7 in the attached trace file has an FCS value of 0x6475CC1B
according to NetMon:

  Frame: Number = 7, Captured Frame Length = 201, MediaType = WiFi
- WiFi: [ ManagementBeacon] ....... RSSI = -58 dBm, Rate = 1.0 Mbps, SSID =
uobroamnet, Channel = 1
  - MetaData: RSSI = -58 dBm, Rate = 1.0 Mbps
     Version: 2 (0x2)
     Length: 32 (0x20)
   - OpMode: Monitor Mode
      StationMode:           (...............................0) Not Station
Mode
      APMode:                (..............................0.) Not AP Mode
      ExtensibleStationMode: (.............................0..) Not Extensible
Station Mode
      Unused:                (.0000000000000000000000000000...)
      MonitorMode:           (1...............................) Monitor Mode
     Flags: 0 (0x0)
     PhyType: 802.11n
     Channel: Undefined channel with center frequency 2412, Center Frequency:
2412 MHz
     lRSSI: -58 dBm
     Rate: 1.0 Mbps
     TimeStamp: 10/05/2010, 08:57:18.935962 UTC
  - FrameControl: Version 0,Management, Beacon, .......(0x80)
     Version:        (..............00) 0
     Type:           (............00..) Management
     SubType:        (........1000....) Beacon
     DS:             (......00........) Ad hoc network
     MoreFrag:       (.....0..........) No
     Retry:          (....0...........) No
     PowerMgt:       (...0............) Active Mode
     MoreData:       (..0.............) No
     ProtectedFrame: (.0..............) No
     Order:          (0...............) Unordered
    Duration: 0 (0x0)
    DA: *BROADCAST
    SA: Cisco Systems BFBE61
    BSSID: Cisco Systems BFBE61
  - SequenceControl: Sequence Number = 1085
     FragmentNumber: (............0000) 0
     SequenceNumber: (010000111101....) 1085
  - Beacon: Beacon with SSID [uobroamnet]
     TimeStamp: 3254703309230 microsecond(s)
     BeaconInterval: 100 ms
   - Capability: 0x2104
      ESS:                (...............1) Extended service set used
      IBSS:               (..............0.) Independent basic service set Not
used
      CF:                 (............00..) No PC at non-QoS AP
      Privacy:            (...........0....) Not required
      ShortPreamble:      (..........1.....) Allowed
      PBCCModulation:     (.........0......) Not Allowed
      ChannelAgility:     (........0.......) No
      SpectrumManagement: (.......0........) Not Required
      QoS:                (......0.........) Not Implemented
      ShortSlotTime:      (.....1..........) Enabled
      APSD:               (....0...........) Not Implemented
      RadioMeasurement:   (...0............) Disabled
      DSSSOFDM:           (..0.............) Not Allowed
      DelayedBlockAck:    (.0..............) Not Implemented
      ImmediateBlockAck:  (0...............) Not Implemented
   - InformationElements: 
    - ssid: uobroamnet
       ElementID: SSID
       Length: 10 (0xA)
       SSID: uobroamnet
    - rates: 1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0
       ElementID: Supported Rates
       Length: 8 (0x8)
     - Rate: Mandatory BitRate = 1.0 Mbps
        Rate: (.0000010) 1.0 Mbps
        Type: (1.......) Rate contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 2.0 Mbps
        Rate: (.0000100) 2.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 5.5 Mbps
        Rate: (.0001011) 5.5 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 6.0 Mbps
        Rate: (.0001100) 6.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 9.0 Mbps
        Rate: (.0010010) 9.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 11.0 Mbps
        Rate: (.0010110) 11.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 12.0 Mbps
        Rate: (.0011000) 12.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 18.0 Mbps
        Rate: (.0100100) 18.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
    - Channel: 1
       ElementID: Channel
       Length: 1 (0x1)
       CurrentChannel: 1 (0x1)
    - TIM: DTIMCount = 0, DTIMPeriod = 2
       ElementID: ATIM
       Length: 5 (0x5)
       DTIMCount: The current TIM is a DTIM
       DTIMPeriod: 2
     - BitmapControl: 12 (0xC)
        TrafficIndicator: (.......0) None broadcast or multicast frames are
buffered at the AP
        BitmapOffset:     (0000110.) 6
     - VirtualBitmap: 
        VirtualBitmap: 16 (0x10)
        VirtualBitmap: 32 (0x20)
    - Country: GB 
       ElementID: Country
       Length: 6 (0x6)
       CountryString: GB 
       FirstChannelNumber: 1 (0x1)
       NumChannels: 13 (0xD)
       MaxTransmitPowerLevel: 17 dBm
    - ERP: No Non-802.11g STA present
       ElementID: ERP
       Length: 1 (0x1)
     - Flags: 
        NonERPPresent:   (.......0) There are no NonERP STAs associated with
the BSS
        Protection:      (......1.) Use Protection
        Preamble:        (.....0..) Preamble type not advocated
        Reserved:        (00000...)
    - ExtendedRates: 24.0, 36.0, 48.0, 54.0
       ElementID: Extended supported rates
       Length: 4 (0x4)
     - Rate: Optional BitRate = 24.0 Mbps
        Rate: (.0110000) 24.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 36.0 Mbps
        Rate: (.1001000) 36.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 48.0 Mbps
        Rate: (.1100000) 48.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
     - Rate: Optional BitRate = 54.0 Mbps
        Rate: (.1101100) 54.0 Mbps
        Type: (0.......) Rate NOT contained in the BSSBasicRateSet parameter
    - UnknownIE: 
       ElementID: Cisco proprietary
       Length: 30 (0x1E)
       Data: Binary Large Object (30 Bytes)
    - VendorSpecificInfo: OUI=Cisco Systems, Inc., FieldType=Unknown
       ElementID: Vendor Specific Information
       Length: 6 (0x6)
       OUI: 00-40-96(Cisco Systems, Inc.)
       Data: Binary Large Object (3 Bytes)
    - VendorSpecificInfo: OUI=Cisco Systems, Inc., FieldType=Unknown
       ElementID: Vendor Specific Information
       Length: 5 (0x5)
       OUI: 00-40-96(Cisco Systems, Inc.)
       Data: Binary Large Object (2 Bytes)
    - VendorSpecificInfo: OUI=Cisco Systems, Inc., FieldType=Unknown
       ElementID: Vendor Specific Information
       Length: 5 (0x5)
       OUI: 00-40-96(Cisco Systems, Inc.)
       Data: Binary Large Object (2 Bytes)
    - VendorSpecificInfo: OUI=MICROSOFT CORP., FieldType=WMM
       ElementID: Vendor Specific Information
       Length: 24 (0x18)
       OUI: 00-50-F2(MICROSOFT CORP.)
     - WMM: WMM Parameter Element
        OUIType: WMM
        OUISubType: WMM Parameter Element
        Version: 1 (0x1)
      - ACParam: 
       - QosInfo: 
          ACVO:        (.......0) Disabled
          ACVI:        (......1.) Enabled
          ACBK:        (.....0..) Disabled
          ACBE:        (....0...) Disabled
          QAck:        (...0....) MIB attribute dot11QAckOptionImplemented is
false
          MaxSPLength: (.00.....) Incorrect formatter specifier for type: %d
          MoreDataAck: (1.......) Can process Ack frames with the More Data bit
set to 1
         Reserved: 0 (0x0)
       - EDCAParameterAC: ACI = Best effort
          AIFSN:    (....0011) 3
          ACM:      (...0....) Admission Control not required
          ACI:      (.00.....) Best effort
          Reserved: (0.......)
          ECWmin:   (....0100) 4
          ECWmax:   (1010....) 10
          TXOPLimit: 0 microsecond(s)
       - EDCAParameterAC: ACI = Background
          AIFSN:    (....0111) 7
          ACM:      (...0....) Admission Control not required
          ACI:      (.01.....) Background
          Reserved: (0.......)
          ECWmin:   (....0100) 4
          ECWmax:   (1010....) 10
          TXOPLimit: 0 microsecond(s)
       - EDCAParameterAC: ACI = Video
          AIFSN:    (....0010) 2
          ACM:      (...0....) Admission Control not required
          ACI:      (.10.....) Video
          Reserved: (0.......)
          ECWmin:   (....0011) 3
          ECWmax:   (0100....) 4
          TXOPLimit: 3008 microsecond(s)
       - EDCAParameterAC: ACI = Voice
          AIFSN:    (....0010) 2
          ACM:      (...0....) Admission Control not required
          ACI:      (.11.....) Voice
          Reserved: (0.......)
          ECWmin:   (....0010) 2
          ECWmax:   (0011....) 3
          TXOPLimit: 1504 microsecond(s)
    FCS: 0x6475CC1B

Ignoring differences in output styles and support for individual tag types,
Wireshark incorrectly decodes frame 7's FCS as a tag of a "reserved" type:

No.     Time        Source                Destination           Protocol Info
      7 -0.445368   Cisco_bf:be:61        Broadcast             IEEE 802.11
Beacon frame, SN=1085, FN=0, Flags=........C, BI=100, SSID="uobroamnet",
Name="rbap01"

Frame 7: 201 bytes on wire (1608 bits), 201 bytes captured (1608 bits)
    Arrival Time: Oct  5, 2010 09:57:18.935792000 GMT Daylight Time
    Epoch Time: 1286269038.935792000 seconds
    [Time delta from previous captured frame: -0.216229000 seconds]
    [Time delta from previous displayed frame: -0.216229000 seconds]
    [Time since reference or first frame: -0.445368000 seconds]
    Frame Number: 7
    Frame Length: 201 bytes (1608 bits)
    Capture Length: 201 bytes (1608 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: netmon_802_11:wlan]
NetMon 802.11 capture header
    Header revision: 2
    Header length: 32
    Operation mode: 0x80000000
        .... .... .... .... .... .... .... ...0 = Station mode: 0x00000000
        .... .... .... .... .... .... .... ..0. = AP mode: 0x00000000
        .... .... .... .... .... .... .... .0.. = Extensible station mode:
0x00000000
        1... .... .... .... .... .... .... .... = Monitor mode: 0x00000001
    PHY type: 802.11n (7)
    Center frequency: 2412 Mhz
    RSSI: -58 dBm
    Data rate: 1.000000 Mb/s
    Timestamp: 129307426389359624
IEEE 802.11 Beacon frame, Flags: ........C
    Type/Subtype: Beacon frame (0x08)
    Frame Control: 0x0080 (Normal)
        Version: 0
        Type: Management frame (0)
        Subtype: 8
        Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in
AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Source address: Cisco_bf:be:61 (00:11:21:bf:be:61)
    BSS Id: Cisco_bf:be:61 (00:11:21:bf:be:61)
    Fragment number: 0
    Sequence number: 1085
    Frame check sequence: 0x6475cc1b [correct]
        [Good: True]
        [Bad: False]
IEEE 802.11 wireless LAN management frame
    Fixed parameters (12 bytes)
        Timestamp: 0x000002F5CB6F41AE
        Beacon Interval: 0.102400 [Seconds]
        Capability Information: 0x0421
            .... .... .... ...1 = ESS capabilities: Transmitter is an AP
            .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
            .... ..0. .... 00.. = CFP participation capabilities: No point
coordinator at AP (0x0000)
            .... .... ...0 .... = Privacy: AP/STA cannot support WEP
            .... .... ..1. .... = Short Preamble: Short preamble allowed
            .... .... .0.. .... = PBCC: PBCC modulation not allowed
            .... .... 0... .... = Channel Agility: Channel agility not in use
            .... ...0 .... .... = Spectrum Management:
dot11SpectrumManagementRequired FALSE
            .... .1.. .... .... = Short Slot Time: Short slot time in use
            .... 0... .... .... = Automatic Power Save Delivery: apsd not
implemented
            ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed
            .0.. .... .... .... = Delayed Block Ack: delayed block ack not
implemented
            0... .... .... .... = Immediate Block Ack: immediate block ack not
implemented
    Tagged parameters (129 bytes)
        SSID parameter set
            Tag Number: 0 (SSID parameter set)
            Tag length: 10
            Tag interpretation: uobroamnet: "uobroamnet"
        Supported Rates: 1.0(B) 2.0 5.5 6.0 9.0 11.0 12.0 18.0 
            Tag Number: 1 (Supported Rates)
            Tag length: 8
            Tag interpretation: Supported rates: 1.0(B) 2.0 5.5 6.0 9.0 11.0
12.0 18.0  [Mbit/sec]
        DS Parameter set: Current Channel: 1
            Tag Number: 3 (DS Parameter set)
            Tag length: 1
            Tag interpretation: Current Channel: 1
            Current Channel: 1
        Traffic Indication Map (TIM): DTIM 0 of 2 bitmap 100 109
            Tag Number: 5 (Traffic Indication Map (TIM))
            TIM length: 5
            DTIM count: 0
            DTIM period: 2
            Bitmap Control: 0x0C (mcast:0, bitmap offset 6)
            Bitmap: traffic for AID's: 100 109
        Country Information: Country Code: GB, Any Environment
            Tag Number: 7 (Country Information)
            Tag length: 6
            Tag interpretation: Country Code: GB, Any Environment
              Start Channel: 1, Channels: 13, Max TX Power: 17 dBm
        ERP Information: no Non-ERP STAs, use protection, short or long
preambles
            Tag Number: 42 (ERP Information)
            Tag length: 1
            Tag interpretation: ERP info: 0x2 (no Non-ERP STAs, use protection,
short or long preambles)
        Extended Supported Rates: 24.0 36.0 48.0 54.0 
            Tag Number: 50 (Extended Supported Rates)
            Tag length: 4
            Tag interpretation: Supported rates: 24.0 36.0 48.0 54.0 
[Mbit/sec]
        Cisco CCX1 CKIP + Device Name
            Tag Number: 133 (Cisco CCX1 CKIP + Device Name)
            Tag length: 30
            Tag interpretation: Unknown + Name: rbap01 #Clients: 8
        Vendor Specific: Aironet: Aironet Unknown
            Tag Number: 221 (Vendor Specific)
            Tag length: 6
            Vendor: Aironet
            Aironet IE type: Unknown (1)
            Aironet IE data: 0101
        Vendor Specific: Aironet: Aironet CCX version = 4
            Tag Number: 221 (Vendor Specific)
            Tag length: 5
            Vendor: Aironet
            Aironet IE type: CCX version (3)
            Aironet IE CCX version?: 4
        Vendor Specific: Aironet: Aironet Unknown
            Tag Number: 221 (Vendor Specific)
            Tag length: 5
            Vendor: Aironet
            Aironet IE type: Unknown (11)
            Aironet IE data: 01
        Vendor Specific: Microsof: WME
            Tag Number: 221 (Vendor Specific)
            Tag length: 24
            Vendor: Microsof
            Tag interpretation: WME PE: type 2, subtype 1, version 1, parameter
set 130
            Tag interpretation: WME AC Parameters: ACI 0 (Best Effort),
Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 10, TXOP 0
            Tag interpretation: WME AC Parameters: ACI 1 (Background),
Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 10, TXOP 0
            Tag interpretation: WME AC Parameters: ACI 2 (Video), Admission
Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 4, TXOP 94
            Tag interpretation: WME AC Parameters: ACI 3 (Voice), Admission
Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 3, TXOP 47

Thanks in advance.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.