Vincent Magnin wrote:
> Hi All,
>
> I am a user of Wireshark 1.0 and I use the AirPcap N card for my Wifi
> analysis.
>
> I've problems with IEEE 802.11n aggregated A-MPDU data (using fields mode):
>
> - How can I have access, with tshark, to a specific A-MPDU?
>
>> tshark -T fields -e frame.number -e wlan.sa -e wlan.da -e
>> wlan.fcs_good -r sample.pcap
>
> Packet 15 shows data of only 1 A-MPDU.
>
> Is it possible to do things like:
>
>> tshark -T fields -e frame.number -e wlan_aggregate[n].wlan.sa -e
>> wlan_aggregate[n].wlan.da -e wlan_aggregate[n].wlan.fcs_good -r
>> sample.pcap
>
> Where n in wlan_aggregate[n] is the MPDU number.

Wireshark doesn't support this sort of notation for filter fields. However, you
can disable A-MPDU reassembly via "Edit->Preferences->Protocols->PPI->Reassemble
fragmented 802.11 A-MPDUs". This will make each MPDU show up as a separate
frame. You can tell which MPDUs are part of the same aggregate by using
ppi.80211n-mac.ampdu_id (which is what Wireshark uses).
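
The grouping described in the reply, as an added example that is not part of the original thread: with reassembly disabled, the tshark command from the question is assumed to be run with `-e ppi.80211n-mac.ampdu_id` appended as a fifth field, and this script rebuilds the per-aggregate MPDU index `n` that was asked for. The sample lines are constructed, and the function names, the treatment of `1` as a good FCS, and the assumption that an ampdu_id is not reused within the capture are illustrative.

```python
from collections import defaultdict

# Column order of the assumed invocation (A-MPDU reassembly preference disabled):
#   tshark -T fields -e frame.number -e wlan.sa -e wlan.da -e wlan.fcs_good \
#          -e ppi.80211n-mac.ampdu_id -r sample.pcap
FIELDS = ("frame", "sa", "da", "fcs_good", "ampdu_id")

# Constructed sample output: tab-separated, one line per MPDU.
SAMPLE = (
    "14\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t1\t\n"
    "15\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t1\t0x0000002a\n"
    "16\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t0\t0x0000002a\n"
    "17\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t1\t0x0000002a\n"
    "18\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t1\t0x0000002b\n"
)


def index_mpdus(text):
    """Group rows by ampdu_id and number each MPDU within its aggregate.

    Returns {ampdu_id: [row, ...]}; every row gains 'n', its 0-based position
    in the aggregate. Frames with an empty ampdu_id (not part of an A-MPDU)
    are collected under the key None.
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))  # tolerate missing trailing fields
        row = dict(zip(FIELDS, cols))
        row["frame"] = int(row["frame"])
        key = row["ampdu_id"] or None
        row["n"] = len(groups[key])
        groups[key].append(row)
    return dict(groups)


def failed_mpdus(groups):
    """List (ampdu_id, n, frame) for aggregated MPDUs whose FCS check failed."""
    return [(aid, r["n"], r["frame"])
            for aid, rows in groups.items() if aid is not None
            for r in rows if r["fcs_good"] != "1"]  # assumption: "1" means FCS good


if __name__ == "__main__":
    for aid, rows in index_mpdus(SAMPLE).items():
        for r in rows:
            print(aid, r["n"], r["frame"], r["sa"], r["da"], r["fcs_good"])
```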