Wireshark-dev: Re: [Wireshark-dev] UI for packets differing by a checksum on the end

From: Jon Smirl <jonsmirl@xxxxxxxxx>
Date: Thu, 29 Jul 2010 19:35:42 -0400
On Thu, Jul 29, 2010 at 4:56 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Jul 29, 2010, at 1:18 PM, Jon Smirl wrote:
>
>> The hardware that is leaving the FCS on encapsulates them as Ethernet
>> frames with an Ethertype of 0x809a.
>
> OK, so these *aren't* native 802.15.4 captures, in the sense that the link-layer header at the beginning of the raw frame data isn't an 802.15.4 header, it's an Ethernet header.
>
> In that case, the WTAP_ENCAP_ values are completely irrelevant; the WTAP_ENCAP_ value for the packets in question is, and should be, WTAP_ENCAP_ETHERNET.  Don't even bother defining WTAP_ENCAP_IEEE802_15_4_NOFCS.
>
> So what does the hardware that *doesn't* include the FCS use?  Is it encapsulating them inside Ethernet frames?  If so, what Ethernet type does it use?  Does it also use 0x809a?  If so, could it choose a different Ethertype, so that programs that see those frames can automatically determine whether there's an FCS or not?

I sent you capture files from each device. For these displays I've
hacked (previous patch) on Wireshark to keep it from failing on the
FCS discrepancies.

Note that the second one (Ethernet encapsulated) includes:     FCS:
0xef94 (Correct)

I need a mechanism to reliably tell me when to add back in the missing
two bytes for the FCS:
   new_tvb = tvb_new_subset(tvb, 0, -1,
tvb_reported_length(tvb)+IEEE802154_FCS_LEN);

Conversely I could look for Ethertype 0x809a and remove the last two bytes.

Example packet from the non-FCS device:
No.     Time        Source                Destination           Protocol Info
      3 4.888311    ::                    ff02::2               ICMPv6
  RPL Routing (DODAG Information Solicitation)

Frame 3: 25 bytes on wire (200 bits), 25 bytes captured (200 bits)
    Arrival Time: Jul 25, 2010 13:07:36.294207000 EDT
    Epoch Time: 1280077656.294207000 seconds
    [Time delta from previous captured frame: 4.488115000 seconds]
    [Time delta from previous displayed frame: 4.488115000 seconds]
    [Time since reference or first frame: 4.888311000 seconds]
    Frame Number: 3
    Frame Length: 25 bytes (200 bits)
    Capture Length: 25 bytes (200 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: wpan:6lowpan:ipv6:icmpv6]
    [Coloring Rule Name: ICMP]
    [Coloring Rule String: icmp || icmpv6]
IEEE 802.15.4 Data, Dst: Broadcast, Src: IeeeRegi_ff:fe:a8:c5:45
    Frame Control Field: Data (0xc841)
        .... .... .... .001 = Frame Type: Data (0x0001)
        .... .... .... 0... = Security Enabled: False
        .... .... ...0 .... = Frame Pending: False
        .... .... ..0. .... = Acknowledge Request: False
        .... .... .1.. .... = Intra-PAN: True
        .... 10.. .... .... = Destination Addressing Mode: Short/16-bit (0x0002)
        ..00 .... .... .... = Frame Version: 0
        11.. .... .... .... = Source Addressing Mode: Long/64-bit (0x0003)
    Sequence Number: 109
    Destination PAN: 0xabcd
    Destination: 0xffff
    Source: IeeeRegi_ff:fe:a8:c5:45 (00:50:c2:ff:fe:a8:c5:45)
6LoWPAN
    IPHC Header
        011. .... = Pattern: IP header compression (3)
        ...1 1... .... .... = Traffic class and flow label: Version,
traffic class, and flow label compressed (0x0003)
        .... .0.. .... .... = Next header: Inline
        .... ..10 .... .... = Hop limit: 64 (0x0002)
        .... .... 0... .... = Context identifier extension: False
        .... .... .1.. .... = Source address compression: Stateful
        .... .... ..00 .... = Source address mode: Inline (0x0000)
        .... .... .... 1... = Multicast address compression: True
        .... .... .... .0.. = Destination address compression: Stateless
        .... .... .... ..11 = Destination address mode: 8-bits inline (0x0003)
    Next header: ICMPv6 (0x3a)
    Source: :: (::)
    Destination: ff02::2 (ff02::2)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 6
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: :: (::)
    Destination: ff02::2 (ff02::2)
Internet Control Message Protocol v6
    Type: 155 (RPL Routing)
    Code: 0 (DODAG Information Solicitation)
    Checksum: 0x65ba [correct]
    Reserved: 0 (Should always be zero)

Example packet from the device that caputes FCS:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    fe80::f025            ff02::2               ICMPv6
  RPL Routing (DODAG Information Object)

Frame 1: 107 bytes on wire (856 bits), 107 bytes captured (856 bits)
    Arrival Time: Jun 23, 2010 10:18:45.373396000 EDT
    Epoch Time: 1277302725.373396000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 107 bytes (856 bits)
    Capture Length: 107 bytes (856 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:wpan:6lowpan:ipv6:icmpv6]
    [Coloring Rule Name: ICMP]
    [Coloring Rule String: icmp || icmpv6]
Ethernet II, Src: 7a:fb:9f:81:5a:81 (7a:fb:9f:81:5a:81), Dst:
af:ab:ac:ad:ae:af (af:ab:ac:ad:ae:af)
    Destination: af:ab:ac:ad:ae:af (af:ab:ac:ad:ae:af)
    Source: 7a:fb:9f:81:5a:81 (7a:fb:9f:81:5a:81)
    Type: Unknown (0x809a)
IEEE 802.15.4 Data, Dst: Broadcast, Src: 02:00:00:00:00:00:f0:25
    Frame Control Field: Data (0xc841)
        .... .... .... .001 = Frame Type: Data (0x0001)
        .... .... .... 0... = Security Enabled: False
        .... .... ...0 .... = Frame Pending: False
        .... .... ..0. .... = Acknowledge Request: False
        .... .... .1.. .... = Intra-PAN: True
        .... 10.. .... .... = Destination Addressing Mode: Short/16-bit (0x0002)
        ..00 .... .... .... = Frame Version: 0
        11.. .... .... .... = Source Addressing Mode: Long/64-bit (0x0003)
    Sequence Number: 181
    Destination PAN: 0xabcd
    Destination: 0xffff
    Source: 02:00:00:00:00:00:f0:25 (02:00:00:00:00:00:f0:25)
    FCS: 0xef94 (Correct)
6LoWPAN
    IPHC Header
        011. .... = Pattern: IP header compression (3)
        ...1 1... .... .... = Traffic class and flow label: Version,
traffic class, and flow label compressed (0x0003)
        .... .0.. .... .... = Next header: Inline
        .... ..10 .... .... = Hop limit: 64 (0x0002)
        .... .... 0... .... = Context identifier extension: False
        .... .... .0.. .... = Source address compression: Stateless
        .... .... ..11 .... = Source address mode: Compressed (0x0003)
        .... .... .... 1... = Multicast address compression: True
        .... .... .... .0.. = Destination address compression: Stateless
        .... .... .... ..11 = Destination address mode: 8-bits inline (0x0003)
    Next header: ICMPv6 (0x3a)
    Source: fe80::f025 (fe80::f025)
    Destination: ff02::2 (ff02::2)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 72
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: fe80::f025 (fe80::f025)
    Destination: ff02::2 (ff02::2)
Internet Control Message Protocol v6
    Type: 155 (RPL Routing)
    Code: 1 (DODAG Information Object)
    Checksum: 0x677a [correct]
    RPLInstanceID: 0
    Version: 0
    Rank: 1
    Flags: 0xea
    DTSN: 3
    Reserved: 0 (Should always be zero)
    Dodagid: 1111:11::1100 (1111:11::1100)
    ICMPv6 Option (DODAG Configuration)
    ICMPv6 Option (Prefix Information)




> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>



-- 
Jon Smirl
jonsmirl@xxxxxxxxx