Wireshark-dev: Re: [Wireshark-dev] Got "Radiotap data goes past the end of the radiotap header"

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Sun, 10 Apr 2016 00:11:25 +0800
Hi Guy,


On Sat, Apr 9, 2016 at 5:33 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Apr 9, 2016, at 1:09 AM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> However, most of the information in the radiotap header is zero, like below. The most commonly seen TSFT field (I thought) is not there. Although I didn't implement some fields like "Rate" yet, I still feel it's too blank?
> Maybe this is because the underlying network card driver doesn't implement so many 802.11 OOB data,

It could be:

        https://social.technet.microsoft.com/Forums/en-US/624a6148-f8ed-4be0-819e-924ae3cd3dda/wifi-in-netmon-dealing-with-broken-monitor-mode-implementations-in-the-drivers?forum=netmon

Michael Berg of Tamosoft has also noted that the quality of the metadata supplied by Native Wi-Fi drivers for Windows... *varies*.  (Unfortunately, I think that was in some tweets he posted, and Twitter makes it *really hard* to search - it seems not to find reply tweets, which I think his comments were.)

I'm not surprised if the WiFi and monitor support will not work on all hardware. Even for the current Wi-Fi version of Npcap with 802.11 data packets enabled, some hardware even causes a crash in certain conditions. So I will see how far this can go.
 

> One of my 802.11 packet's radiotap header is like this:
>
> --------------------------------------------------------
> Radiotap Header v0, Length 15
>   Header revision: 0
>   Header pad: 0
>   Header length: 15
>   Present flags
>   Flags: 0x00
>   Channel frequency: 0

If the channel frequency is 0, that probably means that it's not supplied, so don't provide a Channel field.

Is this a good behavior, not providing Channel? I think Channel contains two parts: 16 bits of flags and 16 bits of frequency. Even if the frequency is invalid, the flags are still there? If I remove the Channel field, the flags will also be gone.
 

>   Channel flags: 0x0000
>   SSI Signal: -47 dBm
> --------------------------------------------------------
>
>
> The only field with non-zero values is SSI Signal.
> sometimes -46 dBm, sometimes -47 dBm, but most of the time it is 0 dBm.

That might mean that it's not supplying a signal strength; it means "1 milliwatt", which seems to be a lot stronger than the signals I typically see, so it's probably not a valid value.

OK. I think I will just leave it as it is for now.


Cheers,
Yang
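The header discussed in this thread (version 0, length 15, with Flags, Channel and dBm antenna signal present) can be parsed with a small bounds-checked radiotap parser. The following is an added example, not code from Npcap or Wireshark; the 15-byte sample is constructed from the dump quoted above (present mask 0x2a = Flags | Channel | dBm antenna signal, signal -47 dBm), and the `sanity_check` heuristics (frequency 0 and 0 dBm treated as "probably not supplied") are the thread's own observations turned into warnings. Field alignment and sizes follow the radiotap specification; only the first present word is handled, and unknown bits make the parser stop rather than guess later offsets.

```python
import struct

# Radiotap present-flag bits handled here, from the radiotap specification:
# bit -> (alignment, size in bytes, struct format). Alignment is relative to
# the start of the radiotap header.
TSFT, FLAGS, RATE, CHANNEL, DBM_ANTSIGNAL, EXT = 0, 1, 2, 3, 5, 31
FIELD_LAYOUT = {
    TSFT:          (8, 8, "<Q"),
    FLAGS:         (1, 1, "<B"),
    RATE:          (1, 1, "<B"),
    CHANNEL:       (2, 4, "<HH"),   # frequency (MHz), then channel flags
    DBM_ANTSIGNAL: (1, 1, "<b"),    # signed dBm
}
FIELD_NAME = {TSFT: "tsft", FLAGS: "flags", RATE: "rate",
              CHANNEL: "channel", DBM_ANTSIGNAL: "dbm_antsignal"}

# Constructed sample matching the header quoted in the thread:
# version 0, pad 0, length 15, present 0x0000002a, Flags 0x00,
# one pad byte, Channel freq 0 / flags 0x0000, SSI signal -47 dBm (0xd1).
SAMPLE_HEADER = bytes.fromhex("00000f002a000000" "00" "00" "00000000" "d1")


class RadiotapError(ValueError):
    """Raised when the header is malformed or a field runs past its end."""


def parse_radiotap(buf):
    """Parse the radiotap header at the start of buf into a dict of fields."""
    if len(buf) < 8:
        raise RadiotapError("buffer too short for a radiotap header")
    version, pad, length = struct.unpack_from("<BBH", buf, 0)
    if version != 0:
        raise RadiotapError(f"unsupported radiotap version {version}")
    if length < 8 or length > len(buf):
        raise RadiotapError(f"declared header length {length} does not fit the buffer")
    (present,) = struct.unpack_from("<I", buf, 4)
    if present & (1 << EXT):
        raise RadiotapError("extended present words are not handled by this parser")

    fields = {"version": version, "length": length, "present": present}
    offset = 8
    for bit in range(EXT):          # fields appear in ascending bit order
        if not present & (1 << bit):
            continue
        if bit not in FIELD_LAYOUT:
            raise RadiotapError(f"unknown field bit {bit}; later offsets cannot be computed")
        align, size, fmt = FIELD_LAYOUT[bit]
        offset = (offset + align - 1) // align * align   # natural alignment
        if offset + size > length:
            # This is the condition behind "Radiotap data goes past the end
            # of the radiotap header": the present mask promises a field the
            # declared length cannot hold.
            raise RadiotapError(f"{FIELD_NAME[bit]} goes past the end of the radiotap header")
        values = struct.unpack_from(fmt, buf, offset)
        if bit == CHANNEL:
            fields["channel_frequency"], fields["channel_flags"] = values
        else:
            fields[FIELD_NAME[bit]] = values[0]
        offset += size
    fields["payload_offset"] = length
    return fields


def sanity_check(fields):
    """Return warnings for values that are present but look unsupplied."""
    warnings = []
    if fields.get("channel_frequency") == 0:
        warnings.append("channel frequency 0 MHz: driver probably did not supply a channel")
    if fields.get("dbm_antsignal") == 0:
        warnings.append("signal 0 dBm (1 mW) is implausibly strong; probably not supplied")
    return warnings


if __name__ == "__main__":
    parsed = parse_radiotap(SAMPLE_HEADER)
    print(parsed)
    for w in sanity_check(parsed):
        print("warning:", w)
```

Running the block on the constructed sample reports the -47 dBm signal and warns that the channel frequency of 0 is probably unsupplied; a header whose present mask claims a Channel field but whose declared length stops at 10 bytes raises `RadiotapError` instead of reading past the header.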
 
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe