Wireshark-dev: Re: [Wireshark-dev] Get "Malformed Packet" for 802.11 Beacon frames on Windows

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Tue, 12 Apr 2016 15:06:27 +0800
Hi Guy,

Thanks a lot! I must admit that your help has greatly saved my efforts.

As you have said in a previous post:

> provide a radiotap Flags field with 0x10 set if the frame includes the FCS (you'll probably have to experiment a bit to see whether you get the FCS or not - the answer might differ for data and management frames, based on Network Monitor's behavior) and with 0x40 set if DOT11_RECV_FLAG_RAW_PACKET_FCS_FAILURE is set in uReceiveFlags;

So the question is how to determine if the 802.11 packet has FCS or not?

In that capture file, I found that only Beacon (like Frame 40) and Reassociation Response (like Frame 47) packets have the "Malformed Packet" error (I guess Reassociation Response is the same error?).
But I don't think determination based on whether the packet is Beacon or Reassociation Response is good. Because maybe for another wireless adapter, this behavior might change. And it's inappropriate for Npcap to parse the contents of a packet so deeply.


Cheers,
Yang



On Tue, Apr 12, 2016 at 2:18 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> On Apr 11, 2016, at 10:53 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:
>
> > I'm not an expert of 802.11 protocols, so can anyone point out what's wrong here?
>
> Frame 40 has an FCS, but the "FCS at end" flag in the Flags field of the radiotap header is 0, and Wireshark thus doesn't think it has an FCS at the end, and thinks it has an extra 4 bytes of payload.
>
> Try, by default, turning that flag *on*, and then see if any packets that don't have a valid FCS don't have an FCS at all, rather than having an invalid FCS.
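
One offline way to run the experiment discussed above, as an added example (not from this thread, and not Npcap or Wireshark code): for frames the driver did not flag as FCS failures, check whether the last 4 bytes are the CRC-32 of the rest, and tally the result per frame type, since the answer may differ for data and management frames. It assumes the FCS, when delivered, appears as the standard CRC-32 in little-endian byte order; the function names and sample frames are constructed for illustration.

```python
import zlib
from collections import Counter, defaultdict

RADIOTAP_F_FCS = 0x10     # radiotap Flags: frame includes FCS at end
RADIOTAP_F_BADFCS = 0x40  # radiotap Flags: frame failed the FCS check
TYPES = ("management", "control", "data", "extension")

def trailing_fcs_ok(frame: bytes) -> bool:
    """True if the last 4 bytes are the CRC-32 of the bytes before them."""
    if len(frame) < 14:  # shortest 802.11 frame: 10-byte ACK/CTS + 4-byte FCS
        return False
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")

def survey(frames):
    """Tally per frame type whether frames end in a valid FCS.

    frames: iterable of (raw_802_11_bytes, driver_reported_fcs_failure).
    """
    tally = defaultdict(Counter)
    for raw, fcs_failure in frames:
        ftype = TYPES[(raw[0] >> 2) & 0x3]  # Type bits of Frame Control
        if fcs_failure:
            # A failed frame cannot be classified by CRC; count it separately.
            tally[ftype]["driver_flagged_bad"] += 1
        elif trailing_fcs_ok(raw):
            tally[ftype]["fcs_present"] += 1
        else:
            tally[ftype]["no_fcs"] += 1
    return tally

def radiotap_flags(includes_fcs: bool, fcs_failure: bool) -> int:
    """Flags byte as described in the quoted post: 0x10 for FCS, 0x40 for bad FCS."""
    return (RADIOTAP_F_FCS if includes_fcs else 0) | \
           (RADIOTAP_F_BADFCS if fcs_failure else 0)

# --- Constructed sample frames (not taken from the capture in this thread) ---
def _with_fcs(body: bytes) -> bytes:
    return body + zlib.crc32(body).to_bytes(4, "little")

_ADDRS = bytes.fromhex("ffffffffffff" "020000000001" "020000000001")
_BEACON = (bytes.fromhex("80000000") + _ADDRS + bytes(2) + bytes(8)
           + bytes.fromhex("64000104") + b"\x00\x04test")
_DATA = bytes.fromhex("08000000") + _ADDRS + bytes(2) + b"constructed payload"
SAMPLES = [(_with_fcs(_BEACON), False),                # beacon delivered with FCS
           (_DATA, False),                             # data frame delivered without FCS
           (_with_fcs(_BEACON)[:-1] + b"\x00", True)]  # damaged, flagged by driver

if __name__ == "__main__":
    for ftype, counts in survey(SAMPLES).items():
        print(ftype, dict(counts))
```

If a frame type shows up almost entirely under `fcs_present`, the adapter is delivering the FCS for that type and 0x10 belongs in the radiotap Flags field for it.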