Wireshark-dev: Re: [Wireshark-dev] clarification on 802.11 dissector

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Wed, 5 Dec 2018 16:52:12 -0800
On Wed, Dec 5, 2018 at 7:40 AM francisco javier sanchez-roselly
<franciscojavier.sanchezroselly@xxxxxxxx> wrote:
> hi Richard, i thank you for your fast answer.
> > On 5 Dec 2018, at 16:04, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
> >
> > On Wed, Dec 5, 2018 at 6:47 AM francisco javier sanchez-roselly
> > <franciscojavier.sanchezroselly@xxxxxxxx> wrote:
> >>
> >> hi All, i am checking some 802.11 frames and i have two doubts taking into account 802.11-2016 standard.
> >>
> >> the first one has to do with To DS and From DS bits. the dissector groups these bits as a ‘DS status’ field not defined in the standard. the meaning is clear, but in my opinion, this association breaks the endianness criterion for the rest of the frame fields.
> >
> > The code dealing with those two fields was likely written well before
> > IEEE80211-2016 or even IEEE80211-2012 were written. The standard may
> > have changed in that area.
> >
> >> my other suggestion refers to FCS field, as standard says the general convention is not followed for this field, and the highest order term is transmited first.
> >
> > I think you have misunderstood and perhaps you are looking at the way
> > we write the fields in a frame from left to right. The lowest order
> > bit of each field is first on the wire, and the frames will generally
> > be laid out in memory with the left most fields in the lowest
> > addresses. On little endian systems the lowest order bytes will be in
> > the lower addresses as well.
> my understanding after reading the standard and checking same capture frames is, little endian -first bit sent is the most significant- is used inside fields. the standard is clear when field size is greater than 8 bits -first octet sent the one containing the less significant bit-, but for fields smaller than 8 bits nothing is clearly stated and Wireshark presentation seems reasonable -first field sent is the one containing the less significant bit-.
> the point is that for FCS is literally says: 'Any field containinga CRC is an exception to this convention and is trasmitted commencing with the coefficient of the higest-order term.’ in my opinion this means the FCS is transmiitted a whole, not considering byte boundaries. in Wireshark CRC in wire is 0x3fca42e0 and the dissection is 0xe042ca3f, i guess the dissection should be 0x3fca42e0

You have raised an interesting question. I checked IEEE802.11-2016 and
it says exactly what you have said.

I would have to check the CRC checking code to see what it is doing,
and I have not done that yet, but perhaps we should be displaying the
CRC in the opposite order.

Richard Sharpe