Wireshark-users: [Wireshark-users] 802.11 frame data not decoded
From: Steve Magoun <steve@xxxxxxxxxx>
Date: Thu, 10 Aug 2006 17:11:36 -0400
Hi,

I'm using Wireshark 0.99.2 to view some 802.11 traffic captured by Kismet 2006-04-R1. Wireshark correctly interprets the Kismet output as IEEE 802.11 frames but doesn't fully decode the data inside - the packet details pane has only "Frame," "IEEE 802.11," and "Data" sections. I'm tracing some DHCP problems, and I was hoping Wireshark would break down the 580-byte data section in my sample (enclosed; see below) as IP/UDP/DHCP rather than just a raw hex dump. I checked the data section by hand and it appears that it is indeed a DHCP request message (as I expected). This problem affects all non-management packets in my dump file.
I've tried this with the same results using Ethereal 0.10-12, 0.99.0, and Wireshark 0.99.2 (all on OS X 10.4.7). Fiddling with the Wireshark protocol options for IEEE 802.11 didn't help. What am I doing wrong?
802.11 frame exported as text:
No.     Time        Source                Destination           Protocol     Info
    593 20.780987   U-MediaC_02:9e:32     Broadcast             IEEE 802.11  Data,SN=0,FN=0

Frame 593 (612 bytes on wire, 612 bytes captured)
    Arrival Time: Aug 10, 2006 11:31:31.210589000
    Time delta from previous packet: -2.341919000 seconds
    Time since reference or first frame: 20.780987000 seconds
    Frame Number: 593
    Packet Length: 612 bytes
    Capture Length: 612 bytes
    Frame is marked: False
    Protocols in frame: wlan:data
IEEE 802.11
    Type/Subtype: Data (32)
    Frame Control: 0x4108 (Normal)
        Version: 0
        Type: Data frame (2)
        Subtype: 0
        Flags: 0x41
            DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x01)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .1.. .... = Protected flag: Data is protected
            0... .... = Order flag: Not strictly ordered
    Duration: 1
    BSS Id: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Source address: U-MediaC_02:9e:32 (00:11:e0:02:9e:32)
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Fragment number: 0
    Sequence number: 0
    WEP parameters
        Initialization Vector: 0x81e5bd
        Key Index: 0
        WEP ICV: 0x00000000 (not verified)
Data (580 bytes)

0000  08 41 01 00 00 00 00 00 00 00 00 11 e0 02 9e 32  .A.............2
0010  ff ff ff ff ff ff 00 00 81 e5 bd 00 aa aa 03 00  ................
0020  00 00 08 00 45 00 02 40 00 00 40 00 10 11 68 ae  ....E..@..@...h.
0030  00 00 00 00 ff ff ff ff 00 44 00 43 02 2c 12 93  .........D.C.,..
0040  01 01 06 00 46 dc 1f 02 00 00 00 00 00 00 00 00  ....F...........
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 11 e0 02  ................
0060  9e 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .2..............
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63  ............c.Sc
0130  35 01 01 39 02 02 24 37 06 01 03 06 0f 1c 0c 33  5..9..$7.......3
0140  04 00 00 a8 c0 ff 00 00 00 00 00 00 00 00 00 00  ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0260  00 00 00 00                                      ....
Thanks, Steve
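
Added example, not part of the original post or of Wireshark: a Python script that redoes the hand check described in the message on frame 593. It assumes a 3-address, non-QoS header (24 bytes) and a 4-byte WEP IV/key-index field when the Protected bit is set; FRAME is rebuilt from the dump's non-zero bytes plus zero fill, and decode_data_frame and parse_options are hypothetical names.

```python
import struct

# Frame 593, rebuilt from the non-zero bytes of the post's hex dump plus zero fill.
FRAME = (
    bytes.fromhex("084101000000000000000011e0029e32ffffffffffff0000")  # 802.11 header
    + bytes.fromhex("81e5bd00")                       # WEP IV + key index byte
    + bytes.fromhex("aaaa030000000800")               # LLC/SNAP, EtherType IPv4
    + bytes.fromhex("4500024000004000101168ae00000000ffffffff")  # IPv4 header
    + bytes.fromhex("00440043022c1293")               # UDP header
    + bytes.fromhex("0101060046dc1f02") + bytes(20)   # BOOTP op..xid, secs..giaddr
    + bytes.fromhex("0011e0029e32") + bytes(202)      # chaddr, sname, file
    + bytes.fromhex("6382536335010139020224" "37060103060f1c0c33040000a8c0ff")
).ljust(612, b"\x00")

def parse_options(data):
    """Walk DHCP options (code, length, value) up to End (255)."""
    opts, i = {}, 0
    while i + 1 < len(data) and data[i] != 255:
        if data[i] == 0:                              # Pad option has no length byte
            i += 1
            continue
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def decode_data_frame(frame):
    """Decode a 3-address, non-QoS 802.11 data frame down to DHCP if the body is clear."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:
        raise ValueError("not an 802.11 data frame")
    out = {"protected": bool(frame[1] & 0x40)}
    body = frame[28:] if out["protected"] else frame[24:]   # skip 4-byte IV field
    # A readable LLC/SNAP header here means the body is not ciphertext.
    out["cleartext"] = body[:6] == bytes.fromhex("aaaa03000000")
    ip = body[8:]
    if not out["cleartext"] or body[6:8] != b"\x08\x00" or len(ip) < 20:
        return out
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]            # bound by IP total length
    if ip[9] != 17 or len(udp) < 8:
        return out
    out["udp_ports"] = struct.unpack("!HH", udp[:4])
    bootp = udp[8:]
    if bootp[236:240] != bytes.fromhex("63825363"):          # DHCP magic cookie
        return out
    out.update(bootp_op=bootp[0], xid=bootp[4:8].hex(),
               chaddr=bootp[28:34].hex(":"), options=parse_options(bootp[240:]))
    return out
```

On this frame the result has protected and cleartext both true and DHCP option 53 equal to 1 (Discover): the Protected bit is set, yet the bytes after the IV field are a readable LLC/SNAP header followed by IP/UDP/DHCP.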