Wireshark-users: Re: [Wireshark-users] IEEE80211 Prism header dissecting problem ..

From: Hadriel Kaplan <hadrielk@xxxxxxxxx>
Date: Thu, 20 Mar 2014 08:37:25 -0700 (PDT)
I think the Prism dissector is being called, but then it hands it to normal 802.11 instead. I don't know anything about Prism packets, but the wireshark code appears to expect the Prism message codes (either 0x00000044 for type 1, or 0x00000041 for type 2) to be in little-endian order on-the-wire, whereas your packet has it in network-order (ie, big-endian) on-the-wire.

Since the wireshark code doesn't think it's a Prism message, the Prism dissector just calls the normal 802.11 dissector instead. At least that's what a quick look at the code looks like is happening.

If the wireshark code is in error, and Prism message codes are in network-order on-the-wire, please submit a bug.

-hadriel


On Thursday, March 20, 2014 10:14 AM, H.Jin Ko <ymir.kr@xxxxxxxxx> wrote:
Hello List.

I dumped wireless packet using tcpdump (DLT_PRISM_HEADER) on linux
(mips) and opened it in wireshark (v1.10.6) on win7.
Wireshark say its encapsulation type is "IEEE 802.11 plus Prism II
monitor mode radio header (21)" but didn't dissect prism header.
Raw packet has 144 bytes of PRISM header and WLAN's frame control is
started at 0x90.
But wireshark dissected frame control at 0x00 without Prism header.

Prism(Prism capture header) is already checked in Enabled Protocols.
I want to see correct dissected Prism header.
Is there something that I missing?

Thanks in advance.

- H.Jin


$ file out.cap
out.cap: tcpdump capture file (big-endian) - version 2.4 (802.11 with
Prism header, capture length 65535)

<snip>
Frame 24: 394 bytes on wire (3152 bits), 394 bytes captured (3152 bits)
    Encapsulation type: IEEE 802.11 plus Prism II monitor mode radio header (21)
    Arrival Time: Jan  1, 2014 09:03:51.007932000 대한민국 표준시
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1388534631.007932000 seconds
    [Time delta from previous captured frame: 0.076445000 seconds]
    [Time delta from previous displayed frame: 0.076445000 seconds]
    [Time since reference or first frame: 1.100408000 seconds]
    Frame Number: 24
    Frame Length: 394 bytes (3152 bits)
    Capture Length: 394 bytes (3152 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: prism:wlan]
IEEE 802.11 Association Request, Flags: ........
    Type/Subtype: Association Request (0x00)
    Frame Control Field: 0x0000
        .... ..00 = Version: 0
        .... 00.. = Type: Management frame (0)
        0000 .... = Subtype: 0
        Flags: 0x00
            .... ..00 = DS status: Not leaving DS or network is
operating in AD-HOC mode (To DS: 0 >From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .100 0100 0000 0000 = Duration: 17408 microseconds
    Receiver address: 00:00:00:90:61:74 (00:00:00:90:61:74)
    Destination address: 00:00:00:90:61:74 (00:00:00:90:61:74)
    Transmitter address: 68:30:00:00:00:00 (68:30:00:00:00:00)
    Source address: 68:30:00:00:00:00 (68:30:00:00:00:00)
    BSS Id: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Fragment number: 0
    Sequence number: 0

.......

0000  00 00 00 44 00 00 00 90 61 74 68 30 00 00 00 00  ...D....ath0....
0010  00 00 00 00 00 00 00 00 00 01 00 44 00 00 00 04  ...........D....
0020  ff ff bc 9f 00 02 00 44 00 00 00 04 0a ed 92 a3  .......D........
0030  00 03 00 44 00 00 00 04 00 00 00 99 00 04 00 44  ...D...........D
0040  00 00 00 04 00 00 00 1f 00 00 00 00 00 00 00 00  ................
0050  00 00 00 00 00 06 00 44 00 00 00 04 00 00 00 1f  .......D........
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 44  ...............D
0070  00 00 00 04 00 00 00 0b 00 09 00 44 00 00 00 04  ...........D....
0080  00 00 00 00 00 0a 00 44 00 00 00 04 00 00 00 fa  .......D........
0090  80 00 00 00 ff ff ff ff ff ff 20 e5 2a 06 d2 73  .......... .*..s
00a0  20 e5 2a 06 d2 73 f0 52 42 90 1a 69 8b 01 00 00    .*..s.RB..i....
00b0  64 00 11 00 00 0d 4e 45 54 47 45 41 52 5f 52 36  d.....NETGEAR_R6
00c0  33 30 30 01 08 8c 12 98 24 b0 48 60 6c 05 04 01  300.....$.H`l...
00d0  02 00 00 30 14 01 00 00 0f ac 04 01 00 00 0f ac  ...0............
00e0  04 01 00 00 0f ac 02 0c 00 2d 1a ef 09 1b ff ff  .........-......
00f0  ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0100  00 00 00 00 00 3d 16 99 0f 04 00 00 00 00 00 00  .....=..........
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 bf 0c b7  ................
0120  00 00 00 ea ff 00 00 ea ff 00 00 c0 05 00 97 00  ................
0130  00 00 dd 31 00 50 f2 04 10 4a 00 01 10 10 44 00  ...1.P...J....D.
0140  01 02 10 47 00 10 56 62 9f 41 f4 59 6f 3d b2 4e  ...G..Vb.A.Yo=.N
0150  40 d4 9a 47 e7 6a 10 3c 00 01 03 10 49 00 06 00  @..G.j.<....I...
0160  37 2a 00 01 20 dd 09 00 10 18 02 01 00 1c 00 00  7*.. ...........
0170  dd 18 00 50 f2 02 01 01 88 00 03 a4 00 00 27 a4  ...P..........'.
0180  00 00 42 43 bc 00 62 32 66 00                    ..BC..b2f.
</snip>
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe