Wireshark-users: Re: [Wireshark-users] IEEE80211 Prism header dissecting problem ..

From: "H.Jin Ko" <ymir.kr@xxxxxxxxx>
Date: Fri, 21 Mar 2014 11:33:09 +0900
Thanks for the update.
I installed Wireshark-win64-1.11.3-2058-7b6f0475.exe and saw a correct
prism header and wlan frame.

Attached is the dissected prism header.

- H.Jin


<snip>
No.     Time        Source                S.Port Destination        D.Port Protocol Length Info
      2 0.007733    20:e5:2a:06:d2:73            ff:ff:ff:ff:ff:ff         802.11   394    Beacon frame, SN=1472, FN=0, Flags=........, BI=100, SSID=NETGEAR_R6300
Frame 2: 394 bytes on wire (3152 bits), 394 bytes captured (3152 bits)
    Encapsulation type: IEEE 802.11 plus Prism II monitor mode radio header (21)
    Arrival Time: Jan  1, 2014 09:01:40.887805000 대한민국 표준시
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1388534500.887805000 seconds
    [Time delta from previous captured frame: 0.007733000 seconds]
    [Time delta from previous displayed frame: 0.007733000 seconds]
    [Time since reference or first frame: 0.007733000 seconds]
    Frame Number: 2
    Frame Length: 394 bytes (3152 bits)
    Capture Length: 394 bytes (3152 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: prism:wlan]
    [Number of per-protocol-data: 3]
    [IEEE 802.11 wireless LAN, key 1]
    [IEEE 802.11 wireless LAN, key 1]
    [IEEE 802.11 wireless LAN, key 1]
Prism capture header
    Message Code: 0x00000044
    Message Length: 144
    Device Name: ath0
    DID Host Time -49779
        DID: Host Time (0x00010044)
        Status: Supplied (0)
        Length: 4
        Host Time: 4294917517
    DID Mac Time 69827346
        DID: Mac Time (0x00020044)
        Status: Supplied (0)
        Length: 4
        MAC timestamp (lower 32 bits): 69827346
    DID Channel 153
        DID: Channel (0x00030044)
        Status: Supplied (0)
        Length: 4
        Channel: 153
    DID RSSI 0x1e
        DID: RSSI (0x00040044)
        Status: Supplied (0)
        Length: 4
        RSSI: 30
    DID Unknown 0
        DID: Unknown (0x00000000)
        Status: Supplied (0)
        Length: 0
        Unknown DID Field: 0x00000000 (0)
    DID Signal 0x1e
        DID: Signal (0x00060044)
        Status: Supplied (0)
        Length: 4
        Signal: 30
    DID Unknown 0
        DID: Unknown (0x00000000)
        Status: Supplied (0)
        Length: 0
        Unknown DID Field: 0x00000000 (0)
    DID Rate 5.5 Mb/s
        DID: Rate (0x00080044)
        Status: Supplied (0)
        Length: 4
        Data rate (Mb/s): 5.5
    DID Is Tx 0x0
        DID: Is Tx (0x00090044)
        Status: Supplied (0)
        Length: 4
        IsTX: Rx Packet (0x00000000)
    DID Frame Length 250
        DID: Frame Length (0x000a0044)
        Status: Supplied (0)
        Length: 4
        Frame Length: 250
IEEE 802.11 Beacon frame, Flags: ........
    Type/Subtype: Beacon frame (0x0008)
    Frame Control Field: 0x8000
        .... ..00 = Version: 0
        .... 00.. = Type: Management frame (0)
        1000 .... = Subtype: 8
        Flags: 0x00
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .000 0000 0000 0000 = Duration: 0 microseconds
.........

0000  00 00 00 44 00 00 00 90 61 74 68 30 00 00 00 00   ...D....ath0....
0010  00 00 00 00 00 00 00 00 00 01 00 44 00 00 00 04   ...........D....
0020  ff ff 3d 8d 00 02 00 44 00 00 00 04 04 29 7b 12   ..=....D.....){.
0030  00 03 00 44 00 00 00 04 00 00 00 99 00 04 00 44   ...D...........D
0040  00 00 00 04 00 00 00 1e 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 06 00 44 00 00 00 04 00 00 00 1e   .......D........
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 44   ...............D
0070  00 00 00 04 00 00 00 0b 00 09 00 44 00 00 00 04   ...........D....
0080  00 00 00 00 00 0a 00 44 00 00 00 04 00 00 00 fa   .......D........
0090  80 00 00 00 ff ff ff ff ff ff 20 e5 2a 06 d2 73   .......... .*..s
00a0  20 e5 2a 06 d2 73 00 5c 3a 10 54 db c8 01 00 00    .*..s.\:.T.....
00b0  64 00 11 00 00 0d 4e 45 54 47 45 41 52 5f 52 36   d.....NETGEAR_R6
00c0  33 30 30 01 08 8c 12 98 24 b0 48 60 6c 05 04 01   300.....$.H`l...
00d0  02 00 00 30 14 01 00 00 0f ac 04 01 00 00 0f ac   ...0............
00e0  04 01 00 00 0f ac 02 0c 00 2d 1a ef 09 1b ff ff   .........-......
00f0  ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 3d 16 99 0f 04 00 00 00 00 00 00   .....=..........
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 bf 0c b7   ................
0120  00 00 00 ea ff 00 00 ea ff 00 00 c0 05 00 97 00   ................
0130  00 00 dd 31 00 50 f2 04 10 4a 00 01 10 10 44 00   ...1.P...J....D.
0140  01 02 10 47 00 10 56 62 9f 41 f4 59 6f 3d b2 4e   ...G..Vb.A.Yo=.N
0150  40 d4 9a 47 e7 6a 10 3c 00 01 03 10 49 00 06 00   @..G.j.<....I...
0160  37 2a 00 01 20 dd 09 00 10 18 02 01 00 1c 00 00   7*.. ...........
0170  dd 18 00 50 f2 02 01 01 88 00 03 a4 00 00 27 a4   ...P..........'.
0180  00 00 42 43 bc 00 62 32 66 00                     ..BC..b2f.
</snip>

2014-03-21 10:58 GMT+09:00 Guy Harris <guy@xxxxxxxxxxxx>:
>
> On Mar 20, 2014, at 10:50 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
>> in which case we need to have the Prism code support both byte orders.
>
> I've checked into the trunk a change that should handle that.
>
> If your Windows system is 32-bit, please wait until a build with a higher number than 2057 shows up in
>
>         http://www.wireshark.org/download/automated/win32/
>
> The installer will have a name like Wireshark-win32-1.11.3-2058-7b6f0475.exe, with the number after "1.11.3" being 2058 or greater and the item just before ".exe" being some random collection of 8 hex digits.  You may have to wait for a while, however, as that buildbot is currently offline and not generating new builds.
>
> If your Windows system is 64-bit, please wait until a build with a higher number than 2057 shows up in
>
>         http://www.wireshark.org/download/automated/win64/
>
> The installer will have a name like Wireshark-win64-1.11.3-2058-7b6f0475.exe, with the number after "1.11.3" being 2058 or greater and the item just before ".exe" being some random collection of 8 hex digits.
>
> These are development builds, so they may have a random collection of interesting new features and interesting new bugs, as well as interesting user interface changes.  For Windows, they might offer a choice between versions using GTK+ (the old UI toolkit, which is the one current official releases use) and Qt (the new UI toolkit, which we want to use for 1.12).  The Qt version might be nicer in some ways, but a number of UI features have not yet been implemented with Qt, so they will only be available in the GTK+ version.
>
> Once you get the new version installed, please try reading the capture file with the new version, and let us know whether it works or not.
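A parser for the Prism header laid out in the dissection above, written to handle the byte-order ambiguity the thread is about (the header is emitted in the capturing host's byte order, so a dissector must accept both). This is an added example, not code from Wireshark or from the thread; it takes the 144 header bytes of the hex dump as constructed sample input, and the names for DID items 5 and 7 (sq, noise) and the swap_byte_order helper that builds a little-endian variant are assumptions from the linux-wlan-ng header definition rather than from this page.

```python
import struct

PRISM_MSGCODE = 0x44  # "Message Code: 0x00000044" in the dissection above
# DID item numbers per linux-wlan-ng; 5 (sq) and 7 (noise) are assumed names
# for the two slots the capture above leaves zeroed.
DID_NAMES = {1: "hosttime", 2: "mactime", 3: "channel", 4: "rssi", 5: "sq",
             6: "signal", 7: "noise", 8: "rate", 9: "istx", 10: "frmlen"}

# The 144 Prism header bytes (offsets 0x0000-0x008f of the hex dump above),
# embedded as constructed sample input so the parser runs offline.
SAMPLE_HDR = bytes.fromhex(
    "00000044 00000090 61746830 00000000 00000000 00000000"
    "00010044 00000004 ffff3d8d 00020044 00000004 04297b12"
    "00030044 00000004 00000099 00040044 00000004 0000001e"
    "00000000 00000000 00000000 00060044 00000004 0000001e"
    "00000000 00000000 00000000 00080044 00000004 0000000b"
    "00090044 00000004 00000000 000a0044 00000004 000000fa")

def detect_byte_order(data):
    """Return '>' or '<', whichever makes the 32-bit message code read as 0x44;
    the header is in the capturing host's byte order, so both must be accepted."""
    for order in (">", "<"):
        if len(data) >= 4 and struct.unpack(order + "I", data[:4])[0] == PRISM_MSGCODE:
            return order
    raise ValueError("not a Prism header: %s" % data[:4].hex())

def parse_prism(data):
    """Parse the fixed part and the 12-byte DID items of a Prism header."""
    order = detect_byte_order(data)
    msgcode, msglen = struct.unpack(order + "II", data[:8])
    if msglen < 24 or msglen > len(data):
        raise ValueError("bad message length %d" % msglen)
    devname = data[8:24].split(b"\0", 1)[0].decode("ascii", "replace")
    fields = {"byte_order": order, "msglen": msglen, "devname": devname}
    for off in range(24, msglen - 11, 12):
        # Each item: did(u32), status(u16), len(u16), value(u32) in host order.
        did, status, _len, value = struct.unpack(order + "IHHI", data[off:off + 12])
        if did == 0 or status != 0:  # empty slot, or value not supplied
            continue
        name = DID_NAMES.get(did >> 16, "did_%#x" % did)
        fields[name] = value / 2.0 if name == "rate" else value  # rate: 500 kb/s units
    return fields

def swap_byte_order(data):
    """Re-emit a big-endian header as a little-endian host would write it
    (constructed test input for the detection, not bytes from the capture)."""
    head = struct.pack("<II", *struct.unpack(">II", data[:8])) + data[8:24]
    items = [struct.pack("<IHHI", *struct.unpack(">IHHI", data[o:o + 12]))
             for o in range(24, len(data), 12)]
    return head + b"".join(items)
```

Running parse_prism on SAMPLE_HDR reproduces the dissected values (ath0, channel 153, RSSI 30, 5.5 Mb/s, frame length 250), and the same call on swap_byte_order(SAMPLE_HDR) reports byte_order "<" with identical field values.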