Hello! I am using Wireshark 2.0.3 from FreeBSD ports for the
first time. I am not good at computer networks and am trying to analyze
traffic captured over an unencrypted Wi-Fi network. It turns out that data
frame dissection is wrong in my case: Wireshark can't dissect further
than the LLC protocol. I attach a pcap file produced by airodump-ng.
Here is the beginning of the sixth frame in hex:
88 01 30 00 0E 27 22 E9 54 84 1C B7 2C 4E 24 DF
D4 CA 6D D6 F5 4D 40 29 00 00 40 00 AA AA 03 00
00 00 08 00 45 00 00 39 B5 B1 40 00 40 11 BF 76
C0 A8 22 3A C0 A8 22 01
Wireshark says that the LLC header begins with the sequence 40 00 aa aa, so
DSAP is Unknown (0x40)
SSAP is NULL LSAP (0x00)
Control field is I, N(R)=85, N(S)=85 (0xAAAA)
From what I read on Wikipedia, this seems to be wrong. It seems DSAP is
actually 0xAA here, SSAP is also 0xAA, and the control field is 1 octet, 0x03,
which means the SNAP extension is used. The next 3 octets (0x000000) are an unused
OUI, and the following 2 octets, 0x0800, are the protocol ID for IPv4. The next octet,
0x45, is the beginning of the IP packet header.
According to ifconfig, the access point of that network supported high throughput and
Atheros protocol extensions (it had HTCAP and ATH in the "ifconfig wlan0 list
scan" output), whatever that means.
So what am I doing wrong? Or is this a bug?
With best regards, Vasily
Attachment:
shark.pcap
Description: application/vnd.tcpdump.pcap
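As an added example (not part of the original post), a small Python script that applies the poster's reasoning to the quoted bytes of frame 6: it computes the 802.11 MAC header length from the Frame Control field, decodes the LLC header both at the offset a dissector would use and at the offset where AA AA 03 actually appears, and then walks SNAP into the IPv4 header. It assumes the two bytes 40 00 between the QoS Control field and the LLC header are padding of the MAC header to a 4-byte boundary, which the post does not state.

```python
import struct

# Sample input constructed from the hex the poster quoted for frame 6 (header + IPv4 start).
FRAME6 = bytes.fromhex(
    "8801 3000 0E2722E95484 1CB72C4E24DF D4CA6DD6F54D 4029 0000 4000"
    "AAAA03 000000 0800 450000 39B5B1 4000 40 11 BF76 C0A8223A C0A82201"
)

def dot11_header_len(frame):
    """802.11 MAC header length implied by Frame Control (no vendor padding)."""
    fc = frame[0] | (frame[1] << 8)
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    n = 24
    if fc & 0x0100 and fc & 0x0200:  # To DS + From DS: Address 4 present
        n += 6
    if (fc >> 4) & 0x8:              # QoS Data subtypes: 2-byte QoS Control
        n += 2
    if fc & 0x8000:                  # Order bit: 4-byte HT Control
        n += 4
    return n

def llc_at(frame, off):
    """Decode an LLC header at 'off' the way a dissector does (DSAP, SSAP, control)."""
    dsap, ssap, ctl = frame[off], frame[off + 1], frame[off + 2]
    if ctl & 0x01 == 0:              # I-frame: 16-bit control carrying N(S) and N(R)
        return {"dsap": dsap, "ssap": ssap, "ctrl": "I",
                "ns": ctl >> 1, "nr": frame[off + 3] >> 1}
    return {"dsap": dsap, "ssap": ssap, "ctrl": ctl}   # 0x03 = UI, SNAP follows

def find_snap(frame):
    """Offset of the SNAP header (AA AA 03) and the padding that precedes it."""
    hdr = dot11_header_len(frame)
    for pad in (0, 2):  # assumption: up to 2 bytes of padding to a 4-byte boundary
        if frame[hdr + pad:hdr + pad + 3] == b"\xaa\xaa\x03":
            return hdr + pad, pad
    raise ValueError("no LLC/SNAP header after the MAC header")

def dissect(frame):
    """Walk 802.11 -> LLC/SNAP -> IPv4 and return the fields the post argues about."""
    off, pad = find_snap(frame)
    ip = frame[off + 8:]
    return {"mac_hdr_len": off - pad, "padding": pad, "snap_offset": off,
            "oui": frame[off + 3:off + 6].hex(),
            "ethertype": struct.unpack("!H", frame[off + 6:off + 8])[0],
            "ip_version": ip[0] >> 4, "ip_total_len": struct.unpack("!H", ip[2:4])[0],
            "ip_proto": ip[9], "src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20]))}
```

Decoding at offset 26 reproduces exactly the DSAP 0x40 / SSAP 0x00 / I-frame N(S)=N(R)=85 that Wireshark reported, while offset 28 yields the AA AA 03 SNAP header and a well-formed IPv4 packet.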