Wireshark-users: Re: [Wireshark-users] Cannot dissect IEEE802.11 data frames

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 20 May 2016 12:20:19 -0700
On May 19, 2016, at 6:19 AM, Vasily Postnicov <shamaz.mazum@xxxxxxxxx> wrote:

> Unfortunately, I cannot check this right now, but thanks for advice anyway. Do you have any ideas, what these last two bytes might be?

The 00 00 could be "Atheros padding" - some Atheros adapters, when providing raw 802.11 frames, "helpfully" add some padding between the 802.11 header and 802.11 payload, presumably to put the payload on some nice boundary in memory.

The radiotap header has a flag that allows the driver to say "this frame has Atheros padding", and, if that's set, Wireshark recognizes and ignores the padding.  With no radiotap header, there's no way to indicate the presence of the padding.