Wireshark mailing list archives

Re: Wireshark PEEKREMOTE decoding packets from Cisco Sniffer APs incorrectly


From: Alexis La Goutte <alexis.lagoutte () gmail com>
Date: Wed, 28 May 2014 15:54:10 +0200

On Wed, May 28, 2014 at 3:36 PM, Vignesh Viswanathan -X (vignevis - EMBED
UR SYSTEMS at Cisco) <vignevis () cisco com> wrote:

 Hi All,



We see an issue when decoding packets sniffed from a Cisco Sniffer AP
using PEEKREMOTE.



The header for “IEEE 802.11 QoS Data” under “AiroPeek/OmniPeek
encapsulated IEEE 802.11” is found to be of 28 bytes in length. Whereas the
same “IEEE 802.11 QoS Data” under default decoding is 26 bytes for “LLC”
packets. This leads to the first 2 bytes of LLC to go wrongly under “IEEE
802.11 QoS Data”, which in turn leads to LLC DSAP as unknown and Wireshark
is not able to identify EAP/EAPOL packets.



The following are the screen shots from the capture.





The two bytes highlighted are not a part of “QOS Control” which is the last
field in “IEEE 802.11 QoS Data”.



 The same packets are decoded properly with 26 bytes header by
“WildPackets Omnipeek” as shown below.



For packets captured over the air with sniffer laptops (default decoding
and not PEEKREMOTE), the “IEEE 802.11 QoS Data” is correctly decoded with
26 bytes header as EAP/EAPOL is identified.





Please provide your thoughts on how we can resolve this issue as we are
seeing this in multiple sniffer setups using Wireshark.



Hi,

Please attach your samples in bugtracker and specify your Wireshark release
version


 Thanks,

Vignesh



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
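
An added illustration, not part of the original messages and not Wireshark's code: it derives the 802.11 MAC header length from the Frame Control field of a constructed QoS Data frame and shows how reading LLC at offset 28 instead of 26 yields an unrecognized DSAP, so the EAPOL EtherType is never reached. The frame bytes and function names are assumptions made up for the example.

```python
import struct

def dot11_header_len(frame: bytes) -> int:
    """MAC header length of an 802.11 data frame, derived from Frame Control."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    length = 24                    # FC, Duration, Address 1-3, Sequence Control
    if fc1 & 0x03 == 0x03:         # ToDS and FromDS both set: Address 4 present
        length += 6
    if subtype & 0x8:              # QoS subtypes carry a 2-byte QoS Control
        length += 2
        if fc1 & 0x80:             # Order bit on a QoS frame: 4-byte HT Control
            length += 4
    return length

def decode_llc(frame: bytes, offset: int):
    """Read LLC at offset; return (dsap, ssap, ethertype), ethertype None if not SNAP."""
    dsap, ssap, ctrl = frame[offset:offset + 3]
    if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):
        (ethertype,) = struct.unpack("!H", frame[offset + 6:offset + 8])
        return dsap, ssap, ethertype
    return dsap, ssap, None

# Constructed sample frame (not taken from the reporter's capture).
FRAME = (
    bytes([0x88, 0x01])                 # Frame Control: QoS Data, ToDS
    + bytes(2)                          # Duration
    + bytes.fromhex("020000000001")     # Address 1
    + bytes.fromhex("020000000002")     # Address 2
    + bytes.fromhex("020000000003")     # Address 3
    + bytes(2)                          # Sequence Control
    + bytes(2)                          # QoS Control (last header field)
    + bytes.fromhex("aaaa03000000888e") # LLC/SNAP, EtherType 0x888e (EAPOL)
    + bytes.fromhex("01030000")         # constructed EAPOL header bytes
)

if __name__ == "__main__":
    hdr = dot11_header_len(FRAME)
    print("header length:", hdr)
    for off in (hdr, hdr + 2):          # correct offset, then the 2-byte overrun
        dsap, ssap, etype = decode_llc(FRAME, off)
        shown = hex(etype) if etype is not None else "not reached"
        print(f"LLC at {off}: DSAP=0x{dsap:02x} SSAP=0x{ssap:02x} EtherType={shown}")
```
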
