Re: Get "Malformed Packet" for 802.11 Beacon frames on Windows

[Yang Luo <hsluoyb () gmail com>]

Hi Alexis,



On Wed, Apr 13, 2016 at 1:47 AM, Alexis La Goutte <alexis.lagoutte () gmail com
> wrote:

> On Tue, Apr 12, 2016 at 7:53 AM, Yang Luo <hsluoyb () gmail com> wrote:
>
> > Hi list,
> >
> > I have enabled 802.11 control and management frames capture on Windows
> > using Npcap. I found that the Beacon frames are marked as "Malformed
> > Packet" by Wireshark 2.0.2.
> >
> > The false trace of the No. 40 packet is here:
> > (BTW, is there any simple copy text method for a packet in Wireshark,
> > like copying all the protocol tree in text like below? I manually copied
> > all the fields and it's slow)
> >
> > IEEE 802.11 wireless LAN management frame
> >   Tagged parameters (213 bytes)
> >     Tag: Channel Usage
> >       Tag length: 175
> >         Expert Info (Error/Malformed): Tag Length is longer than
> > remaining payload
> >           Tag Length is longer than remaining payload
> >           Severity level: Error
> >           Group: Malformed
> >
> > The capture file with the error is:
> >
> > https://github.com/nmap/npcap/releases/download/v0.06-r15/npcap_beacon_error.pcapng.gz
> >
> > You can test this feature using this release:
> > https://github.com/nmap/npcap/releases
> >
> > I'm not an expert of 802.11 protocols, so can anyone point out what's
> > wrong here? Thanks!
> >
> >
> > --------------------------------------------------------
> > At last I paste the usage of this release here:
> >
> > Usage:
> >
> >    1. Install npcap-nmap-0.06-r15-wifi.exe.
> >    2. Run WlanHelper.exe with *Administrator* privilege. Type in the
> >    index of your wireless adapter (usually 0) and press Enter. Then type
> >    in 1 and press Enter to to switch on the *Monitor Mode*.
> >    3. Launch Wireshark and capture on the wireless adapter, you will see *all
> >    802.11 packets (data + control + management)*.
> >    4. If you need to return to *Managed Mode*, run WlanHelper.exe again
> >    and input the index of the adapter, then type in 0 and press Enter to
> >    to switch off the **Monitor Mode*.
> >
> > Notice:
> >
> > You need to use WlanHelper.exe tool to switch on the *Monitor Mode* in
> > order to see 802.11 control and management packets in Wireshark (also encrypted
> > 802.11 data packets, you need to specify thedecipher key in Wireshark in
> > order to decrypt those packets), otherwise you will only see 802.11 data
> > packets.
> >
> > Switching on the *Monitor Mode* will disconnect your wireless network
> > from the AP, you can switch back to *Managed Mode* (aka *ExtSTA* in
> > Microsoft's terminologies) using the same WlanHelper.exe tool.
> >
> > Awesome !
>
> Need to include support of directly switch to monitor mode on Wireshark :)

You bet! That will be the last step to do.
WlanHelper is currently a workaround for this feature. Monitor mode switch
on and off should be able to be done directly using Wireshark for friendly
use.
However, I'm also planning to provide the monitor switch in a API way too,
like integrated into NPFInstall.exe, so a program can switch on and off
Monitor mode too.

BTW, are there any options when setting to Monitor mode? Like channel no or
something. I haven't considered the options in WlanHelper but maybe for
future.



> About malformed packet, with Wireless monitor (like Airpcap), there is
> often some "wrong" packet...

This reminds me that "AirPcap" string is tagged in Wireshark "Interface
Details" (Media supported and Media in use).

The code is:
https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/ui/gtk/capture_if_details_dlg_win32.c
Line 324 to 326.

I don't know what's NdisMediumPpi, but Npcap is for sure able to
provide NdisMediumRadio80211 and NdisMediumBare80211 too. AirPcap is no
longer the only choice to use native 802.11 on Windows.
So is there any possibility to remove the "AirPcap" string in the UI?


Cheers,
Yang


> > Cheers,
> > Yang
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    https://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >              mailto:wireshark-dev-request () wireshark org
> > ?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe