Re: Got "Radiotap data goes past the end of the radiotap header" for Npcap's radiotap header.

[Yang Luo <hsluoyb () gmail com>]

Hi Guy,


On Sat, Apr 9, 2016 at 5:33 PM, Guy Harris <guy () alum mit edu> wrote:

> On Apr 9, 2016, at 1:09 AM, Yang Luo <hsluoyb () gmail com> wrote:
>
> > However, most information of the radiotap header is zero like below. The
> most commonly seen TSFT field (I thought) is not there. Although I didn't
> implement some fields like "Rate" yet, but I still feel it's too blank?
> > Maybe this is because the underlying network card driver doesn't
> implement so many 802.11 OOB data,
>
> It could be:
>
>
> https://social.technet.microsoft.com/Forums/en-US/624a6148-f8ed-4be0-819e-924ae3cd3dda/wifi-in-netmon-dealing-with-broken-monitor-mode-implementations-in-the-drivers?forum=netmon
>
> Michael Berg of Tamosoft has also noted that the quality of the metadata
> supplied by Native Wi-Fi drivers for Windows... *varies*.  (Unfortunately,
> I think that was in some tweets he posted, and Twitter makes it *really
> hard* to search - it seems not to find reply tweets, which I think his
> comments were.)

I'm not surprised if the WiFi and monitor support will not work on all
hardwares. Even for the current wifi version Npcap with 802.11 data packets
enabled, some hardwares even cause crash in certain conditions. So I will
see how far this can go.


> > One of my 802.11 packet's radiotap header is like this:
> >
> > --------------------------------------------------------
> > Radiotap Header v0, Length 15
> >   Header revision: 0
> >   Header pad: 0
> >   Header length: 15
> >   Present flags
> >   Flags: 0x00
> >   Channel frequency: 0
>
> If the channel frequency is 0, that probably means that it's not supplied,
> so don't provide a Channel field.

Is this a good behavior of not providing Channel? I think Channel contains
two parts: 16 bits flags and 16 bits frequency. Even the frequency is
invalid, the flags is still there? If I remove Channel field, flags will
also be gone.


> >   Channel flags: 0x0000
> >   SSI Signal: -47 dBm
> > --------------------------------------------------------
> >
> >
> > The only field with non-zero values is SSI Signal.
> > sometimes -46 dBm, sometimes -47 dBm, most times is also 0 dBm.
>
> That might mean that it's not supplying a signal strength; it means "1
> milliwatt", which seems to be a lot stronger than the signals I typically
> see, so it's probably not a valid value.

OK. I think I will just leave it as it is for now.


Cheers,
Yang


> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe