Re: Get "Malformed Packet" for 802.11 Beacon frames on Windows

[Yang Luo <hsluoyb () gmail com>]

Hi Graham,

This way works! Thanks!


Cheers,
Yang

On Tue, Apr 12, 2016 at 4:30 PM, Graham Bloice <graham.bloice () trihedral com>
wrote:

> On 12 April 2016 at 06:53, Yang Luo <hsluoyb () gmail com> wrote:
>
> > Hi list,
> >
> > I have enabled 802.11 control and management frames capture on Windows
> > using Npcap. I found that the Beacon frames are marked as "Malformed
> > Packet" by Wireshark 2.0.2.
> >
> > The false trace of the No. 40 packet is here:
> > (BTW, is there any simple copy text method for a packet in Wireshark,
> > like copying all the protocol tree in text like below? I manually copied
> > all the fields and it's slow)
> Select a packet (or mark if more than one) the packets of interest, expand
> the details you require in the packet details pane, then use File -> Export
> Packet Dissections -> As Plain Text..., in the Export dialog there are
> options to choose which packets to export and how to format the output.
>
> IEEE 802.11 wireless LAN management frame
> >   Tagged parameters (213 bytes)
> >     Tag: Channel Usage
> >       Tag length: 175
> >         Expert Info (Error/Malformed): Tag Length is longer than
> > remaining payload
> >           Tag Length is longer than remaining payload
> >           Severity level: Error
> >           Group: Malformed
> >
> > The capture file with the error is:
> >
> > https://github.com/nmap/npcap/releases/download/v0.06-r15/npcap_beacon_error.pcapng.gz
> >
> > You can test this feature using this release:
> > https://github.com/nmap/npcap/releases
> >
> > I'm not an expert of 802.11 protocols, so can anyone point out what's
> > wrong here? Thanks!
> >
> >
> > --------------------------------------------------------
> > At last I paste the usage of this release here:
> >
> > Usage:
> >
> >    1. Install npcap-nmap-0.06-r15-wifi.exe.
> >    2. Run WlanHelper.exe with *Administrator* privilege. Type in the
> >    index of your wireless adapter (usually 0) and press Enter. Then type
> >    in 1 and press Enter to to switch on the *Monitor Mode*.
> >    3. Launch Wireshark and capture on the wireless adapter, you will see *all
> >    802.11 packets (data + control + management)*.
> >    4. If you need to return to *Managed Mode*, run WlanHelper.exe again
> >    and input the index of the adapter, then type in 0 and press Enter to
> >    to switch off the **Monitor Mode*.
> >
> > Notice:
> >
> > You need to use WlanHelper.exe tool to switch on the *Monitor Mode* in
> > order to see 802.11 control and management packets in Wireshark (also encrypted
> > 802.11 data packets, you need to specify thedecipher key in Wireshark in
> > order to decrypt those packets), otherwise you will only see 802.11 data
> > packets.
> >
> > Switching on the *Monitor Mode* will disconnect your wireless network
> > from the AP, you can switch back to *Managed Mode* (aka *ExtSTA* in
> > Microsoft's terminologies) using the same WlanHelper.exe tool.
> >
> >
> > Cheers,
> > Yang
>
> --
> Graham Bloice
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe