Wireshark mailing list archives

Change of decoding for Airopeek/Omnipeek 802.11 header with Cisco APs
From: "Emburey Samrex Edward -X (emedward - EMBED UR SYSTEMS at Cisco)" <emedward () cisco com>
Date: Thu, 19 Dec 2013 15:26:37 +0000

Hi All,

Thanks for your attention!

This is regarding the PEEKREMOTE decoding of the header Airopeek/Omnipeek encapsulated IEEE 802.11.

When capturing the sniffed output of Cisco APs with PEEKREMOTE decoding, the 802.11 headers are not properly classified (refer to wireshark_sample.jpg).
This must take place under the header Airopeek/Omnipeek encapsulated IEEE 802.11.

In contrast, in an Omnipeek capture, it is well classified (under one of its headers, Cisco AP 802.11n) (refer to omnipeek_sample.jpg).

We rightly have the same hexdump populated in Wireshark as in Omnipeek.

So, the existing classification/decoding for the header Airopeek/Omnipeek encapsulated IEEE 802.11 within Wireshark would need to be scrutinized.
The file trunk/epan/dissectors/packet-peekremote.c handles the decoding for this header.

The following are the variables behind the header:
hf_peekremote_unknown1
hf_peekremote_unknown2
hf_peekremote_unknown3
hf_peekremote_unknown4
hf_peekremote_unknown5
hf_peekremote_unknown6
hf_peekremote_channel
hf_peekremote_timestamp

In the function dissect_peekremote() we can include more decoding for the snr/rssi/datarate/channel/timestamp values, which can then be forwarded to proto_register_peekremote() appropriately.

There is also a TBD note at the start of this packet-peekremote.c file that implies a similar case.
/*
 * TODO: Decode meta information.
 *       Check on fillup bytes in capture (fcs sometimes wrong)
 * From:
 * http://www.cisco.com/univercd/cc/td/doc/product/wireless/pahcont/oweb.pdf
 * "It will include information on timestamp, signal strength, packet size
 *  and so on"
 */

Can someone please clarify the purpose of the existing decoding, and now adapt it for this suggested one, so as to get a proper classification of the Airopeek/Omnipeek encapsulated IEEE 802.11 header with Cisco APs in Wireshark?


Thanks in advance,
Emburey

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
