Wireshark mailing list archives

Re: Change of decoding for Airopeek/Omnipeek 802.11 header with Cisco APs
From: Guy Harris <guy () alum mit edu>
Date: Thu, 19 Dec 2013 17:03:58 -0800

On Dec 19, 2013, at 11:54 AM, Guy Harris <guy () alum mit edu> wrote:

> Now that you've provided an example of how Omnipeek dissects the same packet, we now have more data, probably sufficient to allow us to correctly dissect the packet, and can improve the dissection of the "Peek remote" protocol.

Unfortunately, it may not be sufficient.

The packets Joerg had when he was reverse-engineering the protocol were shorter, with a 20-byte "Peek remote" header rather than the 55-byte header in the packet you have.

Given that there's a "version" field in the header, and that Omnipeek reports "correct Header Size" for the value of 55, and the header version in the packet you have is 2, perhaps, for each version of the header, there's a fixed size, and the "header size" field is there so that, if some program that receives packets gets a header version it doesn't understand, it can skip past the header and get to the 802.11 packet.

Do you happen to know whether that is the case?

Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
