mailing list archives
Re: Change of decoding for Airopeek/Omnipeek 802.11 header with Cisco APs
From: Guy Harris <guy () alum mit edu>
Date: Thu, 19 Dec 2013 17:03:58 -0800
On Dec 19, 2013, at 11:54 AM, Guy Harris <guy () alum mit edu> wrote:
Now that you've provided an example of how Omnipeek dissects the same packet, we now have more data, probably
sufficient to allow us to correctly dissect the packet, and can improve the dissection of the "Peek remote" protocol.
Unfortunately, it may not be sufficient.
The packets Joerg had when he was reverse-engineering the protocol were shorter, with a 20-byte "Peek remote" header
rather than the 55-byte header in the packet you have.
Given that there's a "version" field in the header, and that Omnipeek reports "correct Header Size" for the value of
55, and the header version in the packet you have is 2, perhaps, for each version of the header, there's a fixed size,
and the "header size" field is there so that, if some program that receives packets gets a header version it doesn't
understand, it can skip past the header and get to the 802.11 packet.
Do you happen to know whether that is the case?
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe