
Wireshark mailing list archives

Re: Change of decoding for Airopeek/Omnipeek 802.11 header with Cisco APs
From: Guy Harris <guy () alum mit edu>
Date: Fri, 20 Dec 2013 11:21:08 -0800


On Dec 20, 2013, at 6:44 AM, "Emburey Samrex Edward -X (emedward - EMBED UR SYSTEMS at Cisco)" <emedward () cisco com> wrote:

I think I should have mentioned this earlier.

Yes.
 
There do exist two different headers: a 20-byte (legacy) and a 55-byte (with additional 802.11n support).

The legacy header does *not* appear to have a magic number, based on the capture file Joerg made available.

Do you have complete details on what it contains, so that we can finish the dissector for it?

To accommodate the 802.11n header, we would need a different dissection at dissect_peekremote(), apart from the way the legacy header had been dealt with.
Maybe we can have the ‘magic number’ as reference from the obtained hex-dump, to choose between the two dissection methods.

We should probably:

        1) make a heuristic dissector for the new header, and have it check for the magic number, so that, for the new header, you *don't* have to use "Decode As...";

        2) have the port-number-based dissector call the heuristic dissector first and:

                if the heuristic dissector accepts the packet, just return;

                otherwise, dissect the legacy header.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
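
The dispatch order proposed in the message above, as an added stand-alone C sketch that is not part of the original post and is not Wireshark code (it uses no Wireshark APIs). The 20- and 55-byte header sizes come from the thread; the magic value, its position at offset 0, and all function and type names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header sizes are from the thread. The magic value and its position at
 * offset 0 are PLACEHOLDERS: the thread does not state them. */
#define LEGACY_HDR_LEN 20
#define NEW_HDR_LEN    55
static const uint8_t PLACEHOLDER_MAGIC[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

enum hdr_kind { HDR_NONE = 0, HDR_LEGACY, HDR_NEW };

struct result {
    enum hdr_kind kind;
    size_t payload_off;   /* offset at which the 802.11 frame would start */
};

/* Heuristic path (hypothetical name): accept only when the whole new header
 * is present and the magic matches. Returns 1 on accept, 0 to decline. */
static int dissect_new_heur(const uint8_t *buf, size_t len, struct result *r)
{
    if (len < NEW_HDR_LEN)   /* bounds check before reading any header byte */
        return 0;
    if (memcmp(buf, PLACEHOLDER_MAGIC, sizeof PLACEHOLDER_MAGIC) != 0)
        return 0;
    r->kind = HDR_NEW;
    r->payload_off = NEW_HDR_LEN;
    return 1;
}

/* Port-based entry point (hypothetical name): call the heuristic first;
 * if it accepts, just return; otherwise dissect as the legacy header. */
static struct result dissect_by_port(const uint8_t *buf, size_t len)
{
    struct result r = { HDR_NONE, 0 };
    if (dissect_new_heur(buf, len, &r))
        return r;
    if (len >= LEGACY_HDR_LEN) {
        r.kind = HDR_LEGACY;
        r.payload_off = LEGACY_HDR_LEN;
    }
    return r;   /* HDR_NONE: too short for either header */
}
```

Because the legacy header carries no magic number, a legacy packet whose leading bytes happen to equal the magic would be taken as the new format; the length check only guarantees that the comparison never reads past the captured data.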

