Home page logo

wireshark logo Wireshark mailing list archives

Re: IEEE80211 Prism header dissecting problem ..
From: Guy Harris <guy () alum mit edu>
Date: Thu, 20 Mar 2014 10:50:04 -0700

On Mar 20, 2014, at 8:37 AM, Hadriel Kaplan <hadrielk () yahoo com> wrote:

I think the Prism dissector is being called, but then it hands it to normal 802.11 instead. I don't know anything 
about Prism packets, but the wireshark code appears to expect the Prism message codes (either 0x00000044 for type 1, 
or 0x00000041 for type 2) to be in little-endian order on-the-wire, whereas your packet has it in network-order (ie, 
big-endian) on-the-wire.

Actually, they're not "on-the-wire" at all - the Prism header is radio-level-information metadata generated by and 
written to the packet buffer by the driver.

So the byte order might depend on the driver and the CPU type; he said "mips" - there are both big-endian and 
little-endian MIPS systems, so perhaps

        1) this was a big-endian MIPS system


        2) the drivers put the Prism header in host byte order

in which case we need to have the Prism code support both byte orders.

(Yet another reason not to like Prism headers; radiotap:


specifies little-endian byte order, so a non-buggy driver would write out the radiotap header in little-endian order 
*even when running on a big-endian machine*.)
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]