tcpdump mailing list archives
Strange wireless frames
From: Greg Stark <gsstark () mit edu>
Date: 14 Jun 2003 11:46:47 -0400
I'm running tcpdump on a wlan0 interface using the hostap drivers. I'm seeing
some strange looking packets. They look to me like four-address inter-AP
packets but I'm not really sure what they should look like or how tcpdump
is supposed to display these. I've never done anything with wireless before.

The reason I say they look like four-address inter-AP packets is because I
know 0030 bd60 5e6b is the MAC address for a station on this network, and
tcpdump is showing that in the payload of the packets.

Is this type of packet supposed to be parsed by tcpdump and it's failing to
recognize it somehow? Or is it behaving as expected and some code needs to be
written? Or is there something wrong with these packets?

15:23:22.529791 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0c00, length 60:
0802 0000 0030 bd60 5e6b 0006 25a7 432b
0006 25a7 432b 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
15:23:23.530428 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0c00, length 62:
a000 0000 0030 bd60 5e6b 0006 25a7 432b
0006 25a7 432b 0000 0000 0000 0000 0200
0000 0000 0000 0000 0000 0000 0000 0400
15:23:24.530204 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0c00, length 62:
c000 0000 0030 bd60 5e6b 0006 25a7 432b
0006 25a7 432b 0000 0000 0000 0000 0200
0000 0000 0000 0000 0000 0000 0000 0200
07:13:18.514697 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66:
b000 0000 0030 bd60 5e6b 0006 25a7 432b
0006 25a7 432b 0000 0000 0000 0000 0600
0000 0000 0000 0000 0000 0000 0000 0000
0200 0000
07:13:18.529177 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72:
1000 0000 0030 bd60 5e6b 0006 25a7 432b
0006 25a7 432b 0000 0000 0000 0000 0c00
0000 0000 0000 0000 0000 0000 0000 0100
0000 01c0 0104 8284 0b16
07:13:18.855134 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66:
b000 0000 0030 bd60 5e6b 0006 25a7 432b
0006 25a7 432b 0000 0000 0000 0000 0600
0000 0000 0000 0000 0000 0000 0000 0000
0200 0000
07:13:18.867212 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72:
1000 0000 0030 bd60 5e6b 0006 25a7 432b
0006 25a7 432b 0000 0000 0000 0000 0c00
0000 0000 0000 0000 0000 0000 0000 0100
0000 01c0 0104 8284 0b16
--
greg
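
As an added example (not part of the original post and not tcpdump code), the following Python script decodes the first 24 bytes of each dump as an IEEE 802.11 MAC header and reports the ToDS/FromDS bits that decide whether a frame uses four addresses. It assumes the hex dump begins at the frame control field; the sample bytes are copied from the dumps above, and all function and table names are hypothetical.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
# Only the subtypes that occur in the dumps above are named here.
SUBTYPES = {(0, 1): "assoc-response", (0, 10): "disassoc",
            (0, 11): "authentication", (0, 12): "deauthentication",
            (2, 0): "data"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_header(raw):
    """Decode the 24-byte header of a management or data frame."""
    if len(raw) < 24:
        raise ValueError("need 24 bytes for a three-address header")
    # Frame control and duration are little-endian 16-bit fields.
    fc, duration = struct.unpack_from("<HH", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 1:
        raise ValueError("control frames use a shorter header")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    (seq_ctrl,) = struct.unpack_from("<H", raw, 22)
    return {
        "version": fc & 0x3,
        "type": f"{TYPES[ftype]}/{SUBTYPES.get((ftype, subtype), subtype)}",
        "to_ds": to_ds,
        "from_ds": from_ds,
        # A fourth address follows the header only when both DS bits are set.
        "four_address": to_ds and from_ds,
        "duration": duration,
        "addr1": mac(raw[4:10]),
        "addr2": mac(raw[10:16]),
        "addr3": mac(raw[16:22]),
        "seq_ctrl": seq_ctrl,
    }

# Bytes 2..23 are identical in every frame quoted in the post.
COMMON = "0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000"
# First two bytes (frame control) of the five distinct frames in the post.
FRAME_CONTROLS = ["0802", "a000", "c000", "b000", "1000"]

def decode_samples():
    return [parse_80211_header(bytes.fromhex(fc + COMMON)) for fc in FRAME_CONTROLS]

if __name__ == "__main__":
    for hdr in decode_samples():
        print(hdr["type"], "ToDS" if hdr["to_ds"] else "-",
              "FromDS" if hdr["from_ds"] else "-", hdr["addr1"], hdr["addr2"])
```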
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
