Ethereal-users: Re: [Ethereal-users] Capture Header Decoding for Netxray (NetAsyst)
Ken Mann wrote:
I am attempting to decode the capture header for wireless sniffs output
by NetAsyst 1.0.003.
Specifically, I am trying to discern the information found in guint8
xxx[28] in the packet header structure.
I have been able to discern the Channel, Speed, % signal strength, and
the source MAC. There is a two byte field that seems to be non-zero
whenever an error is present (CRC and/or WEP ICV), but it is not clear what
the different values mean (various combinations of either 1 or 5 in the
two bytes).
/* NetXRay format version 2.x data record format - followed by frame
   data. */
struct netxrayrec_2_x_hdr {
    guint32 timelo;   /* lower 32 bits of time stamp */
    guint32 timehi;   /* upper 32 bits of time stamp */
    guint16 orig_len; /* packet length */
    guint16 incl_len; /* capture length */
    guint8  xxx[28];  /* various data */
};
Well, it's probably the same as Wireless Sniffer. Presumably the
channel is xxx[12], the data rate is xxx[13], and the signal level is
xxx[14]; our code already knew that. The source MAC address is in the
packet data; perhaps, for some reason, they stuff it into the rest of
xxx[28] as well.
We don't know where the FCS is in 802.11 Sniffer captures, but in
Ethernet captures, it appears that the low-order bit of xxx[8] is 1 if
the packet has a bad FCS. Perhaps the same bit of the same byte
specifies a bad FCS in 802.11 captures. We don't know what the other
bits mean.
Let us know what you discover, so we can update our code for reading
Sniffer captures or, at least, our comments in that code.
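
The field offsets discussed in this thread, as an added example that is not part of the original messages or of the Ethereal source: a bounds-checked reader for one 2.x record header. The names parse_netxray_2x_rec and struct wl_meta are hypothetical; it assumes the header fields are stored little-endian and that the xxx[8] bad-FCS bit, observed in Ethernet captures, means the same thing in 802.11 captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define NETXRAY_2X_HDR_LEN 40 /* 4 + 4 + 2 + 2 + 28 bytes, per the struct above */
#define XXX_OFFSET 12         /* xxx[] follows timelo, timehi, orig_len, incl_len */

struct wl_meta {              /* hypothetical result type for this example */
    uint64_t timestamp;
    uint16_t orig_len, incl_len;
    uint8_t channel, rate, signal;
    int bad_fcs;              /* assumption: same bit as in Ethernet captures */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the record is truncated or its lengths lie. */
int parse_netxray_2x_rec(const uint8_t *buf, size_t len, struct wl_meta *out)
{
    if (buf == NULL || out == NULL || len < NETXRAY_2X_HDR_LEN)
        return -1;
    const uint8_t *xxx = buf + XXX_OFFSET;
    out->timestamp = ((uint64_t)le32(buf + 4) << 32) | le32(buf);
    out->orig_len = le16(buf + 8);
    out->incl_len = le16(buf + 10);
    /* incl_len comes from an untrusted file: it must fit in what follows. */
    if ((size_t)out->incl_len > len - NETXRAY_2X_HDR_LEN)
        return -1;
    out->bad_fcs = xxx[8] & 0x01;  /* low-order bit of xxx[8] */
    out->channel = xxx[12];
    out->rate    = xxx[13];
    out->signal  = xxx[14];
    return 0;
}

int main(void)
{
    uint8_t rec[NETXRAY_2X_HDR_LEN + 4] = {0};  /* constructed sample record */
    struct wl_meta m;
    rec[8] = 4; rec[10] = 4;                    /* orig_len = incl_len = 4 */
    rec[XXX_OFFSET + 8] = 0x01; rec[XXX_OFFSET + 12] = 6;
    rec[XXX_OFFSET + 13] = 22;  rec[XXX_OFFSET + 14] = 80;
    if (parse_netxray_2x_rec(rec, sizeof rec, &m) != 0) return 1;
    printf("ch=%u rate=%u sig=%u bad_fcs=%d\n", m.channel, m.rate, m.signal, m.bad_fcs);
    return 0;
}
```

The remaining bits of xxx[8] and the other bytes of xxx[] are left uninterpreted, since their meaning is not established in the thread.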