Wireshark · Ethereal-users: Re: [Ethereal-users] RE: Capture Header Decoding for Netxray (NetAsyst)

Ethereal-users: Re: [Ethereal-users] RE: Capture Header Decoding for Netxray (NetAsyst)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Sat, 29 Jan 2005 02:47:29 -0800

Ken Mann wrote:

The structure below is what I have come up with. The noise level seemsto use different units from the signal strength, 127 = 100%, 0xFF =ignore it. dummy2[2] appears to be set to 5 when the packet is WEPencrypted. The errorFlag value is either 1 or 5 when there is a problemwith the packet (either CRC or WEP errors).
typedef struct
{
    UINT64  pktTimeuSec;
    SINT16  capLen;
    SINT16  pktLen;

Ethereal currently treats the first of the 16-bit integers as the actuallength of the packet and the second of them as the number of bytescaptured (that number can be smaller than the actual length because ofslicing, or whatever it's called in Sniffer).

The names you give them make it sound to me as if the first of them isthe number of bytes captured and the second is the actual length,instead; is that the case?

    UCHAR errorFlag;     // 802.11 only

That doesn't appear to be 802.11-only - I think we've seen Ethernetcaptures where, if the low-order bit is set, there's a bad FCS.

Do you happen to know what the difference between a value of 1 and 5here is? Both of them have the low-order bit set; one but not the otherhas 0x4 set. (If you can *generate* Sniffer files that the Sniffer canread, it might be interesting to experiment with different bits set inthis field.)

    UCHAR dummy2[3];     // Appear to always be zero

errorFlag and dummy2 could be a 4-byte little-endian flag word - or theycould be a 1-byte flag and 3 padding bytes, or a 2-byte little-endianflag word and 2 padding bytes. (Again, if you can generate Snifferfiles, it might be interesting to tweak various bits in dummy2[0-2].)

    UCHAR channel;       // 802.11 only
    UCHAR speed;         // 802.11 only
    UCHAR signalStrength;// 802.11 only
    UCHAR noiseLevel;    // FF (none reported) or 127 (0x7F) == 100%


What are the units of signalStrength?

Presumably noiseLevel is also 802.11-only.

    UCHAR dummy3[4];    // Meaning unknown, can be zeroed
    UCHAR srcMac[6];     // 802.11 only


Is that any different from the source MAC address in the 802.11 header?

References:
- [Ethereal-users] RE: Capture Header Decoding for Netxray (NetAsyst)
  - From: Ken Mann

Prev by Date: Re: [Ethereal-users] Capturing packets addressed to loopback interface
Next by Date: Re: [Ethereal-users] Problem in viewing IMAP Packets
Previous by thread: [Ethereal-users] RE: Capture Header Decoding for Netxray (NetAsyst)
Next by thread: [Ethereal-users] tiny patch for ethereal-0.10.9
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$