Wireshark-dev: [Wireshark-dev] Get "Malformed Packet" for 802.11 Beacon frames on Windows
Hi list,
I have enabled 802.11 control and management frames capture on Windows using Npcap. I found that the Beacon frames are marked as "Malformed Packet" by Wireshark 2.0.2.
The false trace of the No. 40 packet is here:
(BTW, is there any simple copy text method for a packet in Wireshark, like copying all the protocol tree in text like below? I manually copied all the fields and it's slow)
IEEE 802.11 wireless LAN management frame
    Tagged parameters (213 bytes)
        Tag: Channel Usage
            Tag length: 175
            Expert Info (Error/Malformed): Tag Length is longer than remaining payload
                Tag Length is longer than remaining payload
                Severity level: Error
                Group: Malformed
The capture file with the error is:
You can test this feature using this release:
I'm not an expert of 802.11 protocols, so can anyone point out what's wrong here? Thanks!
--------------------------------------------------------
At last I paste the usage of this release here:
Usage:
- Install npcap-nmap-0.06-r15-wifi.exe.
- Run WlanHelper.exe with Administrator privilege. Type in the index of your wireless adapter (usually 0) and press Enter. Then type in 1 and press Enter to switch on the Monitor Mode.
- Launch Wireshark and capture on the wireless adapter, you will see all 802.11 packets (data + control + management).
- If you need to return to Managed Mode, run WlanHelper.exe again and input the index of the adapter, then type in 0 and press Enter to switch off the Monitor Mode.
Notice:
You need to use WlanHelper.exe tool to switch on the Monitor Mode in order to see 802.11 control and management packets in Wireshark (also encrypted 802.11 data packets, you need to specify the decipher key in Wireshark in order to decrypt those packets), otherwise you will only see 802.11 data packets.
Switching on the Monitor Mode will disconnect your wireless network from the AP, you can switch back to Managed Mode (aka ExtSTA in Microsoft's terminologies) using the same WlanHelper.exe tool.
Cheers,
Yang
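
The bounds check behind the "Tag Length is longer than remaining payload" expert info quoted above, as an added example that is not part of the original post and is not Wireshark's dissector code. The helper name, the sample bytes and the use of element ID 97 for Channel Usage are assumptions made for this illustration; the sample is constructed, not taken from the capture.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Element:
    offset: int   # offset of the tag number inside the tagged parameters
    tag: int      # element ID (first byte)
    length: int   # declared length (second byte)
    value: bytes


def walk_tagged_parameters(buf: bytes) -> Tuple[List[Element], Optional[str]]:
    """Walk tag/length/value elements; stop at the first one that cannot fit.

    Returns the elements parsed so far and an error string, or None if the
    whole buffer was consumed cleanly. Hypothetical helper, not Wireshark code.
    """
    elements: List[Element] = []
    pos = 0
    while pos < len(buf):
        left = len(buf) - pos
        if left < 2:
            return elements, f"offset {pos}: truncated tag header ({left} byte left)"
        tag, length = buf[pos], buf[pos + 1]
        remaining = left - 2
        if length > remaining:
            return elements, (f"offset {pos}: tag {tag} length {length} is longer "
                              f"than remaining payload ({remaining} bytes)")
        elements.append(Element(pos, tag, length, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return elements, None


# Constructed sample (not taken from the capture in the post):
# SSID "test", DS Parameter Set channel 6, then element ID 97 (Channel Usage)
# declaring 175 bytes while only 10 bytes follow.
SAMPLE = bytes([0, 4]) + b"test" + bytes([3, 1, 6]) + bytes([97, 175]) + bytes(10)

if __name__ == "__main__":
    parsed, error = walk_tagged_parameters(SAMPLE)
    for e in parsed:
        print(f"tag {e.tag:3d} len {e.length:3d} value {e.value.hex()}")
    print("malformed:" if error else "ok", error or "")
```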