Peter Rabbitson wrote:

I am trying to capture only data packets from a 802.11b stream (no beacons, no control frames). Pages 50 and 51 of http://standards.ieee.org/getieee802/download/802.11-1999.pdf lead me to believe that I am looking for a packet with the first byte being 0001xxxx (in table 1 on page 51 the bit positions are listed in descending order). Hence I apply a filter 'wlan[0] & 0xF0 = 0x10' and I get nothing out. I try to capture beacons only (0000xxxx), so I do 'wlan[0] & 0xF0 = 0x0' and I get nothing again. I do 'wlan[0] & 0x0F = 0x0' and I get beacons; however, if I do 'wlan[0] & 0x0F = 0x1' I still don't get anything. Why this behavior? I understand somewhat the idea of endianness, however I suspect I am missing something more trivial.

b0 is the low-order bit, and b15 is the high-order bit, of a two-byte little-endian quantity.


A data frame might have, as its first two bytes, 0x08 and 0x01, in order.

As a 16-bit little-endian quantity, that'd be 0x0108, or

        0000000100001000

That'd be, reading from b15 down to b0:

        b15        0   Order
        b14        0   WEP
        b13        0   More Data
        b12        0   Pwr Mgt
        b11        0   Retry
        b10        0   More Frag
        b9         0   From DS
        b8         1   To DS
        b7..b4  0000   Subtype
        b3..b2    10   Type
        b1..b0    00   Version

Yes, that's the reverse of the way it's displayed on page 35 (PDF document page 51) of IEEE 802.11-1999 - I guess the order they're in on that page is the order in which they're put onto the wire^H^H^H^Hair, or something such as that, because humans tend to put the most significant digit on the left, not the right (even in languages written right-to-left, which causes lots of fun for developers of text processing firmware and software).

The low-order 8 bits of that 2-byte quantity contain the protocol version, frame type, and frame subtype; those bits are in the low-order byte, which would be wlan[0].

The type field is the two bits above the two low-order bits, which is a bitmask of 0x0C. The values in the table on page 36 (PDF document page 52) are given with the bits in the normal human order - for example, the type value is given as "b3 b2", rather than as "b2 b3" which is the order in Figure 13 on page 35. Thus, the value to test against in those two bits is "1 0"; that'd be 0x08, with bits b1 and b0 being 0.

Thus, the correct filter expression for 802.11 data frames is

        (wlan[0] & 0x0C) == 0x08

or, if you want to test the version number for 0 as well (as the version number is changed "only when a fundamental incompatibility exists between a new revision and the prior edition of this standard", which I infer means that the new revision could change the interpretation of the rest of the frame control field), that'd be

        (wlan[0] & 0x0F) == 0x08
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
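The following is an added example, not code from either poster: it decodes the Frame Control field exactly as the reply lays it out (b0 is the low-order bit of the first byte on the air) and evaluates the 'wlan[0] & mask = value' filters from the thread against a handful of constructed two-byte headers. The sample headers are made up for illustration, not captured traffic; the "QoS data" subtype is from 802.11e rather than the 1999 edition and is included only to show that the type mask still picks it up.

```python
"""Decode the IEEE 802.11 Frame Control field and evaluate
'wlan[0] & mask = value' style tcpdump filters against constructed headers."""

from dataclasses import dataclass

# Frame Control bit layout (IEEE 802.11-1999, Figure 13): b0 is the LSB of the
# first byte on the air, b15 the MSB of the second byte.
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}


@dataclass(frozen=True)
class FrameControl:
    version: int      # b1..b0
    ftype: int        # b3..b2
    subtype: int      # b7..b4
    to_ds: bool       # b8
    from_ds: bool     # b9
    more_frag: bool   # b10
    retry: bool       # b11
    pwr_mgt: bool     # b12
    more_data: bool   # b13
    wep: bool         # b14 (called "Protected Frame" in later revisions)
    order: bool       # b15


def parse_frame_control(frame: bytes) -> FrameControl:
    """Decode the first two bytes of an 802.11 frame as the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("need at least two bytes of 802.11 header")
    fc = int.from_bytes(frame[:2], "little")   # the low-order byte is wlan[0]
    return FrameControl(
        version=fc & 0x0003,
        ftype=(fc >> 2) & 0x0003,
        subtype=(fc >> 4) & 0x000F,
        to_ds=bool(fc & 0x0100),
        from_ds=bool(fc & 0x0200),
        more_frag=bool(fc & 0x0400),
        retry=bool(fc & 0x0800),
        pwr_mgt=bool(fc & 0x1000),
        more_data=bool(fc & 0x2000),
        wep=bool(fc & 0x4000),
        order=bool(fc & 0x8000),
    )


def bits_b15_to_b0(frame: bytes) -> str:
    """Render the field the way the reply draws it: b15 on the left, b0 on the right."""
    return format(int.from_bytes(frame[:2], "little"), "016b")


def wlan0_filter(frame: bytes, mask: int, value: int) -> bool:
    """Python equivalent of the tcpdump expression  'wlan[0] & mask = value'."""
    return (frame[0] & mask) == value


# Constructed sample headers (first two bytes only); not captured traffic.
SAMPLE_FRAMES = [
    ("beacon",                bytes([0x80, 0x00])),  # mgmt, subtype 8
    ("probe request",         bytes([0x40, 0x00])),  # mgmt, subtype 4
    ("RTS",                   bytes([0xB4, 0x00])),  # control, subtype 11
    ("ACK",                   bytes([0xD4, 0x00])),  # control, subtype 13
    ("data (To DS)",          bytes([0x08, 0x01])),  # the reply's own example
    ("QoS data (To DS, WEP)", bytes([0x88, 0x41])),  # 802.11e data subtype 8
    ("null data",             bytes([0x48, 0x00])),  # data subtype 4, no payload
]


def matching_frames(mask: int, value: int, frames=SAMPLE_FRAMES) -> list:
    """Names of the sample frames that 'wlan[0] & mask = value' would pass."""
    return [name for name, hdr in frames if wlan0_filter(hdr, mask, value)]


if __name__ == "__main__":
    for name, hdr in SAMPLE_FRAMES:
        fc = parse_frame_control(hdr)
        print(f"{name:24s} {bits_b15_to_b0(hdr)}  {FRAME_TYPES[fc.ftype]}/{fc.subtype}"
              f"  ToDS={int(fc.to_ds)} FromDS={int(fc.from_ds)} WEP={int(fc.wep)}")
    print("wlan[0] & 0xF0 = 0x10 ->", matching_frames(0xF0, 0x10))  # the original attempt
    print("wlan[0] & 0x0F = 0x00 ->", matching_frames(0x0F, 0x00))  # every management frame
    print("wlan[0] & 0xFC = 0x80 ->", matching_frames(0xFC, 0x80))  # beacons only
    print("wlan[0] & 0x0C = 0x08 ->", matching_frames(0x0C, 0x08))  # every data frame
```

Running it makes the thread's observations concrete: 'wlan[0] & 0xF0 = 0x10' tests the subtype nibble for 1 regardless of type, which none of the common frames carry, so it matches nothing; 'wlan[0] & 0x0F = 0x0' passes every version-0 management frame (probe requests as well as beacons), and a beacon-only filter needs the subtype too, i.e. 'wlan[0] & 0xFC = 0x80'. Note also that the data-frame filter '(wlan[0] & 0x0C) == 0x08' passes null-data frames, which carry no payload; exclude subtype 4 separately if that matters for the capture. Current libpcap additionally accepts the keywords 'wlan type data' and 'wlan type mgt subtype beacon', which compile to the same byte-and-mask tests.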