On Mar 8, 2012, at 4:47 PM, abhinav narain wrote:
> hi,
> I have seen tcpdump,wireshark both just print packet contents till mac
> header in monitor mode.
> In case of normal wireless interfaces (wlan0), they follow a different
> execution path.
> Can someone tell me what should I expect in the the frame after
> ieee80211_hdr (which comes after the radiotap header) ?
> According to my knowledge, I assume if the control frame bit with
> Is it an llc header with a general format :
> struct llc_hdr {
> uint8 dsap;
> uint8 ssap;
> struct {
> uint8 ui;
> uint8 org_code[3];
> uint16 ether_type;
> } snap;
> };
> so that i can jump it and get the ip header ?
Oh, and one more thing:
Some network adapters, when running in a mode where they supply an 802.11
header (such as monitor mode), put some padding in between the 802.11 header
and the payload, so the 802.2 LLC header in a data frame might not immediately
follow the 802.11 header (regardless of whether the payload is encrypted or
not). The radiotap header includes a flag for that - it's the 0x20 flag bit in
the Flags field:
http://www.radiotap.org/defined-fields/Flags
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
