Sten Daniel Soersdal wrote:
> Hi, i'm a new Wireshark user, old time Ethereal user.
Same program, just a different name.
> I noticed Wireshark cannot read properly the capture files captured by
> routeros (www.mikrotik.com).
Either that, or RouterOS isn't properly *writing* the capture files.
> It is only the 'radiotap header' that
> displays incorrectly.
>
> The packets' radiotap header shows:
>
> Header revision: 0
> Header pad: 0
> Header lenght: 14
>
> The data fields are not padded for WORD aligned like Wireshark seems to
> expect,
Wireshark expects it because that's how the radiotap header is *DEFINED*
to work. To quote the NetBSD man page for radiotap (the emphasis in the
quote is from the man page):
http://netbsd.gw.com/cgi-bin/man-cgi?ieee80211_radiotap+9+NetBSD-current
Radiotap capture fields *must be naturally aligned*. That is, 16-,
32-, and 64-bit fields must begin on 16-, 32-, and 64-bit boundaries,
respectively. In this way, drivers can avoid unaligned accesses to
radiotap capture fields. radiotap-compliant drivers must insert padding
before a capture field to ensure its natural alignment.
radiotap-compliant packet dissectors, such as tcpdump(8), expect the
padding.
The change to the Wireshark dissector to make it be radiotap-compliant,
and expect the padding, was made because David Young, one of the (if not
the) originator of the radiotap header, pointed out that it was required.
> Is anyone perhaps interested in adding this support?
I have no interest in breaking the radiotap dissector by making it
assume no padding. If there's a *reliable* mechanism for detecting
RouterOS's broken radiotap header, I'd be willing to accept a patch from
somebody for that, but I don't want to lose any ability to read correct
radiotap files.
The right fix is to RouterOS, to have it pad the data fields correctly;
complain to MikroTik.
_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users