This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I decode my mobile capture?

0

Hi,

I have this problem. To try and figure out what the problem is I have created two dumps, one over Wifi and one over 3G / HSDPA by running tcpdump on the Android device.

The Wifi dump is decoded by Wireshark no problem.

Wifi

But the 3G dump isn't very helpful.

3G / HSDPA

Does anyone know how I can get Wireshark to decode this data so I can figure out what the problem might be?

Thanks,

Ken

asked 15 Apr '12, 22:42


unclekennybobs
1111
accept rate: 0%

Can you provide a sample trace, e.g. on CloudShark, with the 3G capture?

(16 Apr '12, 06:42) Landi

Not really. It will contain private data. I'll have a look though and will update if I get a decent trace. Thanks.

(16 Apr '12, 09:54) unclekennybobs

One Answer:

0

Unfortunately, it appears that either tcpdump, libpcap, or the network software on your Android machine is buggy; the packets in the 3G capture almost certainly do NOT have an Ethernet packet header, but the capture file has a link-layer header type of "Ethernet".

The capture appears not to have any link-layer headers - the first octet of each packet is 0x45, which strongly suggests an IPv4 header ("4" for the IP version, "5" for the header length in 4-byte units, hence 20 bytes, which is the length of an IPv4 header with no options).

This is a common problem on Android - for various annoying reasons having to do, apparently, with DHCP software, some mobile-phone-network interfaces supply ARPHRD_ETHER as their ARPHRD_ type, rather than ARPHRD_NONE, even though they supply packets with no link-layer header.

I've checked into the trunk of libpcap a hack to work around this by checking the interface name. Hopefully that will end up in libpcap on various Android devices and make this problem show up less often.

The hack handles this the only way I know how to do so, namely to check the interface name against names known to have this problem. What was the name of the interface on which you captured the traffic?

answered 16 Apr '12, 11:01


Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 21 Mar '14, 11:18
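
The check described in the answer above, as an added example (not code from the answer, libpcap or Wireshark): it reads a classic pcap file, tests whether a capture tagged as Ethernet has packets that all begin like an IP header, and returns a copy retagged as raw IP (LINKTYPE_RAW, 101). The function names and sample bytes are constructed for illustration; it goes slightly beyond the answer by also accepting an IPv6 first nibble of 6 and IPv4 headers with options.

```python
import struct

LINKTYPE_ETHERNET = 1   # what the mislabelled capture claims
LINKTYPE_RAW = 101      # packets start directly with an IPv4/IPv6 header

def endian(pcap):
    """Byte order of a classic pcap file, from its magic number."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not handled)")

def first_octets(pcap):
    """Return (link-layer type, first octet of every non-empty packet)."""
    e = endian(pcap)
    linktype = struct.unpack_from(e + "I", pcap, 20)[0] & 0xFFFF
    octets, off = [], 24
    while off + 16 < len(pcap):
        incl_len = struct.unpack_from(e + "I", pcap, off + 8)[0]
        if incl_len:
            octets.append(pcap[off + 16])
        off += 16 + incl_len
    return linktype, octets

def looks_headerless(pcap):
    """Heuristic: claims Ethernet, yet every packet starts like an IP header."""
    linktype, octets = first_octets(pcap)
    def ip_start(o):  # 0x45..0x4f: IPv4 with IHL >= 5; 0x6_: IPv6
        return (o >> 4 == 4 and o & 0x0F >= 5) or o >> 4 == 6
    return linktype == LINKTYPE_ETHERNET and bool(octets) and all(map(ip_start, octets))

def retag_as_raw(pcap):
    """Copy of the capture with only the header's link-layer type changed."""
    e = endian(pcap)
    field = struct.unpack_from(e + "I", pcap, 20)[0]
    out = bytearray(pcap)
    struct.pack_into(e + "I", out, 20, (field & 0xFFFF0000) | LINKTYPE_RAW)
    return bytes(out)

def build_sample_capture(linktype, packets):
    """Constructed sample data: a little-endian pcap built in memory."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

# Constructed 20-byte IPv4 header (first octet 0x45) and an Ethernet frame around it.
RAW_IP = bytes.fromhex("4500001400000000400600000a0000010a000002")
ETHER = bytes.fromhex("0200000000010200000000020800") + RAW_IP
```

To use it on a real file, read the bytes with `open(path, "rb").read()`, and write the result of `retag_as_raw` to a new file rather than overwriting the original capture.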