In Wireshark Version 1.8.2, I tried Edit -> Preferences... -> Columns -> Press "Add" button -> As "Field type" I choose "IEEE 802.11 RSSI" and finally I choose name "RSSI" and click on "Apply" button. The column appeared but there are no values in the column. After reading (http://ask.wireshark.org/questions/14963/how-to-get-the-field-did-unknown-4041-into-the-column), I compiled Wireshark Version 1.8.5 from source but still no values are appearing. The data was previously collected using pcap and I'm now opening it in Wireshark, how can I view the RSSI values ? asked 11 Feb '13, 06:11  heidi-ann |
2 Answers:
You're assuming the values are there to view. Note, first of all, that IEEE Std 802.11-2012 uses "RSSI" in at least two different senses:
There is no field in the set of defined radiotap fields that corresponds to the first of those two meanings; there are only fields that correspond to the signal strength as dB from an arbitrary point (useful only for comparing with other dB values on the same interface, as the arbitrary point may be different for different adapters but will be the same for all packets from the same adapter), and as dB relative to 1 milliwatt. The latter is the second of those two meanings. If your pcap has radiotap headers, then, with current versions of Wireshark, those values will be shown in the RSSI column, followed by "dB" or "dBm". Most *BSD and Linux drivers use radiotap, so, if you're capturing on FreeBSD, NetBSD, DragonFly BSD, or Linux, those are the values you will get. OpenBSD is using their own incompatible version of radiotap, which uses a defined value for another field for RSSI. I don't know whether Wireshark supports that. OS X drivers also use radiotap as one form of radio data. If your pcap has PPI headers, which are supported by AirPcap devices on Windows and with at least some drivers on some versions of OS X, those also only supply the RSSI as dBm. If your pcap has AVS headers, they might provide either "raw" RSSI values in the sense of the first definition, "normalized" versions of those values scaled to a range of 0-1000, or dBm values. Those will also be displayed in the RSSI column. If your pcap has Prism headers, they might also provide an RSSI value. All of those header formats allow a driver not to supply signal strength values, so the adapter or its driver might not be supplying them, in which case you can't see them in the capture. In addition, on Linux and OS X, you won't get any radio information unless the capture was done in monitor mode. So, unless the packet details show a radiotap, AVS, PPI, or Prism header, and that header includes an signal strength value, your pcap doesn't have any signal strength information in it to show, and there's nothing that Wireshark can do to show it. If your reference to this question means that you have Prism headers in your pcap (that's what the question is about), then note that no driver I saw for Linux that supplies Prism headers supplies any sort of signal strength indicator; in that case, you may have a network adapter that doesn't supply signal strength values to the host, or a driver for that adapter that doesn't supply those values in captured packets. What hardware were you doing this capture on, and what software was it running (if it's a Linux distribution, say which one)? answered 11 Feb '13, 18:39  Guy Harris ♦♦ edited 15 Feb '13, 11:48 |
As @Guy Harris said, maybe there are no RSSI values in your capture file. Please try the following capture file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Http.cap Now you should see RSSI values in the column (I do see the values with Wireshark 1.8.4 on Windows XP). If you still don't see those values on your system, please report back. BTW: Do you see a PPI header (next to the frame header) in your capture file? Regards answered 12 Feb '13, 04:21  Kurt Knochner ♦ edited 12 Feb '13, 04:22 Note that PPI headers are not guaranteed to contain an "RSSI" value, in the sense of a value described in the specification as "RSSI", or in the sense of "a value between 0 and RSSI_Max" - they contain dBm values, but not raw RSSI values, in captures on my MacBook Pro. (12 Feb '13, 12:11) Guy Harris ♦♦ Well, that's another problem ;-) (12 Feb '13, 12:14) Kurt Knochner ♦ |
I've now tried compiling wireshark-1.9.0-SVN-47630.tar.bz2 from http://www.wireshark.org/download/automated/src/ but that failed so now I'm trying wireshark-1.9.0-SVN-47626.tar.bz2
I've compiled wireshark-1.9.0-SVN-47626.tar.bz2 from source and there are still no RSSI values
Nobody here suggested compiling newer versions, because no matter WHAT version you compile, if you captured on an adapter the driver for which supplies radiotap, you will not get RSSI values, as those drivers do not something called "RSSI". They supply signal strength indicators in decibels; see my answer to your question. For PPI or AVS headers, they might provide RSSI values, or they might not.