A WLAN capture executed in monitor mode shows lots of wireless retransmissions occuring. Editcap is not able to remove the duplicates since the packets are not actually duplicates, the radiotap header changes for each packet. Could it be possible to improve editcap to specify from which header the duplicate analysis should be done? E.g. look for duplicates while ignoring header X,Y,Z (in decapsulation order). I filed bug 8511 but would like to have some input from the community. asked 21 Mar '13, 12:24  yul_analyzer |
One Answer:
Yes, that would be possible, but the code needs to be written by someone taking an interest in this functionality. answered 21 Mar '13, 13:07  SYN-bit ♦♦ |
Regarding the specific issue of ignoring/removing wireless retransmissions, the tshark "-y RAW" option will not capture the radiotap header hence creating real duplicates for retransmissions that can be easily removed with editcap afterwards.