The file format in http://wiki.wireshark.org/Development/LibpcapFileFormat has no field for rate or channel of the packets sniffed; I was wondering how Wireshark extracts that information. Also please point me to how Wireshark calculates the FCS for each packet. Thank you. asked 13 Sep '13, 16:41 emma
One Answer:
It also has no field for the Ethernet address or type fields, or the PPP address and type fields, or the 802.11 frame control and address fields, or.... :-) Per-link-layer type metadata, such as 802.11 radio information, is provided in "pseudo-headers" that are supplied as part of the packet data. The most common format for 802.11 radio information in pcap (and pcap-ng) files is the radiotap format, but there are some others that may be seen as well. See the tcpdump.org list of link-layer header types for details.
If the capture data includes the FCS, Wireshark uses a 32-bit CRC routine (that routine is part of Wireshark) to calculate what the FCS should be, and compares that with the actual CRC to see whether there's a CRC error. answered 13 Sep '13, 17:52 Guy Harris ♦♦
I am wondering how I can get the packet airtime in microseconds, not the beginning (timestamp); I mean the length of the packet, but in microseconds.
Well, if you're willing to calculate it based on the packet length and the packet data rate (as, for example, SkyBlueTero does; see the tshark command it runs in filter.py), you could parse the radiotap header (if present), looking for the data rate field, and use that, along with the packet length field from the packet's pcap header. (If the packet doesn't have a radio metadata header that gives the data rate, you can't do it).
That is exactly what I was trying to do, and I noticed that some pcap files don't have the radiotap header. Thank you so much, you have been a great help :)
If they start with an Ethernet header, they were probably not captured in monitor mode; on most OSes, you can only get radio information (and 802.11 headers rather than fake Ethernet headers) in monitor mode.
If they start with an 802.11 header, whoever captured it probably explicitly asked for just 802.11 headers without radiotap headers.
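The approach described in the answer and comments above, worked through as an added example (this is not code from the thread, from Wireshark or from SkyBlueTero): read the pcap global header to find the link-layer type, reject files that do not carry a radiotap header, walk the radiotap present bitmap to the Rate field, estimate the frame's airtime from the captured length and the rate, and recompute the FCS with CRC-32 when the radiotap Flags field says the FCS is included. The pcap file is constructed inline for the demonstration; the airtime figure is the bare payload time (bits divided by rate) and ignores preamble and PLCP overhead, and only the first record of a classic (non pcap-ng) file is examined.

```python
import struct
import binascii

# Link-layer header types from the tcpdump.org list.
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105            # bare 802.11 headers, no radio metadata
LINKTYPE_IEEE802_11_RADIOTAP = 127   # radiotap pseudo-header, then 802.11 frame

RADIOTAP_FLAGS = 1 << 1      # present-bit for the Flags field (u8)
RADIOTAP_RATE = 1 << 2       # present-bit for the Rate field (u8, units of 500 kbps)
FLAG_FCS_PRESENT = 0x10      # Flags bit: the captured frame ends with its 4-byte FCS

# Radiotap fields this example knows: present-bit -> (size, natural alignment).
# TSFT (u64), Flags (u8), Rate (u8), Channel (u16 freq + u16 flags).
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2)}


def build_sample_pcap(rate_500kbps, body, good_fcs=True):
    """Constructed sample input: a little-endian pcap with one radiotap record."""
    fcs = binascii.crc32(body) & 0xFFFFFFFF
    if not good_fcs:
        fcs ^= 0xFFFFFFFF                      # corrupt the FCS on purpose
    frame = body + struct.pack("<I", fcs)       # FCS is carried little-endian
    present = RADIOTAP_FLAGS | RADIOTAP_RATE
    # version 0, pad, total radiotap length (8 + Flags + Rate = 10), present bitmap
    radiotap = struct.pack("<BBHI", 0, 0, 10, present) + bytes([FLAG_FCS_PRESENT, rate_500kbps])
    pkt = radiotap + frame
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    rhdr = struct.pack("<IIII", 1379115660, 0, len(pkt), len(pkt))  # ts_sec, ts_usec, incl, orig
    return ghdr + rhdr + pkt


def parse_radiotap(pkt):
    """Return (radiotap_length, {present_bit: raw_field_bytes}) for known fields."""
    version, _pad, length, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or length > len(pkt):
        raise ValueError("malformed radiotap header")
    off = 8
    ext = present
    while ext & (1 << 31):                     # bit 31 chains another present word
        (ext,) = struct.unpack_from("<I", pkt, off)
        off += 4
    fields = {}
    for bit in range(29):                      # fields follow in ascending bit order
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break                              # unknown size/alignment: stop walking
        size, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align
        fields[bit] = pkt[off:off + size]
        off += size
    return length, fields


def analyse_first_record(data):
    """Rate, estimated airtime and FCS status of the first packet in a classic pcap."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"                                # 0xa1b2c3d4 written by a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcap-ng is not handled here)")
    _magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from(e + "IHHiIII", data, 0)
    if linktype in (LINKTYPE_ETHERNET, LINKTYPE_IEEE802_11):
        raise ValueError("no radiotap header in this capture, so no data rate or airtime")
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("unsupported link-layer type %d" % linktype)
    _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, 24)
    pkt = data[40:40 + incl_len]
    rt_len, fields = parse_radiotap(pkt)
    frame = pkt[rt_len:]                       # the 802.11 frame itself (FCS included if flagged)
    rate_byte = fields.get(2, b"\x00")[0]
    if rate_byte == 0:
        raise ValueError("radiotap header carries no usable Rate field")
    rate_mbps = rate_byte * 0.5
    result = {
        "frame_len": len(frame),
        "rate_mbps": rate_mbps,
        "airtime_us": len(frame) * 8 / rate_mbps,   # bits / Mbps == microseconds
        "fcs_ok": None,                             # None: FCS not present, nothing to check
    }
    flags = fields.get(1, b"\x00")[0]
    if flags & FLAG_FCS_PRESENT and len(frame) >= 4:
        body, (fcs,) = frame[:-4], struct.unpack("<I", frame[-4:])
        result["fcs_ok"] = (binascii.crc32(body) & 0xFFFFFFFF) == fcs
    return result


# Constructed 802.11 data frame: 24-byte MAC header plus 4 payload bytes.
SAMPLE_BODY = (b"\x08\x01\x00\x00" + b"\x00\x11\x22\x33\x44\x55" * 3 + b"\x10\x00"
               + b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    print(analyse_first_record(build_sample_pcap(2, SAMPLE_BODY)))    # 1 Mbps, good FCS
    print(analyse_first_record(build_sample_pcap(108, SAMPLE_BODY, good_fcs=False)))  # 54 Mbps, bad FCS
```

The 32-byte sample frame (28 bytes plus FCS) at 1 Mbps comes out at 256 µs of payload time; at 54 Mbps the same frame is about 4.74 µs. A file whose link-layer type is Ethernet or bare 802.11 is rejected up front, which is exactly the situation the comment about captures without a radiotap header describes.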