Hi, I'm using wireshark on Ubuntu 14.04 to decode wifi frames. I'm trying to decode the wifi frames between an AP and a windows PC acting as a wireless client, with wireshark under ubuntu running on a third, monitor pc. The wireless windows PC streams a youtube video. Wireshark is decoding QOS DATA frames from the wireless windows PC to the AP down to the TCP/IP level (see the attached screenshot frames 21281 and 21288). HOWEVER ALL QOS DATA FRAMES FROM THE AP TO THE WIRELESS WINDOWS PC (including the video data being streamed from youtube) ARE SHOWN BY WIRESHARK AS HAVING FCS ERRORS and hence are not being decoded by Wireshark. In fact, if I enter "TCP" into the display filter box and click apply, THERE ARE NO TCP FRAMES SHOWN GOING FROM THE AP TO THE WINDOWS CLIENT. All QOS DATA frames from the AP to the wireless windows client are shown by Wireshark as having FCS errors. I have enclosed a screenshot of wireshark showing the invalid FCS in a frame sent from the AP to the wireless windows station, frame 21285. See the screenshot at: https://onedrive.live.com/redir?resid=69BDC460109C8BE9!2182&authkey=!ABBDYPBcyDhnu30&v=3&ithint=photo%2c.png I have tried this with with two different APs, a TP-Link router and a comcast xfinity router, and I've gotten the same result. I have tried to google this and come up with no mention of anything like this anywhere. Has anybody else encountered this phonomenon? Why is Wireshark showing every QOS DATA frame from the AP to the Windows PC as having an invalid FCS? Thanks, Dave P.S. Just for clarity, note that I CAN DECRYPT THE SAMPLE CAPTURE FILE mentioned in the wireshark wi-fi wiki decrypt page down to TCP/IP and I do see 2-way traffic being decrypted. I'm capturing the wi-fi packets with wireshark on Ubuntu using monitor mode, the 4 EAPOL messages from attachment were captured, and the wireshark WPA2 decrypt information (ssid and password) are correclty configured in wireshark properties. asked 01 Jul '14, 01:20  dave444 edited 01 Jul '14, 01:22 |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Do the packets in question have a radiotap header? If so, do they have a "Flags" field in the radiotap header and, if so, what are the values of the "FCS at end" and "Data pad" bits in the flags?
Hi,
Thank you for trying to help me. FCS at end is TRUE, Data Pad is FALSE, and Bad FCS is FALSE.
I included a wireshark screenshot of this portion of the decode of the wifi QoS Data frame.
Any help would be appreciated.
I found one link that seems to be a reference to the same problem: http://comments.gmane.org/gmane.network.wireshark.user/8147
Thanks, Dave
Here's the Wireshark screenshot showing FCS at end and Data Pad: https://onedrive.live.com/redir?resid=69BDC460109C8BE9!2184&authkey=!AIZAf_09RnNmOtk&v=3&ithint=photo%2c.jpg
I don't know what else to try. Can anybody from Wireshark tech support help me?
This is the line in the decode which indicates FCS error: 802.11 FCS: 0x32a42587 [incorrect, should be 0x334ac306]
I've had this same problem running wireshark on ubuntu on 2 other PCs and 2 different routers and Ubuntu versions 12.04 and 14.04, and 3 wireless adapters.
Could the routers (2 different routers) really be putting out frames with FCS errors? When I capture the wifi traffic as if it were pseudo-ethernet (where some fields of the wifi header are mapped by wireshark into the ethernet frame fields for display), there are no FCS errors.
Thanks, Dave