I downloaded a simple 802.11 beacon frame from link. The first few bytes in the frame/packet are 8000 0000 ffff ffff ffff 0013 460b 22ba 0013 460b 22ba 8054. The question is, how does Wireshark know it's not an ordinary Ethernet frame? Do the first two bytes "80 00" give Wireshark a clue? Thanks.

asked 09 May '15, 07:48 pktUser1001
One Answer:
Just found that the pcap file header (24) has a field for data-link-type; this value will give Wireshark a clue on how to decode the packet.

answered 09 May '15, 07:52 pktUser1001
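The point made in the answer, as an added example that is not part of the original post: a Python sketch that reads the link-type field from a classic pcap file header and shows the question's bytes being interpreted differently depending on that value alone. The capture is constructed in memory from the bytes quoted in the question, the helper names are hypothetical, and the link-type values 1 (Ethernet) and 105 (802.11) are taken from the tcpdump.org LINKTYPE_ registry.

```python
import struct

# Link-layer header types from the tcpdump.org LINKTYPE_ registry.
LINKTYPE_ETHERNET, LINKTYPE_IEEE802_11 = 1, 105
# Magic number as stored on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond timestamps
# Constructed sample: the 24 frame bytes quoted in the question.
FRAME = bytes.fromhex("80000000ffffffffffff0013460b22ba0013460b22ba8054")

def build_pcap(linktype, frame):
    """Constructed little-endian capture holding one packet record."""
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return file_hdr + rec_hdr + frame

def read_linktype(data):
    """Return (byte_order, linktype) from the 24-byte pcap file header."""
    if len(data) < 24:
        raise ValueError("truncated pcap file header")
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    network = struct.unpack(order + "I", data[20:24])[0]
    return order, network & 0xFFFF   # low 16 bits hold the link type

def first_packet(data, order):
    """Return the bytes of the first packet record."""
    incl_len = struct.unpack(order + "I", data[32:36])[0]
    pkt = data[40:40 + incl_len]
    if len(pkt) != incl_len:
        raise ValueError("truncated packet record")
    return pkt

def describe(pkt, linktype):
    """Interpret the same bytes the way the declared link type dictates."""
    if linktype == LINKTYPE_IEEE802_11:
        fc = pkt[0]   # first Frame Control byte: version, type, subtype
        return "802.11 type=%d subtype=%d" % ((fc >> 2) & 3, fc >> 4)
    if linktype == LINKTYPE_ETHERNET:
        dst = ":".join("%02x" % b for b in pkt[:6])
        return "Ethernet dst=%s ethertype=0x%04x" % (dst, int.from_bytes(pkt[12:14], "big"))
    return "linktype %d not handled in this example" % linktype

def decode(data):
    order, linktype = read_linktype(data)
    return describe(first_packet(data, order), linktype)

if __name__ == "__main__":
    for lt in (LINKTYPE_IEEE802_11, LINKTYPE_ETHERNET):
        print(lt, decode(build_pcap(lt, FRAME)))
```

With link type 105 the leading 0x80 is read as Frame Control type 0 (management), subtype 8 (beacon); with link type 1 the same bytes are read as an Ethernet destination address, so the frame bytes themselves do not select the decoder.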