This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

All Packets Malformed in Network Monitor 802.11 capture

0

I have been attempting to sniff the wifi transactions between two devices using monitor mode. I am running windows 10 currently (same issues on win7 tho), with wireshark 1.12.7. I have the airPcap library from the latest acrylic wifi release. Using either of my two wifi to usb devices (rnx-g1 and zew2500p) I appear to be able to sniff the transactions, but they are all malformed. Does anyone know what would cause this, and how it can be fixed? See the image below. alt text

asked 15 Oct '15, 10:37

phillipvanoss's gravatar image

phillipvanoss
6113
accept rate: 0%

edited 16 Oct '15, 12:41

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

Link does not work.

(15 Oct '15, 11:01) Christian_R

Try this one http://imgur.com/JqBOjwA

(15 Oct '15, 11:05) phillipvanoss

Hiding trhe details of the frame in the screenhot does not help to give you an answer!

(15 Oct '15, 11:35) Kurt Knochner ♦
1

So did you capture the trace from the image above with Wireshark or with Microsoft Network Monitor?

(15 Oct '15, 14:21) Guy Harris ♦♦

This particular capture was done with Microsoft Network Monitor and then opened in Wireshark.

(16 Oct '15, 05:48) phillipvanoss

One Answer:

0

So AirPcap is irrelevant to this, as it wasn't used to capture the traffic.

Either Microsoft or the vendors of 802.11 drivers for Windows do a really bad job of consistently providing, or not providing, the FCS for frames. If you could file a bug on the Wireshark Bugzilla for this and, ideally, attach the capture file to the bug, we might be able to try to find something in the capture file to indicate whether frames have an FCS or not. To quote a comment in the code for Network Monitor files:

             * It appears to be the case that management
             * frames (and control and extension frames ?) may
             * or may not have an FCS and data frames don't.
             * (Netmon capture files have been seen for this
             *  encapsulation having management frames either
             *  completely with or without an FCS. Also: instances have been
             *  seen where both Management and Control frames
             *  do not have an FCS).
             * An "FCS length" of -2 means "NetMon weirdness".

answered 16 Oct '15, 12:40

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%