This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to see a wireless packet as different radio packets

0

Hi, I have a network setup only via wifi composed by 1 smartphone, 1 wifi router and 1 wireless device. The smartphone is sending a broadcast in the network, but sometimes doesn't reach my wireless device. I can see the broadcast in wireshark( captured with Airpcap) but I can't tell if my wifi router firewall did allow the broadcast to pass by to my device or not. In other words, how can I see that broadcast as 2 radio transmission(from phone to wifi router and from wifi router to device) instead of 1 that I'm seeing. Thanks

asked 22 Jan '16, 06:32

cristibalint91's gravatar image

cristibalint91
11114
accept rate: 0%


One Answer:

1

Use monitoring mode at your PC's wireless network adapter, which requires some pre-requisities to exist. See this link for further details; don't even bother opening it if you cannot use any other than Windows-running PC, as you'd need a specialized capture hardware in such case.

Sorry, I haven't noticed you already do have the Airpcap. Since Airpcap always runs in monitor mode, the fact that you can see only a single occurrence of the broadcast packet should indicate that the AP has not forwarded it. Can you check the transmitter MAC address and source MAC address match in the 802.11 frame you can see? If they do (which I suppose), it is the frame sent from the phone; if they differ, it is the frame forwarded by the AP (so the source address is the one of the phone and the transmitter address is the one of the AP).

answered 22 Jan '16, 07:51

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 22 Jan '16, 13:56

Thanks for the answer, you are right, that is the logic I'm using too, but the problem is that there is no difference between the times it works and it doesn't work. I can see that TA and SA are the same but I can't see the same packet once with RA == router MAC and second with RA == device MAC. Is there a setting need to be done in Wireshark to do this?

(27 Jan '16, 04:10) cristibalint91
1

To my best knowledge, no setting is necessary.

But in the case you've talked about, i.e. when the destination MAC address is a broadcast one, both wlan.da and wlan.ra are ff:ff:ff:ff:ff:ff for both frames (source device -> AP as well as AP -> all devices). So you have to look only at wlan.sa and wlan.ta in this case - if they match, it is the source frame (sent by the source device), if they don't match, it is the re-translated frame (re-sent by the AP).

I've just double-checked for a DHCP discover in a sample capture (no Apple, no Linux with WLAN, no AirPcap at my side).

Can you publish the capture(s) of both cases somewhere and post the link(s) to it (them) here? If you use encryption, you'll probably want to change your usual WPA passphrase before capturing and publishing the decryption information.

I would look for Rx level etc. as seen by the AirPcap for packets from different sources. I mean, are you sure you can see both frames, i.e. that the device or the AP are not so weak that the AirPcap would fail to demodulate one of the frames?

(27 Jan '16, 04:44) sindy