This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: How to get the wlan management frame payload

0

I am trying to extract the complete wlan_mgt portion of a frame from a saved capture file using tshark. What is interesting is that using the field "data" will dump the data layer of a data frame, but using the field "wlan_mgt" just prints the text "wlan_mgt" in the output, although it is accepted by tshark as a valid field.

Using command:

$ tshark -r wpa.full.cap -2 -O wlan -T fields -e wlan.fc.type -e wlan.fc.subtype -e wlan.fcs_good -e wlan_mgt -e data -E separator=,

I get:

0,8,,wlan_mgt,
0,4,,wlan_mgt,
0,5,,wlan_mgt,
0,11,,wlan_mgt,
0,11,,wlan_mgt,
0,0,,wlan_mgt,
0,1,,wlan_mgt,
2,0,,,
2,0,,,
2,0,,,
2,0,,,
2,0,,,3e71a281c4c01e01f06998bc85cb64a3189f078ab63f9a4e7a09765f5e8fa2d4f3b3db4a3fc0eeb7afc74317a502f8c5e25979800f93501534bd29a28f730763f7eea056cb18988973e786ad2ede9e5f071d16ae9de80bdd80d142ce0734f4159701299da1c983e45f5f0f05bf5adf3bf8924b6b79c9693276058b339246adacc874ab71f74fba491eaa0a4676a58f8962e95005f22ba1

asked 04 Feb '16, 12:14


Ted Wards

edited 04 Feb '16, 12:42


One Answer:

1

using the field "data" will dump the data layer of a data frame

Not necessarily:

$ tshark -V -r ~/captures/802.11/llc.cap
Frame 1: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
    Encapsulation type: IEEE 802.11 Wireless LAN (20)
   ...

IEEE 802.11 Data, Flags: ..m...F.
    Type/Subtype: Data (0x0020)
    Frame Control Field: 0x0822
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        0000 .... = Subtype: 0
        Flags: 0x22
            .... ..10 = DS status: Frame from DS to a STA via AP(To DS: 0 From DS: 1) (0x2)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..1. .... = More Data: Data is buffered for STA at AP
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .000 0000 0000 0000 = Duration: 0 microseconds
    Receiver address: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Transmitter address: <censored>
    Source address: <censored>
    BSS Id: <censored>
    STA address: Broadcast (ff:ff:ff:ff:ff:ff)
    .... .... .... 0101 = Fragment number: 5
    0000 0000 1010 .... = Sequence number: 10
Internetwork Packet eXchange
    Checksum: 0xffff
    Length: 40 bytes
    Transport Control: 0 hops
    Packet Type: RIP (0x01)
    Destination Network: 6 (0x00000006)
    Destination Node: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination Socket: RIP (0x0453)
    Source Network: 6 (0x00000006)
    Source Node: <censored>
    Source Socket: RIP (0x0453)
IPX Routing Information Protocol
    RIP packet type: Response (2)
    Route Vector: ABBAABBA (0xABBAABBA)
        Hops: 1
        Ticks: 111 ms

     ...

$ ./tshark -T fields -e data -r ~/captures/802.11/llc.cap

$

Using the field “data” will dump anything shown as the protocol “data”, which is anything that can’t be dissected in any other fashion. Encrypted (WEP, WPA/WPA2) 802.11 payloads would be dissected as “data” if they can’t be decrypted, but any unencrypted 802.11 payload won’t be dissected as “data”, nor will any encrypted payloads that Wireshark/TShark can decrypt.

The management frames are probably not encrypted in your capture, and are therefore dissected as management frames, not as “data”, so “data” won’t show them.

There appears to be some inconsistency in the way “-T fields” handles “fields” that are protocols - “frame” shows the top-level line in the display of frame, “ipx”/“ipxrip”/“wlan_mgt”/etc. show the protocol’s “filter name”, and “data” shows the data. File a bug on this.

answered 04 Feb '16, 12:46


Guy Harris ♦♦

Yes. In my example, the data frames (wlan.fc.type=2) which do not show any data carry the EAPOL protocol and therefore have no "data" layer (or protocol). The last frame is an encrypted frame, so it does have the "data" layer (or protocol). It would be nice to have a consistent way to extract the byte string of all layers or protocols as well as the full frame. I guess I am blocked for now trying to do what I need with tshark.

(05 Feb '16, 03:58) Ted Wards

Thanks for filing bug 12086 on this.

(05 Feb '16, 11:39) Guy Harris ♦♦
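Since "-T fields -e wlan_mgt" prints only the filter name, one way to get the management-frame body the question asks for is to slice it out of the raw frame yourself. The following is an added example, not code from the question, the answer or the Wireshark project: it decodes the Frame Control byte pair the way the -V output above shows it, computes the MAC header length, and returns the body (the wlan_mgt bytes for a type-0 frame). The sample beacon bytes, the BSSID 02:00:00:00:00:01 and the FCS value are constructed; HT Control is assumed absent.

```python
MGMT, CTRL, DATA = 0, 1, 2

def parse_frame_control(fc: bytes) -> dict:
    """Decode the 2-byte Frame Control field in wire order (byte 0 = version/type/subtype)."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0x03,
        "type": (b0 >> 2) & 0x03,
        "subtype": (b0 >> 4) & 0x0F,
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_data": bool(b1 & 0x20),
        "protected": bool(b1 & 0x40),
    }

def wlan_body(frame: bytes, has_fcs: bool = True) -> bytes:
    """Return the body after the MAC header (the wlan_mgt bytes for a type-0 frame).
    Assumption: no HT Control field is present."""
    fc = parse_frame_control(frame[:2])
    if fc["type"] == CTRL:
        raise ValueError("control frames carry no body")
    hdr = 24                                   # FC, Duration, Addr1-3, Sequence Control
    if fc["type"] == DATA and fc["to_ds"] and fc["from_ds"]:
        hdr += 6                               # Address 4 (WDS frames)
    if fc["type"] == DATA and fc["subtype"] & 0x08:
        hdr += 2                               # QoS Control (QoS Data subtypes)
    end = len(frame) - 4 if has_fcs else len(frame)
    if end < hdr:
        raise ValueError("frame shorter than its MAC header")
    return frame[hdr:end]

def beacon_ies(body: bytes) -> dict:
    """Map IE id -> value for a beacon/probe-response body; the first 12 bytes are the
    fixed fields Timestamp (8), Beacon Interval (2), Capability (2)."""
    ies, pos = {}, 12
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        if pos + 2 + ie_len > len(body):
            raise ValueError("truncated information element")
        ies[ie_id] = body[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len
    return ies

# Constructed sample beacon: FC 80 00 (type 0, subtype 8), broadcast DA, made-up
# BSSID 02:00:00:00:00:01, sequence 1, fixed fields, SSID IE "test", dummy FCS.
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "020000000001" "020000000001" "1000"
    "0000000000000000" "6400" "1104" "000474657374" "deadbeef"
)
```

The same wlan_body() slice applied to the capture's type-2 frames returns the encrypted payload that tshark showed under "data", since the header length does not depend on whether the body could be dissected.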