This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am trying to extract the complete wlan_mgt portion of a frame from a saved capture file using tshark. What is interesting is that using the field "data" will dump the data layer of a data frame, but using the field "wlan_mgt" just prints the text "wlan_mgt" in the output, although it is accepted by tshark as a valid field.

Using command: $ tshark -r wpa.full.cap -2 -O wlan -T fields -e wlan.fc.type -e wlan.fc.subtype -e wlan.fcs_good -e wlan_mgt -e data -E separator=,

I get:

0,8,,wlan_mgt,
0,4,,wlan_mgt,
0,5,,wlan_mgt,
0,11,,wlan_mgt,
0,11,,wlan_mgt,
0,0,,wlan_mgt,
0,1,,wlan_mgt,
2,0,,,
2,0,,,
2,0,,,
2,0,,,
2,0,,,3e71a281c4c01e01f06998bc85cb64a3189f078ab63f9a4e7a09765f5e8fa2d4f3b3db4a3fc0eeb7afc74317a502 f8c5e25979800f93501534bd29a28f730763f7eea056cb18988973e786ad2ede9e5f071d16ae9de80bdd80d142ce0734f4 159701299da1c983e45f5f0f05bf5adf3bf8924b6b79c9693276058b339246adacc874ab71f74fba491eaa0a4676a58f89 62e95005f22ba1

asked 04 Feb '16, 12:14

Ted Wards

edited 04 Feb '16, 12:42


using the field "data" will dump the data layer of a data frame

Not necessarily:

$ tshark -V -r ~/captures/802.11/llc.cap
Frame 1: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
    Encapsulation type: IEEE 802.11 Wireless LAN (20)

       ...

IEEE 802.11 Data, Flags: ..m...F.
    Type/Subtype: Data (0x0020)
    Frame Control Field: 0x0822
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        0000 .... = Subtype: 0
        Flags: 0x22
            .... ..10 = DS status: Frame from DS to a STA via AP(To DS: 0 From DS: 1) (0x2)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..1. .... = More Data: Data is buffered for STA at AP
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .000 0000 0000 0000 = Duration: 0 microseconds
    Receiver address: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Transmitter address: <censored>
    Source address: <censored>
    BSS Id: <censored>
    STA address: Broadcast (ff:ff:ff:ff:ff:ff)
    .... .... .... 0101 = Fragment number: 5
    0000 0000 1010 .... = Sequence number: 10
Internetwork Packet eXchange
    Checksum: 0xffff
    Length: 40 bytes
    Transport Control: 0 hops
    Packet Type: RIP (0x01)
    Destination Network: 6 (0x00000006)
    Destination Node: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination Socket: RIP (0x0453)
    Source Network: 6 (0x00000006)
    Source Node: <censored>
    Source Socket: RIP (0x0453)
IPX Routing Information Protocol
    RIP packet type: Response (2)
    Route Vector: ABBAABBA (0xABBAABBA)
    Hops: 1
    Ticks: 111 ms

         ...

$ ./tshark -T fields -e data -r ~/captures/802.11/llc.cap

$

Using the field "data" will dump anything shown as the protocol "data", which is anything that can't be dissected in any other fashion. Encrypted (WEP, WPA/WPA2) 802.11 payloads would be dissected as "data" if they can't be decrypted, but any unencrypted 802.11 payload won't be dissected as "data", nor will any encrypted payloads that Wireshark/TShark can decrypt.

The management frames are probably not encrypted in your capture, and are therefore dissected as management frames, not as "data", so "data" won't show them.

There appears to be some inconsistency in the way "-T fields" handles "fields" that are protocols - "frame" shows the top-level line in the display of frame, "ipx"/"ipxrip"/"wlan_mgt"/etc. show the protocol's "filter name", and "data" shows the data. File a bug on this.

answered 04 Feb '16, 12:46

Guy Harris ♦♦

Yes. In my example, the data frames (wlan.fc.type=2) which do not show any data have EAPOL protocol and therefore have no "data" layer (or protocol). The last frame is an encrypted frame so it does have the "data" layer (or protocol). It would be nice to have a consistent way to extract the byte string of all layers or protocols as well as the full frame. I guess I am blocked for now trying to do what I need with tshark.

(05 Feb '16, 03:58) Ted Wards

Thanks for filing bug 12086 on this.

(05 Feb '16, 11:39) Guy Harris ♦♦
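As an added example (not code from the question, the answers, or Wireshark), here is a small Python parser for the comma-separated lines printed by the tshark command in the question. It encodes the rule Guy Harris gives in the answer and that Ted Wards confirms in his comment: a protocol name passed to -e (wlan_mgt here) prints only its filter name, so that column is a presence flag rather than bytes, while "data" prints the hex of whatever could not be dissected, so an empty "data" column means "fully dissected" (the EAPOL frames), not "no payload". The sample rows are constructed from the question's output, with the hex of the last row truncated; the function and class names are the example's own.

```python
"""Parse `tshark -T fields -E separator=,` output from the question.

Added example, not code from the question, the answer, or Wireshark.
It encodes the rule given in the answer: a protocol passed to -e (wlan_mgt)
prints only its filter name, so it is a presence flag, not bytes, while
"data" prints the hex of whatever could not be dissected.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Column order of the -e arguments in the question's command.
FIELDS = ["wlan.fc.type", "wlan.fc.subtype", "wlan.fcs_good", "wlan_mgt", "data"]

# Names passed to -e that are protocols rather than fields; for these
# tshark prints the filter name itself when the protocol is present.
PROTOCOL_FIELDS = {"wlan_mgt"}

# 802.11 frame types and the management subtypes that occur in the question.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {
    0: "association request",
    1: "association response",
    4: "probe request",
    5: "probe response",
    8: "beacon",
    11: "authentication",
}

# Constructed sample: rows copied from the question's output; the hex in the
# last row is cut to 12 bytes to keep the example short.
SAMPLE_OUTPUT = """\
0,8,,wlan_mgt,
0,4,,wlan_mgt,
2,0,,,
2,0,,,3e71a281c4c01e01f06998bc
"""


@dataclass
class Record:
    frame_type: int
    subtype: int
    fcs_good: Optional[bool]   # None when tshark did not report the FCS check
    mgmt_present: bool         # True when the wlan_mgt column held its own name
    payload: Optional[bytes]   # bytes of the "data" protocol, None if absent


def split_fields_line(line: str, fields: List[str] = FIELDS) -> Dict[str, str]:
    """Map one -T fields line onto the -e names; the column count must match."""
    cols = line.rstrip("\n").split(",")
    if len(cols) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
    return dict(zip(fields, cols))


def protocol_present(name: str, value: str) -> bool:
    """A protocol column is a presence flag: tshark prints the filter name."""
    if name not in PROTOCOL_FIELDS:
        raise ValueError(f"{name} is not a protocol column")
    return value == name


def parse_bool(value: str) -> Optional[bool]:
    """wlan.fcs_good prints 1/0 (or True/False); an empty column means not computed."""
    if value == "":
        return None
    return value.lower() in ("1", "true")


def parse_line(line: str) -> Record:
    f = split_fields_line(line)
    hexdata = f["data"].strip()
    return Record(
        frame_type=int(f["wlan.fc.type"]),
        subtype=int(f["wlan.fc.subtype"]),
        fcs_good=parse_bool(f["wlan.fcs_good"]),
        mgmt_present=protocol_present("wlan_mgt", f["wlan_mgt"]),
        # bytes.fromhex skips ASCII whitespace, so a hex string that was
        # wrapped by a terminal or a copy-paste still decodes.
        payload=bytes.fromhex(hexdata) if hexdata else None,
    )


def parse_output(text: str) -> List[Record]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def describe(rec: Record) -> str:
    """One-line summary. An empty data column means 'fully dissected', which
    is why the EAPOL data frames in the question show no payload here."""
    kind = FRAME_TYPES.get(rec.frame_type, f"type {rec.frame_type}")
    if rec.frame_type == 0:
        kind += "/" + MGMT_SUBTYPES.get(rec.subtype, f"subtype {rec.subtype}")
    else:
        kind += f"/subtype {rec.subtype}"
    mgmt = "wlan_mgt present" if rec.mgmt_present else "no wlan_mgt"
    if rec.payload is None:
        data = "no undissected payload"
    else:
        data = f"{len(rec.payload)} undissected payload bytes"
    return f"{kind}: {mgmt}, {data}"


if __name__ == "__main__":
    for r in parse_output(SAMPLE_OUTPUT):
        print(describe(r))
```

The parser deliberately refuses a line whose column count does not match the -e list, because a stray comma inside a field value would otherwise shift every later column silently; with the question's fields that cannot happen, but it is the first thing to check when a field such as a string or a name is added to the list.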