This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Retrieving “wlan” header length

0

In a Lua script, I'm looking for the length of the "wlan" header in each packet, and I can't find any "wlan.length" value (the value "28 bytes" in attached screenshot)

I have frame.len, radiotap.length, data.len if packets are encrypted, and I can do some maths with that.

But for example if packets are not encrypted data packets with several data headers, I can't do my maths to retrieve the length of wlan header.

How does Wireshark retrieve that "28 bytes" value?

alt text

asked 15 Feb '16, 08:12

TomLaBaude's gravatar image

TomLaBaude
66171724
accept rate: 66%


2 Answers:

1

The header size is not directly available as a field of the wireless frame but comes out from the frame type wlan.fc_type and subtype wlan.fc_subtype in the frame control field wlan.fc. The existing IEEE 802.11 (wlan) dissector understands that information but does not generate a pseudo-field like wlan.length from it, so your only chance would be to build your own table of header sizes indexed by wlan.fc values (64 in total, ignoring the two bits reserved for version). You can look for information necessary to build that table into the IEEE 802.11 dissector's source code, or into the IEEE 802.11 standard, or you can build it manually from captures.

answered 15 Feb '16, 10:23

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 16 Feb '16, 01:12

Thanks Sindy (at the end, "reading the specs" always win ...)

(16 Feb '16, 00:58) TomLaBaude

1

If you can get wlan as a FieldInfo in your Lua script, you can use its len method, according to the Wireshark LUA API reference.

answered 16 Feb '16, 01:25

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Interesting, I tried to retrieve length of the tvb, but was not aware of FieldInfo. Gonna try right now

(16 Feb '16, 01:36) TomLaBaude

Something is wrong in FieldInfo length of wlan field, seems like the Frame Check Sequence (located at the end of the packet) interferes:

Ex for a QoS Data Packet: wlan (38 bytes) - shown on the GUI -> 34 bytes for the wlan header -> 4 bytes for the FCS (end of packet)

Lua: local wlan_f = Field.new("wlan") ... function .... print(wlan_f().len) -> 26

26 doesn't represent anything... There's a "jump" in the GUI looking for the FCS at the end, but in the case of a QoS Data packet, there are other fields after the FCS (QoS Control & CCMP parameters)

It seems that Lua doesn't count fully QoS Control (2 bytes) & CCMP parameters (8 bytes) 26 + 2 + 8 = 36 ... There are 2 bytes somewhere ...

Bug?

(16 Feb '16, 02:02) TomLaBaude