I've been doing some Wi-Fi performance analysis. Capture performed in monitor mode, exported using tshark as follows:
# $1 is the input capture; $outFile is set by the caller.
# The sed passes turn empty fields into NA. The s/||/|NA|/ pass is repeated
# because one pass can only fill every other field in a run such as "|||".
tshark -t r -n -r "$1" -E header=y -E separator="|" -T fields \
  -e frame.time_epoch -e wlan.ta -e wlan.sa -e wlan.ra -e wlan.da -e wlan.bssid \
  -e radiotap.datarate -e radiotap.mcs.index -e radiotap.vht.datarate.0 -e radiotap.vht.mcs.0 \
  -e radiotap.xchannel -e radiotap.channel.freq -e radiotap.dbm_antsignal \
  -e _ws.col.Protocol -e frame.len -e _ws.col.Info \
  | sed 's/||"/|NA|/g' | sed 's/||/|NA|/g' | sed 's/||/|NA|/g' | sed 's/||/|NA|/g' \
  > "$outFile"
This is a downstream capture showing traffic from a:
Reference PC on GigE: 68:5b:35:cd:ef:ab
Router wireless interface on 5G: f4:f2:6d:ab:cd:ef
Client device (MacBook Air): 8c:29:37:00:01:02
The data packets are showing up with two MAC addresses in the SA and DA fields. For the wlan.sa field I see the router, reference PC: "f4:f2:6d:ab:cd:ef,68:5b:35:cd:ef:ab"
The wlan.da address shows up as: "8c:29:37:00:01:02,8c:29:37:00:01:02"
Here is a sample of the output from my tshark extraction routine:
1466826268.835444000|f4:f2:6d:ab:cd:ef|f4:f2:6d:ab:cd:ef,68:5b:35:cd:ef:ab|8c:29:37:00:01:02|8c:29:37:00:01:02,8c:29:37:00:01:02|f4:f2:6d:ab:cd:ef|||526.6|6|149|5745||802.11|3128|QoS Data
Why do the wlan.sa and wlan.da fields have a second MAC, or is this valid output?
Thanks!
John
asked 26 Jun '16, 21:49
jpomeroy
edited 26 Jun '16, 23:23
sindy
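Added example, not code from the original post: a parser for the pipe-separated export produced by the tshark command above. The point it makes explicit is that `tshark -T fields` prints every occurrence of a field found in one frame, joined by the `-E aggregator` character (default `,`), so a value such as `f4:f2:6d:ab:cd:ef,68:5b:35:cd:ef:ab` is two separate wlan.sa occurrences in the same frame rather than corrupt output. The first occurrence comes from the 802.11 MAC header; later ones come from nested headers Wireshark dissected inside the frame (the per-subframe DA/SA headers of an A-MSDU are the usual case for a large VHT QoS Data frame, but the post does not show the dissection, so treat that as an assumption). The field order is taken from the `-e` list of the command, the sample line is the one quoted in the post (no NA substitution applied), and the choice of which fields to treat as multi-valued is the example's own assumption.

```python
"""Parse the '|'-separated tshark field export from the post (added example)."""
from typing import Dict, List, Optional, Union

# Must match the order of the -e options in the tshark command.
FIELDS = [
    "frame.time_epoch", "wlan.ta", "wlan.sa", "wlan.ra", "wlan.da",
    "wlan.bssid", "radiotap.datarate", "radiotap.mcs.index",
    "radiotap.vht.datarate.0", "radiotap.vht.mcs.0", "radiotap.xchannel",
    "radiotap.channel.freq", "radiotap.dbm_antsignal", "_ws.col.Protocol",
    "frame.len", "_ws.col.Info",
]
SEPARATOR = "|"   # -E separator="|"
AGGREGATOR = ","  # tshark default -E aggregator: joins all occurrences of a field

# Assumption: these are the fields Wireshark may emit more than once per frame
# (MAC header first, then any nested headers such as A-MSDU subframe DA/SA).
ADDRESS_FIELDS = {"wlan.ta", "wlan.sa", "wlan.ra", "wlan.da", "wlan.bssid"}
NUMERIC = {
    "frame.time_epoch": float, "radiotap.datarate": float,
    "radiotap.mcs.index": int, "radiotap.vht.datarate.0": float,
    "radiotap.vht.mcs.0": int, "radiotap.channel.freq": int,
    "radiotap.dbm_antsignal": int, "frame.len": int,
}

# Constructed sample: the record quoted in the post, before the sed NA pass.
SAMPLE_LINE = (
    "1466826268.835444000|f4:f2:6d:ab:cd:ef|f4:f2:6d:ab:cd:ef,68:5b:35:cd:ef:ab"
    "|8c:29:37:00:01:02|8c:29:37:00:01:02,8c:29:37:00:01:02|f4:f2:6d:ab:cd:ef"
    "|||526.6|6|149|5745||802.11|3128|QoS Data"
)

Record = Dict[str, Union[None, str, int, float, List[str]]]


def parse_line(line: str) -> Record:
    """Turn one export line into a dict keyed by tshark field name."""
    # Info is the last column and may itself contain '|', so cap the split.
    parts = line.rstrip("\r\n").split(SEPARATOR, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    rec: Record = {}
    for name, raw in zip(FIELDS, parts):
        if raw in ("", "NA"):          # absent field, before or after the sed pass
            rec[name] = None
        elif name in ADDRESS_FIELDS:   # keep every occurrence, in dissection order
            rec[name] = raw.split(AGGREGATOR)
        elif name in NUMERIC:
            rec[name] = NUMERIC[name](raw)
        else:
            rec[name] = raw
    return rec


def parse_export(text: str) -> List[Record]:
    """Parse a whole export, skipping the header line written by -E header=y."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("frame.time_epoch"):
            continue
        records.append(parse_line(line))
    return records


def multi_valued(rec: Record) -> List[str]:
    """Names of address fields that occurred more than once in this frame."""
    return [f for f in FIELDS
            if f in ADDRESS_FIELDS and isinstance(rec[f], list) and len(rec[f]) > 1]


def occurrence(rec: Record, field: str, which: str = "first") -> Optional[str]:
    """Pick one occurrence, like -E occurrence=f (first) or -E occurrence=l (last)."""
    values = rec.get(field)
    if not isinstance(values, list) or not values:
        return None
    return values[0] if which == "first" else values[-1]


if __name__ == "__main__":
    r = parse_line(SAMPLE_LINE)
    print("fields with several occurrences:", multi_valued(r))
    for f in multi_valued(r):
        print(f"{f}: MAC header={occurrence(r, f)}  innermost={occurrence(r, f, 'last')}")
```

If only one occurrence per field is wanted in the export itself, tshark can select it at extraction time with `-E occurrence=f` (first) or `-E occurrence=l` (last) instead of post-processing; the default `-E occurrence=a` is what produces the comma-joined values seen in the post.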