In these two frames the wlan_mgt.mysterious_olpc_stuff field is not there, or at least the (v2.2.4) dissector thinks so (ignoring the fact that all packets are ethereal). When looking at the raw data its clear the field is there, two bytes further look like the start of LLC (DSAP and SSAP), like in the other packets.
Looking at the dissector code at this point there is a bit of magic going on
So, if the packet doesn't start with 0xaa 0xaa:
we first use the same scheme that linux-wlan-ng does to detect
those encapsulated Ethernet frames, namely looking to see whether
the frame either starts with 6 octets that match the destination
address from the 802.11 header or has 6 octets that match the
source address from the 802.11 header following the first 6 octets,
and, if so, treat it as an encapsulated Ethernet frame;
otherwise, we use the same scheme that we use in the Ethernet
dissector to recognize Netware 802.3 frames, namely checking
whether the packet starts with 0xff 0xff and, if so, treat it
as an encapsulated IPX frame, and then check whether the
packet starts with 0x00 0x00 and, if so, treat it as an OLPC
frame.</code></pre></pre><p>This should be in a <a href="https://bugs.wireshark.org/bugzilla/">bug report</a>, so it can be further investigated.</p></div><div class="answer-controls post-controls"></div><div class="post-update-info-container"><div class="post-update-info post-update-info-user"><p>answered <strong>14 Feb '17, 07:07</strong></p><img src="https://secure.gravatar.com/avatar/2337f0406681e5c72ea0e6f1f0d6c0b0?s=32&d=identicon&r=g" class="gravatar" width="32" height="32" alt="Jaap's gravatar image" /><p><span>Jaap ♦</span><br />
11.7k●16●101
accept rate: 14%
Could you share a capture for both EAP-AKA and EAP-SIM exchanges?
You can place the capture on a shared drive such as Cloudshark or Google drive.
Thanks for quick response, please find it here: https://we.tl/LbkHnyIPWT
Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.