This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does Wireshark know to byte swap the frame control of an IEEE80211

0

I have come across some capwap packets that seem to have two bytes of IEEE80211's frame control swapped.
Wireshark successfully detects this and displays "Swapped" next to the frame control frame line.
I have been looking through the code at epan/dissectors/packet-ieee80211.c to try to understand how Wireshark knows this but could not figure it out.

There seems to be a call to register_dissector dissect_ieee80211_bsfc but I could not understand when it is used over the other dissectors. (bsfc stands for byte-swapped frame control)

Please help me understand.

asked 09 Aug '17, 12:38

Guy Kroizman
accept rate: 0%


One Answer:

1

I asked the exact same question here:

https://ask.wireshark.org/questions/55804/capwap-80111-data-header-fcf-swapped-why

Basic Answer: if 802.11 frame control is carried over CAPWAP, bytes are simply swapped. No other indicator. It's what I do in TraceWrangler now, and it works 100% so far.

answered 09 Aug '17, 14:10

Jasper ♦♦
accept rate: 18%
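
The byte swap described in the answer above, as an added example that is not part of the original posts and is not Wireshark's or TraceWrangler's code. It decodes the two-byte 802.11 Frame Control field in both byte orders so the effect of the swap is visible; the function names and the sample frame bytes are constructed for illustration.

```python
# Added example: decoding the 802.11 Frame Control field in normal and
# byte-swapped order. Names and sample bytes are hypothetical/constructed.

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
FLAG_NAMES = ["ToDS", "FromDS", "MoreFrag", "Retry",
              "PwrMgt", "MoreData", "Protected", "Order"]


def parse_frame_control(fc: bytes, swapped: bool = False) -> dict:
    """Decode the first two bytes of an 802.11 header.

    swapped=True means the two bytes arrive in reverse order, which is
    what the answer reports for 802.11 carried over CAPWAP.
    """
    if len(fc) < 2:
        raise ValueError("frame control needs 2 bytes")
    b0, b1 = fc[0], fc[1]
    if swapped:
        b0, b1 = b1, b0
    return {
        "version": b0 & 0x03,                    # bits 0-1 of first byte
        "type": FRAME_TYPES[(b0 >> 2) & 0x03],   # bits 2-3
        "subtype": (b0 >> 4) & 0x0F,             # bits 4-7
        "flags": [n for i, n in enumerate(FLAG_NAMES) if b1 & (1 << i)],
    }


def normalize_swapped_frame(frame: bytes) -> bytes:
    """Return the frame with its frame control bytes in over-the-air order."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    return bytes((frame[1], frame[0])) + frame[2:]


# Constructed sample: a QoS Data frame with ToDS set is 0x88 0x01 on the
# air; here the two bytes are reversed, followed by a zero duration field.
SAMPLE_SWAPPED = bytes.fromhex("01880000")

if __name__ == "__main__":
    print("read as-is :", parse_frame_control(SAMPLE_SWAPPED))
    print("read swapped:", parse_frame_control(SAMPLE_SWAPPED, swapped=True))
    print("normalized :", normalize_swapped_frame(SAMPLE_SWAPPED).hex())
```

Read as-is, the sample decodes as a version 1 management frame with Retry and Order set; read with the swap, it is a version 0 QoS Data frame with ToDS set.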