This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get the field “DID unknown 4041” into the column

Hello everybody,

I am trying to analyze the up-link wireless traffic generated by my Sony Ericsson phone and captured by my D-Link router, on which I installed the DD-WRT firmware. To do this, first I log in to the router and enable the prism0 interface by typing the command:

wl -i eth1 monitor 1

and then I start to capture the packets by typing:

tcpdump -i prism0 ether src xx:xx:xx:xx:xx:xx -s0 -w /tmp/smbshare/sony_ericsson_test.pcap

where xx:xx:xx:xx:xx:xx is the MAC address of my Sony Ericsson phone. After a while I transfer the sony_ericsson_test.pcap file to my computer and open it with the Wireshark program. The RSSI values for each packet are present under "Prism capture header" -> "DID unknown 4041" as displayed in the attached image:

in this case the RSSI value for this packet is: 0xfffffffc7.

Is there a way to filter these values and inflate them into the column "Power"?

I already tried the following procedure, but without success: Edit -> Preferences... -> Columns -> Press "Add" button -> As "Field type" I choose "IEEE 802.11 RSSI" and finally I choose name "Power" and click on "Apply" button.

Thanks in advance for the help!

Giovanni

asked 12 Oct '12, 06:21

Giovanni Soldi


2 Answers:

The current code that analyzes Prism radio headers is not treating 0x00004041 as the DID value for the RSSI; it's looking for 0x00040044 instead (and the same applies to some of the other values). There is at least one capture where 0x00040044 is correct, but, in your capture, 0x00004041 is correct, and this header file seems to say 0x00004041 is correct.

That code should check for both values, which should fix your problem without breaking other capture files. I'll check in a fix for that, and schedule it for the next 1.6.x and 1.8.x release.

answered 12 Oct '12, 18:07

Guy Harris ♦♦

edited 12 Oct '12, 18:29

Thanks for the answer! Great! Do you know already when the next release will be ready with this fix?

(13 Oct '12, 15:35) Giovanni Soldi

According to the development roadmap, the next 1.8.x and 1.6.x releases aren't scheduled yet, as of 2012-10-13.

(13 Oct '12, 15:44) Guy Harris ♦♦

After Guy has committed the change you'll be able to pick up a nightly build from the automated build area, or build yourself from trunk, but beware that both these options are on the bleeding edge of Wireshark development.

(14 Oct '12, 01:40) grahamb ♦

Okay! I'll try that release then! I just need to use Wireshark to read the pcap files and export the data into MATLAB but I need to be able to read the RSSI values. Where can I monitor the commit history so that I don't continue to bother you about when it's fixed? Or, can you just simply write to me here when it's ready? Thank you very much!

(15 Oct '12, 04:27) Giovanni Soldi

Way cool! I picked up this version Wireshark 1.9.0-SVN-45556 PPC 32.dmg and it seems to work perfectly. Thanks a lot! :)

(15 Oct '12, 04:35) Giovanni Soldi

Glad to be of help. If your question has been answered can you mark the question as such by clicking the checkmark icon next to the answer?

(15 Oct '12, 04:44) grahamb ♦

Hi! I have another question! After I get the RSSI values displayed in the column, I try to export my data into CSV format but the RSSI values don't show up in the output file. Probably, it hasn't been fixed yet, right? Would it be possible to include this fix in the next nightly build? Thanks again for the help!

(16 Oct '12, 06:29) Giovanni Soldi
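
The check described in the first answer (accept both 0x00040044 and 0x00004041 as the RSSI DID), as an added example that is not Wireshark's code and not part of the original thread. It assumes the wlan-ng Prism header layout (24-byte fixed part followed by 12-byte did/status/len/data items), little-endian byte order and a signed data field; the sample headers, the msgcode and the non-RSSI DIDs are constructed placeholders.

```python
import struct

# RSSI DIDs from the answer: the value the dissector looked for, and the
# value present in the asker's capture. Accept either.
RSSI_DIDS = {0x00040044, 0x00004041}

# Assumed wlan-ng layout, little-endian: msgcode, msglen, devname[16], then
# repeated items of did, status, len, data (data read as signed 32-bit).
FIXED = struct.Struct("<II16s")
ITEM = struct.Struct("<IHHi")


def prism_rssi(header: bytes):
    """Return the RSSI item's data value, or None if no RSSI item is present."""
    if len(header) < FIXED.size:
        raise ValueError("truncated Prism header")
    _msgcode, msglen, _devname = FIXED.unpack_from(header, 0)
    end = min(msglen, len(header))  # never trust msglen past the captured bytes
    off = FIXED.size
    while off + ITEM.size <= end:
        did, _status, _length, data = ITEM.unpack_from(header, off)
        if did in RSSI_DIDS:
            return data
        off += ITEM.size
    return None


def build_header(items):
    """Build a constructed header from (did, value) pairs; msgcode 0 is a placeholder."""
    msglen = FIXED.size + ITEM.size * len(items)
    out = FIXED.pack(0, msglen, b"prism0")
    for did, value in items:
        out += ITEM.pack(did, 0, 4, value)
    return out


# Constructed samples. 0x0BAD0001/0x0BAD0002 are placeholder non-RSSI DIDs.
OTHER = [(0x0BAD0001, 1000), (0x0BAD0002, 6)]
HDR_40044 = build_header(OTHER + [(0x00040044, -60)])
HDR_4041 = build_header(OTHER + [(0x00004041, -60)])
NO_RSSI = build_header(OTHER)

if __name__ == "__main__":
    for name, hdr in (("0x00040044", HDR_40044), ("0x00004041", HDR_4041),
                      ("no RSSI item", NO_RSSI)):
        print(name, "->", prism_rssi(hdr))
```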

Did you try selecting the field (just like in the screenshot) and using the popup menu selecting "Apply as column"? It should do what you need.

answered 12 Oct '12, 14:12

Jasper ♦♦

Thanks for the answer! I tried, but I also get all the other DID unknown fields in the column.

(13 Oct '12, 15:26) Giovanni Soldi