I use tshark to capture packets at 20 to 30 MB/s, then a lot of malformed and unresolved(e.g. 802.11 association packet whose body only shows data) packets appears. How to solve the problem? Or what's tshark/dumpcap 's capture limitation? asked 13 Apr '14, 18:04  metamatrix edited 14 Apr '14, 01:43  Guy Harris ♦♦ |
One Answer:
This has nothing whatsoever to do with TShark's, dumpcap's, or libpcap's/WinPcap's abilities. The 802.11 frames are encapsulated within LWAPP packets. LWAPP is described by RFC 5412; as section 2, "Protocol Overview", or RFC 5412 says, "LWAPP data messages are forwarded wireless frames.". Those forwarded frames are what are being transported here over UDP. Either the device sending out the LWAPP data messages is putting malformed packets into the LWAPP data messages, or they are getting mangled by one of the networks over which the packets are being transported. I suspect it's the first of those. There are several types of bad packets in the capture:
answered 14 Apr '14, 01:53 Guy Harris ♦♦ I'm afraid they are neither neither malformed nor unresolved packets. In fact, they're fragment http packets which are wrongly identified to 802.11 packets by wireshark. (09 May '14, 00:08) metamatrix |
Do those packets have a radiotap header? If so, do those packets have the "Flags" field in the radiotap header ("Flags", not "Present flags") and, if so, is the "Bad FCS" flag set for those packets?
Also, do those packets have the "Protected flag" set in the Flags field of the 802.11 header?
There seems no such flags, I upload first 2000 packets' file (https://www.cloudshark.org/captures/86c0d8f568e4 ). It contains lwapp encapsulated wlan packets(using "wlan.fc.type eq 0 and wlan.fc.subtype eq 0" to see association packets)