Ask Your Question
0

TShark command to decode WSMP?

asked 2020-11-10 15:18:11 +0000

Ken Whitesell gravatar image

What is the command to have tshark decode the WSMP portion of a packet?

I have a pcap file (sample available) that I can open with Wireshark. Wireshark shows the WSMP portion of the packet. (Image available showing this, but I don't have enough karma to upload it.)

But when I decode the packets using tshark, it only shows "Data" for that portion of the packet.

I've tried various combinations of the -d argument, but all the different combinations I've tried result in either the "unknown layer type" error or "Protocol "wsmp" isn't valid for layer type ..." for any of the layer types I've tried. So I haven't been able to find the right parameters.

Any tips, pointers, suggestions, ideas would be greatly appreciated.

Thanks!

Ken

Notes:

I think it should be possible to do this, because the output from:

tshark -G protocols | grep -i wsmp

shows:

Wave Short Message Protocol(IEEE P1609.3)       WSMP    wsmp

But, the following command:

tshark -r /mnt/e/work/work/TC2/SpatSample.pcap -2 -c 1 -V

Produces this output:

Frame 1: 366 bytes on wire (2928 bits), 366 bytes captured (2928 bits)
    Encapsulation type: IEEE 802.11 plus Prism II monitor mode radio header (21)
    Arrival Time: Oct  9, 2020 11:10:46.540759000 EDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1602256246.540759000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 366 bytes (2928 bits)
    Capture Length: 366 bytes (2928 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: prism:wlan_radio:wlan:llc:data]
Prism capture header
    Message Code: 0x00000044
    Message Length: 144
    Device Name: wifi1vap0
    DID Host Time 719685155
        DID: Host Time (0x00010044)
        Status: Supplied (0)
        Length: 4
        Host Time: 719685155
    DID Mac Time 1508234676
        DID: Mac Time (0x00020044)
        Status: Supplied (0)
        Length: 4
        MAC timestamp (lower 32 bits): 1508234676
    DID Channel 172
        DID: Channel (0x00030044)
        Status: Supplied (0)
        Length: 4
        Channel: 172
    DID RSSI 0
        DID: RSSI (0x00040044)
        Status: Supplied (0)
        Length: 4
        RSSI: 0
    DID SQ 0x0
        DID: SQ (0x00050044)
        Status: Supplied (0)
        Length: 4
        Signal Quality: 0
    DID Signal 0x41
        DID: Signal (0x00060044)
        Status: Supplied (0)
        Length: 4
        Signal: 65
    DID Noise 0x0
        DID: Noise (0x00070044)
        Status: Supplied (0)
        Length: 4
        Noise: 0
    DID Rate 6.0 Mb/s
        DID: Rate (0x00080044)
        Status: Supplied (0)
        Length: 4
        Data rate (Mb/s): 6.0
    DID Is Tx 0x1
        DID: Is Tx (0x00090044)
        Status: Supplied (0)
        Length: 4
        IsTX: Tx Packet (0x00000001)
    DID Frame Length 53
        DID: Frame Length (0x000a0044)
        Status: Supplied (0)
        Length: 4
        Frame Length: 53
802.11 radio information
    Data rate: 6.0 Mb/s
    Channel: 172
    Signal strength (dBm): 0dBm
    TSF timestamp: 1508234676
    [Duration: 320µs]
        [Preamble: 20µs]
IEEE 802.11 Data, Flags: ........
    Type/Subtype: Data (0x0020)
    Frame Control Field: 0x0800
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        0000 ...
(more)
edit retag flag offensive close merge delete

Comments

Wow. Thank you (seriously) for reminding me to supply information that I should have remembered to supply in the first place. (Yes, I'm saying this all in good humor. I can't count the number of times I've asked that question in the past.)

Anyway, it's a WSL Ubuntu 18.04 image -

wireshark -v

Wireshark 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)
Built using gcc 7.4.0.

tshark -v

TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

Which would appear likely to be earlier than the referenced patch above.

So my next step will be to build a current version and see how it goes. (Or, grab one of my Ubuntu 20 systems around here and try it there.) Either way, I'll report back when I have more ...(more)

Ken Whitesell gravatar imageKen Whitesell ( 2020-11-11 02:03:00 +0000 )edit

Bingo! That was it. Trying it on an Ubuntu 20.04 system worked perfect. If it's of any value to you to post that as an answer I'd love to give you credit for it. (I can't upvote your comment.)

Ken Whitesell gravatar imageKen Whitesell ( 2020-11-11 02:18:38 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2020-11-10 16:38:16 +0000

Anders gravatar image

What version of Wireshark and what version of Tshark are you using? I suspect https://code.wireshark.org/review/29982 is not implemented in your version of tshark.

edit flag offensive delete link more

Comments

Yep, that was it. The version of Wireshark supplied in Ubuntu 18.04.2 is too old. Either running this on Ubuntu 20 or building from source on Ubuntu 18 allows this to work as expected. Thanks again!

Ken Whitesell gravatar imageKen Whitesell ( 2020-11-12 01:42:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-11-10 15:18:11 +0000

Seen: 378 times

Last updated: Nov 10 '20