Ask Your Question
0

Extracting mesh fields from 802.11 QoS control

asked 2022-05-10 11:02:16 +0000

Avidan gravatar image

I'm using wireshark to dissect captured data. The captured data comes as a byte stream.

Wireshark seems to always open up the QoS control field as follows:

      "wlan.qos": "0x00000187",
      "wlan.qos_tree": {
        "wlan.qos.tid": "7",
        "wlan.qos.priority": "7",
        "wlan.qos.eosp": "0",
        "wlan.qos.ack": "0x00000000",
        "wlan.qos.amsdupresent": "1",
        "wlan.qos.ps_buf_state": "0x00000001",
        "wlan.qos.ps_buf_state_tree": {
          "wlan.qos.buf_state_indicated": "0"
        }
      },

However in 802.11 standard, it says that if traffic comes from a mesh station, bits 8-15 are opened differently. How can I tell wireshark that the traffic is coming from a mesh station? should this be a part of my capture file somehow?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-05-10 14:22:18 +0000

Chuckc gravatar image

Can you share a pcap on a public file share and update the question with a link to it?
Looks like Wireshark does it's best with mesh but YMMV.

packet-ieee80211.c:

   /*
     * Does it look as if we have a mesh header?
     *
     * For locally originated mesh frames, the QoS header may be added
     * by the hardware, and no present in wireshark captures.  This
     * poses a problem as the QoS header indicates the presence of the
     * mesh control header.
     *
     * In addition, we have examples of mesh captures where the QoS
     * field indicates that there is no mesh control header, yet there
     * is one.
     *
     * Instead of QoS, we use a few heuristics to determine the presence
     * of the mesh control header, which is tricky because it can have a
     * variable length. We fall back to using the QoS field if it exists
     * and the packet isn't long enough (due to truncation or something
     * malformed that should be flagged.)
     *
     * Assume minimal length, and then correct if wrong.
     */

edit flag offensive delete link more

Comments

BTW. I see that the wireshark sample captures page has a mesh.pcap file here: https://wiki.wireshark.org/uploads/__... but I'm not able to find the mesh packets in it (probably because I'm just making my first steps with wireshark)

Avidan gravatar imageAvidan ( 2022-05-11 10:11:27 +0000 )edit

Thanks a lot for this answer - a very good lead. Wish I could upvote it. let me check if I can make forward progress using it.

Avidan gravatar imageAvidan ( 2022-05-11 10:12:51 +0000 )edit

(Good catch on the sample file - being able to recreate with a common pcap is always a good first step)
What version of Wireshark/tshark are you using? Here is frame 133 from the sample pcap:

TShark (Wireshark) 3.6.3 (v3.6.3-0-g6d348e4611e2)
-------------------------------------------------
          "wlan.qos": "0x0000",
          "wlan.qos_tree": {
            "wlan.qos.tid": "0",
            "wlan.qos.priority": "0",
            "wlan.qos.eosp": "0",
            "wlan.qos.ack": "0x0000",
            "wlan.qos.amsdupresent": "0",
            "wlan.qos.mesh_ctl_present": "0",
            "wlan.qos.mesh_ps.reserved": "0",
            "wlan.qos.mesh_rspi": "0"
          },
          "wlan.mesh.control_field": {
            "wlan.fixed.mesh_flags": "0x01",
            "wlan.fixed.mesh_ttl": "0x1e",
            "wlan.fixed.mesh_sequence": "0x00000533",
            "wlan.fixed.mesh_addr4": "00:19:e3:d3:53:52"
          }
        },


TShark (Wireshark) 3.4.0 (v3.4.0-0-g9733f173ea5e)
--------------------------------------
          "wlan.qos": "0x00000000",
          "wlan.qos_tree": {
            "wlan.qos.tid": "0",
            "wlan.qos.priority": "0",
            "wlan.qos.eosp": "0",
            "wlan.qos.ack": "0x00000000",
            "wlan.qos.amsdupresent": "0",
            "wlan.qos.ps_buf_state": "0x00000000",
            "wlan.qos.ps_buf_state_tree": {
              "wlan.qos.buf_state_indicated": "0"
            }
          }
Chuckc gravatar imageChuckc ( 2022-05-11 15:28:00 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-05-10 11:02:16 +0000

Seen: 434 times

Last updated: May 10 '22