First time here? Check out the FAQ!

Sorry, this content is no longer available

Ask Your Question
0

Wlan packet radio duration sometimes larger than inter-packet delay
 
  
 
  
 
 
 
 
 
 
    
        
        asked Oct 30 '17  
 
 mi gravatar image  
 
 
 
 
    
        
        updated Nov 1 '17  
 
 
 
 
 
In my .pcap file captured in WLAN, I am getting the duration of the current packet more than the difference between capture times of current and next packets.
 
How come is it possible? If such a thing happened, it will mean that the first packet was still being captured when the next packet arrived. For example, for two packets, capture times are T1=0.002124s, T2=0.003407s, so T2-T1=0.001283s, and the duration of the first packet (given by the wlan_radio.duration display filter), D=0.002112s, which makes D>T2-T1.  So, which one is correct: the duration field displayed by the Wireshark, or the packet capture times?
 
Preview: (hide)
 
 
 
 
          
 
add a comment
 
 
 
 
 
 2 Answers
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
1
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Nov 1 '17  
 
 Jim Young gravatar image  
 
 
 
 
 
You might need to disable the 802.11 radio information preference "TSF indicates the end of the PPDU". This preference is enabled by default.  The fly-over comment associated with this option states "Some generators timestamp the end of the PPDU rather then the start of the (A)MPDU."   In this context "generators" meaning the the device that created the wlan packet capture.  I need to disable this preference for captures generated by my MacBook to avoid the same issue you appear to be having.
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
Can you please tell me where to disable preference, as I can see under the Edit->Preferences->.protocols a menu name IEEE802.11 and IEEERariotap, but I can't find the  "TSF indicates the end of the PPDU" preference under these.
mi gravatar imagemi (
    
        Nov 1 '17
    )
You'll find it at '802.11 Radio' protocol preferences.
Jaap gravatar imageJaap (
    
        Nov 1 '17
    )
In the preferences under Edit menu, there is only 'IEEE Raditap' protocol preference, and that shows only two fields: 'Assume bit 14 means FCS in header' and 'Interpret High rates as MCS'. Is there any other path?
mi gravatar imagemi (
    
        Nov 1 '17
    )
Wireshark version?
Jaap gravatar imageJaap (
    
        Nov 1 '17
    )
Version 2.2.6, running on Ubuntu 16.06
mi gravatar imagemi (
    
        Nov 1 '17
    )

            
                see more comments
            
        
 
 
 
 
   
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Nov 3 '17  
 
 Jim Young gravatar image  
 
 
 
 
    
        
        updated Nov 3 '17  
 
 Jaap gravatar image  
 
 
 
 
 
Your T1 and T2 values are the timestamps of the packets as recorded by the OS.  Packet timestamps are not necessarily the instant that the start of the packets were seen by the WLAN interface.   CPU scheduling and processing overhead can delay when the packets are timestamped causing the reported delay between two packets to be shorter or longer than was actually seen at the NIC.  In the case of the WLAN packets, depending on the hardware and software, there's the opportunity of recording and reporting of the NIC's TSF value.  The Radiotap header tree may include the TSF value as the MAC timestamp (radiotap.mactime) and the 802.11 radio information tree may include this value as the TSF timestamp (wlanradio.timestamp).   The WLAN Duration field (wlanradio.duration) is a best effort calculated field based on the TSF.  Recent enhancements to the 802.11 dissector have improved the calculation of the Duration field and includes some extra fields to help confirm the math.
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
Thank you. I will see it.
mi gravatar imagemi (
    
        Nov 3 '17
    )
add a comment
 
 
 
 
 
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 
 
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Oct 30 '17  
 
 
        Seen: 1,429 times 
 

        Last updated: Nov 03 '17 
 
 
 
Related questions
 
 
 Capture incoming packets from remote web server 
 
 How to set packet metadata in realtime? 
 
 Monitor device 
 
 Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets 
 
 What is wrong with my internets?! 
 
 How do I dissect multiple packets? 
 
 How do I get relative ack number greater than sequence number? 
 
 How do I use the fragment_add_seq_check function in UDP packet reassembly? 
 
 Is it possible to use reassembly on non-split packets? 
 
 How do I dissect packets if the dissection depends on information from earlier packets?