How are wlan.bssid and wlan.staa obtained? [closed]

asked 2018-11-23 02:26:43 +0000

anonymous user

Anonymous

updated 2018-11-23 03:08:54 +0000

I'm digging around wlan analysis currently, and was not able to grasp - how are those two fields (wlan.bssid and wlan.staa) get obtained? For example, here are two images presenting only packets, available for analysis:

bssid:

https://i.imgur.com/Y1acfak.png

staa (hidden the IP's):

https://i.imgur.com/H5SXS9o.png

How does wireshark know, that those packets originate from a AP or station? I thought only way was to see if its a beacon/probe resp for an AP, and probe request for station. The whole idea is to differetiate between station and AP by the most available clues there are.

I've digged around source code to try to understand how, but was not succesfull.

EDIT: I was able to find a picture, that derives the bssid from to ds/from ds fields. Maybe thats exactly the way? How is STAA obtained is still a question. imgur

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by wirequestion
close date 2018-11-29 09:40:22.543054

Comments

How does wireshark know, that those packets originate from a AP or station?

If you look in the frame control field, you will see bit(s) indicating direction. Many of these frames indicate which direction: FromDS or ToDS. There is a filter for these:

wlan.fc.fromds == 1
wlan.fc.tods == 1

The picture from the specification related to bits/bytes seems to answer your question - how the addresses are interpreted, but perhaps the confusion is that first trace picture?

Something looks unusual with your first picture - how are you capturing these? There is no radiotap (or other type) of header (which is a little unusual, but not unheard of), and all the fields are not filled in as they usually are with real traffic. Are you using and capturing from the same adapter, at the same time?

Bob Jones gravatar imageBob Jones ( 2018-11-23 13:32:53 +0000 )edit

Something looks unusual with your first picture - how are you capturing these? There is no radiotap (or other type) of header (which is a little unusual, but not unheard of), and all the fields are not filled in as they usually are with real traffic. Are you using and capturing from the same adapter, at the same time?

Thank you for your answer. It became somehow clear to me that those STA and BSSID fields are only filled for data packets, so yeah, looks like tods/fromds is enought to determine the MAC's. I thought those can be populated for management frames too, but sadly no. Those were captured a long time ago with a mobile with custom kernel for those capturing needs, so I guess no raditap is ok.

I don't know the exact reason of those strange self sent packets in the first pic - this was ...(more)

wirequestion gravatar imagewirequestion ( 2018-11-25 04:06:38 +0000 )edit
add a comment