Ask Your Question
0

What does "absent" mean on some fields of the radiotap header?

asked 2019-03-22 06:14:40 +0000

yanbo gravatar image

Hi,

To see the detailed PHY information of the 802.11ac packets, I am using wireshark to parse the .pcap file, which is captured by tcpdump.

However, some of my interested fields under radiotap header appear to be "absent". By "absent", I cannot know whether it means true or false.

So what does "absent" exactly mean? Can I interpret that as false?

Yanbo

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-03-22 07:11:03 +0000

Guy Harris gravatar image

However, some of my interested fields under radiotap header appear to be "absent". By "absent", I cannot know whether it means true or false.

That is correct. If a field that happens to be a 1-bit Boolean flag is absent, it is completely unknown whether it's true or false - it's absent, meaning the flag's value is not specified.

(Not all radiotap fields are 1-bit Boolean flags, so not all radiotap fields are true or false - the rate field, for example, is a data rate, in units of 500 Kb/second, so it does not have a value that's "true" or "false".)

So what does "absent" exactly mean?

It means that the whatever generated the radiotap header did not specify the value of the field, perhaps because it was unable to determine the value of the field; as such, you (and Wireshark - or tcpdump, or whatever program is reading the captured packets) do not know the value of the field and cannot know the value of the field.

Can I interpret that as false?

You should not do so; you should interpret it as "unknown whether it's true or false", if it's a 1-bit Boolean flag, just as you should, for example, interpret an absent "rate" field as "unknown what the data rate was", not as "500 Kb/s" or any other known value.

edit flag offensive delete link more

Comments

Hi Harris,

Thank you for your reply. It helps a lot.

So what do you think the reason that cause the "absent" may be? Maybe it is because the firmware of the device used for capturing the packet doesn't support the function that is corresponding to the field I am interested in?

Actually, the field I want to check is "beamformed", under the "vht capacity information" item of radiotap header. By spying on this boolean field, I can know whether the captured packet is using beamforming (an 802.11 PHY technique that is used to improve the link quality) or not. The firmware of the transmitter and receiver is proved to support this beamforming function, but the firmware of the sniffer seems doesn't. Therefore, the sniffer cannot interpret this field. Do you think my point is correct?

Yanbo

yanbo gravatar imageyanbo ( 2019-03-22 09:04:36 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-03-22 06:14:40 +0000

Seen: 89 times

Last updated: Mar 22