Decoding IP payload in Unencrypted WiFi Packet

I'm capturing on an Open SSID, predicting that I would see the IP payload. But I don't.

I see RTS & CTS frames ... and I see frames which are 1702 bytes in length, which suggests to me that they are carrying a payload ... the Decode window shows me these layers: PPI / 802.11 Radio Information / IEEE 802.11 QoS Data / Data

No IP layer

What might be happening?

Hypothesis #1: Perhaps this SSID isn't as open as I believe it is (although I've configured it to be Open, my AirCheck G2 tells me that it is Open, and I'm not challenged for credentials when I connect from a WiFi client). I'm comparing this pcap with one taken against an SSID employing WPA2 -- I don't see anything in the PPI / 802.11 / IEEE 802.11 Radio Information layers which would tip me off to whether or not encryption is employed. Am I missing something? Or are there in fact no flags in the lower layers to signal encryption?

Hypothesis #2: Perhaps I'm just seeing Mgmt & Control Plane traffic ... no payloads. So I apply this Display Filter:

    wlan.fc.type_subtype in {0x20 0x28}

And now all I see are 1702-byte frames, emitted from the WAP to the Client. I have a suspicion, BTW, that the only IP-layer frames I will see in this pcap are DHCP Offers, emitted from the WAP to the Client ... but the 1702-byte length puzzles me, as I don't see how a weenie little DHCP Offer would consume so many bytes in the air. But in any case, this suggests that I do have Data packets in this pcap.

Suggestions?

A sample pcap taken on the open SSID is visible at: https://drive.google.com/drive/folders/1oEmsbuPuG3O-0VRhTtcno85l_sFHUkp5?usp=sharing

--sk
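
On the question of a lower-layer flag: the 802.11 Frame Control field carries a Protected Frame bit (0x40 in its second byte, shown by Wireshark as `wlan.fc.protected`), and an unprotected data frame body starts with an LLC/SNAP header followed by the EtherType. The sketch below is an added example, not part of the original post; the function name `classify` is hypothetical and the sample frames are constructed, not taken from the linked capture.

```python
import struct

LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix that precedes an EtherType

def classify(frame: bytes, ppi: bool = True) -> dict:
    """Report type/subtype, the Protected Frame bit and any visible EtherType."""
    if ppi:
        # PPI header: version(1) flags(1) length(2) dlt(4), little-endian;
        # the length field covers the whole PPI header, so skip that many bytes.
        if len(frame) < 8:
            raise ValueError("truncated PPI header")
        frame = frame[struct.unpack_from("<BBHI", frame)[2]:]
    if len(frame) < 2:
        raise ValueError("truncated 802.11 header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {
        "type_subtype": (ftype << 4) | subtype,  # same value as wlan.fc.type_subtype
        "protected": bool(flags & 0x40),          # same bit as wlan.fc.protected
        "ethertype": None,
    }
    # Only unprotected data frames that carry a body can expose LLC/SNAP + IP.
    if ftype != 2 or subtype & 0x4 or info["protected"]:
        return info
    hdr = 24                          # frame control .. sequence control, 3 addresses
    if (flags & 0x03) == 0x03:
        hdr += 6                      # ToDS and FromDS both set: fourth address
    if subtype & 0x8:
        hdr += 2                      # QoS Control
        if flags & 0x80:
            hdr += 4                  # Order bit on QoS data: HT Control present
    body = frame[hdr:]
    if len(body) >= 8 and body[:6] == LLC_SNAP:
        info["ethertype"] = struct.unpack_from(">H", body, 6)[0]
    return info

# Constructed sample frames (not taken from the poster's capture).
PPI = struct.pack("<BBHI", 0, 0, 8, 105)   # PPI header with no fields, DLT 105
MAC = bytes(22)                            # duration, 3 addresses, sequence control
QOS = bytes(2)                             # QoS Control
OPEN_QOS = PPI + b"\x88\x02" + MAC + QOS + LLC_SNAP + b"\x08\x00" + b"\x45" + bytes(19)
# Protected bit set; 8 placeholder bytes stand in for a CCMP header, rest for ciphertext.
WPA2_QOS = PPI + b"\x88\x42" + MAC + QOS + bytes(8) + bytes(range(32))
RTS = PPI + b"\xb4\x00" + bytes(14)

if __name__ == "__main__":
    for name, f in (("open", OPEN_QOS), ("wpa2", WPA2_QOS), ("rts", RTS)):
        print(name, classify(f))
```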