This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Testing a WiFi management frame to see if its sender supports 802.11n

0

I'm using Wireshark to capture packets of wireless communication. Using the display filter's parameters wlan_mgt.extented_supported_rates and wlan_mgt.supported_rates, it's possible to filter out packets that match the network modes B and G.

How do I test if a packet belongs to an AP that's configured with a network mode N?

asked 13 Mar '14, 01:09

Dor_lan
accept rate: 0%

edited 18 Mar '14, 01:36

Guy Harris ♦♦

1

"Belongs to" in what sense? Do you mean "is this a packet from an AP that's configured to support 802.11n, containing parameters for that AP", such as a beacon from that AP?

(13 Mar '14, 15:46) Guy Harris ♦♦

@Guy Harris: Exactly!

(16 Mar '14, 00:19) Dor_lan

2 Answers:

1

Though I found the field wlan_mgt.tag with display value of Tag: HT Information (802.11n D1.10); Can I rely on this field?

I don't know whether you can rely on that field for certain (I'd have to go back and read 802.11-2012), but I suspect a device that doesn't support 802.11n isn't going to give 802.11n information in its beacon frames (there's no reason for it to do so, and I'm not sure any form of that information can say "I don't do 802.11n"), so try the filter

wlan_mgt.tag.number == 45

to look for frames with that tag.

answered 18 Mar '14, 01:35

Guy Harris ♦♦
accept rate: 19%
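
As an added example (not code from the posters or from Wireshark), here is the tag-45 check from the answer above applied to a raw beacon or probe response in Python. It assumes the frame starts at the 802.11 header (radiotap/PPI already stripped) and has no HT Control field; `build_beacon` is a hypothetical helper that produces constructed sample frames.

```python
import struct

TAG_HT_CAPABILITIES = 45      # same tag number as in the display filter above
SUBTYPES = {5, 8}             # probe response, beacon: both carry the tag list
MAC_HEADER_LEN = 24           # assumes no HT Control field in the header
FIXED_PARAMS_LEN = 12         # timestamp (8) + beacon interval (2) + capabilities (2)


def parse_tags(body):
    """Walk id/length/value elements; stop at a truncated element."""
    tags, off = {}, 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:   # capture cut short or malformed frame
            break
        tags.setdefault(tag, value)
        off += 2 + length
    return tags


def advertises_ht(frame):
    """True/False for beacons and probe responses, None for other frames."""
    if len(frame) < MAC_HEADER_LEN + FIXED_PARAMS_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    tags = parse_tags(frame[MAC_HEADER_LEN + FIXED_PARAMS_LEN:])
    # The HT Capabilities element body is 26 bytes; ignore shorter ones.
    return len(tags.get(TAG_HT_CAPABILITIES, b"")) >= 26


def build_beacon(ssid, with_ht):
    """Constructed sample frame (not taken from a real capture)."""
    header = (b"\x80\x00" + b"\x00\x00" + b"\xff" * 6
              + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00")
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0401)
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    if with_ht:
        tags += bytes([TAG_HT_CAPABILITIES, 26]) + bytes(26)
    return header + fixed + tags


if __name__ == "__main__":
    for name, frame in [("bg", build_beacon(b"lab-bg", False)),
                        ("bgn", build_beacon(b"lab-bgn", True))]:
        print(name, advertises_ht(frame))
```

A `None` result means the frame is not a beacon or probe response, so it says nothing either way about the sender's 802.11n support.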

1

There are some fields in the Radiotap and PPI headers

radiotap.channel.type
ppi.80211-common.chan.type

See:

http://www.wireshark.org/docs/dfref/r/radiotap.html
http://www.wireshark.org/docs/dfref/p/ppi.html

There are other fields in the Radiotap/PPI header that should help to identify 802.11n, like frequency used (2GHz versus 5GHz) or the data rate.

Regards
Kurt

answered 16 Mar '14, 13:14

Kurt Knochner ♦
accept rate: 15%

Sorry, but I didn't find these fields in either the BG or the BGN packet (both are in PDML format, if it matters).

(17 Mar '14, 03:04) Dor_lan

Can you post some sample frames in pcap format on Google Drive, Dropbox or cloudshark.org?

(17 Mar '14, 03:06) Kurt Knochner ♦

My mistake! :) The field radiotap.channel.type exists in both packets (BG & BGN), and in both it equals 0xa000 (display value is Channel type: 802.11b (0x00a0)). The field ppi.80211-common.chan.type doesn't exist in either of them, nor merely ppi. Though I found the field wlan_mgt.tag with display value of Tag: HT Information (802.11n D1.10); can I rely on this field? Sorry, but I can't post the whole packet (has sensitive info).

(17 Mar '14, 04:35) Dor_lan

doesn't exist in either of them, nor merely ppi.

Usually you will only have a radiotap or a ppi header.

Sorry, but I can't post the whole packet (has sensitive info).

That isn't necessary, as you've found the fields yourself.

(17 Mar '14, 06:07) Kurt Knochner ♦

Checking whether a given frame is an 802.11n frame can tell you if the sender supports 802.11n (if the frame is an 802.11n frame, obviously the sender supports 802.11n), but 802.11n-capable machines can send out non-802.11n packets - I have a capture in front of me in which our 802.11n-capable AirPort Express sent out a non-11n beacon frame (so that non-11n-capable machines, such as my ancient first-generation iPhone, can see it) that advertises its ability to handle 11n (that's the frame from which I determined the display filter in my answer).

(18 Mar '14, 01:39) Guy Harris ♦♦