
TZSP dissector

0

Hello, everyone! We need to capture TZSP traffic from our Wi-Fi access points. We created a capture filter, but I found an error in the default TZSP dissector in the tzsp.wlan.signal field. Our APs send signal strength in a 2-byte field, but Wireshark decodes it as a 1-byte field. Where can I change the field size in the packet-tzsp.c source file?

Wireshark Interpretation: [screenshot]

Correct Interpretation: [screenshot]

asked 21 Apr '15, 07:06


Michael Bychkov

edited 21 Apr '15, 07:08


One Answer:

0

packet-tzsp.c refers to http://web.archive.org/web/20050404125022/http://www.networkchemistry.com/support/appnotes/an001_tzsp.html

Which specifies: WLAN_RADIO_HDR_SIGNAL 10 Signal strength of the received packet. Signed byte.

Which seems to imply a one byte value... On the other hand it also says "the tag is followed by one byte containing the length of the value field in bytes"

If you want to change the code, you have to edit these lines

    proto_tree_add_item(tag_tree, hf_signal, tvb, pos, 1, ENC_BIG_ENDIAN);

    { &hf_signal, {
        "Signal", "tzsp.wlan.signal", FT_INT8, BASE_DEC,
        NULL, 0, NULL, HFILL }},

to

    proto_tree_add_item(tag_tree, hf_signal, tvb, pos, length, ENC_BIG_ENDIAN);

    { &hf_signal, {
        "Signal", "tzsp.wlan.signal", FT_INT16, BASE_DEC,
        NULL, 0, NULL, HFILL }},

Note that this will not work for length > 2

answered 21 Apr '15, 07:37


Anders ♦

And it will not work if the Length is indeed 1 byte. So this cannot be a generic solution.

(21 Apr '15, 07:47) Jaap ♦

Why wouldn't it work with one byte?

(21 Apr '15, 08:36) Anders ♦

Gah, because of int type (negative values). OK, so use ..add_int.. and do a length check etc. before adding the value.

(21 Apr '15, 08:40) Anders ♦

Doesn't the description imply a variable length field, in which case you need to read the length and then add the appropriately sized value?

Having a capture with that packet in would help.

(21 Apr '15, 08:53) grahamb ♦

Juniper's WLA sends two bytes in that field.

(21 Apr '15, 08:55) Michael Bychkov

Please file a bug on the Wireshark Bugzilla and attach a capture to the bug for use when testing the fix.

(21 Apr '15, 14:16) Guy Harris ♦♦

I tried to change from:

    proto_tree_add_item(tag_tree, hf_signal, tvb, pos, 1, ENC_BIG_ENDIAN);

    { &hf_signal, { "Signal", "tzsp.wlan.signal", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL }},

to

    proto_tree_add_item(tag_tree, hf_signal, tvb, pos, length, ENC_BIG_ENDIAN);

    { &hf_signal, { "Signal", "tzsp.wlan.signal", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL }},

But it doesn't work either.

(22 Apr '15, 05:37) Michael Bychkov

What does it do instead of working?

Note that the "Silence" value also appears to be 2 bytes, so you'd need to change that as well, if by "doesn't work" you mean "Signal is now OK, but Silence isn't OK".

(22 Apr '15, 10:51) Guy Harris ♦♦

OK, how can I put fields in HEX into the output file from tcpdump?

(27 Apr '15, 05:52) Michael Bychkov
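
The approach suggested in the comments above (read the tag's length byte, check it, then add a signed value of the matching size), written as stand-alone C. This is an added example, not code from packet-tzsp.c or from anyone in the thread; the function name, error codes and sample bytes are constructed for illustration, and big-endian order is assumed from the ENC_BIG_ENDIAN in the posted snippets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TZSP_TRUNCATED = -1, TZSP_BAD_LENGTH = -2 };  /* hypothetical names */

/* Constructed sample fields: tag 10 (signal), length byte, value bytes. */
static const uint8_t one_byte[]  = { 10, 1, 0xC4 };              /* -60 */
static const uint8_t two_byte[]  = { 10, 2, 0xFF, 0xC4 };        /* -60 */
static const uint8_t cut_short[] = { 10, 2, 0xFF };              /* truncated */
static const uint8_t too_long[]  = { 10, 3, 0xFF, 0xFF, 0xC4 };  /* unsupported */

/* Decode the tag/length/value field at buf[pos] as a signed big-endian
 * integer of 1 or 2 bytes. Returns the bytes consumed and stores the
 * sign-extended value in *value, or returns a negative error code. */
static int tzsp_read_signed(const uint8_t *buf, size_t buflen, size_t pos,
                            int32_t *value)
{
    if (pos > buflen || buflen - pos < 2)   /* need tag and length bytes */
        return TZSP_TRUNCATED;
    uint8_t length = buf[pos + 1];          /* from the wire: untrusted */
    size_t  vpos   = pos + 2;
    if (buflen - vpos < length)             /* value must fit in the buffer */
        return TZSP_TRUNCATED;

    switch (length) {
    case 1:
        *value = (int8_t)buf[vpos];
        break;
    case 2:
        *value = (int16_t)(uint16_t)((buf[vpos] << 8) | buf[vpos + 1]);
        break;
    default:
        return TZSP_BAD_LENGTH;             /* the "length > 2" case */
    }
    return 2 + length;
}

int main(void)
{
    int32_t v = 0;
    int rc = tzsp_read_signed(one_byte, sizeof one_byte, 0, &v);
    printf("1-byte: rc=%d signal=%d\n", rc, (int)v);
    rc = tzsp_read_signed(two_byte, sizeof two_byte, 0, &v);
    printf("2-byte: rc=%d signal=%d\n", rc, (int)v);
    printf("truncated: rc=%d\n", tzsp_read_signed(cut_short, sizeof cut_short, 0, &v));
    printf("length 3: rc=%d\n", tzsp_read_signed(too_long, sizeof too_long, 0, &v));
    return 0;
}
```

In a dissector the decoded value would then be handed to proto_tree_add_int() together with the length read from the wire, so a 1-byte and a 2-byte signal both display as the same signed number.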