This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireless Partial Virtual Bitmap

0

Does anyone know of an easy way to filter on a specific AID (association ID) for a WLAN client to see if it is in the partial virtual bitmap (PVM)? With a only a limited number of devices and low AID values, I can do some simple comparisons, if I know how large the bitmap could be:

((wlan_mgt.tim.partial_virtual_bitmap & 02) or (wlan_mgt.tim.partial_virtual_bitmap & 2:00))

However, on some systems, my AID values could be in the 100s, so I want to filter on AID == 132 (or whatever), and have it match if that bit is high. The problem is the IE for TIM includes a length and an offset, so I may get a couple of bytes or many bytes, depending on how many stations have data waiting for them, and we need the offset to determine where this particular device is. I can decode by hand, but would be great if Wireshark could tell me.

The natural choice is wlan.aid == 132 (or whatever), but this does not match the partial virtual bitmap. However, this filter works well to pick up the PS-Poll frames, but to verify proper 802.11 operation, I should see the device AID in the PVM, then the PS-Poll frame.

Some sample results:

One beacon might give this to me as the PVM

Length: 15
Offset: 4
PVM: 0x020000000000000010002000

AID   64 ->    01000000
AID   72 ->    00000000
AID   80 ->    00000000
AID   88 ->    00000000
AID   96 ->    00000000
AID  104 ->    00000000
AID  112 ->    00000000
AID  120 ->    00000000
AID  128 ->    00001000    <– device 132 indicates data waiting
AID  136 ->    00000000
AID  144 ->    00000100
AID  152 ->    00000000

So I know device 132 has data waiting.

Another beacon a little while later -

Length: 7
Offset: 8
PVM: 0x10000000


AID  128 ->    00001000   <– device 132 indicates data waiting
AID  136 ->    00000000
AID  144 ->    00000000
AID  152 ->    00000000

Again, device 132 has data waiting.

Reference: http://processors.wiki.ti.com/index.php/OMAP_Wireless_Connectivity_Power_Save

asked 12 Jan ‘16, 09:51

Bob%20Jones's gravatar image

Bob Jones
1.0k2515
accept rate: 21%

can you provide a small sample pcap?

(12 Jan ‘16, 10:32) Kurt Knochner ♦

Trace is here:

https://www.cloudshark.org/captures/169a75f46227

Two packets - a beacon with TIM IE, and a PS Poll frame.

For this example, this is what I have for the TIM map:

     length  15
     offset  4
     pvm     200000000000000010002000
     Bytes:  [12] 8...19
     Bits:   64...159
     pvm as decimal: 9903520314283042199461437440

AID 64 -> 00000100 AID 72 -> 00000000 AID 80 -> 00000000 AID 88 -> 00000000 AID 96 -> 00000000 AID 104 -> 00000000 AID 112 -> 00000000 AID 120 -> 00000000 AID 128 -> 00001000 <--- device 132, per AID in PS-Poll AID 136 -> 00000000 AID 144 -> 00000100 AID 152 -> 00000000

None of the anonymizer tools seemed to work on wlan addresses. I had to edit hex manually. Know of a tool like tracewrangler for 802.11 capture files?

(12 Jan '16, 12:10) Bob Jones

Bump.

I ran into this again at a customer site last week with a large wifi infrastructure - more than 1200 APs. I have to feed the packet captures into OmniPeek as it decodes the actual AIDs in the TIM map. Any tips for Wireshark, or would this be a new feature request to enhance the TIM IE decoding?

(05 Jun '16, 10:11) Bob Jones

Would a Lua post-dissector creating up to thousands of individual pseudo-fields out of the individual bits of the TIM submap help you? Display filters do not support arithmetic to calculate offsets and protocol fields cannot be organized into arrays.

Or, as I think about it, rather a duplicate copy of the original bitmap which would be left-stuffed with 0s to allow use of a fixed offset, so for AID 132, you could always use xxx.xxx.my_bitmap[16:1] & 8

(05 Jun '16, 11:45) sindy

Or, as I think about it, rather a duplicate copy of the original bitmap which would be left-stuffed with 0s to allow use of a fixed offset, so for AID 132, you could always use xxx.xxx.my_bitmap[16:1] & 8

This sounds like it would do. What I observe is something like this...

  1. There is WiFi data loss
  2. So I ... capture WiFi traffic
  3. Notice client stops sending PS-Poll frames for a period off time

So root cause of data loss is that no data is sent FromDS for this period, as client is not requesting it. But it's not really root cause: client will only send PS-Poll if informed that data is buffered at the AP with the TIM map entry, so to figure which device is at fault, we need to look at the TIM map to see if the AP is indicating data is waiting. If the bit is set, and no PS-Poll, it's a client issue. If not set, then need a wired trace to prove wired data arrives at AP, but it does not set the TIM map.

So a Lua dissector, as you describe, would allow me to filter by PS-Poll and then by Beacons that had this bit set, so Wireshark will easily show periods of no PS-Poll - and then whether there are beacons or not during that period.

I have not done any Lua with Wireshark before, so sounds like I need to get on it. I'll start the Lua tutorial for a dissector and see how far I get.

(06 Jun '16, 03:17) Bob Jones

Well, I was afraid of posting an optimistic nonsense so I'd better checked I haven't... so if you don't want to use this as an impulse to dive into Lua, you may have my proof of concept code :-)

(06 Jun '16, 03:26) sindy

Proof of concept code would be gladly accepted and greatly appreciated, but I don't want to expect that others would just do it if I won't try first. Thanks for any help you could provide, anyway. I am not sure what the learning curve might be...

(06 Jun '16, 05:19) Bob Jones

OK. So I don't delete those 16 lines of Lua code until you state clearly either that you want them or that you have written your own ones.

Just an idea if you're going to take Lua programming seriously: I was thinking of an alternative solution consisting in creation of a value-less pseudofield for each bit which has a value of 1. This would make the addressing in the display filter expression more convenient as you wouldn't have to manually calculate the byte offset and bit position, but it could cost quite some CPU time. The display filter condition would then look just like wlan_mgt.tim.data_waiting.aid_132 (no == 1 necessary).

(06 Jun '16, 06:13) sindy

Please share!

(06 Jun '16, 17:37) Bob Jones
showing 5 of 9 show 4 more comments

2 Answers:

1

A Lua post-dissector, creating a pseudo-field which is a duplicate copy of the original bitmap left-stuffed with 0s in order to allow use of a fixed bit address in the display filter, is below.

The display filter condition is tim.bitmap[X:1]&x, where

  • X is AID div 8 in decadic notation (unless specified otherwise using 0x or 0 prefix),

  • if I got the explanation regarding LSB/MSB meaning correctly from the reference, x is 2^(AID rem 8), this time hexadecimal notation is the only possibility and no prefix is required or possible.

So for AID=132, it would be tim.bitmap[16:1]&10.

The Lua script itself, to be placed into a .lua file in your plugin directory, is:

-- Define functions to import already dissected values:
OrigBitmap=Field.new("wlan_mgt.tim.partial_virtual_bitmap")
OrigOffset=Field.new("wlan_mgt.tim.bmapctl.offset")

– Export "protocol" 'tim' and its only field
MyProto = Proto("tim","TIM pseudo-protocol")
MyBitmap = ProtoField.bytes("tim.bitmap","Extended bitmap")
MyProto.fields = { MyBitmap }


– The (post-)dissector function itself
function MyProto.dissector(buffer,pinfo,tree)
if OrigBitmap() then
local MyArray = ByteArray.new("00")
MyArray:set_size(2*OrigOffset().value)
MyArray:append(OrigBitmap().value)
local MyTvb = ByteArray.tvb(MyArray,"extended bitmap")
local subtree = tree:add(MyProto,"TIM buffer expanded")
subtree:add(MyBitmap,MyTvb:range(0))
end
end


– register the postdissector for our "protocol"
register_postdissector(MyProto)

answered 06 Jun ‘16, 22:21

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 11 Jun ‘16, 04:18

Thanks - I owe you a beer. I’m out of the office this week on business, but I will try this as soon as I get a chance.

(07 Jun ‘16, 03:09) Bob Jones

I tested this and it looks good. Thanks for your help.

I validated with a couple of different cases: AID of 16 and AID of 1 - two simple cases I could inspect to be sure, it works.

(11 Jun ‘16, 01:21) Bob Jones

1

Please open an enhancement bug at bugs.wireshark.org, attach a sample capture that contains (at least) two beacons: one with no offset into the tim map and one with an offset. If you are worried about keeping the information non-public set the attachment to private. Last but not least: assign the bug to me: [email protected] I will add proper decoding and thus filtering but I need some captures to test against.

answered 17 Jun '16, 16:26

jmayer's gravatar image

jmayer
262
accept rate: 0%

This is great, thanks. Enhancement request is done:

Bug 12545 - Enhancement: Decode TIM Map in 802.11 Beacon Frame

If you need a tester, let me know. I have plenty of traces to test against.

(18 Jun '16, 02:02) Bob Jones