OSQA is unmaintained. Help us figure out where to go from here.

I have came across some capwap packets that seems to have two bytes of IEEE80211's frame control swapped.
Wireshark successfuly detects this and displays "Swapped" next to the frame control frame line.
I been looking through the code at epan/dissectors/packet-ieee80211.c to try to understand how does Wireshark know this but could not figure it out.

There seems to be a call to register_dissector dissect_ieee80211_bsfc but I could not understand when it is used over the other dissectors. (bsfc stands for byte-swapped frame control)

Please help me understand.

asked 09 Aug, 12:38

Guy%20Kroizman's gravatar image

Guy Kroizman
8127
accept rate: 0%


I asked the exaxt same question here:

https://ask.wireshark.org/questions/55804/capwap-80111-data-header-fcf-swapped-why

Basic Answer: if 802.11 frame control is carried over CAPWAP, bytes are simply swapped. No other indicator. It's what I do in TraceWrangler now, and it works 100% so far.

permanent link

answered 09 Aug, 14:10

Jasper's gravatar image

Jasper ♦♦
23.6k551283
accept rate: 18%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×14
×6

question asked: 09 Aug, 12:38

question was seen: 126 times

last updated: 09 Aug, 14:10

p​o​w​e​r​e​d by O​S​Q​A