Ken Whitesell's profile - activity

2020-11-12 01:42:59 +0000 commented answer TShark command to decode WSMP?

Yep, that was it. The version of Wireshark supplied in Ubuntu 18.04.2 is too old. Either running this on Ubuntu 20 or bu

2020-11-12 01:40:35 +0000 marked best answer TShark command to decode WSMP?

What is the command to have tshark decode the WSMP portion of a packet?

I have a pcap file (sample available) that I can open with Wireshark. Wireshark shows the WSMP portion of the packet. (Image available showing this, but I don't have enough karma to upload it.)

But when I decode the packets using tshark, it only shows "Data" for that portion of the packet.

I've tried various combinations of the -d argument, but all the different combinations I've tried result in either the "unknown layer type" error or "Protocol "wsmp" isn't valid for layer type ..." for any of the layer types I've tried. So I haven't been able to find the right parameters.

Any tips, pointers, suggestions, ideas would be greatly appreciated.

Thanks!

Ken

Notes:

I think it should be possible to do this, because the output from:

tshark -G protocols | grep -i wsmp

shows:

Wave Short Message Protocol(IEEE P1609.3)       WSMP    wsmp

But, the following command:

tshark -r /mnt/e/work/work/TC2/SpatSample.pcap -2 -c 1 -V

Produces this output:

Frame 1: 366 bytes on wire (2928 bits), 366 bytes captured (2928 bits)
    Encapsulation type: IEEE 802.11 plus Prism II monitor mode radio header (21)
    Arrival Time: Oct  9, 2020 11:10:46.540759000 EDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1602256246.540759000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 366 bytes (2928 bits)
    Capture Length: 366 bytes (2928 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: prism:wlan_radio:wlan:llc:data]
Prism capture header
    Message Code: 0x00000044
    Message Length: 144
    Device Name: wifi1vap0
    DID Host Time 719685155
        DID: Host Time (0x00010044)
        Status: Supplied (0)
        Length: 4
        Host Time: 719685155
    DID Mac Time 1508234676
        DID: Mac Time (0x00020044)
        Status: Supplied (0)
        Length: 4
        MAC timestamp (lower 32 bits): 1508234676
    DID Channel 172
        DID: Channel (0x00030044)
        Status: Supplied (0)
        Length: 4
        Channel: 172
    DID RSSI 0
        DID: RSSI (0x00040044)
        Status: Supplied (0)
        Length: 4
        RSSI: 0
    DID SQ 0x0
        DID: SQ (0x00050044)
        Status: Supplied (0)
        Length: 4
        Signal Quality: 0
    DID Signal 0x41
        DID: Signal (0x00060044)
        Status: Supplied (0)
        Length: 4
        Signal: 65
    DID Noise 0x0
        DID: Noise (0x00070044)
        Status: Supplied (0)
        Length: 4
        Noise: 0
    DID Rate 6.0 Mb/s
        DID: Rate (0x00080044)
        Status: Supplied (0)
        Length: 4
        Data rate (Mb/s): 6.0
    DID Is Tx 0x1
        DID: Is Tx (0x00090044)
        Status: Supplied (0)
        Length: 4
        IsTX: Tx Packet (0x00000001)
    DID Frame Length 53
        DID: Frame Length (0x000a0044)
        Status: Supplied (0)
        Length: 4
        Frame Length: 53
802.11 radio information
    Data rate: 6.0 Mb/s
    Channel: 172
    Signal strength (dBm): 0dBm
    TSF timestamp: 1508234676
    [Duration: 320µs]
        [Preamble: 20µs]
IEEE 802.11 Data, Flags: ........
    Type/Subtype: Data (0x0020)
    Frame Control Field: 0x0800
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        0000 ...
2020-11-12 01:40:35 +0000 received badge  Scholar (source)
2020-11-11 02:18:38 +0000 commented question TShark command to decode WSMP?

Bingo! That was it. Trying it on an Ubuntu 20.04 system worked perfectly. If it's of any value to you to post that as an a

2020-11-11 02:03:00 +0000 commented question TShark command to decode WSMP?

Wow. Thank you (seriously) for reminding me to supply information that I should have remembered to supply in the first p

2020-11-10 15:18:11 +0000 asked a question TShark command to decode WSMP?