tcpdump mailing list archives

Re: Strange wireless frames


From: Hannes Gredler <hannes () juniper net>
Date: Sat, 14 Jun 2003 22:42:35 +0200

On Sat, Jun 14, 2003 at 11:46:47AM -0400, Greg Stark wrote:
| 
| 
| I'm running tcpdump on a wlan0 interface using the hostap drivers. I'm seeing
| some strange looking packets. They look to me like four-address inter-AP
| packets but I'm not really sure what they should look like or how tcpdump
| is supposed to display these. I've never done anything with wireless before.
| 
| The reason I say they look like four-address inter-AP packets is because I
| know 0030 bd60 5e6b is the MAC address for a station on this network, and
| tcpdump is showing that in the payload of the packets.
| 
| Is this type of packet supposed to be parsed by tcpdump and it's failing to
| recognize it somehow? Or is it behaving as expected and some code needs to be
| written? Or is there something wrong with these packets?
| 
| 
| 15:23:22.529791 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0c00, length 60: 
|                        0802 0000 0030 bd60 5e6b 0006 25a7 432b
|                        0006 25a7 432b 0000 0000 0000 0000 0000
|                        0000 0000 0000 0000 0000 0000 0000
| 15:23:23.530428 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0c00, length 62: 
|                        a000 0000 0030 bd60 5e6b 0006 25a7 432b
|                        0006 25a7 432b 0000 0000 0000 0000 0200
|                        0000 0000 0000 0000 0000 0000 0000 0400
| 15:23:24.530204 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0c00, length 62: 
|                        c000 0000 0030 bd60 5e6b 0006 25a7 432b
|                        0006 25a7 432b 0000 0000 0000 0000 0200
|                        0000 0000 0000 0000 0000 0000 0000 0200
| 
| 07:13:18.514697 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66: 
|                        b000 0000 0030 bd60 5e6b 0006 25a7 432b
|                        0006 25a7 432b 0000 0000 0000 0000 0600
|                        0000 0000 0000 0000 0000 0000 0000 0000
|                        0200 0000
| 07:13:18.529177 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72: 
|                        1000 0000 0030 bd60 5e6b 0006 25a7 432b
|                        0006 25a7 432b 0000 0000 0000 0000 0c00
|                        0000 0000 0000 0000 0000 0000 0000 0100
|                        0000 01c0 0104 8284 0b16
| 07:13:18.855134 01:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 66: 
|                        b000 0000 0030 bd60 5e6b 0006 25a7 432b
|                        0006 25a7 432b 0000 0000 0000 0000 0600
|                        0000 0000 0000 0000 0000 0000 0000 0000
|                        0200 0000
| 07:13:18.867212 02:00:00:00:00:00 > 00:00:00:00:00:00, ethertype 0x0e00, length 72: 
|                        1000 0000 0030 bd60 5e6b 0006 25a7 432b
|                        0006 25a7 432b 0000 0000 0000 0000 0c00
|                        0000 0000 0000 0000 0000 0000 0000 0100
|                        0000 01c0 0104 8284 0b16

greg,

out of curiosity: what DLT are your frames?
pls, use the latest CVS version which displays the link type;

/hannes
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
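Added example (not part of either message and not tcpdump code): a decoder for the 802.11 Frame Control and address fields, run over the leading bytes of the dumps quoted above. It assumes, as the question supposes, that the bytes tcpdump printed after its 14-byte Ethernet-style header begin an 802.11 MAC header; the names `SAMPLES`, `decode` and `mac` are this example's own.

```python
import struct

# First 24 payload bytes of each distinct dump, copied from the quoted message.
# Assumption: they start at the 802.11 Frame Control field.
SAMPLES = {
    "0802": "0802 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000",
    "a000": "a000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000",
    "c000": "c000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000",
    "b000": "b000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000",
    "1000": "1000 0000 0030 bd60 5e6b 0006 25a7 432b 0006 25a7 432b 0000",
}
TYPES = ("mgmt", "ctrl", "data", "reserved")
MGMT = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
        4: "probe-req", 5: "probe-resp", 8: "beacon", 9: "atim",
        10: "disassoc", 11: "auth", 12: "deauth"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode(hexwords):
    """Decode Frame Control, Duration and Address 1-3 of an 802.11 header."""
    raw = bytes.fromhex(hexwords.replace(" ", ""))
    if len(raw) < 24:
        raise ValueError("need at least 24 bytes of 802.11 header")
    # Frame Control is two bytes: version/type/subtype, then the flag byte.
    fc0, fc1, duration = struct.unpack_from("<BBH", raw, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    name = MGMT.get(subtype) if ftype == 0 else None
    return {
        "type": TYPES[ftype],
        "subtype": name or f"subtype {subtype}",
        "duration": duration,
        "to_ds": to_ds,
        "from_ds": from_ds,
        # Address 4 is present only when both ToDS and FromDS are set.
        "four_address": to_ds and from_ds,
        "addr1": mac(raw[4:10]),
        "addr2": mac(raw[10:16]),
        "addr3": mac(raw[16:22]),
    }

if __name__ == "__main__":
    for key, dump in SAMPLES.items():
        f = decode(dump)
        print(key, f["type"], f["subtype"], "ToDS" if f["to_ds"] else "-",
              "FromDS" if f["from_ds"] else "-", f["addr1"], f["addr2"])
```
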

