Wireshark mailing list archives

Wireshark PEEKREMOTE decoding packets from Cisco Sniffer APs incorrectly


From: "Vignesh Viswanathan -X (vignevis - EMBED UR SYSTEMS at Cisco)" <vignevis () cisco com>
Date: Wed, 28 May 2014 13:36:20 +0000

Hi All,

We see an issue when decoding packets sniffed from a Cisco Sniffer AP using PEEKREMOTE.

The header for "IEEE 802.11 QoS Data" under "AiroPeek/OmniPeek encapsulated IEEE 802.11" is found to be of 28 bytes in
length. Whereas the same "IEEE 802.11 QoS Data" under default decoding is 26 bytes for "LLC" packets. This leads to
the first 2 bytes of LLC to go wrongly under "IEEE 802.11 QoS Data", which in turn leads to LLC DSAP as unknown and
Wireshark is not able to identify EAP/EAPOL packets.

The following are the screen shots from the capture.


The two bytes highlighted are not a part of "QOS Control" which is the last field in "IEEE 802.11 QoS Data".

The same packets are decoded properly with 26 bytes header by "WildPackets Omnipeek" as shown below.

For packets captured over the air with sniffer laptops (default decoding and not PEEKREMOTE), the "IEEE 802.11 QoS 
Data" is correctly decoded with 26 bytes header as EAP/EAPOL is identified.


Please provide your thoughts on how we can resolve this issue as we are seeing this in multiple sniffer setups using 
Wireshark.

Thanks,
Vignesh
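
The two-byte shift described in the message above, as an added example that is not part of the original post and is not Wireshark's code: it derives the MAC header length from the Frame Control field of a constructed QoS Data frame, then reads the LLC header at offset 26 and at offset 28. The frame bytes, MAC addresses and function names are assumptions made for illustration.

```python
import struct

# LLC/SNAP header announcing EtherType 0x888e (EAPOL): DSAP, SSAP, control, OUI, type
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")

# Constructed sample: QoS Data frame (From DS) carrying the start of an EAPOL-Key PDU
SAMPLE = (
    bytes.fromhex("8802")            # Frame Control: type=data, subtype=QoS Data, From DS
    + bytes.fromhex("2c00")          # Duration
    + bytes.fromhex("020000000001")  # Address 1 (constructed)
    + bytes.fromhex("020000000002")  # Address 2 (constructed)
    + bytes.fromhex("020000000002")  # Address 3 (constructed)
    + bytes.fromhex("1000")          # Sequence Control
    + bytes.fromhex("0000")          # QoS Control, the last MAC header field
    + LLC_SNAP_EAPOL
    + bytes.fromhex("0203005f")      # EAPOL version, type (Key), body length
)

def dot11_data_header_len(frame: bytes) -> int:
    """MAC header length of an 802.11 data frame, derived from Frame Control."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    length = 24                          # FC, duration, addresses 1-3, sequence control
    if (fc1 & 0x01) and (fc1 & 0x02):
        length += 6                      # Address 4 when To DS and From DS are both set
    if subtype & 0x8:
        length += 2                      # QoS Control
        if fc1 & 0x80:
            length += 4                  # HT Control when the Order bit is set
    return length

def classify_payload(frame: bytes, offset: int):
    """Read LLC at offset; return (DSAP, EtherType) or (DSAP, None) if not SNAP."""
    dsap = frame[offset]
    if frame[offset:offset + 3] == b"\xaa\xaa\x03":
        (ethertype,) = struct.unpack("!H", frame[offset + 6:offset + 8])
        return dsap, ethertype
    return dsap, None

if __name__ == "__main__":
    hdr = dot11_data_header_len(SAMPLE)
    print("header length:", hdr)
    for off in (hdr, hdr + 2):           # correct offset, then the shifted one
        dsap, etype = classify_payload(SAMPLE, off)
        etype_s = hex(etype) if etype is not None else "none"
        print(f"offset {off}: DSAP=0x{dsap:02x} EtherType={etype_s}")
```

At offset 28 the byte read as DSAP is the LLC control byte, so the SNAP header is not recognised and the EAPOL EtherType is never reached.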

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>