Wireshark mailing list archives

Re: Get "Malformed Packet" for 802.11 Beacon frames on Windows


From: Yang Luo <hsluoyb () gmail com>
Date: Tue, 12 Apr 2016 15:06:27 +0800

Hi Guy,

Thanks a lot! I must admit that your help has greatly saved my efforts.

As you have said in a previous post:

*provide a radiotap Flags field with 0x10 set if the frame includes the FCS
(you'll probably have to experiment a bit to see whether you get the FCS or
not - the answer might differ for data and management frames, based on
Network Monitor's behavior) and with 0x40 set if
DOT11_RECV_FLAG_RAW_PACKET_FCS_FAILURE is set in uReceiveFlags;*

So the question is how to determine if the 802.11 packet has FCS or not?

In that capture file, I found that only Beacon (like Frame 40) and
Reassociation Response (like Frame 47) packets have the "Malformed Packet"
error (I guess Reassociation Response is the same error?).
But I don't think determination based on whether the packet is Beacon
or Reassociation Response is good. Because maybe for another wireless
adapter, this behavior might change. And it's inappropriate for Npcap to
parse the contents of a packet so deep.


Cheers,
Yang



On Tue, Apr 12, 2016 at 2:18 PM, Guy Harris <guy () alum mit edu> wrote:

> On Apr 11, 2016, at 10:53 PM, Yang Luo <hsluoyb () gmail com> wrote:
>
>> I'm not an expert of 802.11 protocols, so can anyone point out what's
>> wrong here?
>
> Frame 40 has an FCS, but the "FCS at end" flag in the Flags field of the
> radiotap header is 0, and Wireshark thus doesn't think it has an FCS at the
> end, and thinks it has an extra 4 bytes of payload.
>
> Try, by default, turning that flag *on*, and then see if any packets that
> don't have a valid FCS don't have an FCS at all, rather than having an
> invalid FCS.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
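
One way to run the experiment discussed in this thread without looking at frame types, as an added example (not Npcap or Wireshark code): test whether the last four bytes of a frame are a valid CRC-32 over the rest, then derive the radiotap Flags bits 0x10 and 0x40 quoted above. The function names and the `default_has_fcs` parameter are hypothetical, and a CRC mismatch alone cannot tell "no FCS" from "bad FCS", which is why a default is still needed.

```c
#include <stddef.h>
#include <stdint.h>

#define RADIOTAP_F_FCS    0x10 /* radiotap Flags: frame includes FCS at end */
#define RADIOTAP_F_BADFCS 0x40 /* radiotap Flags: frame failed the FCS check */

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), the checksum used for the 802.11 FCS. */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* 1 if the last 4 bytes (little-endian) equal the CRC-32 of the bytes before them. */
int trailing_fcs_valid(const uint8_t *f, size_t len)
{
    if (f == NULL || len <= 4)
        return 0;
    uint32_t got = (uint32_t)f[len - 4] | ((uint32_t)f[len - 3] << 8) |
                   ((uint32_t)f[len - 2] << 16) | ((uint32_t)f[len - 1] << 24);
    return got == crc32_ieee(f, len - 4);
}

/* fcs_failure: nonzero when DOT11_RECV_FLAG_RAW_PACKET_FCS_FAILURE is set in uReceiveFlags.
 * default_has_fcs: hypothetical per-adapter default used when the CRC check is inconclusive. */
uint8_t radiotap_flags(const uint8_t *f, size_t len, int fcs_failure, int default_has_fcs)
{
    uint8_t flags = 0;
    if (trailing_fcs_valid(f, len) || default_has_fcs)
        flags |= RADIOTAP_F_FCS;
    if (fcs_failure)
        flags |= RADIOTAP_F_BADFCS;
    return flags;
}
```

Counting how many captured frames pass `trailing_fcs_valid` per adapter shows whether that adapter delivers the FCS at all, which is the information needed to pick the default.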
