subject:"Re\: \[Wireshark\-users\] WLAN APC file and RSSI"

Re: [Wireshark-users] WLAN APC file and RSSI

2008-01-23 Thread Avi Berkovich

Well, I went through the wiretap library code and saw that while it's aware of 
the dBm tag (it has it's own switch case), it just doesn't read it.
Very funny indeed.

I'll see about uploading a capture file.

 Date: Tue, 22 Jan 2008 17:26:44 -0800
 From: [EMAIL PROTECTED]
 To: wireshark-users@wireshark.org
 Subject: Re: [Wireshark-users] WLAN APC file and RSSI

 It looks like the dBm tag isn't supported in Wireshark. Do you have a capture 
 file you can send to the list or upload to the wiki?

 Avi Berkovich wrote:
  First, thanks for the link.

  As for the dBm value, it is present in the capture file (stored right 
  after the percentage value in the packet header).

Date: Tue, 22 Jan 2008 09:34:55 -0800
From: [EMAIL PROTECTED]
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] WLAN APC file and RSSI

Avi Berkovich wrote:
 Hello,

 Wireshark doesn't display the RSSI value in dBm, only in percent.
 This happens with APC files captured with Airopeek.

 Is this a limitation?

Are you sure the dBm values are present in the capture file? 
  According to

  http://www.wildpackets.com/elements/whitepapers/Converting_Signal_Strength.pdf,

WildPackets prefers to use percentage values.
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

  Express yourself instantly with MSN Messenger! MSN Messenger 
  http://clk.atdmt.com/AVE/go/onm00200471ave/direct/01/

  ___
  Wireshark-users mailing list
  Wireshark-users@wireshark.org
  http://www.wireshark.org/mailman/listinfo/wireshark-users

 ___
 Wireshark-users mailing list
 Wireshark-users@wireshark.org
 http://www.wireshark.org/mailman/listinfo/wireshark-users

_
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

Re: [Wireshark-users] WLAN APC file and RSSI

2008-01-23 Thread Guy Harris

Avi Berkovich wrote:
 Well, I went through the wiretap library code and saw that while it's 
 aware of the dBm tag (it has it's own switch case), it just doesn't 
 read it.

The problem is that, for 802.11 radio information other than in libpcap 
files (where the radio information appears in the packet data as a 
header preceding the 802.11 header), it's presented to the 802.11 
dissector as a pseudo-header.

That pseudo-header was originally introduced for the file format used by 
AiroPeek before *Peek switched to the new file format (the old file 
format is handled by wiretap/etherpeek.c, because the code to handle it 
was first added to handle files from EtherPeek; the new file format is 
handled by wiretap/airopeek9.c, because the code to handle it was first 
added to handle files from a later version of AiroPeek (the URL 
mentioned in airopeek9.c says 2.0.1)).

The older versions of AiroPeek had a fixed-length radio header, with a 
1-byte data rate value in 500Kb/s units, a 1-byte channel value with a 
channel number and a 1-byte signal level value as a percentage.  Those 
were the only values put into the pseudo-header; some other file formats 
also use it.

The newer versions of EtherPeek, AiroPeek, and presumably OmniPeek, have 
a variable-length TLV-based pseudo-header, with tags for both signal and 
noise as a percentage and as a dBm value, as well as other tags 
(including one mysterious one seen in an EtherPeek capture).  The 
current pseudo-header has no provision for most of those values, so most 
of them are ignored.

There are a couple of ways to handle this:

1) have a new pseudo-header that can handle all the radio 
pseudo-information found in capture files - including in the Prism, AVS, 
and radiotap headers in libpcap - and funnel all radio information 
through that.

2) have some mechanism for supplying the raw new-style *Peek TLV header 
and have a dissector for it - and perhaps even use that for the 
old-style *Peek header, CommView header, etc..

1) has the advantage that all the code that knows about particular forms 
of radio information is in Wiretap, and no dissectors or taps need know 
those details.

2) has the advantages that:

1) we could have an option in the 802.11 dissector to have it either 
just display the extracted radio information (just the values) or 
display a dissection of the raw header - the former is probably what 
most users want (they don't care about the gory details of how a 
radiotap, AVS, or Prism header encodes that information), and the latter 
would be useful if you're debugging a driver generating a radiotap or 
AVS header or are trying to reverse-engineer a radio header);

2) there's no loss of information from transforming the header to a 
pseudo-header, so if you save packets from a capture the radio 
information will be saved as is.

You *would* need multiple radio-information dissectors, but those could, 
at least, build a pseudo-header to hand to taps, so the taps would be 
independent of the capture file you're reading.
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

Re: [Wireshark-users] WLAN APC file and RSSI

2008-01-23 Thread Guy Harris


On Jan 23, 2008, at 1:15 PM, Guy Harris wrote:

 The newer versions of EtherPeek, AiroPeek, and presumably OmniPeek,  
 have
 a variable-length TLV-based pseudo-header, with tags for both signal  
 and
 noise as a percentage and as a dBm value, as well as other tags
 (including one mysterious one seen in an EtherPeek capture).  The
 current pseudo-header has no provision for most of those values, so  
 most
 of them are ignored.

...as was, in fact, noted in the comment in front of  
airopeekv9_process_header():

  * XXX - we should supply the additional radio information;
  * the pseudo-header should probably be supplied in a fashion
  * similar to the new BSD radio header, so that the 802.11
  * dissector can determine which, if any, information items
  * are present.

 2) has the advantages that:

   1) we could have an option in the 802.11 dissector to have it either
 just display the extracted radio information (just the values) or
 display a dissection of the raw header - the former is probably what
 most users want (they don't care about the gory details of how a
 radiotap, AVS, or Prism header encodes that information), and the  
 latter
 would be useful if you're debugging a driver generating a radiotap or
 AVS header or are trying to reverse-engineer a radio header);

   2) there's no loss of information from transforming the header to a
 pseudo-header, so if you save packets from a capture the radio
 information will be saved as is.

...although Wiretap has to parse the new-style *Peek TLV header  
*anyway*, as the packet length and slice length (captured length) are  
part of that header.

It might be that going with a new-style pseudo-header is good enough -  
yes, if we use that for libpcap, it would mean that you can't just use  
Wireshark to debug your wireless adapter driver if it's generating a  
mangled radiotap/AVS/Prism header, but I'm not sure whether that's  
worth worrying about.  There is some risk of loss of information if we  
don't handle some particular attribute in a particular capture file  
format, but it might be that the right way to fix that is to add said  
support if we run into such a capture file.

(Another alternative is to supply both the raw radio information *and*  
the parsed radio information as pseudo-headers, have different  
WTAP_ENCAP types for different forms of raw radio information, and  
supply both forms of radio information when writing a capture; that way

1) you'd still have the raw radio information for those users who  
want to see it

and

2) at least when writing out packets in the format of the file from  
which they're read, we can just pass the raw radio information  
through, and not lose any information.)
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

Re: [Wireshark-users] WLAN APC file and RSSI

2008-01-22 Thread Avi Berkovich

First, thanks for the link.

As for the dBm value, it is present in the capture file (stored right after the 
percentage value in the packet header).

 Date: Tue, 22 Jan 2008 09:34:55 -0800
 From: [EMAIL PROTECTED]
 To: wireshark-users@wireshark.org
 Subject: Re: [Wireshark-users] WLAN APC file and RSSI

 Avi Berkovich wrote:
  Hello,

  Wireshark doesn't display the RSSI value in dBm, only in percent.
  This happens with APC files captured with Airopeek.

  Is this a limitation?

 Are you sure the dBm values are present in the capture file? According to 
 http://www.wildpackets.com/elements/whitepapers/Converting_Signal_Strength.pdf,

 WildPackets prefers to use percentage values.
 ___
 Wireshark-users mailing list
 Wireshark-users@wireshark.org
 http://www.wireshark.org/mailman/listinfo/wireshark-users

_
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

Re: [Wireshark-users] WLAN APC file and RSSI

2008-01-22 Thread Gerald Combs

Avi Berkovich wrote:
 Hello,
 
 Wireshark doesn't display the RSSI value in dBm, only in percent.
 This happens with APC files captured with Airopeek.
 
 Is this a limitation?

Are you sure the dBm values are present in the capture file? According to 
http://www.wildpackets.com/elements/whitepapers/Converting_Signal_Strength.pdf, 
WildPackets prefers to use percentage values.
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

Re: [Wireshark-users] WLAN APC file and RSSI

2008-01-22 Thread Gerald Combs

It looks like the dBm tag isn't supported in Wireshark. Do you have a capture 
file you can send to the list or upload to the wiki?

Avi Berkovich wrote:
 First, thanks for the link.
 
 As for the dBm value, it is present in the capture file (stored right 
 after the percentage value in the packet header).
 
 
 
   Date: Tue, 22 Jan 2008 09:34:55 -0800
   From: [EMAIL PROTECTED]
   To: wireshark-users@wireshark.org
   Subject: Re: [Wireshark-users] WLAN APC file and RSSI
  
   Avi Berkovich wrote:
Hello,
   
Wireshark doesn't display the RSSI value in dBm, only in percent.
This happens with APC files captured with Airopeek.
   
Is this a limitation?
  
   Are you sure the dBm values are present in the capture file? 
 According to
   
 http://www.wildpackets.com/elements/whitepapers/Converting_Signal_Strength.pdf,
  
 
   WildPackets prefers to use percentage values.
   ___
   Wireshark-users mailing list
   Wireshark-users@wireshark.org
   http://www.wireshark.org/mailman/listinfo/wireshark-users
 
 
 Express yourself instantly with MSN Messenger! MSN Messenger 
 http://clk.atdmt.com/AVE/go/onm00200471ave/direct/01/
 
 
 
 
 ___
 Wireshark-users mailing list
 Wireshark-users@wireshark.org
 http://www.wireshark.org/mailman/listinfo/wireshark-users

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

Re: [Wireshark-users] WLAN APC file and RSSI

Re: [Wireshark-users] WLAN APC file and RSSI

Re: [Wireshark-users] WLAN APC file and RSSI

Re: [Wireshark-users] WLAN APC file and RSSI

Re: [Wireshark-users] WLAN APC file and RSSI

Re: [Wireshark-users] WLAN APC file and RSSI

6 matches

Site Navigation

Mail list logo

Footer information