Interpreting Frame Control bytes in 802.11 Wireshark trace

Views: 546

Problem description


I have a Wi-Fi capture (.pcap) that I'm analysing and have run across what appear to me to be inconsistencies between the 802.11 spec and Wireshark's interpretation of the data. Specifically what I'm trying to pull apart is the 2-byte 802.11 Frame Control field.


Taken from http://www4.ncsu.edu/~aliu3/802.bmp, the format of the Frame Control field's subfields is as follows:


And below is a Wireshark screen cap of the packet that has me confused:


So as per the Wireshark screenshot, the flags portion (last 8 bits) of the Frame Control field is 0x22, which is fine. How the Version/Type/Subtype being 0x08 matches up with Wireshark's description of the frame is what has me confused.


0x08 = 0000 1000b, which I thought would translate to Version = 00, Type = 00 (which I thought meant management not data frame) and Subtype = 1000 (which I thought would be a beacon frame). So I would expect this frame to be a management frame and more specifically, a beacon frame. Wireshark however reports it as a Data frame. The second thing that is confusing me is where Wireshark is even pulling 0x20 from in the line Type/Subtype: Data (0x20).


Can anyone clarify my interpretation of the 802.11 spec/Wireshark capture for me and why the two aren't consistent?

Recommended answer


The data frame in your example is 0x08 because of the layout of that byte of the frame control (FC). 0x08 = 00001000
- The first 4 bits (0000) are the subtype. 0000 is the subtype of this frame
- The next 2 bits (10) are the type, which is 2 decimal and thus a data type frame
- The last 2 bits (00) are the version, which is 0


The table below translates the hex value of the subtype-type-version byte of the FC for several frame types. A comparison of the QoS data to the normal data frame might really help get this down pat. Mind you, the table might have an error or two, as I just whipped it up.


You are right that 1000 is a beacon frame, you just were looking at the wrong bits.


You have a radiotap header, you can get the dec representation of the type like so from the pcap API:

int type = pkt_data[20] >> 2;
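As an added example (not from the question, the answer, or Wireshark), the following C code performs the bit extraction the answer describes on the first Frame Control byte, derives the combined code Wireshark prints as "Type/Subtype" ((type << 4) | subtype, so 0x08 yields 0x20 for Data and 0x80 yields 0x08 for Beacon), and locates the 802.11 header by reading the radiotap header's own length field rather than hard-coding offset 20. The packet bytes are constructed for illustration, not taken from the original capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of the first Frame Control byte. In the 802.11 byte layout,
 * bits 0-1 are the version, bits 2-3 the type and bits 4-7 the subtype. */
struct fc_info {
    unsigned version;  /* protocol version, 0 for all current frames */
    unsigned type;     /* 0 management, 1 control, 2 data, 3 extension */
    unsigned subtype;  /* meaning depends on type (e.g. 8 = beacon for management) */
    unsigned ws_code;  /* code Wireshark shows as Type/Subtype: (type << 4) | subtype */
};

struct fc_info parse_fc_byte(uint8_t fc0)
{
    struct fc_info f;
    f.version = fc0 & 0x03;
    f.type    = (fc0 >> 2) & 0x03;
    f.subtype = (fc0 >> 4) & 0x0F;
    f.ws_code = (f.type << 4) | f.subtype;
    return f;
}

/* Radiotap header: version(1) pad(1) length(2, little-endian) present(4...).
 * Returns the offset of the 802.11 header, or -1 if the capture is too short. */
int radiotap_80211_offset(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 4 || pkt[0] != 0) return -1;
    size_t it_len = pkt[2] | ((size_t)pkt[3] << 8);
    if (it_len < 8 || it_len + 2 > caplen) return -1;  /* need at least the 2 FC bytes */
    return (int)it_len;
}

/* Constructed sample: a 20-byte radiotap header followed by a data frame whose
 * FC bytes are 08 22 (hypothetical values, not from the original capture). */
static const uint8_t sample_pkt[] = {
    0x00, 0x00, 0x14, 0x00, 0x2e, 0x48, 0x00, 0x00,   /* radiotap: version, pad, len=20, present */
    0x00, 0x02, 0x6c, 0x09, 0xa0, 0x00, 0xc7, 0x00,   /* radiotap field data (constructed) */
    0x00, 0x00, 0x00, 0x00,
    0x08, 0x22, 0x3a, 0x01,                           /* 802.11: FC = 08 22, Duration */
};

int main(void)
{
    int off = radiotap_80211_offset(sample_pkt, sizeof sample_pkt);
    if (off < 0) return 1;
    struct fc_info f = parse_fc_byte(sample_pkt[off]);
    printf("version=%u type=%u subtype=%u wireshark_code=0x%02X\n",
           f.version, f.type, f.subtype, f.ws_code);
    return 0;
}
```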

