Forum

Hello Everybody,
Curious to get a close look at the 802.11 frames, I downloaded the Demo version of Airopeek (v 2.0.5). Under the 802.11 tab I choose to scan on all the 11 channels. I am using an Orinoco wireless card. Everything looked pretty normal except for a few of CF-End Frames that appeared in the scan. Please correct me if I am wrong, but as I understand the CF-End frames are transmitted only when the AP is in PCF mode and I have not heard of any product currently in market that supports this mode.

Here are the details from one of the packets
802.11 MAC Header:
Version: 3 (I think there is one version only)
Type: Control
Sub-type: Contention Free ?¡é?€?¡° End
Frame Control Flags: 00110000
Duration: 5385microsecs
Receiver: 2F:83:91:BC:07:60
BSSID: 70:AC:5F:3F:D4:5A

The MAC addresses seem to be garbage values.

The only AP?¡é?€??s I know of in the area were a couple of Linux boxes running the hostap driver with a Senao radio. I did a scan with ethereal (Linux) using a Senao wireless card and it did not show any of the CF-End frames.

Apart from the CF-End frames there we other Probe Response and 802.11 frag frames that were associated with garbage MAC addresses. The MAC addresses of all the packets were quite different.

I am not well versed with 802.11 frames and its detail operation so I do not know if I am missing something. But any comments would be highly appreciated. I do have a few screenshots that I would not mind emailing if anyone wants to have a look.

Thank you

Hi Essem:

These are almost certainly corrupted frames that just happen to have the bit pattern that matches CF-End and other miscellaneous frame types.

Filter for non corrupt frames and these will disappear.

And learn to distrust protocol analyzers.

I hope this helps. Can you add your city to your forum location? Thanks. /criss

Hey Criss_Hyde
Thank you for that prompt response. It makes a lot of sense now. They surely could be corrupted frames. A quick glance at Airopeek did not show them as corrupted but with a couple of AP?¡é?€??s and a ton of associated clients that could definitely be the case.

Thank you.

[quote="essem_9"]Hey Criss_Hyde
Thank you for that prompt response. It makes a lot of sense now. They surely could be corrupted frames. A quick glance at Airopeek did not show them as corrupted but with a couple of AP?¡é?€??s and a ton of associated clients that could definitely be the case.
quote]

Make sure you've got the "flags" or "status" (don't remember what AiroPeek calls it) column turned on. It will show a "C", I believe, for corrupted frames.

Hey Joshua,
I did look for the flags column and all those frames showed up as corrupted packets. Thank you for the information on the same. I was looking at the wrong location initially and apologies to everyone for posting a reply in haste.
[/quote]

You may also obtain information about CRC errors in the Packet Info section of the decode (right under "Packet Flags")