  • I am using AiroPeek NX 2.03 and I am not able to see the layer 3 packet (ping request) when I ping a Cisco 1231 Access Point, but I can see the ICMP packet when I ping another Access Point such as a Netgear.
    I noted that in the packet to the Cisco AP the Subtype value of the 802.11 MAC Header is: %1000 Reserved, and in the packet for the Netgear AP it is: %0000 Data Only.
    Is there someone who can help me understand why?
    Pings are OK for both APs.
    Thanks
    Antonio

    This is complete ICMP REQUEST packet to Cisco AP:

    Packet Info
    Flags: 0x00
    Status: 0x01
    Packet Length: 98
    Timestamp: 11:15:16.859003000 10/27/2005
    Data Rate: 108 54.0 Mbps
    Channel: 1 2412 MHz
    Signal Level: 64%
    Signal dBm: -50
    Noise Level: 9%
    Noise dBm: -91
    802.11 MAC Header
    Version: 0
    Type: %10 Data
    Subtype: %1000 Reserved
    Frame Control Flags: %00000001
    0... .... Non-strict order
    .0.. .... WEP Not Enabled
    ..0. .... No More Data
    ...0 .... Power Management - active mode
    .... 0... This is not a Re-Transmission
    .... .0.. Last or Unfragmented Frame
    .... ..0. Not an Exit from the Distribution System
    .... ...1 To the Distribution System

    Duration: 44 Microseconds
    BSSID: 00:13:C3:F0:D8:50
    Source: 00:12:F0:A1:E8:A6 Dell Intel Wireless
    Destination: 00:13:C4:30:2F:9A
    Seq. Number: 787
    Frag. Number: 0
    802.2 Logical Link Control (LLC) Header
    Dest. SAP: 0x00 Null SAP Null LSAP
    Source SAP: 0x00 Null SAP Null LSAP
    Command: 0xAAAA Numbered Information (No Poll)
    Trans Send Seq Num: 85
    Trans Recv Seq Num: 85
    Packet Data:
    ......E..<...... 03 00 00 00 08 00 45 00 00 3C 13 EB 00 00 80 01
    .O...y......
    FCS - Frame Check Sequence
    FCS: 0xF624F0FD

    This is the complete ICMP REQUEST packet to Netgear AP:
    Packet Info
    Flags: 0x00
    Status: 0x05 Encrypted
    Packet Length: 96
    Timestamp: 22:15:14.307130000 10/25/2005
    Data Rate: 4 2.0 Mbps
    Channel: 7 2442 MHz
    Signal Level: 80%
    Signal dBm: -39
    Noise Level: 4%
    Noise dBm: -96
    802.11 MAC Header
    Version: 0
    Type: %10 Data
    Subtype: %0000 Data Only
    Frame Control Flags: %00000001
    0... .... Non-strict order
    .0.. .... WEP Not Enabled
    ..0. .... No More Data
    ...0 .... Power Management - active mode
    .... 0... This is not a Re-Transmission
    .... .0.. Last or Unfragmented Frame
    .... ..0. Not an Exit from the Distribution System
    .... ...1 To the Distribution System

    Duration: 258 Microseconds
    BSSID: 00:09:5B:9C:A9:64 Netgear Wireless
    Source: 00:12:F0:A1:E8:A6 Dell Intel Wireless
    Destination: 00:09:5B:9C:A9:64 Netgear Wireless
    Seq. Number: 4089
    Frag. Number: 0
    802.2 Logical Link Control (LLC) Header
    Dest. SAP: 0xAA SNAP
    Source SAP: 0xAA SNAP
    Command: 0x03 Unnumbered Information
    Vendor ID: 0x000000
    Protocol Type: 0x0800 IP
    IP Header - Internet Protocol Datagram
    Version: 4
    Header Length: 5 (20 bytes)
    Type of Service: %00000000
    000. .... Precedence: Routine
    ...0 .... Normal Delay
    .... 0... Normal Throughput
    .... .0.. Normal Reliability
    .... ..0. ECT bit - transport protocol will ignore the CE bit
    .... ...0 CE bit - no congestion

    Total Length: 60
    Identifier: 15388
    Fragmentation Flags: %000
    0.. Reserved
    .0. May Fragment
    ..0 Last Fragment

    Fragment Offset: 0 (0 bytes)
    Time To Live: 128
    Protocol: 1 ICMP - Internet Control Message Protocol
    Header Checksum: 0x7D4E
    Source IP Address: 192.168.0.5 IT1N021
    Dest. IP Address: 192.168.0.1 Netgear Lan
    No IP Options
    ICMP - Internet Control Messages Protocol
    ICMP Type: 8 Echo Request
    Code: 0
    Checksum: 0x275C
    Identifier: 0x0400
    Sequence Number: 0x0022
    ICMP Data Area:
    abcdefghijklmnop 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70
    qrstuvwabcdefghi 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69
    FCS - Frame Check Sequence
    FCS (Calculated): 0xAC7F047B

  • The Cisco AP has WMM enabled by default and AiroPeek's default decoder doesn't support 802.11e/QoS frame types. Therefore, AiroPeek makes its best guess, which is several bits off per frame (since 802.11e QoS-Data frames have additional header fields).

    The NetGear does not have WMM enabled by default.

    WildPackets used to have a free beta driver with the correct 802.11e QoS Data frame decoders in it. Now, supposedly, their latest driver supports 802.11e.

    http://www.wildpackets.com/support/hardware/atheros30_driver

    http://www.wildpackets.com/support/product_support/airopeek/decodes

    Type 1000 (Reserved) was only reserved in 802.11-1999 (R2003), but with the ratification of 802.11e, it is no longer reserved. Now we just have to wait for all of the WLAN protocol analyzers to catch up. ;-) TamoSoft's CommView for WiFi has 802.11e QoS Data decoding already.

    Devinator
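
The decode failure described in the reply above, as an added example that is not part of the original thread: a QoS Data frame carries a 2-byte QoS Control field before the LLC header, so a decoder that assumes a fixed 24-byte MAC header reads LLC two bytes early. The frame below is constructed from the field values in the first post's Cisco capture; the QoS Control value of 0 and all function names are assumptions.

```python
import struct

# Constructed To-DS data frame modelled on the Cisco capture in the first post.
ADDRS = bytes.fromhex("0013c3f0d850" "0012f0a1e8a6" "0013c4302f9a")  # BSSID, SA, DA
SNAP_IPV4 = bytes.fromhex("aaaa03" "000000" "0800")  # LLC/SNAP, OUI 0, EtherType IP
IP_START = bytes.fromhex("4500003c")                 # first bytes of the IP header

def build_frame(subtype, qos_control=None):
    fc = (subtype << 4) | (2 << 2) | 0x0100       # type 2 (Data), To DS set
    hdr = struct.pack("<HH", fc, 44) + ADDRS + struct.pack("<H", 787 << 4)
    if qos_control is not None:                    # 802.11e adds 2 bytes here
        hdr += struct.pack("<H", qos_control)
    return hdr + SNAP_IPV4 + IP_START

def header_len(frame):
    """MAC header length for a data frame (HT Control field not handled)."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    n = 24
    if fc & 0x0100 and fc & 0x0200:                # To DS and From DS: Address 4
        n += 6
    if ftype == 2 and subtype & 0x8:               # QoS subtypes 8-15: QoS Control
        n += 2
    return n

def decode_llc(frame, offset):
    dsap, ssap, control = frame[offset:offset + 3]
    ethertype = None
    if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):   # SNAP, Unnumbered Information
        (ethertype,) = struct.unpack_from(">H", frame, offset + 6)
    return {"dsap": dsap, "ssap": ssap, "control": control, "ethertype": ethertype}

def compare(frame):
    """Decode with a fixed 24-byte header, then with the computed length."""
    return decode_llc(frame, 24), decode_llc(frame, header_len(frame))

if __name__ == "__main__":
    for name, f in (("Data", build_frame(0)), ("QoS Data", build_frame(8, 0))):
        legacy, aware = compare(f)
        print(name, "fixed-24:", legacy, "QoS-aware:", aware)
```

With the fixed offset, the QoS frame decodes as DSAP 0x00 / SSAP 0x00 with no recognisable protocol, which matches the Null SAP values in the AiroPeek dump; with the computed offset the SNAP header and EtherType 0x0800 appear.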

  • I have a similar problem with Observer. It cannot decode the packets for the Cisco AP1230B, but it works fine with the Cisco AP877W. I emailed tech support and got an answer like what Devin said. It is the QoS format and they are working on the driver.

    I also tried AiroPeek NX 3.0 and did not experience that problem.

    Vu

  • Thanks Devinator,
    I solved my problem. With Cisco AP1231 IOS 12.3.7.Ja1 there are more QoS policies (five policies, WMM and others), and with CommView for WiFi 5.2 not all Cisco QoS features are supported. This is a ping packet decode:

    Wireless Packet Info
    Signal level: 0x55 (85)
    Rate: 11.0 Mbps
    Band: 802.11g
    Channel: 13 - 2472 MHz
    802.11
    Frame Control: 0x0188 (392)
    Protocol version: 0
    To DS: 1
    From DS: 0
    More Fragments: 0
    Retry: 0
    Power Management: 0
    More Data: 0
    WEP: 0
    Order: 0
    Type: 2 - Data
    Subtype: 8 - QoS Data
    Duration: 0x0075 (117)
    BSS ID: 00:12:01:39:82:30
    Source Address: 00:12:F0:A1:E8:A6
    Destination Address: 00:12:00:F0:AD:D7
    Fragment Number: 0x0000 (0)
    Sequence Number: 0x0D84 (3460)
    802.2 LLC
    DSAP: 0x00 (0) - SNAP
    SSAP: 0x00 (0) - SNAP
    Command: 0x40 (64)
    Protocol: 0x0300 (768) - Unknown


    I fixed the problem by disabling all Cisco QoS policies; some Cisco QoS policies are not supported in CommView 5.2.

    regards
