jaygarces
New Contributor

Problems decoding pcap from BSAP capture in wireshark

Has anyone else seen this problem? I perform a wireless capture using the AP packet capture in vWLAN, but when I load the file into Wireshark, the information appears to be corrupted. No subtype info appears, a BSSID is listed that doesn't exist and every packet is the same. However, when I open the packet in Metageek's EyePA program, it does appear to be able to decode it (but I can't see the contents of the frames in EyePA).

Attaching a sample file if anyone wants to give it a shot.

erik
Contributor

Re: Problems decoding pcap from BSAP capture in wireshark

@jaygarces,

You are not alone. Sometime after 1.6.5 the prism headers stopped being decoded properly by Wireshark. If I recall correctly, all packets show as association responses as you allude.

I am back on Wireshark 1.6.5 (you can still find it out there if you look hard) and get the proper decode. If your experience is like mine, you'll notice that after 1.6.5 the "prism capture header" is missing. Here's that header being reflected properly in 1.6.5:

[Image: prism_capture_decode.png]

If anyone else has further insight into this observation, I'd be interested as well.

Also, I've not tested the latest 1.10.0 stable release from Wireshark. Maybe someone else has?

Thanks,

Erik

jaygarces
New Contributor

Re: Problems decoding pcap from BSAP capture in wireshark

Erik,

That was it. I downloaded Wireshark 1.6.5 and the pcap file decodes properly.

What's interesting is that Metageek's EyePA is still able to decode the pcap file, but some of the decoded info is incorrect. The data rates are incorrect, but the subframe types are correct:

[Image: Screen Shot 2013-06-12 at 4.44.43 PM.png]

I tried Wireshark 1.10 and it's unable to decode the pcap files correctly.
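
To check what a capture file contains independently of any particular Wireshark version, the following added example (not from the thread participants or from Wireshark) reads the pcap link type and tallies 802.11 frame type/subtype from the first Frame Control byte. It goes beyond the Prism case to also handle bare 802.11 and radiotap captures; it assumes the classic 144-byte Prism header, and the sample capture in `sample_pcap` is constructed.

```python
import struct
from collections import Counter

LINKTYPES = {105: "IEEE802_11", 119: "PRISM_HEADER", 127: "IEEE802_11_RADIOTAP"}
PRISM_LEN = 144  # assumed: size of the classic Prism monitoring header

def dot11_offset(pkt, linktype):
    """Byte offset of the 802.11 MAC header inside one captured packet."""
    if linktype == 105:    # bare 802.11, no capture header
        return 0
    if linktype == 127:    # radiotap: little-endian u16 header length at +2
        return struct.unpack_from("<H", pkt, 2)[0]
    if linktype == 119:    # Prism: msgcode, msglen in the capturing device's byte order
        if PRISM_LEN in (struct.unpack_from("<I", pkt, 4)[0], struct.unpack_from(">I", pkt, 4)[0]):
            return PRISM_LEN
        raise ValueError("Prism msglen is not 144; header layout differs")
    raise ValueError(f"unhandled link type {linktype}")

def summarize(pcap_bytes):
    """Return (link type name, Counter of (type, subtype)) for a classic pcap file."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    # The link type sits in the low 16 bits of the last file-header field.
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0] & 0xFFFF
    counts, pos = Counter(), 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, pos + 8)[0]
        pkt = pcap_bytes[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        off = dot11_offset(pkt, linktype)
        if off < len(pkt):                           # skip packets cut off before the MAC header
            fc0 = pkt[off]                           # first Frame Control byte
            counts[((fc0 >> 2) & 3, fc0 >> 4)] += 1  # (type, subtype)
    return LINKTYPES.get(linktype, str(linktype)), counts

def sample_pcap():
    """Constructed sample: two Prism-encapsulated frames (a beacon and an ACK)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 119)
    for fc in (b"\x80\x00", b"\xd4\x00"):
        prism = struct.pack("<II16s", 0x44, PRISM_LEN, b"wlan0").ljust(PRISM_LEN, b"\0")
        pkt = prism + fc + bytes(22)
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out
```

Reading a real capture with `summarize(open(path, "rb").read())` shows whether the file carries a mix of frame types; a mix here alongside a uniform decode in an analyzer points at the analyzer's handling of the capture header rather than at the capture.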

Anonymous
Not applicable

Re: Problems decoding pcap from BSAP capture in wireshark

I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily as well as award points to the users that helped you. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
