How are wlan.bssid and wlan.staa obtained? [closed]
I'm digging around wlan analysis currently, and was not able to grasp how those two fields (wlan.bssid and wlan.staa) are obtained. For example, here are two images presenting only the packets available for analysis:

bssid:

https://i.imgur.com/Y1acfak.png

staa (hidden the IP's):

https://i.imgur.com/H5SXS9o.png

How does wireshark know that those packets originate from an AP or a station? I thought the only way was to see if it's a beacon/probe response for an AP, and a probe request for a station. The whole idea is to differentiate between station and AP by the most available clues there are.

I've dug around the source code to try to understand how, but was not successful.

EDIT: I was able to find a picture that derives the bssid from the To DS/From DS fields. Maybe that's exactly the way? How STAA is obtained is still a question. imgur

anonymous user
asked 2018-11-23 02:26:43 +0000, updated 2018-11-23 03:08:54 +0000

Closed for the following reason "the question is answered, right answer was accepted" by wirequestion 2018-11-29 09:40:22 +0000

Comments

How does wireshark know that those packets originate from an AP or a station?

If you look in the frame control field, you will see bit(s) indicating direction. Many of these frames indicate which direction: FromDS or ToDS. There is a filter for these:

wlan.fc.fromds == 1
wlan.fc.tods == 1

The picture from the specification related to bits/bytes seems to answer your question - how the addresses are interpreted, but perhaps the confusion is that first trace picture?

Something looks unusual with your first picture - how are you capturing these? There is no radiotap (or other type) of header (which is a little unusual, but not unheard of), and all the fields are not filled in as they usually are with real traffic. Are you using and capturing from the same adapter, at the same time?

Bob Jones (2018-11-23 13:32:53 +0000)

Thank you for your answer. It became somehow clear to me that those STA and BSSID fields are only filled for data packets, so yeah, looks like tods/fromds is enough to determine the MACs. I thought those could be populated for management frames too, but sadly no. Those were captured a long time ago with a mobile with a custom kernel for those capturing needs, so I guess no radiotap is ok.

I don't know the exact reason for those strange self-sent packets in the first pic - this was ...

wirequestion (2018-11-25 04:06:38 +0000)
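The address mapping Bob Jones points to (the ToDS/FromDS bits in Frame Control) and wirequestion's observation that STA/BSSID are only populated for data frames, as an added example that is not from this thread or from Wireshark's dissector: a small Python parser for a bare 802.11 MAC header (no radiotap) that derives BSSID and STA address from those two bits. The MAC addresses and frame bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_MGMT, TYPE_DATA = 0, 2  # Frame Control "type" field values

@dataclass
class WlanAddrs:
    to_ds: bool
    from_ds: bool
    bssid: Optional[str] = None  # shown by Wireshark as wlan.bssid
    staa: Optional[str] = None   # wlan.staa: the non-AP station end of the link
    sa: Optional[str] = None     # wlan.sa
    da: Optional[str] = None     # wlan.da

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def derive_addrs(frame: bytes) -> WlanAddrs:
    """Map Addr1..Addr3 of a bare 802.11 header onto BSSID/SA/DA/STA using only ToDS/FromDS."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]        # little-endian Frame Control
    ftype = (fc >> 2) & 0x3
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    res = WlanAddrs(to_ds, from_ds)
    if ftype == TYPE_MGMT:
        # Beacons/probes carry the BSSID in Addr3, but nothing marks which side is
        # the station, so no wlan.staa is derived (as observed in the thread).
        res.da, res.sa, res.bssid = a1, a2, a3
    elif ftype == TYPE_DATA:
        if to_ds and not from_ds:        # STA -> AP: transmitter is the station
            res.bssid, res.sa, res.da, res.staa = a1, a2, a3, a2
        elif from_ds and not to_ds:      # AP -> STA: receiver is the station
            res.da, res.bssid, res.sa, res.staa = a1, a2, a3, a1
        elif not to_ds and not from_ds:  # IBSS: no AP, so no station side
            res.da, res.sa, res.bssid = a1, a2, a3
        # ToDS=FromDS=1 (WDS, four addresses) carries RA/TA/DA/SA; left unset here
    return res

# Constructed sample headers (not from the thread's captures): Frame Control, Duration, Addr1..3, Seq Ctl
AP, STA, DST = (bytes.fromhex(h) for h in ("021122334455", "02aabbccddee", "020000000001"))
STA_TO_AP = b"\x08\x01\x00\x00" + AP + STA + DST + b"\x00\x00"          # data, ToDS=1
AP_TO_STA = b"\x08\x02\x00\x00" + STA + AP + DST + b"\x00\x00"          # data, FromDS=1
BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"      # mgmt, Beacon

if __name__ == "__main__":
    for name, hdr in (("STA->AP", STA_TO_AP), ("AP->STA", AP_TO_STA), ("Beacon", BEACON)):
        print(name, derive_addrs(hdr))
```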