First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

What does "absent" mean on some fields of the radiotap header?

Hi,

To see the detailed PHY information of the 802.11ac packets, I am using wireshark to parse the .pcap file, which is captured by tcpdump.

However, some of my interested fields under radiotap header appear to be "absent". By "absent", I cannot know whether it means true or false.

So what does "absent" exactly mean? Can I interpret that as false?

Yanbo

yanbo's avatar
1
yanbo
asked 2019-03-22 06:14:40 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

However, some of my interested fields under radiotap header appear to be "absent". By "absent", I cannot know whether it means true or false.

That is correct. If a field that happens to be a 1-bit Boolean flag is absent, it is completely unknown whether it's true or false - it's absent, meaning the flag's value is not specified.

(Not all radiotap fields are 1-bit Boolean flags, so not all radiotap fields are true or false - the rate field, for example, is a data rate, in units of 500 Kb/second, so it does not have a value that's "true" or "false".)

So what does "absent" exactly mean?

It means that the whatever generated the radiotap header did not specify the value of the field, perhaps because it was unable to determine the value of the field; as such, you (and Wireshark - or tcpdump, or whatever program is reading the captured packets) do not know the value of the field and cannot know the value of the field.

Can I interpret that as false?

You should not do so; you should interpret it as "unknown whether it's true or false", if it's a 1-bit Boolean flag, just as you should, for example, interpret an absent "rate" field as "unknown what the data rate was", not as "500 Kb/s" or any other known value.

Guy Harris's avatar
19.9k
Guy Harris
answered 2019-03-22 07:11:03 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Hi Harris,

Thank you for your reply. It helps a lot.

So what do you think the reason that cause the "absent" may be? Maybe it is because the firmware of the device used for capturing the packet doesn't support the function that is corresponding to the field I am interested in?

Actually, the field I want to check is "beamformed", under the "vht capacity information" item of radiotap header. By spying on this boolean field, I can know whether the captured packet is using beamforming (an 802.11 PHY technique that is used to improve the link quality) or not. The firmware of the transmitter and receiver is proved to support this beamforming function, but the firmware of the sniffer seems doesn't. Therefore, the sniffer cannot interpret this field. Do you think my point is correct?

Yanbo

yanbo's avatar yanbo (2019-03-22 09:04:36 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer