I have been capturing some packets over Wi-Fi using Wireshark for analysis. I captured IEEE 802.11 frames on an interface in monitor mode. If I capture an IEEE packet on an open network without encryption, then I cannot see any Ethernet headers. However, if I capture the same packets on a usual interface (not in monitor mode), then I can see Ethernet headers. I was not able to decrypt WPA packets captured in monitor mode for more analysis. So is there actually an Ethernet layer when an IEEE packet is transmitted? Or is it added to it by the driver before delivering to applications listening on the upper layers?
Here is a packet missing the Ethernet layer.
This is what the packet looks like when captured on a usual interface (not in monitor mode).

1 Answer
> So is there actually an Ethernet layer when an IEEE packet is transmitted?
Short answer: no
Longer answer: IEEE 802.11 traffic is not IEEE 802.3 Ethernet traffic. They are both L2 (and L1) protocols in the OSI model, but they are not the same.
While they have many similarities, there are also major differences. For one, 802.11 has up to four address fields that may or may not be used for different purposes depending on the type of frame, while 802.3 has two.
In your example, the "IEEE 802.11" section should contain all your L2 information. So it isn't missing.
> Or is it added to it by the driver before delivering to applications listening on the upper layers?
Quite the opposite. Lower layer headers are stripped before delivering to applications on upper layers.
The example you provide seems entirely normal to me. I would be more curious about 802.11 traffic that contains an 802.3 header as this could indicate something else going on.
Side note: the ability to decrypt 802.11 has no bearing on being able to view the headers. 802.11 encryption is only on the data payload, so the headers remain viewable. In fact, when troubleshooting wireless with packet captures, it is seldom necessary to decrypt 802.11 (if you are checking higher level protocols and need the data encrypted, it is typically easier to capture on the wired side of the AP).

- I have added another image; the capture looks like one from a wired network. Where did the Ethernet header come from? – Sunny Nov 11 '15 at 06:56
- That looks like a straight Ethernet frame. There is no 802.11 information. Are you sure this isn't being captured off the wired interface? Especially since the IP addresses also don't match between your new example and the original. – YLearn Nov 11 '15 at 06:59
- Both packets are captured on different wireless networks. And I am sure that I am capturing the right interface. And that is the core of my doubt. – Sunny Nov 11 '15 at 07:01
- Maybe your OS is doing something weird, but you can't mix up an 802.11 frame for an 802.3 frame when you know what you are looking at. You can compare for yourself the differences in the frame format. For example: [802.3](https://www.google.com/search?q=802.3+frame+format&es_sm=122&tbm=isch&tbo=u&source=univ&sa=X&ved=0CB0QsARqFQoTCMDozKfnh8kCFcsrJgodqqIJiA&biw=1920&bih=965#imgrc=d5YC54s7Kj7VdM%3A) vs [802.11](https://www.google.com/search?q=802.11+frame+format&es_sm=122&tbm=isch&tbo=u&source=univ&sa=X&ved=0CB0QsARqFQoTCIqsz6_nh8kCFcJAJgodQBYMDg&biw=1920&bih=965#imgrc=p_QM8Ic4HwIyPM%3A). – YLearn Nov 11 '15 at 07:09
- @Sunny, just had a thought. Are you using any sort of virtualization? If so, then it could possibly be a product of the virtualized network interface. I haven't tested myself, but it could make sense that when in monitor mode it is giving you raw data, but when not in monitor mode it is giving you a virtualized Ethernet interface and is software bridged. – YLearn Nov 11 '15 at 07:21
- There is not any form of virtualisation. I am using Wireshark on Ubuntu 14.04. I really doubt whether the wireless card is converting those packets into Ethernet format before delivering to the OS. I would really appreciate it if you could try the capture on an interface not in monitor mode. – Sunny Nov 11 '15 at 08:01
- @Sunny, in case you were interested, I did verify the same behavior on Ubuntu (still haven't had time to try other OSes) myself and after some web searching did [ask a question](http://askubuntu.com/q/696607/300168) on [Ask Ubuntu](http://askubuntu.com/), but no answer to the question as of yet. – YLearn Nov 18 '15 at 20:46
- Thank you YLearn. Actually I got some help from here: http://superuser.com/questions/998951/is-there-an-ethernet-header-in-ieee-802-11/998956#998956 – Sunny Nov 18 '15 at 21:00
- @Sunny, it would be nice to get a better answer than "some guy said so" (no pun intended). I also suspect something along those lines, but I am still holding out hope that someone will point to a documentation reference or one of the Ubuntu devs on that site will point to some source that provides more basis to the answer you got there. – YLearn Nov 18 '15 at 21:04
- I also like better answers; let us wait. – Sunny Nov 18 '15 at 21:08
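
The answer's points about the 802.11 address fields and about headers staying readable when the payload is encrypted, as an added example that is not part of the original thread: a small Python parser for the 802.11 data-frame MAC header, run over two constructed frames (one open, one with the Protected bit set). For the open frame it also builds the Ethernet II frame (destination, source, EtherType, payload) that Linux's wireless stack hands to capture tools on a non-monitor interface. The frame bytes and MAC addresses are constructed, and frames are assumed to carry no radiotap header, FCS or HT Control field.

```python
LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix that precedes the EtherType

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_data(frame):
    """Parse an 802.11 data-frame MAC header (assumes no radiotap, FCS or HT Control)."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 data header")
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    off = 24                       # frame control, duration, 3 addresses, sequence control
    a4 = None
    if to_ds and from_ds:          # the fourth address is present only when both bits are set
        a4, off = frame[24:30], 30
    if (fc0 >> 4) & 0x8:           # QoS data subtypes add a 2-byte QoS Control field
        off += 2
    if len(frame) < off:
        raise ValueError("truncated header")
    # The meaning of each address field depends on the ToDS/FromDS bits.
    if to_ds and from_ds:
        da, sa, bssid = a3, a4, None
    elif to_ds:
        da, sa, bssid = a3, a2, a1
    elif from_ds:
        da, sa, bssid = a1, a3, a2
    else:
        da, sa, bssid = a1, a2, a3
    out = {"da": mac(da), "sa": mac(sa), "bssid": mac(bssid) if bssid else None,
           "protected": bool(flags & 0x40), "ethertype": None, "ethernet": None}
    body = frame[off:]
    # Only an unprotected body exposes LLC/SNAP; the MAC header above is readable either way.
    if not out["protected"] and len(body) >= 8 and body[:6] == LLC_SNAP:
        out["ethertype"] = int.from_bytes(body[6:8], "big")
        out["ethernet"] = da + sa + body[6:]   # DA | SA | EtherType | payload
    return out

# Constructed sample frames: station -> AP (ToDS=1), QoS data, made-up addresses.
HDR = "0000" "020000000001" "020000000002" "020000000003" "1000" "0000"
OPEN = bytes.fromhex("8801" + HDR) + LLC_SNAP + bytes.fromhex("0800") + b"IP-PAYLOAD"
# Protected bit set: 8 constructed bytes standing in for a CCMP header, then fake ciphertext.
PROTECTED = bytes.fromhex("8841" + HDR) + bytes.fromhex("0100002000000000") + b"\x9c\x11\x5a\xe0"

if __name__ == "__main__":
    for name, frame in (("open", OPEN), ("protected", PROTECTED)):
        print(name, parse_80211_data(frame))
```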