Monday, 17 February 2014

WLAN Packet Capture - Displaying Only 802.11 Decodes in the Frames Summary

I quite like to be able to see the frame type, sequence numbers and flags field when looking at a summary of an 802.11 capture in Wireshark. 

However, Wireshark can be too helpful when decoding frames and will display a summary that shows the detail of higher-layer protocols (thus hiding the 802.11 summary info). This generally happens when decoding a capture of a WiFi network that has a guest network that is not using over-the-air encryption.

Here is an example. Some data frames in the trace summary below are shown as 'https' or 'Application Data' frames, rather than layer 2 data frames:

To prevent this behaviour, simply go to the "Analyze > Enabled Protocols" menu option in Wireshark and de-select 'LLC':

This will restore the standard 802.11 frame summary so that 802.11 frame types, flags etc. are available:

One thing to bear in mind with this approach is that some exchanges you would normally see decoded (e.g. EAP exchanges and the 4-way handshake) will suddenly become just data frames - so use with care.
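Why LLC is the switch, and why EAPOL disappears with it, as an added example (not part of the original post and not Wireshark's own code): a simplified Python model of the summary logic, in which the LLC/SNAP header at the start of an unencrypted data frame body is the only hand-off point to higher-layer decodes. The function names, the `decode_llc` parameter and the sample frames are assumptions made for illustration; frames are assumed to have no radiotap header and no FCS.

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
FLAGS = ["ToDS", "FromDS", "MoreFrag", "Retry", "PwrMgt", "MoreData", "Protected", "Order"]
LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC (AA AA 03) + SNAP OUI 00:00:00
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x888E: "EAPOL"}

def summarize(frame, decode_llc=True):
    """Summarise one 802.11 frame given without radiotap header or FCS."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    flags = [name for bit, name in enumerate(FLAGS) if fc1 & (1 << bit)]
    info = {"type": TYPES.get(ftype, "Extension"), "subtype": subtype, "flags": flags}
    if ftype == 1 or len(frame) < 24:  # control frames have no sequence control
        return info
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    info["seq"], info["frag"] = seq_ctl >> 4, seq_ctl & 0xF
    # Layer 2 only: non-data frame, encrypted body, or LLC decoding switched off
    if ftype != 2 or "Protected" in flags or not decode_llc:
        return info
    offset = 24
    if "ToDS" in flags and "FromDS" in flags:
        offset += 6  # Address 4 (WDS / mesh)
    if subtype & 0x8:
        offset += 2  # QoS Control
        if "Order" in flags:
            offset += 4  # HT Control
    if frame[offset:offset + 6] == LLC_SNAP and len(frame) >= offset + 8:
        (ethertype,) = struct.unpack_from(">H", frame, offset + 6)
        info["upper"] = ETHERTYPES.get(ethertype, hex(ethertype))
    return info

def build(fc0, fc1, seq, body, qos=False):
    """Build a constructed test frame with dummy duration and addresses."""
    header = bytes([fc0, fc1]) + b"\x00\x00" + b"\x02\x00\x00\x00\x00\x01" * 3
    header += struct.pack("<H", seq << 4)
    return header + (b"\x00\x00" if qos else b"") + body

# Constructed sample frames (not taken from a real capture)
OPEN_DATA = build(0x88, 0x01, 100, LLC_SNAP + b"\x08\x00" + b"\x45" * 20, qos=True)
EAPOL_KEY = build(0x08, 0x02, 101, LLC_SNAP + b"\x88\x8e" + b"\x02\x03\x00\x5f")
ENCRYPTED = build(0x88, 0x41, 102, bytes(range(32)), qos=True)

if __name__ == "__main__":
    for frame in (OPEN_DATA, EAPOL_KEY, ENCRYPTED):
        print(summarize(frame), "|", summarize(frame, decode_llc=False))
```

The encrypted frame gives the same layer 2 summary either way, which is why the behaviour only shows up on open networks, while the EAPOL frame loses its identification as soon as LLC decoding is off.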