RadioTap MCS is parsed wrong. PR #3963 seems to work for now.

Open gitchannel opened this issue 1 year ago • 3 comments

Brief description

How I understand the problem:

  • In Wireshark I see "Known MCS information: 0x00", which results in all fields (Bandwidth, MCS index, Guard interval...) being Absent. Maybe odd of Wireshark too: it highlights 3 bytes but only 7 bits (the previously mentioned fields) are shown to me.
  • dot11.py RadioTap parses up to the Antenna signal correctly, but then everything is off by one byte (Type, Subtype, MAC Address...). I guess if known MCS information is 0x00, set everything to None or something.
  • RadioTap documentation: I don't understand it.

Scapy version

2.5.0+git20240324.2858b51

Python version

3.12.4

Operating system

Linux 6.9.9

Additional environment information

No response

How to reproduce

Could take some time and compare it with Wireshark.

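from scapy.all import sniff, wrpcap

interface = 'wlan0mon'  # placeholder: name of your monitor-mode interface


def write_mcs(pkt):
    # Append each matching frame to the capture file.
    wrpcap(filename='/tmp/mcs_issue.pcap', pkt=pkt, append=True)
    print(f'{pkt} written.', flush=True)


sniff(
    iface=interface,
    store=False,
    count=100,
    prn=write_mcs,
    # Keep only frames whose RadioTap present bitmap has bit 19 (MCS) set.
    lfilter=lambda x: x.present.value & 0x80000,
    )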

Actual result

No response

Expected result

No response

Related resources

I think maybe PR #3963 is the solution. Yes, parsing works.

gitchannel avatar Jul 27 '24 17:07 gitchannel

Hi! Thanks for the report. Could you please provide a pcap of this failing?

gpotter2 avatar Jul 28 '24 05:07 gpotter2

with open('test_issue_known_mcs_zero.pcap', 'wb+') as fp:
    pcap_content=b'\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x7f\x00\x00\x00\xef"\xaaf\xf2k\x05\x00.\x00\x00\x00.\x00\x00\x00\x00\x00\x12\x00*\x00\x08\x00\x10\x00x\x14@\x01\xa0\x00\x00\x00\xe0\x00\x00\x00\xa1\xa1\xa1\xa1\xa1\xa1\xb2\xb2\xb2\xb2\xb2\xb2\xc3\xc3\xc3\xc3\xc3\xc3\xe06\x00\x00\x00\x00\xfa#\xaafM\xe2\x0b\x009\x00\x00\x009\x00\x00\x00\x00\x00\x1d\x00+H\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x9e\t\x80\x04\xbf\x00\x00\x00\x07\x00\x03\x88A,\x00\xa1\xa1\xa1\xa1\xa1\xa1\xb2\xb2\xb2\xb2\xb2\xb2\xc3\xc3\xc3\xc3\xc3\xc3PM\x9f0h\x1a'
    fp.write(pcap_content)

In this pcap are 2 packets to demonstrate one issue. The first packet is parsed wrong and the second seems OK. I cut and changed data (addr1 = a1:a1:a1:a1:a1:a1, addr2 = b2:b2:b2:b2:b2:b2, addr3 = c3:c3:c3:c3:c3:c3), but in comparison with Wireshark, in the first packet, as I mentioned, the address and everything else is off...

And by the way, I also think in dot11.py line 1550 class Dot11ReassoResp(Dot11AssoResp): should be class Dot11ReassoResp(_Dot11EltUtils): like the others.

Thank you

gitchannel avatar Aug 01 '24 22:08 gitchannel

Radiotap MCS field definition

The ReversePadField is wrong, because the subsequent parts of the field are all ConditionalField to pkt.present.MCS. The PR #3963 fixed this issue. I don't know what other information I could provide. Please let me know. Thank you

gitchannel avatar May 17 '25 12:05 gitchannel
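
Added example, not part of the thread and not Scapy's code: a stand-alone walk of the radiotap header that applies each field's alignment and size (MCS is three bytes, known, flags and mcs, with alignment 1) to the two frames from the pcap posted above, giving a reference for where MCS and the 802.11 header start. The function name radiotap_mcs and the FIELDS table are this example's own; PKT1 and PKT2 are the frames from that pcap re-typed as hex.

```python
import struct

# (alignment, size) per present bit, as given in the radiotap field definitions.
# Bits 0-17 and 19 (MCS) only; any other set bit below MCS raises an error.
FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2), 5: (1, 1),
          6: (1, 1), 7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1),
          12: (1, 1), 13: (1, 1), 14: (2, 2), 15: (2, 2), 16: (1, 1),
          17: (1, 1), 19: (1, 3)}
MCS_BIT = 19

def radiotap_mcs(frame):
    """Return (mcs_offset, (known, flags, mcs), dot11_offset) for one frame."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or not 8 <= it_len <= len(frame):
        raise ValueError("not a usable radiotap header")
    offset, word = 8, present
    while word & (1 << 31):              # skip extended present bitmaps
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    mcs_offset = mcs = None
    for bit in range(MCS_BIT + 1):
        if not present & (1 << bit):
            continue
        if bit not in FIELDS:
            raise ValueError(f"unsupported radiotap field bit {bit}")
        align, size = FIELDS[bit]
        offset = (offset + align - 1) & ~(align - 1)  # align from header start
        if offset + size > it_len:
            raise ValueError("field runs past it_len")
        if bit == MCS_BIT:
            mcs_offset, mcs = offset, tuple(frame[offset:offset + size])
        offset += size
    return mcs_offset, mcs, it_len

# The two frames from the pcap posted in the thread, re-typed as hex.
ADDRS = "a1" * 6 + "b2" * 6 + "c3" * 6
PKT1 = bytes.fromhex("0000 1200 2a000800 10 00 7814 4001 a0 000000"
                     "e0000000" + ADDRS + "e036 00000000")
PKT2 = bytes.fromhex("0000 1d00 2b480800 0000000000000000 10 00 9e09 8004"
                     "bf 00 0000 070003 88412c00" + ADDRS + "504d 9f30681a")

if __name__ == "__main__":
    for name, pkt in (("packet 1", PKT1), ("packet 2", PKT2)):
        off, mcs, dot11 = radiotap_mcs(pkt)
        print(name, "MCS at", off, mcs, "802.11 header at", dot11,
              "addr1", pkt[dot11 + 4:dot11 + 10].hex(":"))
```

In the first frame the MCS field starts at the odd offset 15 with known = 0x00 and the 802.11 header at byte 18; in the second it starts at the even offset 26 with known = 0x07 and the 802.11 header at byte 29.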