cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1264
Views
0
Helpful
0
Replies
ShaiGr
Beginner

CAPWAP IEEE 802.11 Management Packets Fields - Big or Little Endian? Plus Authentication Algorithm = 2 (?)

Hey, hope this is the right place for this kind of issue.

So I've been dealing with Authentication/Deauth and Association WLAN packets, and noticed that some fields are parsed by Wireshark's dissectors as little Endian, but are sent by Cisco WLC as big Endian (at least I think they are).

For example:

The Deauthentication packet sent with reason code bytes of - 0017. This is parsed by Wireshark as little Endian, which is 0x1700. There is no reason code known for this number (5888). On the other side, if we parse this as big Endian, we get 0x0017 = 23 - IEEE 802.1X authentication failed, which makes sense.

This is the packet:

image.png

 

These are the reason codes:

image.png

On the same note, I see Authentication packets sent with the Authentication Algorithm of 0x002 (which is parsed by wireshark as 512 - unknown due to the issue above). But, as far as I know, there are only 2 possible Algorithms:

0 - Open System.

1 - Shared Key.

What is 2?

image.png

 

If anyone came across any of these issues, I would love to hear your insights.

Thank you!

0 REPLIES 0