Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1515
Views
0
Helpful
0
Replies

CAPWAP IEEE 802.11 Management Packets Fields - Big or Little Endian? Plus Authentication Algorithm = 2 (?)

ShaiGr
Level 1
Level 1

‎12-17-2019 05:23 AM

Hey, hope this is the right place for this kind of issue.

So I've been dealing with Authentication/Deauth and Association WLAN packets, and noticed that some fields are parsed by Wireshark's dissectors as little Endian, but are sent by Cisco WLC as big Endian (at least I think they are).

For example:

The Deauthentication packet sent with reason code bytes of - 0017. This is parsed by Wireshark as little Endian, which is 0x1700. There is no reason code known for this number (5888). On the other side, if we parse this as big Endian, we get 0x0017 = 23 - IEEE 802.1X authentication failed, which makes sense.

This is the packet:

image.png

 

These are the reason codes:

image.png

On the same note, I see Authentication packets sent with the Authentication Algorithm of 0x002 (which is parsed by wireshark as 512 - unknown due to the issue above). But, as far as I know, there are only 2 possible Algorithms:

0 - Open System.

1 - Shared Key.

What is 2?

image.png

 

If anyone came across any of these issues, I would love to hear your insights.

Thank you!

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents