What's the difference between wlan.sa, wlan.ra, wlan.ta and wlan.da?


Solution 1

After experimenting a bit more on the matter, I've noticed the following.

I was capturing/analyzing with tshark 1.7.x (from my distro repository). wlan.ra and wlan.ta were indeed rarely set. After manually upgrading to tshark 1.10.x, wlan.ra and wlan.ta suddenly "started behaving normally". Although the display filter reference page claims wlan.ra and wlan.ta have been available since version 1.0.0, apparently they didn't work correctly.

I thought I'd share it, since someone else might find it useful.

Solution 2

"The descriptions from the manual don't make a lot of sense to me. I'd think there would be -just like an ethernet frame- just a source MAC address and a destination MAC address."

Sorry, that's not how IEEE Std 802.11 works. It's not a simple network technology in which hosts always send packets directly to another host; many 802.11 networks involve an access point that forwards packets between machines on the network.

If, for example, a host with the MAC address 00:02:04:06:08:0a sends a packet to another host with the MAC address 0a:08:06:04:02:00, and they're both on a network using an access point with the MAC address 10:12:14:16:18:1a, the source address, wlan.sa, is 00:02:04:06:08:0a, the destination address, wlan.da, is 0a:08:06:04:02:00, and the receiver address, wlan.ra, is 10:12:14:16:18:1a, as the packet will go to the access point.

When the access point transmits that packet to the destination host, for that packet the source address, wlan.sa, is again 00:02:04:06:08:0a, the destination address, wlan.da, is again 0a:08:06:04:02:00, and the transmitter address, wlan.ta, is 10:12:14:16:18:1a, as the packet is coming from the access point.

In a more complicated network with multiple access points (an "extended service set"), access points may forward packets to each other, in which case all four addresses could be set, with wlan.ta being the MAC address of the sending access point and wlan.ra being the MAC address of the receiving access point.

So:

"Also, what would be the best equivalent of eth.src and eth.dst (of ethernet frames)?"

wlan.sa and wlan.da.

"Which field represents the wireless client's MAC address?"

wlan.sa.

If you search for "802.11 tutorial" on the Web, some of the tutorials it shows might be useful.

If you're willing to "take a drink from the firehose", there's always the 802.11 standards themselves.

Solution 3

From https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces:
"Destination Address (DA) : Final recipient of the frame
Source Address (SA) : Original source of the frame
Receiver Address (RA) : Immediate receiver of the frame
Transmitter Address (TA) : Immediate sender of the frame"

Their values are interpreted in combination with values of To DS, From DS (To / From - distribution system):

To DS=0, From DS=0
A frame sent between two stations not being APs in a BSS or IBSS. It is also the case for all management and control frames (directly sent to the AP and not the DS)

To DS=0, From DS=1
A frame sent by a station for an AP (destined to the DS)

To DS=1, From DS=0
A frame exiting the DS for a station.

To DS=1, From DS=1
The only frame using all four address fields. Seen in Wireless DS (mesh, repeater, …) where an AP sends a frame to another AP; it is exiting the DS and destined to the DS at the same time in that situation.
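
An added example, not part of any answer above: a small parser that names Address 1 to 4 of a bare 802.11 MAC header as sa/da/ra/ta from the frame type and the To DS / From DS bits. It uses the address-field layout of IEEE Std 802.11, in which To DS=1 marks a frame a station sends toward its AP and From DS=1 a frame the AP sends to a station; the MAC addresses are the ones from the example in Solution 2, while `AP2`, `build` and the sample frames are constructed for illustration.

```python
import struct

CTRL_RA_ONLY = {7, 12, 13}  # Control Wrapper, CTS, ACK: no Address 2

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def wlan_addresses(frame: bytes) -> dict:
    """Name Address 1-4 of a bare 802.11 MAC header (no radiotap header)."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1 = mac(frame[4:10])
    out = {"ra": a1}                       # Address 1 is always the receiver
    if ftype == 1:                         # control: RA, sometimes TA, never SA/DA
        if subtype not in CTRL_RA_ONLY:
            out["ta"] = mac(frame[10:16])
        return out
    if ftype == 3:
        raise ValueError("extension frames are not handled in this sketch")
    a2, a3 = mac(frame[10:16]), mac(frame[16:22])
    out["ta"] = a2                         # Address 2 is always the transmitter
    if not to_ds and not from_ds:          # station to station, and management
        out.update(da=a1, sa=a2, bssid=a3)
    elif from_ds and not to_ds:            # AP -> station
        out.update(da=a1, bssid=a2, sa=a3)
    elif to_ds and not from_ds:            # station -> AP
        out.update(bssid=a1, sa=a2, da=a3)
    else:                                  # AP -> AP, four-address format
        out.update(da=a3, sa=mac(frame[24:30]))
    return out

def build(fc0, flags, *addrs):
    """Constructed sample header: FC, zero duration, addresses, zero seq-ctl."""
    raw = [bytes.fromhex(a.replace(":", "")) for a in addrs]
    hdr = bytes([fc0, flags, 0, 0]) + b"".join(raw[:3])
    return hdr + (b"\x00\x00" + b"".join(raw[3:]) if len(raw) > 2 else b"")

HOST, DEST, AP = "00:02:04:06:08:0a", "0a:08:06:04:02:00", "10:12:14:16:18:1a"
AP2 = "10:12:14:16:18:1b"                      # hypothetical second AP
UPLINK = build(0x08, 0x01, AP, HOST, DEST)     # data, To DS=1
DOWNLINK = build(0x08, 0x02, DEST, AP, HOST)   # data, From DS=1
WDS = build(0x08, 0x03, AP2, AP, DEST, HOST)   # data, both bits set
ACK = build(0xD4, 0x00, HOST)                  # control frame, RA only

if __name__ == "__main__":
    for name in ("UPLINK", "DOWNLINK", "WDS", "ACK"):
        print(name, wlan_addresses(globals()[name]))
```

The ACK result carries only `ra`, which is why a filter on wlan.sa or wlan.da matches nothing for such frames.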

Author by

user2862333

Updated on September 18, 2022

Comments

  • user2862333
    user2862333 over 1 year

    Tshark/wireshark (CLI) has several fields to display for WLAN, including these four (+ description from manual):

    • wlan.sa: Source address
    • wlan.ra: Receiver address
    • wlan.ta: Transmitter address
    • wlan.da: Destination address

    The descriptions from the manual don't make a lot of sense to me. I'd think there would be -just like an ethernet frame- just a source MAC address and a destination MAC address. After capturing some packets and examining them, apparently it sometimes happens not all these fields are used.

    Could anyone give me a more clear explanation of the difference between those four addresses? Also, what would be the best equivalent of eth.src and eth.dst (of ethernet frames)? Which field represents the wireless client's MAC address?

  • user2862333
    user2862333 over 10 years
    Thank you for your answer, this makes it a lot clearer. But can you also tell me why wlan.sa and wlan.da are sometimes empty? wlan.da is empty most of the time, apparently.
  • Admin
    Admin over 10 years
    Control frames aren't "bridged" through the access point, and they have only a transmitter address (wlan.ta) and a receiver address (wlan.ra), they don't have a source or destination address (wlan.sa or wlan.da). As for wlan.da being empty most of the time, I just did a monitor-mode capture on our network, and neither wlan.sa nor wlan.da are empty on most of the packets. (Do NOT assume that the Source and Destination columns are wlan.sa and wlan.da, respectively - they aren't!)