0

I was analyzing a database of probe requests until I found the following packet, which has 3 different vendor-specific fields. How to interpret that? Is it just a wrong packet?

RadioTap version=0 pad=0 len=24 present=Flags+Rate+Channel+dBm_AntSignal+RXFlags+RadiotapNS+Ext Ext=[<RadioTapExtendedPresenceMask present=b5+b11 |>] Flags= Rate=1.0 Mbps ChannelFrequency=2452 ChannelFlags=CCK+2GHz dBm_AntSignal=-65 dBm RXFlags= notdecoded='\\xbf\x00' |<Dot11 subtype=Probe Request type=Management proto=0 FCfield= ID=0 addr1=ff:ff:ff:ff:ff:ff (RA=DA) addr2=9e:1e:21:eb:55:c0 (TA=SA) addr3=ff:ff:ff:ff:ff:ff (BSSID/STA) SC=56976 |<Dot11ProbeReq |<Dot11Elt ID=SSID len=0 info='' |<Dot11EltRates ID=Supported Rates len=4 rates=[1.0 Mbps, 2.0 Mbps, 5.5 Mbps, 11.0 Mbps] |<Dot11EltRates ID=Extended Supported Rates len=8 rates=[6.0 Mbps, 9.0 Mbps, 12.0 Mbps, 18.0 Mbps, 24.0 Mbps, 36.0 Mbps, 48.0 Mbps, 54.0 Mbps] |<Dot11EltDSSSet ID=DSSS Set len=1 channel=9 |<Dot11EltHTCapabilities ID=HT Capabilities len=26 L_SIG_TXOP_Protection=0 Forty_Mhz_Intolerant=1 PSMP=0 DSSS_CCK=0 Max_A_MSDU=3839 o Delayed_BlockAck=0 Rx_STBC=0 Tx_STBC=0 Short_GI_40Mhz=0 Short_GI_20Mhz=1 Green_Field=0 SM_Power_Save=disabled Supported_Channel_Width=20Mhz LDPC_Coding_Capability=1 res1=0 Min_MPDCU_Start_Spacing=6 Max_A_MPDU_Length_Exponent=3 res2=0 TX_Unequal_Modulation=0 TX_Max_Spatial_Streams=0 TX_RX_MCS_Set_Not_Equal=0 TX_MCS_Set_Defined=0 res3=0 RX_Highest_Supported_Data_Rate=0 res4=0 RX_MSC_Bitmask=255 res5=0 RD_Responder=0 HTC_HT_Support=0 MCS_Feedback=0 res6=0 PCO_Transition_Time=0 PCO=0 res7=0 Channel_Estimation_Capability=0 CSI_max_n_Rows_Beamformer_Supported=0 Compressed_Steering_n_Beamformer_Antennas_Supported=0 Noncompressed_Steering_n_Beamformer_Antennas_Supported=0 CSI_n_Beamformer_Antennas_Supported=0 Minimal_Grouping=0 Explicit_Compressed_Beamforming_Feedback=0 Explicit_Noncompressed_Beamforming_Feedback=0 Explicit_Transmit_Beamforming_CSI_Feedback=0 Explicit_Compressed_Steering=0 Explicit_Noncompressed_Steering=0 Explicit_CSI_Transmit_Beamforming=0 Calibration=0 Implicit_Trasmit_Beamforming=0 Transmit_NDP=0 Receive_NDP=0 Transmit_Staggered_Sounding=0 
Receive_Staggered_Sounding=0 Implicit_Transmit_Beamforming_Receiving=0 ASEL= |<Dot11Elt ID=Extendend Capabilities len=8 info='\x00\x00\x08\\x84\x00\x00\x00@' |<Dot11Elt ID=Interworking len=7 info='\x0f\\xff\\xff\\xff\\xff\\xff\\xff' |<Dot11Elt ID=255 len=28 info='#\x01\x08\x08\x00\x00\\x80\x000\x02\x00\r\x00\\x9f\x00\x00\x00\x00\\xfd\\xff\\xfd\\xff9\x1c\\xc7q\x1c\x07' |<Dot11EltVendorSpecific ID=Vendor Specific len=11 oui=Apple, Inc. (00:17:f2) info='\n\x00\x01\x04\x00\x00\x00\x00' |<Dot11EltVendorSpecific ID=Vendor Specific len=7 oui=Microsoft Corp. (00:50:f2) info='\x08\x00\x11\x00' |<Dot11EltVendorSpecific ID=Vendor Specific len=9 oui=Broadcom (00:10:18) info='\x02\x00\x00\x10\x00\x00' |>>>>>>>>>>>>>>

1
  • Has any answer solved your question? Then please accept it or your question will keep popping up here forever. Please also consider voting for useful answers. Commented Dec 10, 2023 at 10:26

1 Answer

0

What you point out as 3 different vendor specific fields are parts of the MAC address fields - there are actually four of those in an 802.11 frame: destination, source, receiver and transmitter address.

Each MAC address consists of an Organizationally Unique Identifier (OUI) that is assigned to a vendor by IEEE-SA, and a vendor-specific/unique identifier which is indicated in your quote.

1
  • Thank you for your return. The only MAC addresses I can see in this frame are addr1 (broadcast), addr2 (9e:1e:21:eb:55:c0), and addr3 (broadcast). None of them belong to Apple, Inc. (00:17:f2), Microsoft Corp. (00:50:f2), or Broadcom (00:10:18). Am I missing something? Commented Jul 13, 2023 at 17:33
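An added example, not part of the question or the answer above: in an 802.11 management frame the tagged parameters are a sequence of ID/length/body elements, and element ID 221 (Vendor Specific) starts its body with a 3-byte OUI. The code rebuilds the three vendor-specific elements from the dump as raw bytes (a constructed sample), lists their OUIs, and checks the locally administered bit of addr2; all function names are hypothetical.

```python
"""Added example: walk 802.11 information elements (ID, length, body)."""

VENDOR_SPECIFIC = 221  # element ID whose body starts with a 3-byte OUI

# Constructed sample: the three vendor-specific elements from the dump,
# re-encoded as raw bytes (ID, length, OUI, info).
SAMPLE_IES = bytes.fromhex(
    "dd0b" "0017f2" "0a00010400000000"  # len=11
    "dd07" "0050f2" "08001100"          # len=7
    "dd09" "001018" "020000100000"      # len=9
)
# OUI names exactly as Scapy printed them in the dump.
OUI_NAMES = {"00:17:f2": "Apple, Inc.", "00:50:f2": "Microsoft Corp.",
             "00:10:18": "Broadcom"}


def parse_elements(buf):
    """Yield (element_id, body); raise ValueError on a truncated element."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated element header")
        eid, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("element %d claims %d bytes, %d left"
                             % (eid, length, len(body)))
        yield eid, body
        pos += 2 + length


def vendor_elements(buf):
    """Return [(oui, name, data)] for every vendor-specific element."""
    out = []
    for eid, body in parse_elements(buf):
        if eid == VENDOR_SPECIFIC and len(body) >= 3:
            oui = ":".join("%02x" % b for b in body[:3])
            out.append((oui, OUI_NAMES.get(oui, "unknown"), body[3:]))
    return out


def is_locally_administered(mac):
    """True if the U/L bit (0x02 in the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


if __name__ == "__main__":
    for oui, name, data in vendor_elements(SAMPLE_IES):
        print(oui, name, data.hex())
    print("addr2 locally administered:",
          is_locally_administered("9e:1e:21:eb:55:c0"))
```

Each length byte in the dump (11, 7, 9) equals 3 OUI bytes plus the length of the printed `info` field, which is why the three elements parse back to back.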
