Interpreting Frame Control bytes in 802.11 Wireshark trace

难免孤独 2021-02-08 01:27

I have a Wi-Fi capture (.pcap) that I'm analysing and have run across what appear to me to be inconsistencies between the 802.11 spec and Wireshark's interpretati

3 answers
  •  猫巷女王i
    2021-02-08 02:11

    The data frame in your example is 0x08 because of the layout of that byte of the frame control (FC). 0x08 = 00001000

    - The first 4 bits (0000) are the subtype. 0000 is the subtype of this frame
    - The next 2 bits (10) is the type, which is 2 decimal and thus a data type frame
    - The last 2 bits (00) are the version, which is 0

    The table below translates the hex value of the subtype-type-version byte of the FC for several frame types. A comparison of the QoS data to the normal data frame might really help get this down pat. Mind you the table might have an error or two, as I just whipped it up.

    You are right that 1000 is a beacon frame, you just were looking at the wrong bits.


    You have a radiotap header, you can get the dec representation of the type like so from the pcap API:

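    /* Offset 20 assumes a 20-byte radiotap header; mask to 2 bits so the subtype bits are dropped. */
    int type = (pkt_data[20] >> 2) & 0x03;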
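
Added example, not part of the answer above: decoding the first Frame Control byte in C following the bit layout the answer describes, with the radiotap header length read from the header itself rather than assumed to be 20. The names `parse_fc`, `fc_info` and `make_sample` are hypothetical, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fc_info { int version, type, subtype; };

/* Decode the first Frame Control byte of a radiotap-prefixed 802.11 frame.
 * Returns 0 on success, -1 if the capture is too short or malformed. */
int parse_fc(const uint8_t *pkt, size_t caplen, struct fc_info *out)
{
    if (caplen < 4)
        return -1;
    /* radiotap it_len: 16-bit little-endian at offset 2 */
    size_t rt_len = (size_t)pkt[2] | ((size_t)pkt[3] << 8);
    /* the fixed part of a radiotap header is 8 bytes; the FC must fit too */
    if (rt_len < 8 || rt_len >= caplen)
        return -1;
    uint8_t fc0 = pkt[rt_len];
    out->version = fc0 & 0x03;          /* lowest 2 bits */
    out->type    = (fc0 >> 2) & 0x03;   /* next 2 bits   */
    out->subtype = (fc0 >> 4) & 0x0f;   /* top 4 bits    */
    return 0;
}

/* Constructed sample: zeroed radiotap header of rt_len bytes + 2-byte FC.
 * buf must hold at least rt_len + 2 bytes. */
size_t make_sample(uint8_t *buf, size_t rt_len, uint8_t fc0)
{
    memset(buf, 0, rt_len + 2);
    buf[2] = (uint8_t)(rt_len & 0xff);
    buf[3] = (uint8_t)(rt_len >> 8);
    buf[rt_len] = fc0;
    return rt_len + 2;
}

int main(void)
{
    const uint8_t samples[] = { 0x08, 0x80, 0x88 }; /* data, beacon, QoS data */
    uint8_t buf[64];
    struct fc_info fc;
    for (size_t i = 0; i < sizeof samples; i++) {
        size_t n = make_sample(buf, 20, samples[i]);
        if (parse_fc(buf, n, &fc) == 0)
            printf("0x%02x: type=%d subtype=%d version=%d\n",
                   samples[i], fc.type, fc.subtype, fc.version);
    }
    return 0;
}
```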
    
