I was doing some protocol captures the other day with my AirMagnet WiFi Analyzer Pro and I happened to notice a packet on channel 36.
Both the from DS and to DS bits are set, leading me to believe this packet was traversing a wireless DS. Oddly, one of the known MAC addresses is an access point, so I am assuming this is a wireless bridge - most likely on a portable medical device.
What I noticed in the summary column is this: SNAP prot: 000B85CCCD
I have googled and turned up nothing. Anyone know what this is?
My best guess is a proprietary WDS implementation. Read about SNAP here:
The SNAP in this frame points to a layer 3 protocol that is not well-known, which would point to a vendor-specific protocol to handle the packet. Could possibly be a corrupt frame, too.
Are you sure that it was decoded correctly by AirMagnet Wi-Fi Analyzer? Which version do you use?
Have you tried to decode this packet by yourself, bit-by-bit?
What you are probably seeing is the SNAP (Subnetwork Access Protocol) header. This is an extension of the LLC header. In there it should identify something like EtherType = 0x0800. That is hex for IP. This is normal. What you have listed looks like a MAC address of a Cisco Airespace AP. Cisco OUI: 00-0B-85. Do you count 3 or 4 address fields? For a bridge or WDS it should be RA/TA/DA/Sequence Control/SA/QoS/LLC/SNAP/IP...etc. I spend a lot of time looking at stuff like this. It can be fun trying to figure out if something was intentional or an accident.
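A byte-by-byte decode of the layout described above, as an added example that is not part of the original thread: it walks a data frame through RA/TA/DA/Sequence Control/SA/QoS to the LLC/SNAP header and splits the five SNAP bytes into a 3-byte OUI and a 2-byte protocol ID. It assumes the buffer starts at Frame Control (no radiotap header, FCS stripped); the function names and the MAC addresses in the sample are constructed for illustration.

```python
def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_data_frame(frame: bytes) -> dict:
    """Walk an 802.11 data frame (no radiotap header, no FCS) down to LLC/SNAP."""
    if len(frame) < 24:
        raise ValueError("shorter than a 3-address 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    subtype = fc0 >> 4
    out = {"to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
           "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
           "addr3": mac(frame[16:22]), "addr4": None, "snap": None}
    off = 24                      # FC + duration + 3 addresses + sequence control
    if out["to_ds"] and out["from_ds"]:   # both DS bits set: fourth address present
        if len(frame) < off + 6:
            raise ValueError("truncated before address 4")
        out["addr4"] = mac(frame[off:off + 6])
        off += 6
    if subtype & 0x8:             # QoS data subtypes carry a 2-byte QoS Control
        off += 2
        if fc1 & 0x80:            # Order bit on a QoS frame: 4-byte HT Control
            off += 4
    if fc1 & 0x40:                # Protected: body is ciphertext, no SNAP to read
        return out
    llc = frame[off:off + 8]
    if len(llc) == 8 and llc[:3] == b"\xaa\xaa\x03":   # DSAP, SSAP, UI control
        out["snap"] = {"oui": llc[3:6].hex("-"),
                       "pid": int.from_bytes(llc[6:8], "big"),
                       "summary": llc[3:8].hex().upper()}  # as an analyzer column shows it
    return out

# Constructed sample: QoS data, ToDS+FromDS, made-up locally administered MACs,
# and the five SNAP bytes from the post (00 0B 85 CC CD).
SAMPLE = bytes.fromhex(
    "8803" "0000"
    "020000000001" "020000000002" "020000000003"
    "1000" "020000000004"
    "0000"
    "aaaa03" "000b85" "cccd"
    "deadbeef")

if __name__ == "__main__":
    print(parse_data_frame(SAMPLE))
```

A `snap` of `None` on a frame with the Protected bit set means the body is encrypted, so any SNAP value an analyzer shows for such a frame is not a real decode.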
Nice catch, Wireless Jon -- Timothy, have you tried looking at the frame in a different analyzer, like Wireshark?