
  • I was doing some protocol captures the other day with my AirMagnet WiFi Analyzer Pro and I happened to notice a packet on channel 36.

    Both the from DS and to DS bits are set, leading me to believe this packet was traversing a wireless DS. Oddly, one of the known MAC addresses is an access point, so I am assuming this is a wireless bridge - most likely on a portable medical device.

    I noticed this in the summary column: SNAP prot: 000B85CCCD

    I have googled and turned up nothing. Anyone know what this is?

  • My best guess is a proprietary WDS implementation. Read about SNAP here:
    http://en.wikipedia.org/wiki/Subnetwork_Access_Protocol

    The SNAP in this frame points to a layer 3 protocol that is not well-known, which would point to a vendor-specific protocol to handle the packet. Could possibly be a corrupt frame, too.

  • Are you sure that it was decoded correctly by AirMagnet Wi-Fi Analyzer? Which version do you use?
    Have you tried to decode this packet by yourself, bit-by-bit?

  • What you are probably seeing is the SNAP (Subnetwork Access Protocol) header. This is an extension of the LLC header. In there it should identify something like EtherType = 0x0800. That is hex for IP. This is normal. What you have listed looks like a MAC address of a Cisco Airespace AP. Cisco OUI: 00-0B-85. Do you count 3 or 4 address fields? For a bridge or WDS it should be RA/TA/DA/Sequence Control/SA/QoS/LLC/SNAP/IP...etc. I spend a lot of time looking at stuff like this. It can be fun trying to figure out if something was intentional or an accident.

  • Nice catch, Wireless Jon -- Timothy, have you tried looking at the frame in a different analyzer, like Wireshark?
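
For anyone who wants to check an analyzer's decode by hand, as suggested in the thread, here is an added example (not code from any poster or from AirMagnet) that walks a data frame in the RA/TA/DA/Sequence Control/SA/QoS/LLC/SNAP order and splits the SNAP field into OUI and protocol ID. It assumes an unencrypted, unfragmented frame with no radiotap header or FCS; the function names and MAC addresses are made up, and only the SNAP value 000B85CCCD comes from the original post.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03"  # DSAP=AA, SSAP=AA, Control=03 (UI) announces a SNAP header

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_data_frame(frame: bytes) -> dict:
    """Decode a cleartext 802.11 data frame (no radiotap, no FCS) up to SNAP."""
    if len(frame) < 24:
        raise ValueError("shorter than a 3-address 802.11 header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    if flags & 0x40:
        raise ValueError("Protected bit set: LLC/SNAP is encrypted")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    offset = 24                       # FC, duration, 3 addresses, sequence control
    if to_ds and from_ds:             # bridge/WDS: a 4th address follows seq control
        addrs.append(frame[24:30])
        offset += 6
    if subtype & 0x08:                # QoS data subtypes carry a 2-byte QoS control
        offset += 2
        if flags & 0x80:              # Order bit on a QoS frame: 4-byte HT control
            offset += 4
    llc = frame[offset:offset + 8]
    if len(llc) < 8 or llc[:3] != LLC_SNAP:
        raise ValueError("no LLC/SNAP header at expected offset")
    oui, pid = llc[3:6], struct.unpack(">H", llc[6:8])[0]
    # OUI 00-00-00 means the protocol ID is a plain EtherType; any other OUI
    # means the ID is assigned by the organisation that owns that OUI.
    kind = "ethertype" if oui == b"\x00\x00\x00" else "vendor-specific"
    return {"to_ds": to_ds, "from_ds": from_ds,
            "addresses": [mac(a) for a in addrs],
            "oui": "-".join(f"{x:02X}" for x in oui), "pid": pid, "kind": kind}

# Constructed sample frames (MAC addresses are made up; SNAP bytes from the thread).
A1, A2, A3, A4 = (bytes([0x02, 0, 0, 0, 0, n]) for n in (1, 2, 3, 4))
WDS_FRAME = (b"\x88\x03\x00\x00" + A1 + A2 + A3 + b"\x10\x00" + A4 + b"\x00\x00"
             + LLC_SNAP + bytes.fromhex("000B85CCCD") + b"\x00" * 8)
IP_FRAME = (b"\x08\x01\x00\x00" + A1 + A2 + A3 + b"\x20\x00"
            + LLC_SNAP + bytes.fromhex("0000000800") + b"\x45\x00")

if __name__ == "__main__":
    for name, f in (("4-address", WDS_FRAME), ("3-address", IP_FRAME)):
        print(name, parse_data_frame(f))
```

If the LLC/SNAP check fails at the computed offset, the header length assumption is wrong for that frame (for example a fragment or an encrypted payload), which is worth ruling out before treating the protocol ID as real.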
