• Hi Criss,
    Very happy to see your post after a long time.....(one week)

    The station which i was describing was a non-Qos Station. (from association request). So the sequence number should be incremental.

    Even Qos behaviour does not fit it. Probe request....1436 and next probe request at 2043.......

    As I said in the previous post, can the reason for this behaviour is active scanning or weak signal.I have found support for this from internet.

    When the gap between current SN and last SN is between 3 and 4092 inclusively, it is considered an abnormal sequence number advance. It is incorrect to declare the current frame is a spoofed frame simply because there is an abnormal sequence number advance, since there are many legitimate scenarios that can lead to such sequence number
    advances. For example, when an STA resumes its traffic with its current AP
    after scanning other channels, resetting its NIC, or roaming out of the coverage area of the monitor node, the gap between the current frame and the last frame that the monitor node can observe could be much larger than 1.

    In our implementation we were using sequence not only for duplicate filtering, re-assembly but also for detecting spoofing (which proved costly).
    Once it goes out of sequence(window size - 1500), AP is dropping all the frames saying them as duplicate or spoofed frames which is not the case.(until it wraps around)After two days of my research i found that the station behaviour is causing problems.(and it happens rarely (1 in 10,000 frames))

    I just want to confirm whether what iam assuming is correct to not...

    With regards.

Page 1 of 1
  • 1