Re: Lucent link test frame format


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-04-14 06:37:55 UTC



On Sat, Apr 13, 2002 at 07:32:33PM -0500, Andy Warner wrote:

> In the dim, dark, back of my mind - I seem to remember these
> being UDP packets. I'd have to snoop some packets to validate
> that theory, but I'll throw it out there for discussion before
> I've done the experiment.

The client seems to also send UDP broadcast packets, but these link test packets are not based on IP. They are unicast 802.11 data frames with the following LLC:

Logical-Link Control

    DSAP: SNAP (0xaa)
    IG Bit: Individual
    SSAP: SNAP (0xaa)
    CR Bit: Command
    Control field: U, func = UI (0x03)

        000. 00.. = Unnumbered Information
        .... ..11 = Unnumbered frame

    Organization Code: Unknown (0x00601d)
    Protocol ID: 0x0001

After this comes 58 bytes of data. An example from the client side:

0000  00 00 07 06 00 01 02 03 04 05 06 07 08 09 0a 0b   ................
0010  0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b   ................
0020  1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b   .... !"#$%&'()*+
0030  2c 2d 2e 2f 30 31 32 33 fe ca                     ,-./0123..      


And a Prism2 card in Host AP mode replied with the following:

0000  00 01 07 06 50 72 69 73 6d 20 20 49 00 20 20 20   ....Prism  I.   
0010  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0020  20 20 20 20 2e 09 00 6e 08 01 01 0f 0a 00 00 64       ...n.......d
0030  09 2a 09 2b 01 00 32 33 fe ca                     .*.+..23..      


That 'Prism I' is the nickname (or cnfOwnName). I would assume that signal quality is in the bytes following the 32 bytes reserved for the name. I don't have a Lucent AP at home, so I won't be able to sniff its reply to the link test today.

-- 
Jouni Malinen                                            PGP id EFC895FA
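
An added example, not part of the original message or of the Host AP code: a small Python dissector for the frame layout shown in the two dumps above. The field names, reading byte 1 as a request/reply flag, and treating the final fe ca as a trailer are assumptions drawn only from those two samples.

```python
import struct

LLC_UI = bytes.fromhex("aaaa03")   # DSAP, SSAP, UI control, as decoded in the post
OUI = bytes.fromhex("00601d")      # organization code from the post
PID = 0x0001                       # protocol ID from the post
BODY_LEN = 58                      # "58 bytes of data"
NAME_OFF, NAME_LEN = 4, 32         # 32-byte name field, located from the reply dump


def parse_link_test(frame_body: bytes):
    """Parse an 802.11 data frame body starting at the LLC header.

    Returns None if it is not a link test frame, else a dict of raw fields.
    """
    if len(frame_body) < 8 or frame_body[:3] != LLC_UI or frame_body[3:6] != OUI:
        return None
    (pid,) = struct.unpack(">H", frame_body[6:8])
    data = frame_body[8:]
    if pid != PID or len(data) != BODY_LEN:
        return None
    name_raw = data[NAME_OFF:NAME_OFF + NAME_LEN]
    return {
        "header": data[:NAME_OFF],
        # Assumption: byte 1 separates request (0) from reply (1); it is the
        # only header byte that differs between the two dumps.
        "is_reply": data[1] == 1,
        # Name is cut at the first NUL, then trailing space padding is dropped.
        "name": name_raw.split(b"\x00", 1)[0].decode("ascii", "replace").rstrip(),
        # Bytes after the name are not decoded in the post; kept raw.
        "after_name": data[NAME_OFF + NAME_LEN:-2],
        "trailer": data[-2:],
    }


# Samples constructed from the two hex dumps in the post, with the LLC/SNAP
# header from the decode prepended.
SNAP_HDR = LLC_UI + OUI + struct.pack(">H", PID)
CLIENT = SNAP_HDR + bytes.fromhex("00000706") + bytes(range(0x34)) + bytes.fromhex("feca")
REPLY = SNAP_HDR + bytes.fromhex(
    "00 01 07 06 50 72 69 73 6d 20 20 49 00 20 20 20" + "20" * 20 +
    "2e 09 00 6e 08 01 01 0f 0a 00 00 64 09 2a 09 2b 01 00 32 33 fe ca")

if __name__ == "__main__":
    for label, frame in (("client", CLIENT), ("reply", REPLY)):
        fields = parse_link_test(frame)
        print(label, fields["is_reply"], repr(fields["name"]),
              fields["after_name"].hex(" "), fields["trailer"].hex())
```

The last two bytes of `after_name` in the reply are 32 33, the same values the client sent at those offsets.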

