Troubleshooting Wi-Fi networks at the protocol level involves the analysis of control, management, and data frames. When doing save-to-disk captures of these frames for analysis, file sizes can grow very rapidly because of the payloads carried in data frames. However, if you’re only interested in frame exchanges, and not in what the payload looks like, saving this data might be unnecessary. It might also be useless if the wireless network is using encryption because, unless you have a way to decrypt it, the data would be unreadable. And even for unencrypted networks, it might be a good idea to ignore the payload and avoid storing user data in plain text.
Packet slicing is a technique that allows us to capture just a portion of the beginning of each frame, disregarding the remaining bytes. In a perfect world, we should be able to specify a fixed number of bytes that’s sufficient to capture only the 802.11 MAC headers so that only this information is stored. But the world is not perfect and the length of an 802.11 MAC header may vary, so we have to be smarter about it.
For example, the 802.11 MAC header of a QoS data frame includes the QoS Control field, while the header of a non-QoS data frame does not. Also, if the frame is being transmitted over a wireless distribution system, the MAC header will contain an additional MAC address. If we want to perform automatic frame slicing, we need to determine what type of MAC header the frame carries so we know how many header bytes we need to preserve. Also, not all data frames carry data, so we want to know the subtype too and avoid any unnecessary processing overhead.
The latest version of Airtool comes with a new option that allows you to perform automatic data frame slicing. When enabled, only the 802.11 MAC header of data frames will be stored in the capture file. If the frame does not pass the FCS check, the frame is left intact because a) the tool cannot ensure the frame is a valid data frame and b) protocol analyzers would no longer be able to determine whether the original frame had a good or a bad FCS, which could alter the semantics of the capture. Also, even though Airtool will disregard the payload of the data frames when slicing is enabled, the original length would still be stored as part of the capture metadata so you know how many bytes of user data the frame was originally carrying.
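The header-length decision and the bad-FCS rule described above, as an added Python sketch. It is not Airtool's code: the function names are hypothetical, it assumes raw 802.11 frames with the 4-byte FCS attached and no radiotap header, and it goes slightly beyond the text by also accounting for the HT Control field.

```python
import struct
import zlib

def with_fcs(body: bytes) -> bytes:
    """Append the 4-byte FCS (CRC-32, little-endian) to a frame body."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    return len(frame) >= 4 and with_fcs(frame[:-4]) == frame

def mac_header_len(frame: bytes) -> int:
    """MAC header length of a data frame, derived from its Frame Control field."""
    subtype, flags = frame[0] >> 4, frame[1]
    length = 24                       # FC, Duration, Addr1-3, Sequence Control
    if flags & 0x03 == 0x03:          # To DS and From DS both set
        length += 6                   # Address 4 (wireless distribution system)
    if subtype & 0x8:                 # QoS data subtypes
        length += 2                   # QoS Control
        if flags & 0x80:              # Order bit set on a QoS frame
            length += 4               # HT Control (not covered in the text)
    return length

def slice_data_frame(frame: bytes):
    """Return (bytes_to_store, original_length) for one captured frame."""
    original_length = len(frame)
    if not fcs_ok(frame):             # bad FCS: header cannot be trusted, keep intact
        return frame, original_length
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 2 or subtype & 0x4:   # not a data frame, or a subtype with no payload
        return frame, original_length
    header = mac_header_len(frame)
    if header > len(frame) - 4:       # malformed: header would run into the FCS
        return frame, original_length
    return frame[:header], original_length

# Constructed sample frames: addresses are zero bytes, payload is filler.
ADDR = bytes(6)

def sample(fc0, fc1, extra=b"", payload=b"\xAA" * 100):
    return with_fcs(bytes([fc0, fc1]) + bytes(2) + ADDR * 3 + bytes(2) + extra + payload)

QOS_DATA = sample(0x88, 0x41, extra=bytes(2))          # QoS Data, To DS, Protected
WDS_QOS = sample(0x88, 0x03, extra=ADDR + bytes(2))    # 4-address QoS Data
PLAIN_DATA = sample(0x08, 0x02)                        # non-QoS Data, From DS
NULL_FRAME = sample(0x48, 0x01, payload=b"")           # Null (no data)

if __name__ == "__main__":
    for name in ("QOS_DATA", "WDS_QOS", "PLAIN_DATA", "NULL_FRAME"):
        stored, original = slice_data_frame(globals()[name])
        print(f"{name}: stored {len(stored)} of {original} bytes")
```

On encrypted frames the CCMP or TKIP header belongs to the frame body, so it is dropped along with the payload in this sketch.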
To enable data frame slicing, click the Airtool icon, then go to Preferences > General and check the “Do not save Layer 3-7 payload (MSDU)” option.