Wednesday, October 16, 2019

WLAN Analysis with Wireshark (Radiotap Header Section, Part 2)

Time Synchronization Function Timer (TSFT) is used to achieve timing synchronization among wireless users.

The TSFT sub-field under the Present flags (of the Radiotap Header section) indicates whether the header can carry this information. The right-hand side diagram indicates that this frame (7) is able to deliver that data.


The Wireshark display filter for the MAC timestamp is "radiotap.mactime". It behaves like a sequence number: a later frame carries a higher TSFT. In the 802.11 standard, an Independent Basic Service Set (IBSS) defines a distributed timing synchronization function (TSF). That means any two stations in an IBSS network are physically located within signal range of each other.
A TSF keeps the timers for all stations in the same basic service set (BSS) synchronized. All stations shall maintain a local TSF timer. The diagram below indicates that each station has a counter, which two stations use to exchange timing information on BSS ID (06:20:17:11:22:52).


The right-hand side diagram, with the filter "wlan.bssid == 40:9b:cd:0c:67:58", presents more information. As you can see, several STAs are in range of "40:9b:cd:0c:67:58", including those with MAC addresses ending in 38:ff:22, 97:78:6c, and 00:01:11.

The counter increments in microseconds.

Frames 39182 and 39183, in the diagram below, show the same MAC timestamp. It turns out 39183 is a malformed frame where the radiotap data goes past the end of the radiotap header.
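
The sketch below is an added example, not part of the original post or of Wireshark. It reads the TSFT when Present-flags bit 0 is set and reports the kind of malformation described above, where a declared field runs past the radiotap header length. The name `parse_radiotap` and the sample bytes are constructed for illustration, and the field table covers Present bits 0-14 only.

```python
import struct

# (size, alignment) in bytes for radiotap present bits 0-14 (TSFT .. RX flags).
FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2), (2, 2), (1, 1), (1, 1), (2, 2),
          (2, 2), (2, 2), (1, 1), (1, 1), (1, 1), (1, 1), (2, 2)]

def parse_radiotap(frame: bytes):
    """Return (tsft_microseconds_or_None, problem_or_None) for one captured frame."""
    if len(frame) < 8:
        return None, "shorter than the fixed 8-byte radiotap header"
    version, _pad, it_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or not 8 <= it_len <= len(frame):
        return None, "bad version or header length"
    offset, word = 8, present
    while word & (1 << 31):              # bit 31: another present word follows
        if offset + 4 > it_len:
            return None, "present bitmap runs past the radiotap header"
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    tsft = None
    for bit, (size, align) in enumerate(FIELDS):   # higher bits are not walked here
        if not present & (1 << bit):
            continue
        offset = (offset + align - 1) // align * align   # natural alignment
        if offset + size > it_len:
            return tsft, f"field bit {bit} runs past it_len={it_len}"
        if bit == 0:                     # TSFT: 64-bit little-endian MAC timestamp
            (tsft,) = struct.unpack_from("<Q", frame, offset)
        offset += size
    return tsft, None

# Constructed sample headers (not taken from the capture discussed above).
GOOD = struct.pack("<BBHIQBB", 0, 0, 18, 0x7, 123456789, 0x10, 0x02)
# Same timestamp, but the Channel bit (3) is also set while it_len is still 18.
BAD = struct.pack("<BBHIQBB", 0, 0, 18, 0xF, 123456789, 0x10, 0x02)
NO_TSFT = struct.pack("<BBHIBB", 0, 0, 10, 0x6, 0x10, 0x02)

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD), ("NO_TSFT", NO_TSFT)):
        print(name, parse_radiotap(raw))
```

As with frames 39182 and 39183, the `GOOD` and `BAD` samples yield the same timestamp; only the bounds check against the header length tells them apart.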


