Ethereal-users: Re: [Ethereal-users] Question about raw packet of 802.11 in linux andwindows
snowboarder wrote:
< I have successfully used ethereal and libpcap0.7.2 to capture raw packet of 802.11(management frames,Beacon etc) in linux.
< I want to use the ethereal and winpcap to capture the raw packets in windows, But I failed. Why can't I capture war packet
<(managements packet) in windows? Is it due to winpcap or device driver not supporting monitor mode?
Only "cooked mode - network (non-control) frames only." on Windows
http://www.ethereal.com/media.html
"On platforms that don't allow Ethereal to capture raw 802.11 packets, the 802.11 network will appear like an Ethernet to Ethereal."
http://www.ethereal.com/faq.html#q5.29
Guy Harris has explained why in the following message:
http://www.ethereal.com/lists/ethereal-users/200302/msg00038.html
"There's already 802.11 packet analysis code in Ethereal on Windows, in
the sense that if you have a capture file with 802.11 packets in it, you
can read that capture file in the Windows version of Ethereal and it
will dissect the 802.11 headers.
What's missing is code in WinPcap to support *capture* of raw 802.11
traffic in Windows, and the reason for that is that
there is no standard way, using NDIS, to request that an 802.11
card and driver return 802.11 frames - or that it go into
"monitor mode" and supply frames that it otherwise wouldn't
supply;
therefore, the only way to do that appears to be to write your
own drivers for 802.11 cards;
neither the WinPcap developers nor any Ethereal developers so
far have, I suspect, any interest whatsoever in developing those
drivers *AND*, as would probably be necessary, supporting them
(e.g., as new versions of card firmware are released) *AND*
adding support for new cards as they arrive (e.g., 802.11a and
802.11g cards)."
