Wireshark-dev: Re: [Wireshark-dev] What's the difference between NdisMediumBare80211 (DLT_IEEE8
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 30 Mar 2016 19:59:03 -0700
On Mar 30, 2016, at 5:09 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> I'm adding Native 802.11 capture support to Npcap and demonstrate it on Wireshark. (See: https://github.com/nmap/npcap/releases/download/v0.06-r13/npcap-nmap-0.06-r13-wifi.exe). I found that the there are two 802.11 related values to show the adapter type: NdisMediumBare80211 and NdisMediumRadio80211
> 
> 
> And Packet.dll translates them based on the following code:
> 
> 	case NdisMediumBare80211:
> 		p->linktype = DLT_IEEE802_11;
> 		break;
> 
> 	case NdisMediumRadio80211:
> 		p->linktype = DLT_IEEE802_11_RADIO;
> 		break;
> 
> So I want to know which value should I use for native 802.11 capturing?

If you're supplying a radiotap header, so that the packet data begins with a radiotap header, use NdisMediumRadio80211.

If you're not supplying any radio metadata, so that the packet data begins with an 802.11 header, use NdisMediumBare80211.

If you're doing anything else, do one of the two things above instead.