Wireshark-users: Re: [Wireshark-users] Help.. pcap to ivs
Andrea Faver wrote:
> I know.. I saved my dump.pcap file in Wireshark/tcpdump/libpcap mode.
> I tried in DOS: ivstools --convert dump.pcap dump.ivs
> The error message is:
> opening dump.pcap
> "dump.pcap" isn't a regular 802.11 (wireless) capture
That doesn't mean it's not a pcap file - it means the packets in it
don't have 802.11 headers.
A lot of 802.11 adapters can be configured to provide to the host fake
Ethernet packets, rather than 802.11 packets, and a lot of 802.11
drivers will, by default, configure the adapters to do so.
On Windows prior to Windows Vista, that's how *all* the drivers work, as
far as I know; the networking stack doesn't handle 802.11 headers. In
Windows Vista, the networking stack can handle 802.11 headers, but not
all drivers have been changed to work with the "Native 802.11" mechanism
- and, even for those that have, WinPcap doesn't put the adapter into
monitor mode, so they won't supply 802.11 headers.
So if you've captured on Windows with a WinPcap-based application, such
as WinDump or Wireshark, you won't have an 802.11 capture.
On Linux, adapters don't supply 802.11 headers by default, but a lot of
them do so in monitor mode. See
http://wiki.wireshark.org/CaptureSetup/WLAN#head-bb8373ef4903fe9da2b8375331726541fb1ad32d
for information on some adapters.
On FreeBSD, NetBSD, OpenBSD, and, I think, DragonFly BSD, you can get
802.11 headers in newer versions; see
http://wiki.wireshark.org/CaptureSetup/WLAN#head-2fcfb4ae9d4e09f91c40d7112ba5103f84b5646d
In Mac OS X 10.4, there might be a "wlt1" or "wlt2" adapter - if you
capture on that, the capture will be done in monitor mode, and will have
802.11 headers. See
http://kismac.macpirate.ch/wiki/doku.php?id=troubleshooting_airport_extreme
for information on tweaking the Info.plist file for the adapter to
enable the wlt device - I think it's available by default on at least
some Intel-based Macs, but you have to tweak the Info.plist file and
reboot to get it on, for example, a PowerBook.
In Mac OS X 10.5, if you select 802.11 headers with the "-y" flag to
tcpdump or TShark or the link-layer header type list in Wireshark, the
capture will be done in monitor mode, and will have 802.11 headers.
In any case, note that, if the adapter is put into monitor mode, it
might disassociate itself from the network, so you won't necessarily be
able to capture traffic on a machine while it's active on a wireless
network - you might only be able to passively capture traffic from other
machines.
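The quickest way to confirm the diagnosis above is to look at the link-layer header type recorded in the pcap file's global header: a capture of "fake Ethernet" frames is written with DLT_EN10MB (1), while a monitor-mode capture carries one of the 802.11 link types. The following script is an added example, not code from the thread or from Wireshark/aircrack-ng; the DLT numbers are the libpcap values from pcap/dlt.h, and the sample headers at the bottom are constructed inline so it runs without a real capture.

```python
import struct
import sys

# libpcap link-layer header types (DLT_* values from libpcap's pcap/dlt.h)
DLT_NAMES = {
    1:   "EN10MB (Ethernet frames; no 802.11 headers)",
    105: "IEEE802_11 (raw 802.11 headers)",
    119: "PRISM_HEADER (Prism monitor-mode header + 802.11)",
    127: "IEEE802_11_RADIO (radiotap header + 802.11)",
    163: "IEEE802_11_RADIO_AVS (AVS header + 802.11)",
    192: "PPI (PPI header + 802.11)",
}
# Link types whose packets carry 802.11 headers (possibly behind a radio header)
WIRELESS_DLTS = {105, 119, 127, 163, 192}

# Classic pcap magic numbers as they appear on disk, mapped to the struct
# byte-order prefix needed to decode the rest of the header.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}

PCAP_GLOBAL_HEADER_LEN = 24


def pcap_linktype(data: bytes) -> int:
    """Return the link-layer type from the 24-byte pcap global header in `data`.

    Raises ValueError for anything that is not a classic libpcap file
    (a pcapng file, for example, starts with 0x0A0D0D0A and is rejected here).
    """
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError("too short to be a pcap file")
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap-format file (unknown magic number)")
    # magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
    _, major, minor, _, _, _, network = struct.unpack(
        endian + "IHHiIII", data[:PCAP_GLOBAL_HEADER_LEN]
    )
    if (major, minor) != (2, 4):
        raise ValueError(f"unexpected pcap version {major}.{minor}")
    return network


def is_80211_capture(data: bytes) -> bool:
    """True if the packets in this pcap carry 802.11 headers."""
    return pcap_linktype(data) in WIRELESS_DLTS


def describe(data: bytes) -> str:
    """Human-readable verdict, in the spirit of ivstools' error message."""
    dlt = pcap_linktype(data)
    name = DLT_NAMES.get(dlt, f"DLT {dlt}")
    if dlt in WIRELESS_DLTS:
        return f"802.11 capture (link type {name})"
    return f"NOT an 802.11 capture (link type {name}); recapture in monitor mode"


def make_pcap_header(linktype: int, snaplen: int = 65535, big_endian: bool = False) -> bytes:
    """Build a constructed (empty) pcap global header for testing; not a real capture."""
    fmt = (">" if big_endian else "<") + "IHHiIII"
    return struct.pack(fmt, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


# Constructed sample headers: what a WinPcap/Ethernet capture and a
# monitor-mode capture would start with.
ETHERNET_CAPTURE = make_pcap_header(1)
RAW_80211_CAPTURE = make_pcap_header(105)
RADIOTAP_CAPTURE = make_pcap_header(127, big_endian=True)

if __name__ == "__main__":
    # Usage: python check_pcap.py dump.pcap
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {describe(f.read(PCAP_GLOBAL_HEADER_LEN))}")
```

If the script reports EN10MB, the fix is on the capture side, not the conversion side: on a system whose driver supports it, list the link types the adapter offers with `tcpdump -i <iface> -L` (or `tshark -i <iface> -L`), then capture with an 802.11 type selected, e.g. `tcpdump -i <iface> -y IEEE802_11_RADIO -w dump.pcap`; Wireshark exposes the same choice in the interface's link-layer header type list. As the message above notes, selecting an 802.11 type puts the adapter into monitor mode, so expect it to drop its association while you capture.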