[Winpcap-users] how Wireshark get linktype?
Guy Harris
guy at alum.mit.edu
Tue Sep 1 17:05:46 PDT 2009
On Sep 1, 2009, at 4:41 PM, Joshua (Shiwei) Zhao wrote:
> I'm using Wireshark 1.0.4 with a WiFi device. When I select the device
> in capture options panel, I cannot get the expected linktype
> DLT_IEEE802_11_RADIO.
> I know the device driver is in monitor mode and it works if I manually
> add a DLT_IEEE802_11_RADIO type there and choose it.
> But how does Wireshark/winpcap get the default type, via an OID request
> OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE?
> I believe the driver does have support on these two OIDs.
>
> Is this a known problem or is there something not compatible between my
> driver and Wireshark/winpcap? I know Wireshark calls pcap_datalink()
> to retrieve the media type.

Wireshark's default link-layer type for a network adapter is the
default link-layer type that libpcap/WinPcap chooses for the device,
so it gets it with pcap_datalink().

If you want DLT_IEEE802_11_RADIO to be the default link-layer type for
Wireshark, you will either have to

1) choose a default by looking at the list of link-layer types
supported by the device and picking the "best" one (which I *really*
wouldn't advise doing in the standard version of Wireshark, as, on Mac
OS X Leopard and Snow Leopard, if you pick DLT_IEEE802_11_RADIO or
even DLT_IEEE802_11 for an 802.11 adapter you'll put the adapter into
monitor mode, which, on Atheros-based adapters, such as the ones on
many Apple notebooks, will disassociate it from the network)

or

2) change WinPcap to use DLT_IEEE802_11_RADIO as its default, as
returned by pcap_datalink().
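
Option 1 above, sketched as an added example that is not part of the original message and is not Wireshark or WinPcap code: it reads the default with pcap_datalink(), lists the supported types with pcap_list_datalinks(), and switches with pcap_set_datalink(). The preference order and the name pick_linktype() are assumptions of the example; on the Mac OS X systems described above, selecting either 802.11 type has the monitor-mode side effect the message warns about.

```c
#include <stdio.h>
#ifdef USE_LIBPCAP          /* build: cc -DUSE_LIBPCAP pick.c -lpcap */
#include <pcap.h>
#else                       /* DLT_ values as libpcap defines them */
#define DLT_EN10MB            1
#define DLT_IEEE802_11        105
#define DLT_IEEE802_11_RADIO  127
#endif

/* Preference order is this example's assumption: radio header first. */
static const int preferred[] = { DLT_IEEE802_11_RADIO, DLT_IEEE802_11 };

/* Return the most preferred type found in supported[0..n-1]; if none is
 * there, keep fallback (the default that pcap_datalink() reported). */
int pick_linktype(const int *supported, int n, int fallback)
{
    for (size_t p = 0; p < sizeof preferred / sizeof preferred[0]; p++)
        for (int i = 0; i < n; i++)
            if (supported[i] == preferred[p])
                return preferred[p];
    return fallback;
}

#ifdef USE_LIBPCAP
int main(int argc, char **argv)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    int *dlts = NULL;
    if (argc != 2) { fprintf(stderr, "usage: %s <device>\n", argv[0]); return 2; }
    pcap_t *p = pcap_open_live(argv[1], 65535, 1, 1000, errbuf);
    if (p == NULL) { fprintf(stderr, "%s\n", errbuf); return 1; }
    int def = pcap_datalink(p);                 /* library's default */
    int n = pcap_list_datalinks(p, &dlts);      /* everything offered */
    if (n < 0) { fprintf(stderr, "%s\n", pcap_geterr(p)); pcap_close(p); return 1; }
    int want = pick_linktype(dlts, n, def);
    pcap_free_datalinks(dlts);
    if (want != def && pcap_set_datalink(p, want) != 0)
        fprintf(stderr, "%s\n", pcap_geterr(p));
    printf("default=%d selected=%d\n", def, pcap_datalink(p));
    pcap_close(p);
    return 0;
}
#else
int main(void)   /* no libpcap: run on a constructed list */
{
    const int sample[] = { DLT_EN10MB, DLT_IEEE802_11, DLT_IEEE802_11_RADIO };
    printf("selected=%d\n", pick_linktype(sample, 3, DLT_EN10MB));
    return 0;
}
#endif
```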