[Winpcap-users] how Wireshark get linktype?
Guy Harris
guy at alum.mit.edu
Tue Sep 1 18:42:32 PDT 2009
On Sep 1, 2009, at 5:48 PM, Joshua (Shiwei) Zhao wrote:
> No it's not airpcap.
Then, as Gianluca noted, getting DLT_IEEE802_11_RADIO or
DLT_IEEE802_11 is not supported in WinPcap.
> I have the driver source code and it does return media type as
> NdisMedium802_11_Radio
(Do you mean NdisMediumRadio80211?)
> if it receives an OID as I mentioned earlier.
That's not a standard NDIS medium type according to
http://msdn.microsoft.com/en-us/library/cc514150.aspx
and that's NDIS 6.0 documentation, so it's not even in NDIS 6.0, much
less the 5.x that WinPcap supports. If the driver returns that in
response to OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE, I don't
know whether Microsoft will guarantee that it will work.
NdisMediumRadio80211 is also not a standard NDIS medium type.
I have the impression that the AirPcap driver is *NOT* an NDIS driver;
the AirPcap device can be used for capturing traffic, but it can't be
used as a regular network device. I think WinPcap communicates with
the AirPcap driver with a special private interface, not through NDIS.
> But the driver never sees a request for those OIDs.
If you look at, for example, the WinPcap 4.0.2 source, you see that
PacketGetLinkLayerFromRegistry(), in packetNtx/Dll/AdInfo.c, requests
the medium type with OID_GEN_MEDIA_IN_USE.
> In Wireshark I also tried to add code to send OIDs request to the
> driver, using wpcap_packet_request(). If I define a new OID on both
> side, it works fine. However, when I send an OID of
> OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE, the driver never sees
> this OID. It's lost somewhere? I still cannot figure out....
Perhaps there's something wrong with the driver? Perhaps NDIS gets
confused if it reports a medium type that's not one of the ones
defined by NDIS?
More information about the Winpcap-users
mailing list