Re: [tcpdump-workers] What's the difference between NdisMediumBare80211 (DLT_IEEE802_11) and NdisMediumRadio80211 (DLT_IEEE802_11_RADIO)

[Guy Harris <guy () alum mit edu>]

On Apr 6, 2016, at 7:21 PM, Yang Luo <hsluoyb () gmail com> wrote:

> BTW, should adding radiotap header to a 802.11 packet be an option which can be selected by the user? If yes, which 
> is by default? with radiotap or without it?
> In fact, I want to know how Linux implements this?

Newer Linux drivers are mac80211 drivers, which supply "fake Ethernet" headers when not in monitor mode and 
802.11+radiotap headers when in monitor mode.

> I tend to keep the alike manner as other systems.

Different systems behave differently.  BSD-flavored systems might offer the option of no radio header or radiotap 
headers, or might even offer a choice of no radio header or *multiple* radio headers:

        $ tcpdump -i en0 -L
        Data link types for en0 when not in monitor mode (use option -y to set):
          RAW (Raw IP)
          PPI (Per-Packet Information)
          EN10MB (Ethernet)
        $ tcpdump -i en0 -I -L
        Data link types for en0 when in monitor mode (use option -y to set):
          RAW (Raw IP)
          IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header)
          IEEE802_11 (802.11)
          IEEE802_11_RADIO (802.11 plus radiotap header)
          PPI (Per-Packet Information)

but I think that's overkill - it's probably best to just provide 802.11+radiotap headers in monitor mode, with no 
option.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe