Re: Get "Malformed Packet" for 802.11 Beacon frames on Windows

[Guy Harris <guy () alum mit edu>]

On Apr 12, 2016, at 6:39 PM, Yang Luo <hsluoyb () gmail com> wrote:

> On Wed, Apr 13, 2016 at 1:47 AM, Alexis La Goutte <alexis.lagoutte () gmail com> wrote:
>
> > Awesome !
> >
> > Need to include support of directly switch to monitor mode on Wireshark :)
>
> You bet! That will be the last step to do.
> WlanHelper is currently a workaround for this feature. Monitor mode switch on and off should be able to be done 
> directly using Wireshark for friendly use.
> However, I'm also planning to provide the monitor switch in a API way too,

Yes.

The API is pcap_set_rfmon().

In your activate routine, if the opt.rfmon field of the pcap_t is 1, then put the device in monitor mode, otherwise 
don't put it in monitor mode.

> so a program can switch on and off Monitor mode too.

No, your only option to control monitor mode is when you open the device; you don't get to turn it on and off while 
you're capturing - you have to close the device and re-open it.

If you do that, it will work in Wireshark, the same way it does in OS X (and, if you happen to have a version of 
libpcap linking with libel, on Linux), without having to change Wireshark.

> BTW, are there any options when setting to Monitor mode? Like channel no or something.

There are currently no APIs in libpcap to control the channel number; I plan to add them in the future.  (I plan to do 
that after splitting off some functions into a helper process, so that libpcap wouldn't have to be linked with libnl on 
Linux or with the CoreWLAN framework on OS X - only the helper process would.)

> I don't know what's NdisMediumPpi

It's for the PPI header:

        http://www.cacetech.com/documents/PPI%20Header%20format%201.0.10.pdf

which AirPcap adapters, and at least some AirPort cards on some versions of OS X, can provide.  Radiotap is a better 
form of radio metadata, and my goal is to get it to the point where everything Wireshark supports with PPI is also 
supported with radiotap (the only thing missing is the ability to show the individual frames of an A-MPDU all together).

> So is there any possibility to remove the "AirPcap" string in the UI?

Yes, it should be removed from there.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe