Ethereal-dev: Re: [Ethereal-dev] 802.11 captures?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 12 May 2002 14:17:50 -0700

On Wed, May 08, 2002 at 08:33:33PM -0500, David Frascone wrote:
> How can I see the 802.11 header in an 802.11 capture?  I'm using kernel
> 2.4.18, pcmcia-cs-3.1.31,

I infer from

	http://pcmcia-cs.sourceforge.net/ftp/README-2.4

that pcmcia-cs is needed only for its userland stuff, not for any kernel
stuff, in 2.4 kernels, so I'm assuming this driver is not from the
pcmcia-cs package.

It appears that there's an "orinoco.c" file in the 2.4.18 kernel source
("drivers/net/wireless/orinoco.c").  The 2.4.18 "orinoco.c" doesn't
appear to support seeing raw 802.11 frames; it only returns a device
type of ARPHRD_ETHER, never ARPHRD_IEEE80211. 

The page at

	http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.html

speaks of a driver for "Wavelan IEEE/Orinoco, PrismII and Symbol cards"
that's part of:

	the 2.4.12 kernel;

	the 3.1.29 pcmcia package;

with the object file name "orinoco_cs.o".  As ARPHRD_IEEE80211 is
relatively new, I would not be surprised to find that said driver (if
that's what you have, although I suspect you just have the driver
referred to above) doesn't do raw 802.11 either.

(It also speaks of an older driver, no longer being maintained, with the
object file name "wvlan_cs.o"; it says of that driver

	Andreas Neuhaus is no longer working to improve this driver,
	therefore it's now discontinued in favor of the new Orinoco
	driver (see section 3).  The driver is based on Lucent source
	code, which is a cut down version of their full driver.  So, it
								 ^^^^^^
	lacks all the part about handling natively 802.11 frames...
	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
so that driver can't do it.)

However, having noticed that WildPackets have a (Windows) driver for use
with AiroPeek and AiroPeek NX that lets it capture on Orinoco cards, and
that Sniffer Wireless (for Windows) claims to work with Orinoco cards, I
figured there was probably *some* way of getting the Orinoco cards to do
it - and, sure enough, my friend Mr. Google, when asked about

	linux orinoco "raw 802.11"

managed to turn up a pile of links, including one to a page that, in
turn, linked to the Orinoco Monitor Mode Patch Page:

	http://airsnort.shmoo.com/orinocoinfo.html

which apparently uses both ARPHRD_IEEE80211_PRISM and ARPHRD_IEEE80211
(the former requiring a CVS snapshot version of libpcap, the latter
working with libpcap 0.7.1, and both of them supplying capture
information that Ethereal should be able to use).

(I should probably talk to Michael Richardson about putting up a bunch of
stuff on the tcpdump.org site giving information on how to tweak your
favorite free(-as-in-speech) UNIXes to do wireless sniffing; it's not an
Ethereal-specific issue, so it really belongs on the tcpdump.org site,
with programs using libpcap linking to that page from their Web sites.

But first I have to *find* all that information, as it appears to be
scattered all over the Web.  I guess not all 802.11 drivers are in the
"standard" Linux kernel, and even those that are don't necessarily have
patches in their standard versions to support ARPHRD_IEEE80211 or
ARPHRD_IEEE80211_PRISM.)
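
Added example, not part of the original message: a small C check that reads the link-layer type from a pcap capture file header to tell whether the driver delivered real 802.11 headers (ARPHRD_IEEE80211 or ARPHRD_IEEE80211_PRISM, which libpcap records as link types 105 and 119) or only Ethernet-style frames (ARPHRD_ETHER, link type 1). The function names and the sample header bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-layer type values libpcap stores in a capture file header. */
enum { DLT_EN10MB = 1, DLT_IEEE802_11 = 105, DLT_PRISM_HEADER = 119 };

static uint32_t rd32(const uint8_t *p, int be)
{
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Link type from the 24-byte pcap file header, or -1 if this is not a pcap file. */
long pcap_linktype(const uint8_t *hdr, size_t len)
{
    int be;
    if (len < 24) return -1;
    uint32_t magic = rd32(hdr, 1);   /* magic number in on-disk byte order */
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du) be = 1;       /* big-endian writer */
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u) be = 0;  /* little-endian writer */
    else return -1;
    return (long)(rd32(hdr + 20, be) & 0xffffu);  /* low 16 bits hold the link type */
}

/* 1: packets carry a real 802.11 header; 0: Ethernet-style frames; -1: other. */
int has_80211_header(long linktype)
{
    switch (linktype) {
    case DLT_IEEE802_11:   return 1;   /* frame starts with the 802.11 header */
    case DLT_PRISM_HEADER: return 1;   /* Prism header first, then the 802.11 header */
    case DLT_EN10MB:       return 0;   /* driver handed up Ethernet-style frames */
    default:               return -1;
    }
}

/* Constructed sample: header of a little-endian pcap file with link type 105. */
static const uint8_t sample_hdr[24] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x69,0x00,0x00,0x00
};

int main(void)
{
    long lt = pcap_linktype(sample_hdr, sizeof sample_hdr);
    printf("linktype=%ld has_802.11_header=%d\n", lt, has_80211_header(lt));
    return 0;
}
```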