Wireshark-dev: Re: [Wireshark-dev] Sniff WLAN packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 8 Dec 2006 14:00:00 -0800

On Dec 8, 2006, at 2:42 AM, david lopez wrote:

> I'm David, a PhD student.
> I'm developing a small sniffer for my project. I'm using libpcap.

It appears, from your program, that you're using WinPcap (the Windows port of libpcap).

Are you doing this on Windows (in which case you're using WinPcap) or on some other OS (in which case you're using libpcap)?

In either case, the right mailing list for this is probably tcpdump-workers@xxxxxxxxxxx (even when using WinPcap, if you're not using any WinPcap-specific features or having Windows-specific issues) or the WinPcap mailing list (if you're using WinPcap-specific features or having Windows-specific or WinPcap-specific issues).


> I built a sniffer for capturing ethernet packets on the cable and it is working fine. Now, I would like to use this sniffer for capturing 802.11 WLAN packets. When I use this sniffer for capturing 802.11 WLAN packets on my adapter, it looks ok, but when I try to get the MAC and IP addresses, they are wrong. I suppose that I should eliminate first the WLAN envelopment or something like that.
>
> I would like to know if you can give a clue or if you have some example code.
>
> Here you have my code:

...which assumes that the packets have Ethernet headers. That will only be true if pcap_datalink() returns DLT_EN10MB; if it's not doing that, your code won't work.

Note that on 802.11 interfaces you might still get packets with Ethernet headers, because the 802.11 adapter, or its driver, might turn the native 802.11 plus 802.2 plus SNAP headers on packets into fake Ethernet headers. If that's the case, pcap_datalink() will return DLT_EN10MB; if it's not the case, it'll return some other value, such as DLT_IEEE802_11.

What does the line
 printf("\nDatalink=%s\n\n", pcap_datalink_val_to_name(datalink));

print?  If it doesn't print

	Datalink=Ethernet

then your program won't work; you will have to modify it to check the value of "datalink", and only treat the packet as beginning with an Ethernet header if it's DLT_EN10MB, and have it do whatever is appropriate for the *other* type of link-layer header for values other than DLT_EN10MB. (Take a look at tcpdump to see what's involved with that, and why, to handle the general case, a lot is involved; in particular, note how many entries the "printers[]" table has.)

If you're running on Windows, it'll probably report "Datalink=Ethernet" on 802.11 interfaces.
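As an added example (not code from either message in this thread), here is a C routine that does the dispatch Guy describes: it treats the frame as Ethernet only for DLT_EN10MB, and for DLT_IEEE802_11 strips the 802.11 data-frame header plus the LLC/SNAP header before locating the IP header. The DLT_ numbers are libpcap's own values, defined locally so the file compiles without libpcap (a real sniffer gets `datalink` from pcap_datalink()); the two sample frames are constructed, and the 802.11 branch goes a little beyond the thread by handling To DS/From DS address placement, 4-address and QoS data frames.

```c
#include <stdint.h>
#include <string.h>

/* libpcap DLT_ values (numbers from pcap/dlt.h), defined here so this compiles
 * without libpcap; a real sniffer gets the value from pcap_datalink(). */
#define DLT_EN10MB     1
#define DLT_IEEE802_11 105
#define ETHERTYPE_IP   0x0800
struct l2_info { uint8_t src[6], dst[6]; int ip_offset; /* -1 if not IPv4 */ };

/* Strip the link-layer "envelope" according to the DLT value: a 14-byte Ethernet header,
 * or an 802.11 Data frame header followed by LLC/SNAP. Returns 0 on success, -1 if the
 * DLT is unsupported or the frame is too short / not SNAP-encapsulated. */
int parse_l2(int datalink, const uint8_t *pkt, size_t len, struct l2_info *out)
{
    static const uint8_t snap[] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };
    const uint8_t *sa, *da;
    size_t hdr;                                  /* offset of the EtherType field */
    if (datalink == DLT_EN10MB) {
        if (len < 14) return -1;
        da = pkt; sa = pkt + 6; hdr = 12;
    } else if (datalink == DLT_IEEE802_11) {
        if (len < 24 || ((pkt[0] >> 2) & 3) != 2) return -1;  /* only Data frames carry IP */
        int to_ds = pkt[1] & 1, from_ds = (pkt[1] >> 1) & 1;
        hdr = 24;
        if (to_ds && from_ds) hdr += 6;          /* 4-address (WDS) frame carries Address 4 */
        if (pkt[0] & 0x80) hdr += 2;             /* QoS Data subtype adds a QoS Control field */
        da = to_ds ? pkt + 16 : pkt + 4;         /* which address field holds SA/DA depends */
        sa = from_ds ? (to_ds ? pkt + 24 : pkt + 16) : pkt + 10;  /* on To DS / From DS */
        if (len < hdr + 8 || memcmp(pkt + hdr, snap, 6) != 0) return -1;  /* encrypted too */
        hdr += 6;
    } else {
        return -1;  /* other DLT_ values: see tcpdump's printers[] table for the full set */
    }
    memcpy(out->dst, da, 6);
    memcpy(out->src, sa, 6);
    out->ip_offset = ((pkt[hdr] << 8 | pkt[hdr + 1]) == ETHERTYPE_IP) ? (int)(hdr + 2) : -1;
    return 0;
}

/* Constructed sample frames (not captures): the same IPv4 packet behind an Ethernet
 * header and behind an 802.11 Data frame (To DS=1) with an LLC/SNAP header. */
static const uint8_t sample_eth[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, 0x45,0x00 };
static const uint8_t sample_wlan[] = {
    0x08,0x01, 0x00,0x00,                        /* Frame Control (Data, To DS), Duration */
    0x02,0x00,0x00,0x00,0x00,0x01,               /* Address 1 = BSSID */
    0x66,0x77,0x88,0x99,0xaa,0xbb,               /* Address 2 = SA */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x00,    /* Address 3 = DA, Sequence Control */
    0xAA,0xAA,0x03,0x00,0x00,0x00, 0x08,0x00,    /* LLC/SNAP + EtherType IPv4 */
    0x45,0x00 };
```

Feeding `sample_wlan` through the Ethernet branch reproduces the symptom in the question: the first 12 bytes of the 802.11 header are read as MAC addresses, so they come out wrong.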