Wireshark-dev: Re: [Wireshark-dev] Link-layer header type??

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 24 Oct 2008 18:55:03 -0700

On Oct 24, 2008, at 5:48 PM, Joshua (Shiwei) Zhao wrote:

Under the Capture Options dialogue, there is an item for "Link-layer
header type". There are only two menu items as default: "Ethernet" and
"Data Over Cable Service.....".
How can I add another type there, e.g. 802.11, either by configuration
or by modifying the code?

Is the adapter on which you're trying to capture an 802.11/Wi-Fi adapter?

And on what operating system are you running Wireshark?

And how can I modify the code to add other types to always show up by default?

You cannot modify the Wireshark code, and it would make no sense to do so. The only link-layer headers you can get are the ones that the capture device, its driver, and libpcap/WinPcap support.

In the case of 802.11 adapters and their drivers, they might, or might not, support getting 802.11 headers. See

	http://wiki.wireshark.org/CaptureSetup/WLAN

for some information on that. Libpcap 1.0 should, when it's released, make that better, at least on Linux, *BSD, and Mac OS X, although Wireshark will need to be changed to use the new APIs for requesting monitor mode (and, on Linux, mac80211 drivers won't work the way they're supposed to; I'll look at fixing that in a later libpcap release). For Windows, currently you'd need to buy an AirPcap adapter:

	http://www.cacetech.com/products/airpcap_family.htm

In theory, WinPcap should be able to handle the new Libpcap 1.0 APIs on Vista, but not on XP or earlier; nobody's written any code to do so, however.

In the case of Ethernet adapters, newer versions of libpcap/WinPcap also offer "Data Over Cable Service Interface Specification" to handle the case where some piece of Cisco cable modem head-end equipment is sending DOCSIS (Data Over Cable Service Interface Specification) packets encapsulated inside Ethernet framing ("Ethernet framing" does not include the MAC header, so the packets aren't Ethernet packets - yes, it's a hack).

In the case of Endace DAG adapters:

	http://www.endace.com/dag-network-monitoring-cards.html

that capture on SONET/SDH or PDH/TDM links, they might offer multiple link-layer types as the user would have to indicate what particular type of traffic is being run on the SONET/SDH or T-carrier/E-carrier link.