Wireshark-dev: Re: [Wireshark-dev] [Winpcap-users] how Wireshark get linktype?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 1 Sep 2009 17:05:46 -0700

On Sep 1, 2009, at 4:41 PM, Joshua (Shiwei) Zhao wrote:

> I'm using Wireshark 1.0.4 with a WiFi device. When I select the device
> in the capture options panel, I cannot get the expected linktype
> DLT_IEEE802_11_RADIO.
> I know the device driver is in monitor mode and it works if I manually
> add a DLT_IEEE802_11_RADIO type there and choose it.
> But how does Wireshark/winpcap get the default type, via an OID request
> OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE?
> I believe the driver does have support for these two OIDs.
>
> Is this a known problem or is there something not compatible between my
> driver and Wireshark/winpcap? I know Wireshark calls pcap_datalink()
> to retrieve the media type.

Wireshark's default link-layer type for a network adapter is the default link-layer type that libpcap/WinPcap chooses for the device, so it gets it with pcap_datalink().

If you want DLT_IEEE802_11_RADIO to be the default link-layer type for Wireshark, you will either have to

1) choose a default by looking at the list of link-layer types supported by the device and picking the "best" one (which I *really* wouldn't advise doing in the standard version of Wireshark, as, on Mac OS X Leopard and Snow Leopard, if you pick DLT_IEEE802_11_RADIO or even DLT_IEEE802_11 for an 802.11 adapter you'll put the adapter into monitor mode, which, on Atheros-based adapters, such as the ones on many Apple notebooks, will disassociate it from the network)

or

2) change WinPcap to use DLT_IEEE802_11_RADIO as its default, as returned by pcap_datalink().
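
An added sketch of option 1, not part of the original message and not Wireshark or WinPcap code: it picks a link-layer type from the supported list only when the caller has accepted that the adapter may be switched into monitor mode, and otherwise keeps the pcap_datalink() default. The helper names, the `monitor_ok` flag and the ranking of "best" are assumptions; the DLT values are repeated from libpcap's headers so the block builds without libpcap.

```c
#include <stddef.h>
#include <stdio.h>

/* Values as defined in libpcap's pcap/dlt.h, repeated so this builds stand-alone. */
#define DLT_EN10MB            1
#define DLT_IEEE802_11        105
#define DLT_IEEE802_11_RADIO  127

/* Hypothetical helper: is dlt in the list pcap_list_datalinks() returned? */
static int dlt_supported(const int *list, size_t n, int dlt)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == dlt)
            return 1;
    return 0;
}

/*
 * Hypothetical policy for option 1.
 *   pcap_default: what pcap_datalink() reported for the open device.
 *   monitor_ok:   non-zero only if the caller accepts that choosing an
 *                 802.11 type may put the adapter into monitor mode and
 *                 drop its association.
 * The ranking (radiotap first, then bare 802.11) is an assumption about
 * what "best" means. A real program would pass the result to
 * pcap_set_datalink().
 */
int choose_linktype(const int *list, size_t n, int pcap_default, int monitor_ok)
{
    static const int preferred[] = { DLT_IEEE802_11_RADIO, DLT_IEEE802_11 };

    if (!monitor_ok)
        return pcap_default;            /* never leave the default silently */
    for (size_t i = 0; i < sizeof preferred / sizeof preferred[0]; i++)
        if (dlt_supported(list, n, preferred[i]))
            return preferred[i];
    return pcap_default;                /* no 802.11 type offered */
}

int main(void)
{
    /* Constructed sample: default is Ethernet, 802.11 types also offered. */
    const int wifi[] = { DLT_EN10MB, DLT_IEEE802_11, DLT_IEEE802_11_RADIO };

    printf("without opt-in: %d\n", choose_linktype(wifi, 3, DLT_EN10MB, 0));
    printf("with opt-in:    %d\n", choose_linktype(wifi, 3, DLT_EN10MB, 1));
    return 0;
}
```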