Wireshark-dev: Re: [Wireshark-dev] [Winpcap-users] how Wireshark get linktype?

From: "Joshua (Shiwei) Zhao" <swzhao@xxxxxxxxx>
Date: Tue, 1 Sep 2009 17:31:19 -0700
1) In Wireshark, we can choose a default interface but cannot choose a
default linktype for that interface, right? Maybe we need to add that
option :)

2) Since I already set the driver to monitor mode, I thought winpcap
should return that as the default.
    In fact, winpcap doesn't even return DLT_IEEE802_11_RADIO as an
option. It only gives the default linke types. That's why I wonder
whether there is compatibility issue between winpcap and the driver
and whether winpcap uses those two OIDs for linktype queries.

Thanks,
Joshua



On Tue, Sep 1, 2009 at 5:05 PM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
>
> On Sep 1, 2009, at 4:41 PM, Joshua (Shiwei) Zhao wrote:
>
>> I'm using Wireshark 1.0.4 with a WiFi device. When I select the device
>> in capture options panel, I cannot get the expected linktype
>> DLT_IEEE802_11_RADIO.
>> I know the device driver is in monitor mode and it works if I manually
>> add a DLT_IEEE802_11_RADIO type there and choose it.
>> But how does Wireshark/winpcap get the default type, via a OID request
>> OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE?
>> I believe the driver does have support on these two OIDs.
>>
>> Is this a known problem or is there sth not compatible between my
>> driver and Wireshark/winpcap? I know Wireshark calls pcap_datalink()
>> to retrieve the media type.
>
> Wireshark's default link-layer type for a network adapter is the
> default link-layer type that libpcap/WinPcap chooses for the device,
> so it gets it with pcap_datalink().
>
> If you want DLT_IEEE802_11_RADIO to be the default link-layer type for
> Wireshark, you will either have to
>
>        1) choose a default by looking at the list of link-layer types
> supported by the device and picking the "best" one (which I *really*
> wouldn't advise doing in the standard version of Wireshark, as, on Mac
> OS X Leopard and Snow Leopard, if you pick DLT_IEEE802_11_RADIO or
> even DLT_IEEE802_11 for an 802.11 adapter you'll put the adapter into
> monitor mode, which, on Atheros-based adapters, such as the ones on
> many Apple notebooks, will disassociate it from the network)
>
> or
>
>        2) change WinPcap to use DLT_IEEE802_11_RADIO as its default, as
> returned by pcap_datalink().
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users@xxxxxxxxxxx
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>