Wireshark-dev: Re: [Wireshark-dev] Get "Malformed Packet" for 802.11 Beacon frames on Windows

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 12 Apr 2016 19:23:40 -0700
On Apr 12, 2016, at 6:39 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> On Wed, Apr 13, 2016 at 1:47 AM, Alexis La Goutte <alexis.lagoutte@xxxxxxxxx> wrote:
> 
>> Awesome !
>> 
>> Need to include support for directly switching to monitor mode in Wireshark :)
> 
> You bet! That will be the last step to do.
> WlanHelper is currently a workaround for this feature. Switching monitor mode on and off should be doable directly from Wireshark, for ease of use.
> However, I'm also planning to provide the monitor switch in an API way too,

Yes.

The API is pcap_set_rfmon().

In your activate routine, if the opt.rfmon field of the pcap_t is 1, then put the device in monitor mode, otherwise don't put it in monitor mode.

> so a program can switch on and off Monitor mode too.

No, your only option to control monitor mode is when you open the device; you don't get to turn it on and off while you're capturing - you have to close the device and re-open it.

If you do that, it will work in Wireshark, the same way it does in OS X (and, if you happen to have a version of libpcap linked with libnl, on Linux), without having to change Wireshark.

> BTW, are there any options when setting to Monitor mode? Like channel no or something.

There are currently no APIs in libpcap to control the channel number; I plan to add them in the future.  (I plan to do that after splitting off some functions into a helper process, so that libpcap wouldn't have to be linked with libnl on Linux or with the CoreWLAN framework on OS X - only the helper process would.)

> I don't know what's NdisMediumPpi

It's for the PPI header:

	http://www.cacetech.com/documents/PPI%20Header%20format%201.0.10.pdf

which AirPcap adapters, and at least some AirPort cards on some versions of OS X, can provide.  Radiotap is a better form of radio metadata, and my goal is to get it to the point where everything Wireshark supports with PPI is also supported with radiotap (the only thing missing is the ability to show the individual frames of an A-MPDU all together).

> So is there any possibility to remove the "AirPcap" string in the UI?

Yes, it should be removed from there.