Wireshark-users: Re: [Wireshark-users] Capturing 802.11 Headers in Managed Mode

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 08 May 2007 09:59:47 -0700

Ritesh Taank wrote:

I have searched endlessly on the Internet for ways around this, and have found only a few articles that touch briefly on the subject, without giving too much detail. From what I'm reading out there, I think there is a way around this by using a specific type of card/driver combination?

Yes. From a quick look at the code, it should be possible to do this by using the right driver...

...the one in FreeBSD should do the job. :-) NetBSD's, OpenBSD's, and DragonFly BSD's might also work (I suspect they would). If you request 802.11 headers - or 802.11+radiotap headers - via the GUI in Wireshark or via the "-y" flag in Wireshark, TShark, or tcpdump, you should get them even when not in monitor mode.

Unfortunately, a quick look at the ipw2200 driver in the 2.6.20.4 Linux kernel suggests that it only returns 802.11 headers in monitor mode, so you might be out of luck if you want to do this on Linux. There is, I suspect, no reason in theory why most of the Linux wireless drivers couldn't supply 802.11 or 802.11+radiotap headers, but in Linux, unless it was added recently, there's no API to request particular link-layer headers for packets delivered to a PF_PACKET socket (unlike recent versions of {Free,Net,Open,DragonFly}BSD, where you can request particular link-layer header types for a BPF device and can independently request monitor mode), and, for whatever reason, they might have decided to provide Ethernet headers (perhaps so as not to break programs not prepared to get 802.11 headers - I think that was the rationale for not supplying them by default in BSD).

If you saw Web articles talking about particular cards and drivers, where were those articles?

Others have mentioned making modifications to the driver for my card (ipw2200)?

Where was that mentioned? (Links to the articles?)

I also read that the mad-wifi and hostap drivers might be able to do what I need, but from their respective project websites I couldn't find these answers. Also, would they work with my ipw2200 card?

No, they wouldn't work with your card - the madwifi driver is for cards using Atheros chips (not Intel chips), and the hostap driver is for cards using PRISM II/2.5/3 chips.
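
One way to check which link-layer headers a capture actually contains (for instance after requesting 802.11 headers with "-y"), as an added example that is not part of the original message: the Python sketch below reads the link-layer type from a classic pcap file header and summarizes the first frame. The function names and the sample captures are constructed for illustration.

```python
import struct

# pcap link-layer header types relevant here (LINKTYPE_ values).
LINKTYPES = {1: "Ethernet", 105: "802.11", 127: "802.11+radiotap"}
# First four bytes of a classic pcap file -> struct byte-order prefix
# (microsecond and nanosecond variants, both byte orders).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def describe_capture(data):
    """Return (link-layer type name, summary of first frame or None)."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    # The link type is the last field of the 24-byte global header;
    # mask off the upper bits, which can carry FCS information.
    network = struct.unpack(order + "I", data[20:24])[0] & 0xFFFF
    name = LINKTYPES.get(network, "other (%d)" % network)
    if len(data) < 40:
        return name, None          # no packet records
    # Per-packet record header: ts_sec, ts_frac, incl_len, orig_len.
    incl_len = struct.unpack(order + "I", data[32:36])[0]
    frame = data[40:40 + incl_len]
    if network == 127 and len(frame) >= 4:
        # radiotap: version, pad, it_len (always little-endian), present...
        frame = frame[struct.unpack("<H", frame[2:4])[0]:]
    if network in (105, 127) and frame:
        # 802.11 frame control, first byte: version(2) type(2) subtype(4)
        ftype = ("management", "control", "data", "extension")[(frame[0] >> 2) & 3]
        return name, "%s frame, subtype %d" % (ftype, frame[0] >> 4)
    if network == 1 and len(frame) >= 14:
        return name, "ethertype 0x%04x" % struct.unpack("!H", frame[12:14])[0]
    return name, None

def build_pcap(network, frame):
    """Build a one-packet little-endian pcap (constructed sample input)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, network)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed samples: what a driver handing up Ethernet headers delivers
# versus one handing up 802.11+radiotap headers.
ETHERNET = build_pcap(1, bytes(12) + b"\x08\x00" + bytes(20))
RADIOTAP = build_pcap(127, b"\x00\x00\x08\x00\x00\x00\x00\x00" + b"\x80\x00" + bytes(22))

if __name__ == "__main__":
    for sample in (ETHERNET, RADIOTAP):
        print(describe_capture(sample))
```

A capture that reports "Ethernet" here was delivered with Ethernet headers by the driver, which is the ipw2200 behaviour outside monitor mode described above.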