Wireshark-users: Re: [Wireshark-users] Help.. pcap to ivs

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 14 Mar 2008 10:20:41 -0700
Andrea Faver wrote:

> I know... I saved my dump.pcap file in wireshark-tcpdump-libpcap mode.
> I tried in DOS ivstools --convert dump.pcap dump.ivs
> The error message is:
> opening dump.pcap
> "dump.pcap" isn't a regular 802.11 (wireless) capture

That doesn't mean it's not a pcap file - it means the packets in it don't have 802.11 headers.

A lot of 802.11 adapters can be configured to provide to the host fake Ethernet packets, rather than 802.11 packets, and a lot of 802.11 drivers will, by default, configure the adapters to do so.

On Windows prior to Windows Vista, that's how *all* the drivers work, as far as I know; the networking stack doesn't handle 802.11 headers. In Windows Vista, the networking stack can handle 802.11 headers, but not all drivers have been changed to work with the "Native 802.11" mechanism - and, even for those that have, WinPcap doesn't put the adapter into monitor mode, so they won't supply 802.11 headers.

So if you've captured on Windows with a WinPcap-based application, such as WinDump or Wireshark, you won't have an 802.11 capture.

On Linux, adapters don't supply 802.11 headers by default, but a lot of them do so in monitor mode. See

	http://wiki.wireshark.org/CaptureSetup/WLAN#head-bb8373ef4903fe9da2b8375331726541fb1ad32d

for information on some adapters.

On FreeBSD, NetBSD, OpenBSD, and, I think, DragonFly BSD, you can get 802.11 headers in newer versions; see

	http://wiki.wireshark.org/CaptureSetup/WLAN#head-2fcfb4ae9d4e09f91c40d7112ba5103f84b5646d

In Mac OS X 10.4, there might be a "wlt1" or "wlt2" adapter - if you capture on that, the capture will be done in monitor mode, and will have 802.11 headers. See

	http://kismac.macpirate.ch/wiki/doku.php?id=troubleshooting_airport_extreme

for information on tweaking the Info.plist file for the adapter to enable the wlt device - I think it's available by default on at least some Intel-based Macs, but you have to tweak the Info.plist file and reboot to get it on, for example, a PowerBook.

In Mac OS X 10.5, if you select 802.11 headers with the "-y" flag to tcpdump or TShark or the link-layer header type list in Wireshark, the capture will be done in monitor mode, and will have 802.11 headers.

In any case, note that, if the adapter is put into monitor mode, it might disassociate itself from the network, so you won't necessarily be able to capture traffic on a machine while it's active on a wireless network - you might only be able to passively capture traffic from other machines.
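The quickest way to confirm what the reply describes (a valid pcap whose packets simply carry Ethernet rather than 802.11 headers) is to read the link-layer type from the file's global header before feeding it to a wireless tool. The following is an added example, not code from the thread or from Wireshark/ivstools; the header bytes it checks are constructed in memory, and the link-layer type numbers are libpcap's documented values.

```python
import struct

# libpcap link-layer header types (DLT_* values) relevant to this question.
LINKTYPE_NAMES = {
    1: "LINKTYPE_ETHERNET",            # "fake Ethernet" frames from the adapter
    105: "LINKTYPE_IEEE802_11",        # raw 802.11 frames (what ivstools expects)
    119: "LINKTYPE_PRISM_HEADER",      # 802.11 with Prism monitor-mode header
    127: "LINKTYPE_IEEE802_11_RADIOTAP",  # 802.11 with radiotap header
    163: "LINKTYPE_IEEE802_11_AVS",    # 802.11 with AVS header
    192: "LINKTYPE_PPI",               # 802.11 with PPI header
}
WIRELESS_LINKTYPES = {105, 119, 127, 163, 192}

# Magic number as read little-endian from the first 4 bytes -> (byte order, resolution).
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "us"), 0xD4C3B2A1: (">", "us"),  # microsecond timestamps
    0xA1B23C4D: ("<", "ns"), 0x4D3CB2A1: (">", "ns"),  # nanosecond timestamps
}


def pcap_linktype(data: bytes) -> int:
    """Return the link-layer type from a libpcap global header (24 bytes)."""
    if len(data) < 24:
        raise ValueError("too short to be a libpcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    endian = PCAP_MAGICS[magic][0]
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    _, _, _, _, _, network = struct.unpack(endian + "HHiIII", data[4:24])
    return network


def linktype_name(linktype: int) -> str:
    return LINKTYPE_NAMES.get(linktype, "LINKTYPE_%d" % linktype)


def is_wireless_capture(data: bytes) -> bool:
    """True if the packets carry 802.11 headers (with or without a radio header)."""
    return pcap_linktype(data) in WIRELESS_LINKTYPES


def make_pcap_header(linktype: int, endian: str = "<") -> bytes:
    """Construct a global header for testing (constructed data, not a real capture)."""
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    for lt in (1, 105, 127):
        hdr = make_pcap_header(lt)
        print(linktype_name(lt), "wireless:", is_wireless_capture(hdr))
```

To check a real file, pass `open("dump.pcap", "rb").read(24)` to `is_wireless_capture`; a result of `LINKTYPE_ETHERNET` is exactly the case the reply describes.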