Wireshark-users: Re: [Wireshark-users] promiscuous capture on Mac OS X shows different 802.11 rat

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 11 Oct 2009 15:47:06 -0700

On Oct 11, 2009, at 3:06 PM, George Nychis wrote:

> I am running Wireshark in promiscuous mode on Mac OS X, and I find
> that it is reporting different 802.11 TX rates (radiotap.datarate)

(If you're getting Radiotap information, you're actually running in monitor mode; unfortunately, OS X won't give radiotap information - or even 802.11 frames - unless it's in monitor mode, so requesting a link-layer type of 802.11 or 802.11+radiotap puts the adapter in monitor mode. For Atheros AirPort cards, that causes the adapter to disassociate from the network.)

> than if I boot the machine in Linux and run Wireshark.

(Unfortunately, at least with mac80211 drivers, and even with non-mac80211 drivers for some adapters, Linux also won't give you radio information except in monitor mode, although, again at least with mac80211 drivers, you can capture on a wmaster driver and get 802.11 headers without going into monitor mode. *BSD FTW here - monitor mode and the link-layer type are orthogonal.)

> In linux, the
> beacons for my AP are shown to be 1Mbps (believable) ... whereas in
> Mac OS X Wireshark shows me 13Mbps.  That is a little odd for a beacon
> frame.

There could well be a bug in the OS X driver for your network adapter, so that it supplies a bogus data rate for transmitted frames.

What version of OS X is this, and what type of AirPort card does it have? (Apple menu -> About This Mac -> "More Info...", and there should be something called "AirPort Card" under "Network".)