Wireshark-users: Re: [Wireshark-users] Sniffing Wireless with Wireshark?

Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 1 Nov 2009 01:42:30 -0700

On Oct 31, 2009, at 9:42 PM, Steve Evans wrote:

Are you using PCAP (or similar) adapters?

Presumably by "PCAP (or similar) adapters" you mean "AirPcap (or similar) adapters":

	http://www.cacetech.com/products/airpcap.html

Windows, prior to the adoption of "Native 802.11":

	http://msdn.microsoft.com/en-us/library/aa503061.aspx

was not very friendly towards capturing on 802.11 networks, and, even with Native 802.11, capturing with WinPcap (the capture mechanism Wireshark uses on Windows) doesn't work all that well (WinPcap doesn't support NDIS 6, and thus doesn't support Native 802.11). With WinPcap, on 802.11 networks, you can capture with promiscuous mode off, and capture traffic to and from your machine, which will *probably* work; promiscuous mode might not work at all, and monitor mode isn't supported.

AirPcap adapters are special (they don't plug into the normal Windows networking stack, so they can't be used as normal adapters to join a wireless network), and can capture (in what amounts to monitor mode) on Windows.