Wireshark-users: Re: [Wireshark-users] How to capture wireless?WiFI

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 19 Dec 2009 12:25:04 -0800
On Dec 18, 2009, at 4:04 PM, Roader wrote:

>     My name is ErWei Zhang. I'm a Wireshark user in China. I want to capture Wi-Fi data. How to capture them? How to set Wireshark?
>     I used one TP-Link wireless adapter (wl-310). The operating system is Windows XP.

Unfortunately, Windows is not the best platform on which to capture Wi-Fi traffic.

See

	http://wiki.wireshark.org/CaptureSetup/WLAN#head-02456742c655394c9e948a4c9a59d3441c92782f

for details.

>     Yesterday, I used Wireshark to capture some Wi-Fi data. But I think it didn't capture all I want. It contains some ARP data, but does not have IEEE 802.11 data. Why?

Because WinPcap doesn't support the Native 802.11 mechanism in Vista and later (which might also be in later service packs of Windows XP).  Even if it did (making it do so would be a significant change), in order to capture non-data frames and to see the 802.11 headers on data frames, the driver for your wireless adapter would *also* have to support Native 802.11, and not all of them necessarily do (especially on Windows XP).

In addition, in order to capture that traffic, the adapter would have to be put into monitor mode, which would, on Windows, disassociate you from whatever network you're associated with, at least according to Microsoft:

	http://msdn.microsoft.com/en-us/library/aa503132.aspx

which might not be what you want.

If you want to capture 802.11 traffic on Windows, you might want to try using CACE Technologies' AirPcap devices:

	http://www.cacetech.com/products/airpcap.html

They don't function as regular 802.11 adapters, so you'd still need your TP-LINK adapter.
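
Whether a saved capture carries the 802.11 headers discussed in this message can be checked from the capture file itself. The following is an added example, not part of the original message: it reads the link-layer type from a classic pcap file header, and the function names and the two sample headers are constructed for illustration.

```python
import struct

# Link-layer header types that carry 802.11 headers (values from the
# tcpdump.org LINKTYPE_ registry). Type 1 is Ethernet, which carries none.
LINKTYPE_ETHERNET = 1
WIFI_LINKTYPES = {
    105: "IEEE802_11 (bare 802.11 header)",
    119: "IEEE802_11_PRISM (Prism header + 802.11)",
    127: "IEEE802_11_RADIOTAP (radiotap + 802.11)",
    163: "IEEE802_11_AVS (AVS header + 802.11)",
}

# First four bytes of a classic pcap file -> struct byte-order prefix.
# The last two entries are the nanosecond-timestamp variant.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",
    b"\xd4\xc3\xb2\xa1": "<",
    b"\xa1\xb2\x3c\x4d": ">",
    b"\x4d\x3c\xb2\xa1": "<",
}

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type from a 24-byte classic pcap file header."""
    if len(header) < 24:
        raise ValueError("truncated pcap file header")
    order = MAGICS.get(header[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng or another format)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    fields = struct.unpack(order + "HHiIII", header[4:24])
    # The link type is the low 16 bits; upper bits may hold FCS information.
    return fields[5] & 0xFFFF

def has_80211_headers(header: bytes) -> bool:
    """True if frames in this capture start with (or wrap) an 802.11 header."""
    return pcap_linktype(header) in WIFI_LINKTYPES

# Constructed sample headers: a little-endian Ethernet-type capture (what the
# questioner describes seeing) and a big-endian radiotap capture.
ETHERNET_CAPTURE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
RADIOTAP_CAPTURE = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)

if __name__ == "__main__":
    for name, hdr in (("ethernet", ETHERNET_CAPTURE), ("radiotap", RADIOTAP_CAPTURE)):
        lt = pcap_linktype(hdr)
        print(name, lt, WIFI_LINKTYPES.get(lt, "no 802.11 headers"))
```

For a real file, pass the first 24 bytes read in binary mode; a capture reporting link type 1 will show data frames with Ethernet headers and no 802.11 management or control frames.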