On Tue, Aug 26, 2003 at 05:44:29AM +0100, Puneet Goel wrote:
> i have been looking for buying a WLAN setup. one of the possible use
> of mine is using ethereal or some other protocol analyzer under Windows
> as well as occasinally Linux too. so thought of some possible hardware
(I am assuming that by "hardware" you're referring only to an 802.11
card.)
> but saw only some of the hardware are supported in Windows and very few
> in Linux.
Where did you see this?
There are several issues here.
First, does the OS in question support the 802.11 card *at all*?
In the case of Windows, the supplier of the card almost certainly
supplies a driver, so the card is supported in that sense; otherwise,
most of their potential customers won't be able to use their card
(unless Windows comes with the card, in which case the card is, again
supported).
In the case of Linux - or any other free UNIX - either the card's
manufacturer supplies a driver for the UNIX in question (as is the case
with, I think, Cisco's Aironet cards and Linux), or somebody has to
write the driver themselves, which might involve reverse-engineering the
hardware if there's no documentation, or even if there *is*
documentation but it's incomplete. Therefore, you aren't necessarily
going to have support for as many types of hardware on the free UNIXes.
Second, if the card is supported, does the OS in question support
sniffing on it at all and, if so, can that be done in promiscuous mode?
In the case of WinPcap, there are a couple of issues:
First, can WinPcap see the card? People seem to report problems
having WinPcap recognize, or capture on, some LAN network
interfaces; I don't know why that happens - you'd have to ask
the WinPcap developers about that.
Second, will the driver put the card into promiscuous mode if
the appropriate NDIS request is made? That depends on whether
the hardware supports some notion of promiscuous mode, and on
whether the driver writer chose to support promiscuous mode (or
even had a clue that you can do promiscuous mode via NDIS).
In the case of the free UNIXes, there don't seem to be problems seeing
the card, but there could be similar issues for promiscuous mode.
In addition, due to, I think, the NDIS specification not explicitly
specifying whether packets transmitted *by* the host are delivered to an
NDIS attachment if the attachment is in promiscuous mode, some drivers
appear not to deliver those packets in promiscuous mode - you can only
capture them if you're *not* in promiscuous mode.
Finally, if the card is supported, and sniffing is supported, can that
be done in *monitor* mode, wherein raw 802.11 packets, including
management and control frames, can be seen?
I don't know whether all cards support that in hardware; for those that
do, whether that's supported by the driver and OS is another matter.
NDIS has *NO* mechanism by which a card can be put into monitor mode (at
least not in anything I've seen), so, on Windows, standard drivers appear
not to be able to do that.
There isn't a standard mechanism in Linux for that, but people have, for
*some* cards, implemented that - but not in the same way for all cards.
In the BSDs, there wasn't one until recently; David Young added a
mechanism to do it in NetBSD, and it's apparently being picked up by
FreeBSD, but I don't think all drivers have been converted to use it.