On Sep 1, 2009, at 4:41 PM, Joshua (Shiwei) Zhao wrote:
I'm using Wireshark 1.0.4 with a WiFi device. When I select the device
in capture options panel, I cannot get the expected linktype
DLT_IEEE802_11_RADIO.
I know the device driver is in monitor mode and it works if I manually
add a DLT_IEEE802_11_RADIO type there and choose it.
But how does Wireshark/winpcap get the default type, via a OID request
OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE?
I believe the driver does have support on these two OIDs.
Is this a known problem or is there sth not compatible between my
driver and Wireshark/winpcap? I know Wireshark calls pcap_datalink()
to retrieve the media type.
Wireshark's default link-layer type for a network adapter is the
default link-layer type that libpcap/WinPcap chooses for the device,
so it gets it with pcap_datalink().
If you want DLT_IEEE802_11_RADIO to be the default link-layer type for
Wireshark, you will either have to
1) choose a default by looking at the list of link-layer types
supported by the device and picking the "best" one (which I *really*
wouldn't advise doing in the standard version of Wireshark, as, on Mac
OS X Leopard and Snow Leopard, if you pick DLT_IEEE802_11_RADIO or
even DLT_IEEE802_11 for an 802.11 adapter you'll put the adapter into
monitor mode, which, on Atheros-based adapters, such as the ones on
many Apple notebooks, will disassociate it from the network)
or
2) change WinPcap to use DLT_IEEE802_11_RADIO as its default, as
returned by pcap_datalink().