Wireshark-dev: Re: [Wireshark-dev] Get "Malformed Packet" for 802.11 Beacon frames on Windows
From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Wed, 13 Apr 2016 13:07:46 +0800
Hi Guy,

As you know, Npcap/WinPcap is currently based on libpcap 1.0 branch 1_0_rel0b (20091008), which is a very old version.
Adding features to such old wpcap.dll code will put me even farther away from the libpcap trunk.
So I wanted to use the latest libpcap code in Npcap before adding code. Actually, I posted a thread on the tcpdump list about how to build libpcap on Windows before, but there were no solutions.

Do you know how to build libpcap into wpcap.dll?
I guess Loris developed the 1st generation WinPcap and ported libpcap into wpcap.dll. How did he achieve this?


Cheers,
Yang


On Wed, Apr 13, 2016 at 10:23 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Apr 12, 2016, at 6:39 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> On Wed, Apr 13, 2016 at 1:47 AM, Alexis La Goutte <alexis.lagoutte@xxxxxxxxx> wrote:
>
>> Awesome !
>>
>> Need to include support of directly switch to monitor mode on Wireshark :)
>
> You bet! That will be the last step to do.
> WlanHelper is currently a workaround for this feature. Monitor mode switch on and off should be able to be done directly using Wireshark for friendly use.
> However, I'm also planning to provide the monitor switch in an API way too,

Yes.

The API is pcap_set_rfmon().

In your activate routine, if the opt.rfmon field of the pcap_t is 1, then put the device in monitor mode, otherwise don't put it in monitor mode.

> so a program can switch on and off Monitor mode too.

No, your only option to control monitor mode is when you open the device; you don't get to turn it on and off while you're capturing - you have to close the device and re-open it.

If you do that, it will work in Wireshark, the same way it does in OS X (and, if you happen to have a version of libpcap linking with libnl, on Linux), without having to change Wireshark.

> BTW, are there any options when setting to Monitor mode? Like channel no or something.

There are currently no APIs in libpcap to control the channel number; I plan to add them in the future.  (I plan to do that after splitting off some functions into a helper process, so that libpcap wouldn't have to be linked with libnl on Linux or with the CoreWLAN framework on OS X - only the helper process would.)

> I don't know what's NdisMediumPpi

It's for the PPI header:

        http://www.cacetech.com/documents/PPI%20Header%20format%201.0.10.pdf

which AirPcap adapters, and at least some AirPort cards on some versions of OS X, can provide.  Radiotap is a better form of radio metadata, and my goal is to get it to the point where everything Wireshark supports with PPI is also supported with radiotap (the only thing missing is the ability to show the individual frames of an A-MPDU all together).

> So is there any possibility to remove the "AirPcap" string in the UI?

Yes, it should be removed from there.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe