Wireshark-users: Re: [Wireshark-users] promiscuous capture on Mac OS X shows different 802.11 rat
On Oct 11, 2009, at 3:06 PM, George Nychis wrote:
I am running Wireshark in promiscuous mode on Mac OS X, and I find
that it is reporting different 802.11 TX rates (radiotap.datarate)
(If you're getting Radiotap information, you're actually running in
monitor mode; unfortunately, OS X won't give radiotap information - or
even 802.11 frames - unless it's in monitor mode, so requesting a link-
layer type of 802.11 or 802.11+radiotap puts the adapter in monitor
mode. For Atheros AirPort cards, that causes the adapter to
disassociate from the network.)
than if I boot the machine in Linux and run Wireshark.
(Unfortunately, at least with mac80211 drivers, and even with non-
mac80211 drivers for some adapters, Linux also won't give you radio
information except in monitor mode, although, again at least with
mac80211 drivers, you can capture on a wmaster driver and get 802.11
headers without going into monitor mode. *BSD FTW here - monitor mode
and the link-layer type are orthogonal.)
In linux, the
beacons for my AP are shown to be 1Mbps (believable) ... whereas in
Mac OS X Wireshark shows me 13Mbps. That is a little odd for a beacon
frame.
There could well be a bug in the OS X driver for your network adapter,
so that it supplies a bogus data rate for transmitted frames.
What version of OS X is this, and what type of AirPort card does it
have? (Apple menu -> About This Mac -> "More Info...", and there
should be something called "AirPort Card" under "Network".)
