Wireshark-dev: Re: [Wireshark-dev] Sniff WLAN packets
From: Guy Harris <[email protected]>
Date: Fri, 8 Dec 2006 14:00:00 -0800
On Dec 8, 2006, at 2:42 AM, david lopez wrote:

I'm David, a PhD student
I'm developing a small sniffer for my project. I'm using libpcap
It appears, from your program, that you're using WinPcap (the Windows  
port of libpcap).
Are you doing this on Windows (in which case you're using WinPcap) or  
on some other OS (in which case you're using libpcap)?
In either case, the right mailing list for this is probably [email protected] 
 (even when using WinPcap, if you're not using any WinPcap-specific  
features or having Windows-specific issues) or the WinPcap mailing  
list (if you're using WinPcap-specific features or having Windows- 
specific or WinPcap-specific issues).

I built a sniffer for capturing ethernet packets on the cable and it is working fine. Now, I would like to use this sniffer for capturing 802.11 WLAN packets. When I use this sniffer for capturing 802.11 WLAN packets on my adapter, it looks ok, but when I try to get the MAC and IP addresses, they are wrong. I supposse that I should eliminate first the WLAN envelopment or something like tath
I would like to know if you can give a clue or if you have some  
example code.
Here you have my code:
...which assumes that the packets have Ethernet headers.  That will  
only be true if pcap_datalink() returns DLT_EN10MB; if it's not doing  
that, your code won't work.
Note that on 802.11 interfaces you might still get packets with  
Ethernet headers, because the 802.11 adapter, or its driver, might  
turn the native 802.11 plus 802.2 plus SNAP headers on packets into  
fake Ethernet headers.  If that's the case, pcap_datalink() will  
return DLT_EN10MB; if it's not the case, it'll return some other  
value, such as DLT_IEEE802_11.
What does the line
 printf("\nDatalink=%s\n\n", pcap_datalink_val_to_name(datalink));
print?  If it doesn't print

	Datalink=Ethernet

then your program won't work; you will have to modify it to check the value of "datalink", and only treat the packet as beginning with an Ethernet header if it's DLT_EN10MB, and have it do whatever is appropriate for the *other* type of link-layer header for values other than DLT_EN10MB. (Take a look at tcpdump to see what's involved with that, and why, to handle the general case, a lot is involved; in particular, note how many entries the "printers[]" table has.)
If you're running on Windows, it'll probably report  
"Datalink=Ethernet" on 802.11 interfaces.