This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

802.11 capture problem on MacBook Pro (OS X 10.6.6)


I've just changed my MacBook Pro. I have the same AirPort chipset and firmware as my old one. With my old MacBook Pro and old Wireshark version, the Link-Layer header type for my AirPort interface offered me different options: Ethernet, 802.11, ... With my new MacBook and Wireshark 1.4.3, I have only the Ethernet option. However, there is a new option, "Capture packets in monitor mode". In this mode I can choose 802.11. However, only the first 66 bytes of frame data are captured. Same problem with tcpdump:

tcpdump -y ieee802_11_radio -s 256 -i en1
tcpdump: IEEE802_11_RADIO is not one of the DLTs supported by this device

How can I capture complete 802.11 traffic on my MacBook Pro, as I did before?

asked 25 Jan '11, 07:22


Serge Botkine


One Answer:


802.11 adapters can capture in a number of modes, including monitor mode. The way monitor mode is selected is, at the low level, different in different OSes; in OS X 10.5.x and 10.6.x, the way to ask the driver to run in monitor mode is to select an 802.11 link-layer type when capturing - and if you select one of those link-layer types, the adapter will go into monitor mode.

Libpcap 1.0 added programming interfaces to select monitor mode; Wireshark 1.4 supports those APIs, if present. When using those APIs, Wireshark lets you select monitor mode by checking the "Capture packets in monitor mode" check box, and only shows the link-layer types available in the mode you select - if you're not in monitor mode, you can only get Ethernet headers on 802.11 devices.

OS X 10.6.x includes libpcap 1.0.x - and tcpdump 4.x. This means that, to capture in monitor mode, you have to use the "-I" flag to tcpdump:

tcpdump -I -s 256 -i en1

Note that monitor mode defaults to IEEE802_11_RADIO, so you don't need a -y flag. Note also that the "256" includes the Radiotap header.

The Wireshark dmg for Snow Leopard uses the new APIs, so, to capture in monitor mode with TShark, you must specify the -I flag, and, to capture in monitor mode with Wireshark, you must check the "Capture packets in monitor mode" checkbox. As noted, if you want 802.11 headers, you must capture in monitor mode.

As for only seeing the first 66 bytes of packet data, try not specifying the "-s" flag to tcpdump or TShark, or selecting "Limit each packet to {XXX} bytes" in Wireshark. If you don't get the full packet, that's probably an OS X bug.

answered 25 Jan '11, 15:01


Guy Harris
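The answer above makes two points worth seeing in bytes: in monitor mode every captured record starts with a Radiotap header, and the "-s" snaplen budget covers that header and the 802.11 frame together, so a small snaplen (or a buggy driver) truncates the frame that follows. The following is an added example, not code from the original post, from Wireshark or from tcpdump. It walks one DLT_IEEE802_11_RADIO record the way a dissector does: it parses the radiotap fixed header and presence bitmaps, finds where the 802.11 frame begins, decodes the frame type from the Frame Control field, and reports how much of the frame survived a given snaplen, including the failure mode where the snaplen cuts into the Radiotap header itself. The sample record is constructed inline (a beacon behind a 22-byte Radiotap header), and the snaplen_record helper that models `-s N` is an assumption of this example, not a libpcap API.

```python
"""Walk one DLT_IEEE802_11_RADIO record: radiotap header first, 802.11 frame after it.

Constructed example, not code from the original post. The record below is built
in-line (a beacon frame behind a 22-byte radiotap header); snaplen_record() models
what `tcpdump -s N` would have kept of it.
"""
import struct
import zlib

# Radiotap fixed header (radiotap.org): it_version u8, it_pad u8, it_len le16, it_present le32.
RADIOTAP_FIXED = struct.Struct("<BBHI")
RADIOTAP_EXT_BIT = 1 << 31          # bit 31 of it_present: another presence word follows

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "association request", 4: "probe request", 5: "probe response",
                 8: "beacon", 11: "authentication", 12: "deauthentication"}


def parse_radiotap(buf):
    """Return (it_len, presence_words) or raise ValueError if the header is cut off."""
    if len(buf) < RADIOTAP_FIXED.size:
        raise ValueError("record shorter than the 8-byte radiotap fixed header")
    version, _pad, it_len, present = RADIOTAP_FIXED.unpack_from(buf, 0)
    if version != 0:
        raise ValueError(f"unknown radiotap version {version}")
    presence = [present]
    off = RADIOTAP_FIXED.size
    while presence[-1] & RADIOTAP_EXT_BIT:      # walk extended presence bitmaps
        if off + 4 > len(buf):
            raise ValueError("truncated inside the radiotap presence bitmaps")
        presence.append(struct.unpack_from("<I", buf, off)[0])
        off += 4
    if it_len < off:
        raise ValueError(f"it_len {it_len} is smaller than the {off} bytes of bitmaps")
    if it_len > len(buf):
        raise ValueError(f"radiotap header claims {it_len} bytes, only {len(buf)} captured")
    return it_len, presence


def snaplen_record(full_record, snaplen):
    """Model libpcap's snaplen: keep the first `snaplen` bytes, remember the on-air length."""
    return full_record[:snaplen], len(full_record)


def describe_record(record, wire_len):
    """Split a captured record into radiotap + 802.11 and report how much frame survived."""
    it_len, presence = parse_radiotap(record)
    dot11 = record[it_len:]
    if len(dot11) < 2:
        raise ValueError("no 802.11 Frame Control field after the radiotap header")
    fc = dot11[0]                       # first byte of Frame Control: version, type, subtype
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return {
        "radiotap_len": it_len,
        "presence_words": len(presence),
        "frame_type": FRAME_TYPES[ftype],
        "subtype": subtype,
        "subtype_name": MGMT_SUBTYPES.get(subtype, "other") if ftype == 0 else "n/a",
        "dot11_captured": len(dot11),
        "dot11_on_air": wire_len - it_len,
        "truncated": len(dot11) < wire_len - it_len,
    }


# --- constructed sample record (not a real capture) ---------------------------
RADIOTAP_SAMPLE = (
    RADIOTAP_FIXED.pack(0, 0, 22, 0x0000000F)  # present: TSFT | Flags | Rate | Channel
    + struct.pack("<Q", 0x1234)                 # TSFT, 8-byte aligned at offset 8
    + bytes([0x10])                             # Flags: frame includes FCS
    + bytes([0x02])                             # Rate: 1 Mb/s in 500 kb/s units
    + struct.pack("<HH", 2412, 0x00A0)          # Channel: 2412 MHz, 2 GHz + CCK
)
BEACON_BODY = (
    bytes([0x80, 0x00, 0x00, 0x00])             # Frame Control (mgmt/beacon), Duration
    + b"\xff" * 6                               # DA: broadcast
    + bytes.fromhex("020000000001") * 2         # SA, BSSID (locally administered address)
    + bytes([0x00, 0x00])                       # Sequence control
    + struct.pack("<QHH", 0x1234, 100, 0x0401)  # Timestamp, beacon interval, capability
    + bytes([0x00, 4]) + b"test"                # SSID IE
    + bytes([0x01, 1, 0x82])                    # Supported rates IE: 1 Mb/s (basic)
)
# The 802.11 FCS is the same CRC-32 as Ethernet, transmitted little-endian.
SAMPLE_RECORD = RADIOTAP_SAMPLE + BEACON_BODY + struct.pack("<I", zlib.crc32(BEACON_BODY))

if __name__ == "__main__":
    for snaplen in (0xFFFF, 256, 40, 20):
        try:
            print(snaplen, describe_record(*snaplen_record(SAMPLE_RECORD, snaplen)))
        except ValueError as err:
            print(snaplen, "unparseable:", err)
```

With the default snaplen the whole 49-byte beacon is there behind the 22-byte Radiotap header; "-s 40" leaves only 18 bytes of 802.11 frame, and "-s 20" cuts into the Radiotap header itself, which is the shape of record a dissector rejects outright. The same walk on a real monitor-mode capture tells you whether a short frame is the snaplen's doing or, as the answer suggests, the driver's.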