This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Fake Ethernet

0

I want Wireshark to give me all/at least Data packet into Fake Ethernet format in monitor mode. How can Wireshark be set to convert wireless packets to fake Ethernet packets? And can I use analysis tools for real Ethernet packets on this fake Ethernet?

asked 07 Feb '14, 20:48


WIDS
257713
accept rate: 0%

edited 07 Feb '14, 21:42


2 Answers:

0

Wireshark is not a converter tool, it decodes and displays packet captures. If you need to edit/convert your trace files you should take a look at the command line tool editcap, which you can find in the Wireshark installation directory. It doesn't come with a converter option for packets as well, but it can cut away bytes at the end or beginning of a packet, which can often help with topics like yours.

answered 08 Feb '14, 03:37


Jasper ♦♦
23.8k551284
accept rate: 18%

Thank you Jasper, but the Wi-Fi Wiki page (http://wiki.wireshark.org/Wi-Fi) says that sometimes the hardware/driver translates 802.11 headers into Ethernet headers...

(08 Feb '14, 06:21) WIDS

Correct. If you capture on a card in promiscuous mode (but not monitor mode) you'll not see the radio layers, only Ethernet and up. That happens when you capture on a standard WiFi card on Windows because it cannot be put into monitor mode. Which is why WiFi captures on Windows require additional AirPcap adapters.

(08 Feb '14, 06:30) Jasper ♦♦

Can I use promiscuous mode on an Ubuntu PC (12.04) with an external wireless card (card detail: Ralink 2573, driver rt73usb) to do the above?

(08 Feb '14, 19:12) WIDS

I don't know that card, but you could just try and see what Wireshark displays when capturing on that card.

(09 Feb '14, 03:01) Jasper ♦♦

1

I want Wireshark to give me all/at least Data packet into Fake Ethernet format in monitor mode.

Unfortunately, to quote Sir Michael Philip Jagger, "you can't always get what you want". The only OS/driver/adapter combinations I've seen that provide fake Ethernet headers rather than 802.11 headers in monitor mode was FreeBSD, and I'm not even sure they support it any more.

If Wireshark doesn't offer Ethernet as a link-layer header type when you select monitor mode, that's because the OS/driver/adapter combination doesn't support it.

As for promiscuous mode, it often isn't implemented on wireless devices; you could try it, but whether it will be any different from non-promiscuous mode - i.e., whether it will capture any traffic other than traffic to and from your machine - would depend on the OS/driver/adapter combination.

answered 08 Feb '14, 23:41


Guy Harris ♦♦
17.4k335196
accept rate: 19%
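
What the 802.11-to-Ethernet header translation discussed in this thread involves, as an added example (not code from Wireshark, a driver, or any poster here). It assumes a bare, unencrypted 802.11 data frame with no radiotap/Prism header in front and no FCS at the end; the function name and the sample frame are hypothetical and constructed for illustration.

```python
# Added example: rebuild a "fake Ethernet" frame from one 802.11 data frame.
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # RFC 1042 LLC/SNAP prefix before the EtherType

def dot11_to_ethernet(frame):
    """Return an Ethernet II frame for a bare 802.11 data frame, else None.

    Assumption: no radiotap/Prism header in front and no FCS at the end.
    """
    if len(frame) < 24:
        return None
    ftype, subtype, flags = (frame[0] >> 2) & 0x3, frame[0] >> 4, frame[1]
    if ftype != 2 or flags & 0x40:
        return None           # not a data frame, or Protected (encrypted) payload
    to_ds, from_ds = flags & 0x01, flags & 0x02
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:     # 4-address (WDS) frame: Address 4 follows Seq Ctl
        dst, src, hdr_len = a3, frame[24:30], 30
    elif to_ds:               # station -> AP: A1=BSSID, A2=SA, A3=DA
        dst, src = a3, a2
    elif from_ds:             # AP -> station: A1=DA, A2=BSSID, A3=SA
        dst, src = a1, a3
    else:                     # ad hoc / direct: A1=DA, A2=SA
        dst, src = a1, a2
    if subtype & 0x8:         # QoS subtypes add a 2-byte QoS Control field
        if len(frame) < hdr_len + 2 or frame[hdr_len] & 0x80:
            return None       # truncated, or A-MSDU aggregate (not handled here)
        hdr_len += 2
        if flags & 0x80:      # Order bit on a QoS frame: 4-byte HT Control
            hdr_len += 4
    body = frame[hdr_len:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return None           # Null frame, or payload is not SNAP-encapsulated
    return dst + src + body[6:]   # body[6:8] becomes the EtherType

# Constructed sample: QoS data frame, station -> AP, carrying an IPv4 EtherType.
BSSID = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
PEER = bytes.fromhex("020000000003")
PAYLOAD = b"constructed-ip-payload"
SAMPLE_TO_DS = (b"\x88\x01" + b"\x00\x00" + BSSID + STA + PEER + b"\x10\x00"
                + b"\x00\x00" + LLC_SNAP + b"\x08\x00" + PAYLOAD)

if __name__ == "__main__":
    print(dot11_to_ethernet(SAMPLE_TO_DS).hex())
```

Management, control, Null and encrypted frames have no Ethernet equivalent, which is why a translated capture shows only part of what monitor mode sees.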