This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why does Wireshark convert 802.11 frames into ‘fake’ Ethernet frames?

1

Hi,

I was wondering why Wireshark converts 802.11 frames into 'fake' Ethernet frames during captures. Why would it be such a problem to send the actual 802.11 frame to the packet capture mechanism?

Thanks.

asked 17 Jul '15, 15:13

jfer3351


One Answer:

3

Wireshark does not convert 802.11 frames into fake Ethernet frames. This is not something unique to Wireshark; you will see the same behavior with tcpdump, for example.

The OS software (driver, networking stack) that supplies packets to the capture mechanism does so. Wireshark is stuck with what gets delivered to it from the capture mechanism.

For whatever reason, unless you're capturing in monitor mode, you get fake Ethernet frames, on several OSes, and you only get data frames, not management or control frames.

You'd have to ask the developers of the drivers and networking stack for the OS you're using why they chose to do that. There was, as I remember, a time where, in FreeBSD, you could select either fake Ethernet or 802.11 headers when capturing, even when not capturing in monitor mode, but I'm not sure they still support that.

answered 17 Jul '15, 17:05

Guy Harris ♦♦

Hi Guy,

Thanks for your very comprehensive answer.

I will try to find out why the driver/networking stack developers made such a decision and, if successful, I will post the answer here.

Cheers.

(18 Jul '15, 15:03) jfer3351
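
Which kind of header the capture mechanism delivered is recorded in the capture file itself, so it can be checked without opening Wireshark. The following is an added example, not part of the original question or answer: it reads the link-layer type from a classic pcap file header. The function names and the two sample headers are constructed for illustration; the numeric values are from the tcpdump.org LINKTYPE_ registry.

```python
import struct

# Values from the tcpdump.org LINKTYPE_ registry.
LINKTYPES = {
    1: "LINKTYPE_ETHERNET",
    105: "LINKTYPE_IEEE802_11",
    119: "LINKTYPE_IEEE802_11_PRISM",
    127: "LINKTYPE_IEEE802_11_RADIOTAP",
    163: "LINKTYPE_IEEE802_11_AVS",
}
# Magic number as it appears on disk -> struct byte-order prefix.
# Covers microsecond and nanosecond timestamp variants in both byte orders.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type from a 24-byte classic pcap file header."""
    if len(header) < 24:
        raise ValueError("pcap file header is 24 bytes")
    order = MAGICS.get(header[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng stores this per interface)")
    # Fields after the magic: version major/minor, thiszone, sigfigs, snaplen, network
    *_, network = struct.unpack(order + "HHiIII", header[4:24])
    return network & 0xFFFF  # upper 16 bits carry optional FCS information

def has_80211_headers(linktype: int) -> bool:
    """True when packets carry real 802.11 headers, bare or behind radio metadata."""
    return linktype in (105, 119, 127, 163)

def describe(header: bytes) -> str:
    lt = pcap_linktype(header)
    name = LINKTYPES.get(lt, "unknown link type %d" % lt)
    kind = "802.11 headers" if has_80211_headers(lt) else "no 802.11 headers"
    return "%s: %s" % (name, kind)

def sample_header(linktype: int, order: str = "<") -> bytes:
    """Constructed header: pcap 2.4, snaplen 65535, given link type."""
    return struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

if __name__ == "__main__":
    print(describe(sample_header(1)))    # constructed: Ethernet headers delivered
    print(describe(sample_header(127)))  # constructed: radiotap + 802.11 headers
```

For a real file, pass the first 24 bytes: `describe(open(path, "rb").read(24))`, where `path` is your own capture.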