According to the Wireshark wiki
Can one detect that a packet has an 802.11 history? That is, that it was captured as 802.11 and then modified to contain a fake Ethernet instead? Or is the fake Ethernet indistinguishable from a regular one?
asked 19 Jun '17, 01:52 Guy Kroizman
2 Answers:
I agree with @sindy that it is really not possible to positively identify these cases where we have 802.11-->EthII/802.3 conversion, but I wanted to share some things that I have picked up over the years that may 'suggest' a wireless adapter collection. These are not deterministic - only some things I have found that tend to be different between wired and wireless world:
My view is that if I see enough of these traits, I can guess how the capture was taken. Unfortunately I live in a world where deterministic answers are not always available and yet we have to solve the problem anyway. I am forced to guess sometimes to move forward in many situations, so techniques that allow us to reduce risk while still guessing are quite useful in the real world.
answered 20 Jun '17, 16:56 Bob Jones edited 20 Jun '17, 16:56
Mostly the second. The fake Ethernet headers are there to completely replace the 802.11 headers, so you can only use the MAC address (which is inherited from the 802.11 header to the Ethernet one) to identify the interface of the device which has sent the packet. If it is an address of a WLAN interface, the packet came directly through WLAN; if it is an address of a wired interface, it hasn't. But if you e.g. have a wired bridge between two WLANs, you have to look at the position of that device too.
answered 19 Jun '17, 13:26 sindy edited 19 Jun '17, 13:32
If you have a MacBook Pro with a built-in Ethernet, that's the case. MacBook Pros haven't come with a built-in Ethernet for many years, however; mine doesn't have one, and the Wi-Fi is en0.