[Winpcap-users] WiFi monitoring on win7

[Guy Harris]

(WinPcap issue, rather than Wireshark issue.  libpcap 1.0.0 and later have an API for going into monitor mode, and libpcap 0.4 and later - probably going all the way back to libpcap 0.1 - have an API for going into promiscuous mode; Wireshark currently doesn't support the monitor-mode API, and has supported the promiscuous-mode API since Day One.  Whether the promiscuous-mode API does what you want on a wireless adapter is another matter; it tends not to do so on Windows, thanks to driver problems, but that's not unique to Wireshark.)

On Dec 14, 2009, at 11:30 AM, Joshua (Shiwei) Zhao wrote:

> Hi there,
> I'm wondering whether win7 allows any 3rd party (except its Netmon
> software) to put a WiFi driver into promiscuous or monitor mode.

If you're talking about user-mode 3rd-party software, that would depend on whether the driver that the 3rd-party software uses to talk to the adapter can use the appropriate APIs for turning on promiscuous mode:

	http://msdn.microsoft.com/en-us/library/bb648512.aspx

(setting the filter to NDIS_PACKET_TYPE_PROMISCUOUS) or monitor mode:

	http://msdn.microsoft.com/en-us/library/aa503132.aspx

and whether the driver properly handles those NDIS operations.

> Does latest winpcap 4.1.1 support that?

It supports NDIS_PACKET_TYPE_PROMISCUOUS.

It does not support the monitor mode APIs.

> Is there working wifi sniffer softwares on win7?

Microsoft Network Monitor?

> How is AirPcap?

AirPcap is a device; it is *not* a normal Wi-Fi adapter (you can't use it to join a wireless network, as far as I know), it's a special device for use when capturing traffic, and it has its own API.  WinPcap uses that API to control AirPcap devices; I think those devices are, in effect, always in monitor mode.

> If so, anyone know how they make it pass win7's nativeWifi intermediate driver?

They do so by having it not be a normal Wi-Fi adapter, so none of Microsoft's code that handles Wi-Fi adapters is involved when capturing packets from it.