[Winpcap-users] how Wireshark get linktype?
Gianluca Varenni
gianluca.varenni at cacetech.com
Tue Sep 1 19:01:26 PDT 2009
----- Original Message -----
From: "Guy Harris" <guy at alum.mit.edu>
To: <winpcap-users at winpcap.org>
Sent: Tuesday, September 01, 2009 6:42 PM
Subject: Re: [Winpcap-users] how Wireshark get linktype?
>
> On Sep 1, 2009, at 5:48 PM, Joshua (Shiwei) Zhao wrote:
>
>> No it's not airpcap.
>
> Then, as Gianluca noted, getting DLT_IEEE802_11_RADIO or
> DLT_IEEE802_11 is not supported in WinPcap.
>
>> I have the driver source code and it does return media type as
>> NdisMedium802_11_Radio
>
> (Do you mean NdisMediumRadio80211?)
>
>> if it receives an OID as I mentioned earlier.
>
> That's not a standard NDIS medium type according to
>
> http://msdn.microsoft.com/en-us/library/cc514150.aspx
>
> and that's NDIS 6.0 documentation, so it's not even in NDIS 6.0, much
> less the 5.x that WinPcap supports. If the driver returns that in
> response to OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE, I don't
> know whether Microsoft will guarantee that it will work.
>
> NdisMediumRadio80211 is also not a standard NDIS medium type.
>
> I have the impression that the AirPcap driver is *NOT* an NDIS driver;
> the AirPcap device can be used for capturing traffic, but it can't be
> used as a regular network device. I think WinPcap communicates with
> the AirPcap driver with a special private interface, not through NDIS.
It's exactly like that. It's a standard WDM driver with a private interface.
>
>> But the driver never sees a request for those OIDs.
>
> If you look at, for example, the WinPcap 4.0.2 source, you see that
> PacketGetLinkLayerFromRegistry(), in packetNtx/Dll/AdInfo.c, requests
> the medium type with OID_GEN_MEDIA_IN_USE.
>
>> In Wireshark I also tried to add code to send OIDs request to the
>> driver, using wpcap_packet_request(). If I define a new OID on both
>> side, it works fine. However, when I send an OID of
>> OID_GEN_MEDIA_SUPPORTED or OID_GEN_MEDIA_IN_USE, the driver never sees
>> this OID. It's lost somewhere? I still cannot figure out....
>
> Perhaps there's something wrong with the driver? Perhaps NDIS gets
> confused if it reports a medium type that's not one of the ones
> defined by NDIS?
If I remember well, returning a custom media type is not supported, but I
might be totally wrong here...
GV
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
More information about the Winpcap-users
mailing list