On Oct 24, 2008, at 5:48 PM, Joshua (Shiwei) Zhao wrote:

> Under the Capture Options dialogue, there is an item for "Link-layer
> header type". There are only two menu items as default: "Ethernet" and
> "Data Over Cable Service.....".
> How can I add another type there, e.g. 802.11, either by configuration
> or by modifying the code?

Is the adapter on which you're trying to capture an 802.11/Wi-Fi  
adapter?

And on what operating system are you running Wireshark?

> And how can I modify the code to add other types to always show up  
> by default?

You cannot modify the Wireshark code, and it would make no sense to do  
so.  The only link-layer headers you can get are the ones that the  
capture device, its driver, and libpcap/WinPcap support.

In the case of 802.11 adapters and their drivers, they might, or might  
not, support getting 802.11 headers.  See

        http://wiki.wireshark.org/CaptureSetup/WLAN

for some information on that.  Libpcap 1.0 should, when it's released,  
make that better, at least on Linux, *BSD, and Mac OS X, although  
Wireshark will need to be changed to use the new APIs for requesting  
monitor mode (and, on Linux, mac80211 drivers won't work the way  
they're supposed to; I'll look at fixing that in a later libpcap  
release).  For Windows, currently you'd need to buy an AirPcap adapter:

        http://www.cacetech.com/products/airpcap_family.htm

In theory, WinPcap should be able to handle the new Libpcap 1.0 APIs  
on Vista, but not on XP or earlier; nobody's written any code to do  
so, however.

In the case of Ethernet adapters, newer versions of libpcap/WinPcap  
also offer "Data Over Cable Service Interface Specification" to handle  
the case where some piece of Cisco cable modem head-end equipment is  
sending DOCSIS (Data Over Cable Service Interface Specification)  
packets encapsulated inside Ethernet framing ("Ethernet framing" does  
not include the MAC header, so the packets aren't Ethernet packets -  
yes, it's a hack).

In the case of Endace DAG adapters:

        http://www.endace.com/dag-network-monitoring-cards.html

that capture on SONET/SDH or PDH/TDM links, they might offer multiple  
link-layer types as the user would have to indicate what particular  
type of traffic is being run on the SONET/SDH or T-carrier/E-carrier  
link.
_______________________________________________
Wireshark-dev mailing list
https://wireshark.org/mailman/listinfo/wireshark-dev
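
The reply's point that the offered link-layer header types come from the capture device, its driver and libpcap can be checked by asking libpcap directly, as in this added example (not part of the original message and not Wireshark's own code). It calls libpcap's `pcap_list_datalinks()` through Python's ctypes; it assumes libpcap is installed as a shared library, and the interface name is whatever the user passes on the command line.

```python
import ctypes.util
import sys
VP, INT, STR = ctypes.c_void_p, ctypes.c_int, ctypes.c_char_p
INTP = ctypes.POINTER(INT)
SIGNATURES = {  # libpcap prototypes (pcap.h): name -> (return type, argument types)
    "pcap_open_live": (VP, [STR, INT, INT, INT, STR]),
    "pcap_open_dead": (VP, [INT, INT]),
    "pcap_list_datalinks": (INT, [VP, ctypes.POINTER(INTP)]),
    "pcap_free_datalinks": (None, [INTP]),
    "pcap_datalink_val_to_name": (STR, [INT]),
    "pcap_datalink_val_to_description": (STR, [INT]),
    "pcap_close": (None, [VP]),
}

def load_libpcap():  # returns None when libpcap is not installed
    path = ctypes.util.find_library("pcap")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    for name, (restype, argtypes) in SIGNATURES.items():
        fn = getattr(lib, name)
        fn.restype, fn.argtypes = restype, argtypes
    return lib

def link_types(lib, handle):  # [(DLT value, name, description)] for an open pcap_t
    buf = INTP()
    count = lib.pcap_list_datalinks(handle, ctypes.byref(buf))
    if count < 0:
        raise OSError(f"pcap_list_datalinks failed with code {count}")
    text = lambda fn, dlt: (fn(dlt) or b"?").decode()
    try:
        return [(buf[i], text(lib.pcap_datalink_val_to_name, buf[i]),
                 text(lib.pcap_datalink_val_to_description, buf[i])) for i in range(count)]
    finally:
        lib.pcap_free_datalinks(buf)

def interface_link_types(lib, ifname):  # needs capture privileges on ifname
    errbuf = ctypes.create_string_buffer(256)  # PCAP_ERRBUF_SIZE
    handle = lib.pcap_open_live(ifname.encode(), 65535, 0, 1000, errbuf)
    if not handle:
        raise OSError(errbuf.value.decode())
    try:
        return link_types(lib, handle)
    finally:
        lib.pcap_close(handle)

if __name__ == "__main__" and len(sys.argv) == 2:  # usage: script.py <interface>
    lib = load_libpcap() or sys.exit("libpcap not found")
    for dlt, name, desc in interface_link_types(lib, sys.argv[1]):
        print(f"{dlt:4d}  {name}  ({desc})")
```

An 802.11 entry appears in this list only if the adapter and driver can deliver 802.11 headers, which is why it cannot be added from the application side.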
