Re: Get "Malformed Packet" for 802.11 Beacon frames on Windows

[Yang Luo <hsluoyb () gmail com>]

Hi Guy,

As you know, Npcap/WinPcap is currently based on libpcap 1.0 branch
1_0_rel0b (20091008), which is a very old version.
Adding features to so old wpcap.dll code will put me even farther away from
the libpcap trunk.
So I wanted to use the latest libpcap code in Npcap before adding code.
Actually I posted a thread on tcpdump list about how to build libpcap on
Windows before. But no solutions.

Do you know how to build libpcap into wpcap.dll?
I guess Loris developed the 1st generation WinPcap and ported libpcap into
wpcap.dll. How did he achieve this?


Cheers,
Yang


On Wed, Apr 13, 2016 at 10:23 AM, Guy Harris <guy () alum mit edu> wrote:

> On Apr 12, 2016, at 6:39 PM, Yang Luo <hsluoyb () gmail com> wrote:
>
> > On Wed, Apr 13, 2016 at 1:47 AM, Alexis La Goutte <
> alexis.lagoutte () gmail com> wrote:
> > > Awesome !
> > >
> > > Need to include support of directly switch to monitor mode on Wireshark
> :)
> > You bet! That will be the last step to do.
> > WlanHelper is currently a workaround for this feature. Monitor mode
> switch on and off should be able to be done directly using Wireshark for
> friendly use.
> > However, I'm also planning to provide the monitor switch in a API way
> too,
>
> Yes.
>
> The API is pcap_set_rfmon().
>
> In your activate routine, if the opt.rfmon field of the pcap_t is 1, then
> put the device in monitor mode, otherwise don't put it in monitor mode.
>
> > so a program can switch on and off Monitor mode too.
>
> No, your only option to control monitor mode is when you open the device;
> you don't get to turn it on and off while you're capturing - you have to
> close the device and re-open it.
>
> If you do that, it will work in Wireshark, the same way it does in OS X
> (and, if you happen to have a version of libpcap linking with libel, on
> Linux), without having to change Wireshark.
>
> > BTW, are there any options when setting to Monitor mode? Like channel no
> or something.
>
> There are currently no APIs in libpcap to control the channel number; I
> plan to add them in the future.  (I plan to do that after splitting off
> some functions into a helper process, so that libpcap wouldn't have to be
> linked with libnl on Linux or with the CoreWLAN framework on OS X - only
> the helper process would.)
>
> > I don't know what's NdisMediumPpi
>
> It's for the PPI header:
>
>
> http://www.cacetech.com/documents/PPI%20Header%20format%201.0.10.pdf
>
> which AirPcap adapters, and at least some AirPort cards on some versions
> of OS X, can provide.  Radiotap is a better form of radio metadata, and my
> goal is to get it to the point where everything Wireshark supports with PPI
> is also supported with radiotap (the only thing missing is the ability to
> show the individual frames of an A-MPDU all together).
>
> > So is there any possibility to remove the "AirPcap" string in the UI?
>
> Yes, it should be removed from there.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe