I need to capture wireless traffic in monitor mode, so I use Microsoft Network Monitor 3.4. To me, it seems to be the only solution on Windows 7 without extra hardware like AirPcap. (REMARK: Wireshark does not support monitor mode on Windows platforms.)

The cap file generated by Network Monitor can be opened by Wireshark and displayed correctly. However, I found that both the "save as" and "Export Specified Packets ..." functions (from the "File" menu) are disabled.

How can I make such functions work?

asked 07 Jan '13, 21:42

newwireshark


I just verified your setup and it does in fact not allow saving or exporting specified packets. From looking at the packets, I guess that the reason is the pseudo header ("NetMon 802.11 capture header") inserted by NetMon for each packet, which it only does for WiFi captures.

Going one step further, I checked what formats Wireshark should be able to write, and found that there are only NetMon 1.x and NetMon 2.x (I did that by running tshark.exe and editcap.exe with the "-F" parameter and nothing else).

My suspicion is that Wireshark can't write the NetMon 3.x format, which is probably required to write this "NetMon 802.11 capture header".


answered 08 Jan '13, 04:52

Jasper ♦

If it is able to read the NetMon 802.11 header shouldn't it be able to write a pcap-ng file by adding a radiotap header (if it's possible to 'convert' the NetMon 802.11 header to radiotap)? Apparently that functionality is not yet implemented.

(08 Jan '13, 04:57) Kurt Knochner ♦

Hi Jasper,

Thank you for the comment.

I am sorry, but I don't quite understand. If Wireshark can read the NetMon 3.4 cap file, why can't it export the packets in pcap format? In that case, writing the NetMon 3.4 header is not required, I assume.

So does it mean that there is no work-around at all for this problem?

(08 Jan '13, 18:01) newwireshark

[I converted your answer to a comment to keep things in line]

Without reading the source code to verify this I can only guess that it is because the pcap format does not have a data structure or pseudo link layer type to write the NetMon header data. A conversion from the NetMon 802.11 capture header to the pcap radiotap header would be required, and I guess that has not been implemented as of yet.

So I guess the only workaround right now is to actually use NetMon for working on those kinds of trace files until someone codes the necessary routines to write the data in pcap.

(08 Jan '13, 18:47) Jasper ♦

My suspicion is that Wireshark can't write the NetMon 3.x format

NetMon 3.x uses the 2.x format; the format has evolved over time, but it's still essentially the same format.

I can only guess that it is because the pcap format does not have a data structure or pseudo link layer type to write the NetMon header data

In particular, there's no pseudo link-layer header type for the NetMon flavor of 802.11 radio data pseudo-header, and Wireshark currently doesn't try to map 802.11 radio data pseudo-headers to a "common" format so that it could use, for example, radiotap headers.

(10 Jan '13, 17:30) Guy Harris ♦♦

...and, unfortunately, that header includes the dreaded "RSSI" field, which radiotap doesn't have (it has, instead, antenna signal and noise values, either in dB from an arbitrary reference point or dB from 1 milliwatt), so it's hard to map to radiotap. (There are some other fields that might not map to radiotap; it'd be nice if Microsoft were to adopt radiotap for monitor mode Native Wi-Fi support, and then it'd match most UN*Xes.)

(10 Jan '13, 17:34) Guy Harris ♦♦
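The mapping problem Guy Harris describes, as an added example that is not code from Wireshark, NetMon or anyone in this thread. The radiotap side follows the published radiotap layout (u8 version, u8 pad, u16 length, u32 present bitmap, then the present fields in bit order at their natural alignment) for a handful of fields. The NetMon side is a constructed Python dict standing in for per-packet radio metadata; it is an assumption, not the real "NetMon 802.11 capture header" layout, which this example does not model. The converter maps rate and channel directly, but an "RSSI" value is only placed in a radiotap antenna-signal field when the caller says which reference it uses (dBm, or dB from a fixed reference); with the reference unknown, it is reported as unmapped, which is exactly why a generic NetMon-to-radiotap conversion is not straightforward.

```python
import struct

# Radiotap present bits and encodings for the subset of fields handled here.
RT_VERSION = 0
RT_FLAGS = 1            # u8
RT_RATE = 2             # u8, units of 500 kbps
RT_CHANNEL = 3          # u16 frequency (MHz) + u16 channel flags, 2-byte aligned
RT_DBM_ANTSIGNAL = 5    # s8, dBm (referenced to 1 milliwatt)
RT_DBM_ANTNOISE = 6     # s8, dBm
RT_ANTENNA = 11         # u8
RT_DB_ANTSIGNAL = 12    # u8, dB from an arbitrary, fixed reference
RT_DB_ANTNOISE = 13     # u8
CHAN_2GHZ = 0x0080      # radiotap channel flag bits used by this example
CHAN_5GHZ = 0x0100

# (present bit, struct format, alignment) in header order; fields appear in bit order.
FIELD_LAYOUT = [
    (RT_FLAGS, "<B", 1), (RT_RATE, "<B", 1), (RT_CHANNEL, "<HH", 2),
    (RT_DBM_ANTSIGNAL, "<b", 1), (RT_DBM_ANTNOISE, "<b", 1), (RT_ANTENNA, "<B", 1),
    (RT_DB_ANTSIGNAL, "<B", 1), (RT_DB_ANTNOISE, "<B", 1),
]
KNOWN_BITS = sum(1 << bit for bit, _, _ in FIELD_LAYOUT)


def build_radiotap(fields):
    """fields: {present bit: value or tuple}; returns the encoded radiotap header."""
    present = 0
    body = bytearray()
    for bit, fmt, align in FIELD_LAYOUT:
        if bit not in fields:
            continue
        present |= 1 << bit
        body.extend(b"\x00" * (-(8 + len(body)) % align))  # align from header start
        val = fields[bit]
        body.extend(struct.pack(fmt, *val) if isinstance(val, tuple) else struct.pack(fmt, val))
    return struct.pack("<BBHI", RT_VERSION, 0, 8 + len(body), present) + bytes(body)


def parse_radiotap(buf):
    """Returns ({present bit: value}, bytes following the header, i.e. the 802.11 frame)."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != RT_VERSION or length > len(buf):
        raise ValueError("bad radiotap header")
    if present & ~KNOWN_BITS:
        # An unknown field would shift every later offset, so refuse rather than misparse.
        raise ValueError("radiotap field outside the subset this example handles")
    offset, out = 8, {}
    for bit, fmt, align in FIELD_LAYOUT:
        if not present & (1 << bit):
            continue
        offset += -offset % align
        vals = struct.unpack_from(fmt, buf, offset)
        out[bit] = vals if len(vals) > 1 else vals[0]
        offset += struct.calcsize(fmt)
    return out, buf[length:]


# Constructed stand-in for NetMon's per-packet radio metadata (assumption: this is NOT
# the real "NetMon 802.11 capture header" layout). "rssi" carries no stated reference.
NETMON_STYLE_RECORD = {"rate_500kbps": 12, "freq_mhz": 2437, "rssi": -57}


def to_radiotap(record, rssi_reference=None):
    """Map the record to radiotap; returns (header bytes, names of fields left unmapped)."""
    band = CHAN_2GHZ if record["freq_mhz"] < 3000 else CHAN_5GHZ
    fields = {RT_FLAGS: 0, RT_RATE: record["rate_500kbps"],
              RT_CHANNEL: (record["freq_mhz"], band)}
    unmapped = []
    if "rssi" in record:
        rssi = record["rssi"]
        if rssi_reference == "dBm" and -128 <= rssi <= 127:
            fields[RT_DBM_ANTSIGNAL] = rssi      # known to be dBm: dBm antenna signal fits
        elif rssi_reference == "dB" and 0 <= rssi <= 255:
            fields[RT_DB_ANTSIGNAL] = rssi       # known to be dB from a fixed reference
        else:
            unmapped.append("rssi")              # reference unknown: no radiotap field matches
    return build_radiotap(fields), unmapped


if __name__ == "__main__":
    for ref in (None, "dBm"):
        hdr, left = to_radiotap(NETMON_STYLE_RECORD, rssi_reference=ref)
        print(ref, hdr.hex(), "unmapped:", left, parse_radiotap(hdr)[0])
```

Run it and compare the two headers: without a stated reference the signal value is dropped and reported, with "dBm" it lands in the dBm antenna signal field and the present bitmap gains bit 5. A real converter would also have to decide what to do with the other NetMon fields Guy Harris mentions that have no radiotap counterpart.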
Seen: 4,689 times

Last updated: 10 Jan '13, 17:34
