This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

PcapNg and Wireless Data


For my project (wireless environment) I am capturing traffic using Wireshark and saving it in PcapNg format. Later I want to retrieve this information to get network layer and above layer information. But the PcapNg man page says "Features not yet in pcap-ng: Wireless spectrum information / physical layer meta-data". So, as I don't want information about physical layer data, can I still get network layer wireless data from the pcap-ng file? And second, can I use payload information from this pcap-ng file for intrusion detection?

asked 12 Feb '14, 10:09

WIDS

edited 12 Feb '14, 10:30


One Answer:


Pcap-ng and pcap are both formats that support all the packet types described in the tcpdump.org list of link-layer header types. This includes the LINKTYPE_IEEE802_11 type (in which packets begin with an IEEE 802.11 header) and the LINKTYPE_IEEE802_11_PRISM, LINKTYPE_IEEE802_11_RADIOTAP, LINKTYPE_IEEE802_11_AVS, and LINKTYPE_PPI types (in which packets either begin with a header giving some physical-layer meta-data for the packet - pcap-ng doesn't have anything in the general format to support physical-layer meta-data for individual packets, but it doesn't have to, and, in fact, shouldn't, do so - or begin with the "PPI" header, which can include physical-layer meta-data for the packet). (As the page you mentioned, the pcap-ng page on the Wireshark wiki, currently says in the "Features not yet in pcap-ng" list, it doesn't support "Wireless spectrum information / physical layer meta-data *(other than what's already carried in headers such as the radiotap header for 802.11)*"; I've italicized the important part here. I will update that page to clarify that it will probably never do so, as "what's already carried in headers" will be sufficient.)

Capturing on an 802.11 interface when not in monitor mode will probably give you packets with fake Ethernet headers rather than the packets' actual 802.11 headers.

In either case, if you want the network-layer information, you will have to check the Ethernet or 802.11 header to see what protocol is above the link layer, ignore packets where the protocol isn't what you're interested in, and then skip past the link-layer header (and radio meta-data/PPI header, if it's present) and process the network-layer header.

Note that if you are capturing in monitor mode, the packets will be encrypted if you're on a "protected" (WEP or WPA/WPA2) network, and you will need to decrypt the payload in order to be able to process the network-layer header.

answered 12 Feb '14, 16:37

Guy Harris ♦♦

edited 12 Feb '14, 16:40
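The procedure the answer above describes (read the link-layer type from the pcap-ng interface block, look at the Ethernet or 802.11 header to find the protocol above the link layer, skip the link-layer header plus any radiotap header, then hand the network-layer header on, and stop at frames whose payload is still encrypted), as an added example that is not code from the original answer, from Guy Harris or from Wireshark. It uses only the Python standard library. The sample capture is constructed in memory with placeholder MAC and IP addresses and is not a real trace; the block type, link-type and byte-order magic values are the ones from the pcap-ng and tcpdump.org specifications. It goes a little beyond the text by also handling the four-address (WDS) and QoS Data header variants; PRISM, AVS and PPI headers, the HT Control field, 802.11 fragmentation and IPv6 are left out.

```python
import struct
import sys

# Link-layer header type values from the tcpdump.org registry.
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105
LINKTYPE_IEEE802_11_RADIOTAP = 127

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
ETHERTYPE_IPV4 = 0x0800
SNAP_PREFIX = b"\xaa\xaa\x03\x00\x00\x00"             # LLC/SNAP: DSAP, SSAP, ctrl, OUI 00:00:00


def _blocks(data):
    """Yield (endian, block_type, body) for each pcapng block; byte order comes from the SHB."""
    endian, off = "<", 0
    while off + 8 <= len(data):
        btype = struct.unpack_from("<I", data, off)[0]       # SHB magic reads the same either way
        if btype == SHB:
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or off + total > len(data):
            raise ValueError("truncated or corrupt block")
        yield endian, btype, data[off + 8:off + total - 4]  # body excludes the trailing length
        off += total


def packets(data):
    """Yield (linktype, packet_bytes) for every Enhanced Packet Block; options are ignored."""
    linktypes = []
    for endian, btype, body in _blocks(data):
        if btype == SHB:
            linktypes = []                                   # interface IDs restart per section
        elif btype == IDB:
            linktypes.append(struct.unpack_from(endian + "H", body, 0)[0])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from(endian + "IIIII", body, 0)
            yield linktypes[iface], body[20:20 + caplen]


def network_layer(linktype, pkt):
    """Return (ethertype, network-layer bytes), or a string saying why there is none."""
    if linktype == LINKTYPE_ETHERNET:                        # managed-mode capture: fake Ethernet header
        return struct.unpack_from("!H", pkt, 12)[0], pkt[14:]
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]      # radiotap it_len is always little-endian
    elif linktype != LINKTYPE_IEEE802_11:
        return f"unsupported linktype {linktype}"
    fc = struct.unpack_from("<H", pkt, 0)[0]                 # 802.11 Frame Control, little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    if ftype != 2 or subtype & 0x4:                          # only data frames (not Null variants) carry payload
        return "not a data frame"
    hdr = 24                                                 # FC, duration, addr1-3, sequence control
    if flags & 0x03 == 0x03: hdr += 6                        # ToDS+FromDS (WDS): fourth address present
    if subtype & 0x8: hdr += 2                               # QoS Data: QoS Control (HT Control assumed absent)
    if flags & 0x40:
        return "protected frame: decrypt first"              # WEP/TKIP/CCMP: body is ciphertext
    if len(pkt) < hdr + 8 or pkt[hdr:hdr + 6] != SNAP_PREFIX:
        return "no LLC/SNAP header"
    return struct.unpack_from("!H", pkt, hdr + 6)[0], pkt[hdr + 8:]


def summarize(data):
    """Classify every packet; IPv4 packets are reported with their destination address."""
    out = []
    for linktype, pkt in packets(data):
        r = network_layer(linktype, pkt)
        if isinstance(r, tuple):
            r = "ipv4 -> " + ".".join(map(str, r[1][16:20])) if r[0] == ETHERTYPE_IPV4 else f"ethertype {r[0]:#06x}"
        out.append(r)
    return out


# --- Constructed sample capture (not a real trace): two interfaces, four packets ---
def _block(btype, body):
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _epb(iface, pkt):
    return _block(EPB, struct.pack("<IIIII", iface, 0, 0, len(pkt), len(pkt)) + pkt)

def _dot11(fc0, fc1, qos=False):
    """802.11 MAC header with placeholder addresses 02.., 04.., 06.. and an optional QoS Control field."""
    return bytes([fc0, fc1, 0, 0]) + b"\x02" * 6 + b"\x04" * 6 + b"\x06" * 6 + b"\x00\x00" + (b"\x00\x00" if qos else b"")

_IPV4 = bytes.fromhex("4500001400010000400600000a0000010a000002")   # 10.0.0.1 -> 10.0.0.2, checksum left zero
_SNAP_IPV4 = SNAP_PREFIX + b"\x08\x00"
_RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"                     # version 0, it_len 8, no present bits
SAMPLE_PCAPNG = (
    _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    + _block(IDB, struct.pack("<HHI", LINKTYPE_IEEE802_11_RADIOTAP, 0, 65535))  # iface 0: monitor mode
    + _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))             # iface 1: managed mode
    + _epb(0, _RADIOTAP + _dot11(0x08, 0x01) + _SNAP_IPV4 + _IPV4)              # plain data frame, ToDS
    + _epb(0, _RADIOTAP + _dot11(0x88, 0x41, qos=True) + bytes(16))             # QoS data, Protected bit set
    + _epb(1, b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + _IPV4)                  # Ethernet-framed IPv4
    + _epb(0, _RADIOTAP + _dot11(0x80, 0x00) + bytes(12))                       # beacon (management frame)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAPNG
    for line in summarize(data):
        print(line)
```

Run it with a file argument to walk a real pcap-ng capture; without one it processes the constructed sample and reports the IPv4 destination for the plain 802.11 frame and the Ethernet frame, while the encrypted QoS frame stops at the Protected bit and the beacon is rejected as a non-data frame. That Protected branch is the practical answer to the intrusion-detection half of the question: on a WEP or WPA/WPA2 network a monitor-mode capture gives you MAC-layer metadata only, and anything that needs the payload has to run after decryption (in Wireshark, by supplying the network's keys).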