I need to capture wireless traffic in monitor mode, so I use Microsoft Network Monitor 3.4. To me, it seems to be the only solution on Windows 7 without extra hardware like AirPcap. (REMARK: Wireshark does not support monitor mode on Windows platforms.)
The cap file generated by Network Monitor can be opened by Wireshark and displayed correctly. However, I found that both the "save as" and "Export Specified Packets ..." functions (from the "File" menu) are disabled.
How can I make such functions work?
asked 07 Jan '13, 21:42
I just verified your setup and it does in fact not allow saving or exporting specified packets. From looking at the packets I guess that the reason is the pseudo header ("NetMon 802.11 capture header") inserted by NetMon for each packet, which it only does for WiFi captures.
Going one step further I checked what formats Wireshark should be able to write, and found that there is only NetMon 1.x and NetMon 2.x (I did that by running tshark.exe and editcap.exe with the "-F" parameter and nothing else).
My suspicion is that Wireshark can't write the NetMon 3.x format, which is probably required to write this "NetMon 802.11 capture header".
answered 08 Jan '13, 04:52