I need to capture wireless traffic in monitor mode, so I use Microsoft Network Monitor 3.4. To me, it seems to be the only solution on Windows 7 without extra hardware like AirPcap. (REMARK: Wireshark does not support monitor mode on Windows platforms.)
The cap file generated by Network Monitor can be opened by Wireshark and displayed correctly. However, I found that both the "save as" and "Export Specified Packets ..." functions (from the "File" menu) are disabled.
How can I make such functions work?
asked 07 Jan '13, 21:42
I just verified your setup and it does in fact not allow saving or exporting specified packets. From looking at the packets I guess that the reason is the pseudo header ("NetMon 802.11 capture header") inserted by NetMon for each packet, which it only does for WiFi captures.
Going one step further I checked what formats Wireshark should be able to write, and found that there is only NetMon 1.x and NetMon 2.x (I did that by running tshark.exe and editcap.exe with the "-F" parameter and nothing else).
My suspicion is that Wireshark can't write the NetMon 3.x format, which is probably required to write this "NetMon 802.11 capture header".
answered 08 Jan '13, 04:52
I have written a utility that:
1. uses tshark to export each frame in hex
2. uses tshark to export each frame's timestamp into a text file
3. uses text2pcap and editcap to import the hexdump into a nano pcap file format
4. parses the timestamp file and updates the nano pcap file with the original timestamp
This utility was written in Python, and built into a Windows exe.
Drop a comment here to let me know if you wish to have a copy.
answered 16 Mar, 13:34
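An added example of step 4 from the answer above (this is not the answer author's utility): it rewrites the per-record timestamps of a nanosecond-resolution pcap from a list of epoch strings. It assumes one timestamp line per frame in capture order, written as seconds with a fractional part; `restamp_pcap`, `parse_epoch` and `build_sample` are hypothetical names and the sample capture is constructed.

```python
import struct
from decimal import Decimal

NANO_MAGIC = 0xA1B23C4D  # pcap magic number for nanosecond timestamps

def parse_epoch(line):
    """Split an epoch string like '1357594920.123456789' into (sec, nsec)."""
    value = Decimal(line.strip())
    sec = int(value)
    return sec, int((value - sec) * 1_000_000_000)

def restamp_pcap(pcap_bytes, epoch_lines):
    """Return a copy of a nanosecond pcap with every record timestamp replaced."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # accept either byte order
        if struct.unpack_from(endian + "I", pcap_bytes, 0)[0] == NANO_MAGIC:
            break
    else:
        raise ValueError("not a nanosecond pcap file")
    stamps = [parse_epoch(l) for l in epoch_lines if l.strip()]
    out = bytearray(pcap_bytes)
    offset, index = 24, 0  # records start after the 24-byte global header
    while offset < len(out):
        if offset + 16 > len(out):
            raise ValueError("truncated record header")
        if index >= len(stamps):
            raise ValueError("more frames than timestamps")
        # Record header: ts_sec, ts_nsec, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack_from(endian + "I", out, offset + 8)[0]
        if offset + 16 + incl_len > len(out):
            raise ValueError("truncated frame data")
        struct.pack_into(endian + "II", out, offset, *stamps[index])
        offset += 16 + incl_len
        index += 1
    if index != len(stamps):
        raise ValueError("more timestamps than frames")
    return bytes(out)

def build_sample():
    """Constructed two-frame capture with zeroed timestamps (link type 105, 802.11)."""
    header = struct.pack("<IHHiIII", NANO_MAGIC, 2, 4, 0, 0, 65535, 105)
    frames = [b"\x80\x00" + bytes(22), b"\xd4\x00" + bytes(8)]
    return header + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    fixed = restamp_pcap(build_sample(),
                         ["1357594920.123456789", "1357594921.000000500"])
    print(struct.unpack_from("<II", fixed, 24))
```

A mismatch between the number of frames and the number of timestamps raises an error instead of silently shifting timestamps onto the wrong frames.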