This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to decode 802.11 frames to 802.3 frame

Hi,

As you may already know, when we capture wireless frames over a WiFi interface, you can choose Monitor mode so all the radio information can be shown. If you don't choose Monitor mode, a pseudo Ethernet header will be used so that you can see all the higher level protocols, like TCP, ICMP, etc.

My question is, how to convert the frames captured under monitor mode to their corresponding 'Ethernet' form?

asked 27 Mar '17, 02:33

SteveZhou

You can still see the information from layer 3 and above if the frames are decrypted even with the radiotap (or other) and 802.11 headers present from monitor mode.

The presence/absence of higher level protocol decoding is not linked to pseudo header vs 802.11 header.

(27 Mar '17, 03:38) Bob Jones

But I cannot see any higher level protocol; it was only shown as Data under the IEEE 802.11 header. Do I need to decode that manually?

(29 Mar '17, 20:51) SteveZhou

I can only imagine two cases without looking at any tangible evidence, such as an actual trace:

A. The 802.11 type 'data' frames are encrypted. Are the frames 'protected' - i.e. have the p-bit set in the 802.11 header for these data frames?

.1.. .... = Protected flag: Data is protected

B. The Wireshark installation is broken such that decoding no longer works.

For case A, decrypt first. If this still does not work, try changing the ignore protection bit options under protocols->IEEE 802.11. For case B, I have never seen this happen, but try a different machine and/or reinstall.

I never need to manually decode typical network traffic, i.e. ARP, basic UDP and TCP data flows, etc., that comes from wireless monitor mode.

(30 Mar '17, 03:35) Bob Jones
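The conversion asked about above, for a single unprotected data frame, as an added example that is not part of the original thread and is not Wireshark code. It assumes a radiotap header, RFC 1042 LLC/SNAP encapsulation, no trailing FCS unless `has_fcs` is set, and no A-MSDU aggregation; the function names and the sample frame are constructed for illustration.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # RFC 1042 LLC/SNAP prefix before the EtherType

def dot11_to_ethernet(pkt: bytes, has_fcs: bool = False) -> bytes:
    """Convert one radiotap + 802.11 data frame to an Ethernet II frame."""
    rt_len = struct.unpack_from("<H", pkt, 2)[0]   # radiotap length, little-endian
    frame = pkt[rt_len:-4] if has_fcs else pkt[rt_len:]
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x4:                # management/control or null data
        raise ValueError("not a data frame carrying a payload")
    if flags & 0x40:                               # ".1.. ...." Protected flag
        raise ValueError("protected frame: decrypt before converting")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr = 24
    if to_ds and from_ds:                          # WDS: addr4 holds the source
        dst, src, hdr = a3, frame[24:30], 30
    elif to_ds:                                    # station -> AP
        dst, src = a3, a2
    elif from_ds:                                  # AP -> station
        dst, src = a1, a3
    else:                                          # IBSS / direct link
        dst, src = a1, a2
    if subtype & 0x8:                              # QoS data: 2-byte QoS control
        qos = frame[hdr:hdr + 2]
        if len(qos) < 2 or qos[0] & 0x80:
            raise ValueError("truncated or A-MSDU frame, not handled here")
        hdr += 2 + (4 if flags & 0x80 else 0)      # +HT control when Order is set
    body = frame[hdr:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        raise ValueError("no RFC 1042 LLC/SNAP header")
    return dst + src + body[6:]                    # EtherType + payload follow SNAP

def sample(flags: int) -> bytes:
    """Constructed sample (not from a real capture): empty radiotap + data frame."""
    radiotap = bytes.fromhex("0000080000000000")
    addrs = bytes.fromhex("020000000001" "020000000002" "020000000003")
    hdr = bytes([0x08, flags, 0, 0]) + addrs + b"\x10\x00"
    return radiotap + hdr + LLC_SNAP + b"\x08\x00" + b"IPv4-bytes"

if __name__ == "__main__":
    print(dot11_to_ethernet(sample(0x01)).hex())   # ToDS frame, unprotected
```

A frame with the Protected flag set raises instead of producing an Ethernet frame, which corresponds to case A above: the body is ciphertext until it is decrypted.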