Also, I don't know how fast Wireshark can make changes about this monitor support, but I came up with another workaround for now. It is letting Npcap provide some kind of control panel for users. There's a switch in this panel that controls the Wi-Fi adapter's monitor mode. So I guess under this condition Wireshark does not need to know anything about the monitor mode? This is kind of like AirPcap; I saw it also provides such a panel and supports Wireshark. Is this viable?

Cheers,
Yang

On Thursday, December 31, 2015, Guy Harris <[email protected]> wrote:

>
> On Dec 29, 2015, at 11:29 PM, Yang Luo <[email protected]> wrote:
>
> > 2) pcap_cant_set_rfmon function in wpcap\libpcap\pcap.c:
> > https://github.com/nmap/npcap/blob/master/wpcap/libpcap/pcap.c
> > Line 98
> >
> > /*
> >  * For systems where rfmon mode is never supported.
> >  */
> > static int
> > pcap_cant_set_rfmon(pcap_t *p _U_)
> > {
> >         return (1);
> >         // return (0);
> > }
>
> That's a temporary hack, I hope.
>
> What you *should* do is have a pcap_can_set_rfmon_win32() function in
> pcap-win32.c, and, at the end of pcap_create_interface() in pcap-win32.c, do
>
>         p->can_set_rfmon_op = pcap_can_set_rfmon_win32;
>
> right after setting p->activate_op.
>
> > I changed this function to always return 1, which means "supported".
> > I know here I should check whether the adapter supports the monitor mode,
> > but I found no way to check. All I can do is to get/set the current mode
> > using the OID way above.
>
> That might be the only way - you might have to open the device, try to get
> the OID in question, and, if that succeeds, assume you can set the mode,
> otherwise assume you can't. (I think that whether getting and setting that
> OID works, or not, is ultimately up to the driver, and a driver that lets
> you get the mode but doesn't let you set it to monitor mode would mess
> things up - you'd be able to request monitor mode, but attempting to do so
> would fail - in which case the only way to handle that would be to try to
> set monitor mode. Doing that, however, would, if it succeeds, disconnect
> you from the wireless network, so we really don't want to do that.)
>
> > After all these changes, there's no change in Wireshark, I didn't find a
> > place to switch on/off the monitor mode like Microsoft Network Monitor. So
> > I doubt whether Wireshark supports the monitor mode of Wlan in Windows?
>
> Currently, dumpcap only uses the
> pcap_create()/pcap_activate()/pcap_can_set_rfmon() APIs if, when it was
> compiled, it was built against a version of libpcap/WinPcap that doesn't
> have pcap_open().
>
> WinPcap has pcap_open(), so that means dumpcap *doesn't* use those APIs,
> which means that Wireshark on Windows won't use them and won't support
> monitor mode.
>
> This means that dumpcap needs to be changed to use those APIs on local
> adapters if they're available, regardless of whether pcap_open() is
> available, and to use pcap_open() *only* for remote adapters.
>
> *If* we're willing to require that the Windows version of Wireshark use
> only WinPcap 4.1 and later, or NPcap, that's a straightforward source code
> change. This would mean people who had some reason to, for example, use
> WinPcap 3.x - for example, to capture on PPP devices (dial-up, mobile phone
> USB adapter, VPN, etc.) on Windows 2000 or the 32-bit versions of Windows
> XP and Windows Server 2003 - would be unable to do so.
>
> Given that 1.10 was the last release to support Windows XP packages, and
> 1.12 was the last release to support Windows Server 2003 packages:
>
>         https://wiki.wireshark.org/Development/LifeCycle
>
> I wouldn't *personally* have a problem with Wireshark 2.2 and later not
> supporting WinPcap earlier than 4.1.
>
> If we still want to allow people to use 2.2 and later with WinPcap 3.x,
> dumpcap would have to be able to choose whether to use pcap_create() *et
> al* at run time. That's probably doable, but I'd really rather not have to
> do that.
>
> Note also that this all means that, until Wireshark 2.2, the only way to
> use Windows Native WLAN to capture in monitor mode would be to run a
> development build. Unless we backport changes to 2.0 - and 1.12 if people
> want it - you're not going to be able to just drop in NPcap and capture in
> monitor mode.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
