因為工作的緣故,需要去監聽無線網路的封包,特別是IEEE802.11的管理控制訊框(frame ... 其實我還是比較喜歡直接叫作封包)。同事直接打開 wireshark 卻擷取 wifi 介面,卻發現聽到了一堆 ethernet 的訊框而聽不到 wifi 的訊框。為什麼呢?來看看 wireshark 的官網 怎麼說: If you're trying to capture network traffic that's not being sent to or from the machine running Wireshark or TShark, i.e. traffic between two or more other machines on an Ethernet segment , or are interested in 802.11 management or control packets , or are interested in radio-layer information about packets , you will probably have to capture in " monitor mode ". This is discussed below. Without any interaction, capturing on WLAN's may capture only user data packets with "fake" Ethernet headers . In this case, you won't see any 802.11 management or control packets at all, and the 802.11 packet headers are "translated" by the network driver to "fake" Ethernet packet headers. 答案揭曉,原來這是因為 wifi driver 會自動把 wireless frame 轉成 ethernet frame 後再給 kernel,這樣 kernel 裏面的 proto
留言
張貼留言