Using "fake ethernet headers" in monitor mode


When not using monitor mode, you are shown “fake ethernet headers” instead of 802.11 headers. I want to see the fake ethernet headers in monitor mode, but I don’t know how. I only know how to enable monitor mode. Help please.


Whether monitor mode is supported, whether you can get fake Ethernet headers in monitor mode, and whether you can get anything other than fake Ethernet headers when not in monitor mode is determined by the Wi-Fi adapter, its driver on whatever operating system you’re using, and the capture mechanism being used (in the case of Wireshark, as with tcpdump, it’s whatever mechanism libpcap/WinPcap uses).

The only operating systems on which the driver might allow fake Ethernet headers in monitor mode are the *BSDs. On Windows, WinPcap currently doesn’t support monitor mode, and the Windows “Native Wi-Fi” mechanism, which it might use at some point, only supports 802.11 headers with radio information in monitor mode; on Linux, all the drivers I know of support only 802.11 headers, possibly with radio information, in monitor mode; and on OS X, the way that monitor mode is enabled is by requesting 802.11 or 802.11+radio information headers via BPF (which is what newer versions of libpcap do), so there is no way to even ask for monitor mode with fake Ethernet headers.

So you could try using a machine running FreeBSD, NetBSD, OpenBSD, or DragonFly BSD, and requesting monitor mode and Ethernet headers when capturing; there’s no guarantee that this will work, however.

Note that, in monitor mode, the adapter will normally capture not only data frames, but also management frames and possibly control frames. With fake Ethernet headers, the management and control frames will have to be discarded, as there’s no way to represent them in a frame with fake Ethernet headers.
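The note above about discarded frames, shown as an added example that is not part of the original answer or of any driver's code: a sketch of the 802.11-to-Ethernet translation for one frame. It assumes the frame has no radiotap header and no trailing FCS, is unencrypted, and uses RFC 1042 LLC/SNAP encapsulation; `to_fake_ethernet` and the sample frames are hypothetical names and constructed data.

```python
LLC_SNAP = bytes.fromhex("aaaa03000000")  # RFC 1042 LLC/SNAP prefix (assumed encapsulation)

def to_fake_ethernet(frame: bytes):
    """Return an Ethernet II frame for an 802.11 data frame, or None if it must be dropped."""
    if len(frame) < 24:               # shorter than a data header (e.g. ACK, RTS, CTS)
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:                    # 0 = management, 1 = control: no Ethernet equivalent
        return None
    if subtype & 0x4:                 # Null / QoS Null subtypes carry no payload
        return None
    if fc1 & 0x40:                    # Protected bit: body is ciphertext, not LLC/SNAP
        return None
    to_ds, from_ds = bool(fc1 & 0x1), bool(fc1 & 0x2)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    a4, hdr_len = None, 24
    if to_ds and from_ds:             # 4-address frame: addr4 follows sequence control
        if len(frame) < 30:
            return None
        a4, hdr_len = frame[24:30], 30
    if subtype & 0x8:                 # QoS data: 2-byte QoS control field
        hdr_len += 2
        if fc1 & 0x80:                # Order bit on a QoS frame: 4-byte HT control
            hdr_len += 4
    dst = a3 if to_ds else a1         # destination address depends on the DS bits
    src = a4 if (to_ds and from_ds) else (a3 if from_ds else a2)
    body = frame[hdr_len:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return None
    return dst + src + body[6:]       # body[6:8] is the EtherType, then the payload

# Constructed sample frames (not taken from a real capture).
AP, STA, HOST = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
QOS_DATA_TO_DS = (bytes([0x88, 0x01]) + b"\x00\x00" + AP + STA + HOST + b"\x10\x00"
                  + b"\x00\x00" + LLC_SNAP + b"\x08\x00" + b"IP-PAYLOAD")
BEACON = (bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"
          + b"\x00" * 12)

if __name__ == "__main__":
    for name, f in (("QoS data", QOS_DATA_TO_DS), ("beacon", BEACON)):
        eth = to_fake_ethernet(f)
        print(name, "->", eth.hex() if eth else "dropped (no Ethernet representation)")
```

The QoS data frame becomes a 14-byte Ethernet header plus payload, while the beacon returns `None`: Ethernet II has only destination, source and EtherType fields, so there is nowhere to carry a management or control frame.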