libpcap implements this underneath the standard libpcap API for monitor mode. The AirPort code appears to keep a count of the number of BPF devices that have requested it, with the adapter being in monitor mode if and only if the count is non-zero. On macOS, at the user-kernel boundary, the way you put an interface into monitor mode is to set the link-layer header type for the BPF device used for the interface to be one that provides 802.11 headers.
(WinPcap doesn't handle monitor mode at all, so it's libpcap/Npcap). The way monitor mode is implemented is platform-dependent, so how well libpcap/Npcap handles putting into monitor mode an interface that's already in monitor mode is platform-dependent.
Remaining question to investigate: how well does Wireshark (or more specifically libpcap/wpcap) handle an interface that has already been put into monitor mode by e.g.
call pcap_list_datalinks() to get the list of data link layers supported, and fail if that fails. get the default data link type by calling pcap_datalink(). call pcap_activate() and fail if that fails. if the device supports monitor mode, and get_if_capabilities() was told to determine the capabilities when in monitor mode, turn on monitor mode. check whether the device is a Linux bonding device, which will never be the case on Windows, and if it's not, will call pcap_can_set_rfmon() to determine whether the device supports monitor mode, and fail if that call reports an error (rather than "yes" or "no"). call pcap_create() to try to open the device, and fail if the device can't be opened. In the 2.6 Windows version of Wireshark, that, and routines it calls, will: The routine get_if_capabilities() in caputils/capture-pcap-util.c is the routine that actually gets the interface's capabilities. (that's macOS, running on the Wi-Fi interface on my MacBook Pro it supports monitor mode, and can return any of the header types in question). $ dumpcap -i en0 -L -list-time-stamp-types -I -Mġ27 IEEE802_11_RADIO 802.11 plus radiotap headerġ63 IEEE802_11_RADIO_AVS 802.11 plus AVS radio information header
0 kommentar(er)
