Wifi – n ethernet header in IEEE 802.11

networking wifi

I have been capturing some packets over Wi-Fi using Wireshark for analysis. I captured IEEE 802.11 frames on an interface in monitor mode. If I capture an IEEE packet on an open network without encryption, then I cannot see any Ethernet headers. However, if I capture the same packets on a usual interface (not in monitor mode), then I can see Ethernet headers. I was not able to decrypt WPA packets captured in monitor mode for more analysis. So is there actually an Ethernet layer when an IEEE packet is transmitted? Or is it added to it by the driver before delivering to applications listening on the upper layers?

Here is a packet missing the Ethernet layer.

This is how the packet looks when captured on a usual interface (not in monitor mode).

Best Answer

So is there actually an ethernet layer when an IEEE packet is transmitted?

Short answer: no

Longer answer: IEEE 802.11 traffic is not IEEE 802.3 Ethernet traffic. They are both L2 (and L1) protocols in the OSI model, but they are not the same.

While they have many similarities, there are also major differences. For one, 802.11 has up to four address fields that may or may not be used for different purposes depending on the type of frame, while 802.3 has two.

In your example, the "IEEE 802.11" section should contain all your L2 information. So it isn't missing.

Or is it added to it by the driver before delivering to applications listening on the upper layers?

Quite the opposite. Lower layer headers are stripped before delivering to applications on upper layers.

The example you provide seems entirely normal to me. I would be more curious about 802.11 traffic that contains an 802.3 header as this could indicate something else going on.


Side note: the ability to decrypt 802.11 has no bearing on being able to view the headers. 802.11 encryption is only on the data payload, so the headers remain viewable. In fact, when troubleshooting wireless with packet captures, it is seldom necessary to decrypt 802.11 (if you are checking higher level protocols and need the data encrypted, it is typically easier to capture on the wired side of the AP).
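
The header layout the answer describes, as an added example that is not part of the original answer: a parser for an 802.11 data frame that picks source and destination out of the up-to-four address fields by the ToDS/FromDS bits, reads the LLC/SNAP EtherType when the body is not encrypted, and builds the Ethernet II form that an adapter outside monitor mode typically presents to capture tools. Assumptions: the bytes start at the 802.11 header (no radiotap header, no FCS, Order bit clear), and the function names, MAC addresses and sample frame are constructed for illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_dot11_data(frame):
    """Parse an 802.11 data frame header (assumed: no radiotap, no FCS)."""
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    off = 24                  # frame control, duration, 3 addresses, seq ctl
    a4 = None
    if to_ds and from_ds:     # fourth address only when both DS bits are set
        a4 = frame[off:off + 6]
        off += 6
    if subtype & 0x8:         # QoS data subtypes carry a 2-byte QoS Control
        off += 2
    # The role of each address field depends on the ToDS/FromDS bits.
    roles = {(False, False): (a1, a2), (True, False): (a3, a2),
             (False, True): (a1, a3), (True, True): (a3, a4)}
    dst, src = roles[(to_ds, from_ds)]
    hdr = {"to_ds": to_ds, "from_ds": from_ds, "dst": mac(dst), "src": mac(src),
           "protected": bool(flags & 0x40), "ethertype": None, "payload": b""}
    if hdr["protected"]:      # body is encrypted; the header above is not
        return hdr
    # An unencrypted body starts with LLC/SNAP, not with an Ethernet header.
    if frame[off:off + 6] == b"\xaa\xaa\x03\x00\x00\x00":
        hdr["ethertype"] = struct.unpack("!H", frame[off + 6:off + 8])[0]
        hdr["payload"] = frame[off + 8:]
    return hdr

def to_ethernet(hdr):
    """Ethernet II frame synthesized from the parsed 802.11 fields."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (raw(hdr["dst"]) + raw(hdr["src"])
            + struct.pack("!H", hdr["ethertype"]) + hdr["payload"])

# Constructed sample: station -> AP (ToDS=1), plain data carrying IPv4 (0x0800).
STA, AP, GW = (bytes.fromhex(m) for m in
               ("020000000001", "020000000002", "020000000003"))
SAMPLE = (b"\x08\x01" + b"\x00\x00" + AP + STA + GW + b"\x10\x00"
          + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"IPv4-bytes")

if __name__ == "__main__":
    h = parse_dot11_data(SAMPLE)
    print(h)
    print(to_ethernet(h).hex())
```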
