I'm trying to write code that can capture raw native 802.11 packets to essentially write a packet sniffer. I'm using Vista with an 802.11 device which uses an NDIS 6.0 native 802.11 driver.

Perhaps I am going about this the wrong way (and please let me know if there are better alternatives!). I'm trying to do this all through the Windows SDK or Windows DDK for Vista and higher.

Doing some googling and reading the documentation, it seems like the best way to do this is to run a monitoring lightweight filter using the Windows DDK. I modified the ndislwf sample to be a monitoring filter driver and attach to "wlan" media types. I seem to be able to put the device into monitor mode and extensible station mode via OID_DOT11_CURRENT_OPERATION_MODE. I can also confirm that ndislwf is attaching successfully to the NdisMediumNative802_11 type.

The problem is that my calls to set OID_GEN_CURRENT_PACKET_FILTER with { NDIS_PACKET_TYPE_PROMISCUOUS | NDIS_PACKET_TYPE_802_11_RAW_DATA | NDIS_PACKET_TYPE_802_11_PROMISCUOUS_MGMT | NDIS_PACKET_TYPE_802_11_RAW_MGMT | NDIS_PACKET_TYPE_802_11_PROMISCUOUS_CTRL } (as described here: http://msdn.microsoft.com/en-us/library/bb648512.aspx) seem to never take effect, even though they return successfully from NdisFOidRequest. According to the documentation, the DOT11_EXTSTA_RECV_CONTEXT associated with the NET_BUFFER_LIST passed to FilterReceiveNetBufferLists should indicate DOT11_RECV_FLAG_RAW_PACKET, but this flag is never set.

Am I doing something wrong here? How can I capture the raw packets?