Subject: Re: 802.11 wireless and tcpdump
To: None <netbsd-users@netbsd.org>
From: Florian Stoehr <netbsd@wolfnode.de>
List: netbsd-users
Date: 03/10/2005 14:45:52

On Thu, 10 Mar 2005, Greg Troxel wrote:

> 802.11 drivers, and in particular ath(4) support different DLTs.
> tcpdump can list the available ones (-L) and choose one of them (-D in
> 1.6 and I think 2.0, -y in current).
>
> The default DLT for ath(4) is EN10MB, and 802.11 data packets are
> mapped to Ethernet format and then tapped.  This mapping happens
> anyway since the packets are then passed to ether_input.
>
> With '-y IEEE802_11', you get the 802.11 packets.  Further, you can
> put the card in monitor mode, which causes some packets that are
> normally processed in hardware to be handed to the host for
> inspection, but also prevents normal use.
>
> -- 
>        Greg Troxel <gdt@ir.bbn.com>
>

Hm,

I don't know whether this is what you want to achieve, but perhaps
it can give a hint. It is how to sniff encrypted traffic and
analyze with aircrack (guess not exactly what you want), but
maybe the tcpdump line is of interest (I might be wrong):

"
NetBSD WEP Cracking Howto

ifconfig wi0 chan 6 (or whatever channel you want to monitor)
ifconfig wi0 ssid mywifinetworkname
ifconfig wi0 mediaopt monitor
tcpdump -s 0 -i wi0 -en -y IEEE802_11 -w myfile.pcap

perhaps comment out @ aircrack.c:

/* if( ( h80211[1] & 0x40 ) != 0x40 ) continue; */

Then use aircrack.
"

Btw, this text is not from me.
-Florian
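
An added example, not part of the original message or of tcpdump/aircrack: a short Python check that reads a capture's pcap header to show which DLT it was written with (EN10MB versus IEEE802_11, as discussed above) and, for raw 802.11 captures, counts data frames with the Protected Frame flag (the 0x40 bit of the second frame-control byte) set. The function names and the sample frames are constructed for illustration.

```python
import struct

# Link-layer header types as stored in the pcap file header.
DLT_NAMES = {1: "EN10MB", 105: "IEEE802_11", 127: "IEEE802_11_RADIO"}

def build_pcap(linktype, frames):
    """Build a little-endian classic pcap from raw frames (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def summarize(data):
    """Return the capture's DLT and, for raw 802.11, data/protected frame counts."""
    if len(data) < 24:
        raise ValueError("too short for a pcap file header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    result = {"dlt": DLT_NAMES.get(linktype, str(linktype)),
              "records": 0, "data": 0, "protected": 0}
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record
        off += 16 + incl_len
        result["records"] += 1
        if linktype != 105 or len(frame) < 2:
            continue  # frame control sits at offset 0 only for DLT IEEE802_11
        if (frame[0] >> 2) & 0x3 == 2:   # type field == data
            result["data"] += 1
            if frame[1] & 0x40:          # Protected Frame flag
                result["protected"] += 1
    return result

# Constructed frames: beacon, protected data, unprotected data (24-byte headers).
SAMPLE = [bytes([0x80, 0x00]) + bytes(22),
          bytes([0x08, 0x41]) + bytes(22),
          bytes([0x08, 0x01]) + bytes(22)]

if __name__ == "__main__":
    print(summarize(build_pcap(105, SAMPLE)))
    print(summarize(build_pcap(1, [bytes(60)])))
```

A capture taken with the default DLT reports EN10MB and carries no 802.11 header to inspect, which is why the counts stay at zero for it.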