I'm trying to find information on the radiotap header for mac os x Lion. I'm attempting to capture wireless packets but the mac addresses i get out of 802.11 frames don't match what wireshark is outputting. There are pieces of the mac address that look close to what wireshark is reporting. I posted a question previously from which i learned about the presence of the radio tap header does anyone know where I can find details of what it looks like on mac os x. I have looked at some of the libpcap/tcpdump source but I'm kind of lost as to how to accurately account for the radiotap header when I am processing packets. Any advice is much appreciated.
See the radiotap.org site for information on the radiotap header. If you just want to skip over the radiotap header to get to the 802.11 header, fetch the little-endian it_len field from the radiotap header; it indicates how big the radiotap header is.
Note, however, that if the 802.11 frames were captured from an Atheros network device, there might be some padding between the 802.11 header and the payload; see the "frame has padding between 802.11 header and payload (to 32-bit boundary)" flag in the flags field. That, unfortunately, will require you to parse the radiotap header.