This is one of those quick posts aiming to save me and (maybe you) some time the next time I forget this.
On my Mac, I use Wireshark primarily to capture Wi-Fi traffic, in monitor mode. I want to see the Radiotap and 802.11 headers. Usually I leave Wireshark set this way.
On occasion, I actually use Wireshark to inspect higher level traffic – I want to see the IP addresses and TCP/UDP ports etc. I might be troubleshooting an issue and am using my Mac as the client trying to recreate the issue – so I don’t need monitor mode for that. Simple enough – turn it off in the interface settings (Find this button on the Main toolbar 
to access the menu, then scroll to the right to find the Monitor mode drop down and make sure your Wi-Fi interface has this disabled):
Then just set the Link-layer header back to Ethernet, just like your other interfaces:
Except “Ethernet” isn’t an option. I could’ve sworn that’s what it is set to by default after install…
I can’t believe this still trips me up every few months. I spent half an hour the other day scratching my head, when the trick is simply to restart Wireshark. Close it entirely, reopen it and voila:
Ethernet is back! Also, the 802.11 options have disappeared because we’re no longer in monitor mode. Now I can see Ethernet, IP, and TCP/UDP headers again:
In comparison to capturing 802.11 frames in monitor mode:
I keep forgetting the need to restart Wireshark for the Link-layer options to change #facepalm.
Note: you also need to restart Wireshark after enabling monitor mode before the 802.11 options will show up in the Link-layer header drop down option.
Or maybe it’s just me. I’m confident that I’ll still forget all about this post next time I try to show a University Computer Engineering class how many packets it takes to load the Facebook home page.
It was 781 (including DNS lookups and a couple of retransmitted frames), in case you’re wondering…
mroutedotca.wordpress.com 