There are tons of “HowTos” out there how to capture wireless traffic. I plan to collect some of these methods and write a little how to on my own.
This post focuses on general considerations for wireless capturing, independend of the used tool. The different methods to actually caputure 802.11 frames will be covered in later posts.
First of all. WLAN capturing is not as easy (at least – not yet) as capturing traffic in a wired Ethernet network. First of all, if you capture natively with Windows and WinPcap / Wireshark you will see a normal Ethernet header – not an 802.11 frame. There are ways to capture 802.11 with Windows, but we come to that later.
In general there are always the following guidelines when capturing wireless traffic:
Set the channel
It is very important to set the correct channel before starting the capture. Otherwise your wireless adapter will eventually scan through all the available channels and this needs time. So if you don’t set the channel you will either lose packets or you won’t capture anything at all because you are statically on the wrong channel.
Set your card to monitor / promiscuous mode
Per default your network card only processes frames, which are intended for the current station. So without monitor mode you’ll see
- Frame from and to your actual workstation
- Broad- and Multicast frames
For a lot of use cases this is enough – but in most cases you want to see frames from and to other stations. Therefore, you must set your adapter in monitor mode.
Wireless networks are typically encrypted with AES. So in a wireless capture you can only decode the layer-2 information in clear text. Everything below the frame (layer-3 to 7) is encrypted. So you won’t even see the IP addresses.
However, in most cases this is enough. Everything below layer-2 is not relevant for analyzing wireless networks. Typically you need management and control frames to understand how a SSID works and troubleshoot most of client connectivity issues.
Sometimes layer-3 information would be helpful for better packet filtering based on IP addresses or for QoS related analysis (ToS / DSCP value).
In general, Wireshark is able to decode encrypted wireless frames for WPA2 PERSONAL (pre-shared key). But the initial 4-way handshake between AP and the client in question must be in the capture file as well.
Wireless is chatty. The management and control frames can be overwhelming if looking for a tiny piece of information.
So know how you can filter effectively in two ways:
- Capture filter that only relevant frames are contained in your capture
- Display filter to find the information you’re searching for.
There will be a separate post on filtering.
Have fun with this upcoming series.