So one generic method to capture wireless frames is using Linux. There are multiple distributions, which are specialized on this (an example is Kali Linux).

However, standard Linux distributions may be used as well. This how to is created considering Ubuntu 16.04 LTS on a laptop with an integrated “Intel(R) Dual Band Wireless-AC 7260” adapter.

Unnecessary to mention, that your wireless connection is not availabe during capture. Also I’m not responsible if you break your Linux system!

Of course there are some helping tools like “airmon-ng” or “airodump”, which assists our traffic sniffing goal, but I try to focus on the built-in Linux fuctionality.


First of all we should check if our wireless adapter supports the monitoring mode. If the adapter does not support this, only frames from and to the WLAN station can be captures along with broad- and Multicast frames.

So what’s the name of our wireless adapter in Linux:

Will give you the output (example):

So for the “iw” tool the device is named “phy0“. The interface name is “wlp2so

To check if the adapter supports monitor mode, issue the command:

Will give you the output (example) along with tons of other interesting stats about your adapter. But in line 20 (section “supported interface modes”) we can see that the “monitor” mode is supported.

Disturbing Linux services

When using a standard Linux client distribution, there may be services, which are disruptive for wireless capturing. Examples are “avahi-daemon”, “NetworkManager”, “wpa_supplicant” or “dhclient”. If your capture stops at some point without a reason, try to temporarily disable those services.
Example: sudo service NetworkManager stop

Create monitoring interface

Now we can create a new monitoring network interface. As the name already states, that interface is in monitoring / promisuous mode. The second command removes the main WLAN interface.

Set capture parameters

As written in my previous post, the capture channel must be set.
Either set the freqency using:

or the channel number using:

If you add the parameter HT40+, you capture 40MHz wide channels:

Verify your configuration:

Example output:

Capture using tcpdump to capture file

If you like to use tcpdump for capturing, issue the following command:

Alternatively, you can capture using Wireshark

Radiotap header

One nice side effect is, that a radiotap header is added to the capture frame. This information is NOT inside a WLAN frame. It is added by the capturing device to each frame to get some RF information (RSSI, channel, data rate etc.)radiotap_header

This is a WireShark screenshot of the radiotap header. In tcpdump the output looks like:

tcpdump capture filters

You’ll see very soon, that you are overwhelmed with frames. So it’s probably a good idea to appy a capture filter.

Here are some examples:
(usage sudo tcpdump -i mon0 -w capture.cap <FILTER>)

  • Capture only beacon frames:  subtype beacon
  • Capture only probe requests or responses:   subtype probereq or subtype proberesp
  • Only from an to a wireless host: wlan ra <CLIENT-MAC> or wlan ta <CLIENT-MAC>
  • Filter of packet types:
    • Management frames: type mgt
    • Control frames: type ctl
    • Data frames: type data

Note: You won’t see any control frames (RTS,CTS etc.) when using the “wlan ra” or “ta” filters. I’ll explain those filters in detail in another post.

1 Comment

Cisco WLC: EDCA timers - NetGab - The daily networking madness · 05/12/2017 at 16:45

[…] Unfortunately the actual values cannot be determined in the WLC GUI or CLI. Furthermore, the names of the EDCA profiles don’t reflect whether the IEEE 802.11 parameters are used. The good thing is, that the values can be captured in beacon frames. If you don’t know how to capture wirless frames, please check these posts: WLAN traffic capture [1] and WLAN traffic capture [2] […]

Leave a Reply