In general there are always the following guidelines when capturing wireless traffic:<\/p>\n
For a lot of use cases this is enough – but in most cases you want to see frames from and to other stations. Therefore, you must set your adapter in monitor mode.<\/p>\n However, in most cases this is enough. Everything below layer-2 is not relevant for analyzing wireless networks. Typically you need management and control frames to understand how a SSID works and troubleshoot most of client connectivity issues.<\/p>\n Sometimes layer-3 information would be helpful for better packet filtering based on IP addresses or for QoS related analysis (ToS \/ DSCP value).<\/p>\n In general, Wireshark is able to decode encrypted wireless frames for WPA2 PERSONAL (pre-shared key). But the initial 4-way handshake between AP and the client in question must be in the capture file as well.<\/p>\n <\/p>\n Wireless is chatty. The management and control frames can be overwhelming if looking for a tiny piece of information. There will be a separate post on filtering.<\/p>\n <\/p>\n Have fun with this upcoming series.<\/strong><\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" There are tons of “HowTos” out there how to capture wireless traffic. I plan to collect some of these methods and write a little how to on my own. This post focuses on general considerations for wireless capturing, independend of the used tool. The different methods to actually caputure 802.11 […]<\/p>\n","protected":false},"author":1,"featured_media":57,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[10,11,9],"class_list":["post-56","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-capture","tag-sniffing","tag-wlan"],"yoast_head":"\n![\"Multiple](\"http:\/\/netgab.net\/web\/wp-content\/uploads\/2016\/12\/APs_color.png\")
Set the channel
\n<\/strong>It is very important to set the correct channel before starting the capture. Otherwise your wireless adapter will eventually scan through all the available channels and this needs time. So if you don’t set the channel you will either lose packets or you won’t capture anything at all because you are statically on the wrong channel.<\/p>\n![\"Wireless](\"http:\/\/netgab.net\/web\/wp-content\/uploads\/2016\/12\/network-37139_640-300x219.png\")
Set your card to monitor \/ promiscuous mode
\n<\/span><\/strong>Per default your network card only processes frames, which are intended for the current station. So without monitor mode you’ll see<\/p>\n\n
![\"Lock\"](\"http:\/\/netgab.net\/web\/wp-content\/uploads\/2016\/12\/kgpg.png\")
Encryption
\n<\/span><\/strong>Wireless networks are typically encrypted with AES. So in a wireless capture you can only decode the layer-2 information in clear text. Everything below the frame (layer-3 to 7) is encrypted. So you won’t even see the IP addresses.<\/p>\n![\"Image](\"http:\/\/netgab.net\/web\/wp-content\/uploads\/2016\/12\/filter.png\")
Filtering<\/strong><\/p>\n
\nSo know how you can filter effectively in two ways:<\/p>\n\n