Cisco Meraki Documentation

Capturing Wireless Traffic from a Client Machine

Wireless packet captures are incredibly useful while troubleshooting specific events on a WLAN. The most common use is to see all communication (data, management and control frames) between a station (STA) and an access point (AP).

Without dedicated capture hardware, you need either a Mac or a PC running Linux, with a wireless adapter that supports monitor mode.

If you don't have a MacBook or Linux machine available, but you do have additional Meraki APs in the network, use that method to collect wireless captures instead.

Viewing wireless traffic is a two step process:

  1. Put the wireless adapter in monitor/promiscuous mode
  2. View the traffic using Wireshark in Monitor Mode 

NOTE:

  • When capturing traffic in the 5 GHz band, always configure the AP to use a 20 MHz channel width; on wider bonded channels the capturing adapter can miss frames.
  • When capturing wireless traffic on an SSID with encryption enabled, such as WPA2-PSK, start the monitor mode capture before associating the client to the SSID. Wireshark can only decrypt that client's traffic if the capture contains its four-way handshake (the EAPOL key frames exchanged at association), so a capture started after the client has joined cannot be decrypted.
  • When possible, create an open test SSID to simplify analysis of the capture.


Monitoring on macOS

Monitoring on Macs running Sierra and High Sierra (10.12.x and 10.13.x)

Make sure you are not connected to any networks (including wired).

 


 

Hold the Option key and click the Wi-Fi icon in the menu bar at the upper right. Holding Option reveals hidden menu items that are not shown on a normal click.

 


 

Choose "Open Wireless Diagnostics…"

Once it opens, go to the "Window" menu at the top of the screen and choose "Sniffer".

 


 

Pick the channel and channel width to capture on. The screenshots below show a capture on 5 GHz, channel 56, with a channel width of 80 MHz.

 


 


 

Note: It is recommended to capture at 20 MHz (with the AP also set to 20 MHz) so that all traffic from the AP is captured and no frames are dropped because of channel bonding.

Once you have set your channel and width, click "Start". Note the directory the capture will be written to (/var/tmp).

Stop the capture once you have captured the event.

To navigate to the folder, switch to Finder, open the "Go" menu at the top, and choose "Go to Folder…"

 


 

Fill in the folder /var/tmp and click “Go”

 


 

In that folder you'll find your monitor mode capture.

 


Monitoring on Macs running Yosemite (10.10.x)

Open the Wireless Diagnostics program from spotlight (Command + Spacebar):


When at the Introduction page, press Command + 6 to open the Sniffer:

Note: On 10.9 Mavericks, use Command + 2, then go to the Frame Capture tab.


Pick the channel and channel width, and press Start. The channel must match the one currently in use by the client and AP that are to be monitored.

Ensure your AP is using a 20 MHz channel width and select 20 MHz width in the Sniffer menu as well. Capturing on a wider channel can result in incomplete data.

During the capture you’ll see the eye icon over the wireless monitor indicating that the interface is in Monitor Mode:


This capture can be viewed live from Wireshark running in Monitor Mode (instructions are at the bottom of the article). The collected traffic is also saved automatically to a temporary .wcap file on the desktop. To open this capture in Wireshark, simply change the suffix from .wcap to .pcap and open the file from Wireshark.

 

To end the capture, simply click the Stop button.

Monitoring on Linux

Monitoring on Kali Linux

Find out which wireless interfaces are available by running the `iwconfig` command in a terminal:


To set an interface (usually wlan0) to Monitor Mode, run `airmon-ng start wlan0`. If monitoring another interface, replace 'wlan0' with the desired interface name. When running this command, a message may appear listing processes that "could cause trouble" (typically NetworkManager, wpa_supplicant or dhclient, which will try to re-associate the card and change its channel while you capture):


If airmon-ng reports interfering processes, kill them by PID with `kill [PID]` (or let airmon-ng do it with `airmon-ng check kill`):


Now that those processes have been killed, start over. Remove the monitor interface with `airmon-ng stop mon0`... (recent aircrack-ng releases name the monitor interface wlan0mon rather than mon0; use whatever name airmon-ng printed):


… and recreate it now that there aren’t any interfering processes.  This is done by running `airmon-ng start wlan0` again:


Notice above that when running `airmon-ng start wlan0` this time, it didn't say that there were any conflicting processes.

 

Finally, specify the channel to monitor on by using `airodump-ng mon0 --channel [CHANNEL]`. In the example below, channel 1 is being monitored:



This capture can be viewed live from Wireshark running in Monitor Mode.
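The following script is an added example and is not Meraki tooling or part of the original article. It performs the same steps as the macOS Wireless Diagnostics sniffer and the Kali airmon-ng/airodump-ng procedure above from the command line: disassociate, tune the adapter to the capture channel at 20 MHz, record raw 802.11 frames with tcpdump, and confirm afterwards that the association exchange was captured. The interface names (wlan0, en0), channel 56 and the output path are assumptions; the channel-to-frequency mapping is the standard one (2407 + 5*ch for 2.4 GHz, 5000 + 5*ch for 5 GHz).

```shell
#!/bin/sh
# Added example, not Meraki tooling: command-line version of the monitor-mode
# capture procedure. Interface names, channel and output path are assumptions.

AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

# Centre frequency (MHz) of an 802.11 channel, as "iw ... set freq" expects it.
# 2.4 GHz: channels 1-13 are 2407 + 5*ch, channel 14 is 2484.
# 5 GHz: channels 36-177 are 5000 + 5*ch. Anything else is rejected.
channel_to_mhz() {
    ch=$1
    if [ "$ch" -eq 14 ]; then
        echo 2484
    elif [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then
        echo $((2407 + 5 * ch))
    elif [ "$ch" -ge 36 ] && [ "$ch" -le 177 ]; then
        echo $((5000 + 5 * ch))
    else
        echo "unsupported channel: $ch" >&2
        return 1
    fi
}

# Linux: the iw/ip calls that airmon-ng wraps. Telling NetworkManager to leave
# the card alone is the equivalent of killing the "processes that could cause
# trouble"; otherwise they re-associate the card and pull it off the channel.
linux_monitor() {              # linux_monitor wlan0 56
    dev=$1; ch=$2
    freq=$(channel_to_mhz "$ch") || return 1
    nmcli device set "$dev" managed no 2>/dev/null || true
    ip link set "$dev" down
    iw dev "$dev" set type monitor
    ip link set "$dev" up
    iw dev "$dev" set freq "$freq" HT20   # 20 MHz wide, as the article recommends
}

# macOS: what the Wireless Diagnostics sniffer does. Disassociate first
# (airport refuses to change channel while associated), then tune. The
# airport utility was removed in macOS 14.4; there, use the GUI sniffer.
macos_monitor() {              # macos_monitor en0 56
    sudo "$AIRPORT" "$1" -z
    sudo "$AIRPORT" "$1" --channel="$2"
}

# Record raw 802.11 frames with radiotap headers. On macOS, -I is what puts
# the NIC into monitor mode; on Linux, linux_monitor already did that.
capture() {                    # capture en0 /var/tmp/sta.pcap
    dev=$1; out=$2
    case "$(uname -s)" in
        Darwin) sudo tcpdump -I -i "$dev" -y IEEE802_11_RADIO -w "$out" ;;
        *)      sudo tcpdump    -i "$dev" -y IEEE802_11_RADIO -w "$out" ;;
    esac
}

# Post-capture check: a useful STA trace contains the association exchange.
# A count of 0 means the client joined before the capture started, or the
# capture was on the wrong channel.
assoc_frames() {               # assoc_frames /var/tmp/sta.pcap
    tcpdump -nn -r "$1" \
        'wlan type mgt subtype assoc-req or wlan type mgt subtype assoc-resp' \
        2>/dev/null | wc -l | tr -d ' '
}

# Usage: ./wifi-capture.sh <interface> <channel> <outfile>
if [ $# -eq 3 ]; then
    case "$(uname -s)" in
        Darwin) macos_monitor "$1" "$2" ;;
        *)      linux_monitor "$1" "$2" ;;
    esac
    capture "$1" "$3"
fi
```

Run it as root before the client associates, stop tcpdump with Ctrl-C once the event of interest has occurred, and then check the file with `assoc_frames`. To return the Linux adapter to normal use, run `iw dev wlan0 set type managed` and `nmcli device set wlan0 managed yes`.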

Using Wireshark in Monitor Mode

Once a wireless card is in monitor/promiscuous mode, the data can be viewed live using Wireshark in Monitor Mode.

Note: The following screenshots were taken using an old (pre v2.0) version of Wireshark. To enable Monitor Mode in newer versions, please reference the Wireshark Wiki for details.

In the example below, interface en0 (Mac) or mon0 (Linux) was selected and specified to use monitor mode.


Once this mode is selected and the capture is started in Wireshark, the 802.11 frames will start to fill the screen. This will be the majority of the traffic, and since there aren't any coloring rules for 802.11 traffic by default, they should be white:


NOTE: For more information about decrypting 802.11 traffic in Wireshark, refer to the Wireshark wiki page "HowToDecrypt802.11" (https://wiki.wireshark.org/HowToDecrypt802.11).
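The script below is an added example and is not part of the Meraki article or the Wireshark project. It ties together the decryption note here and the earlier note about starting the capture before the client associates: it lists the EAPOL handshake messages found in a capture with tshark, refuses to proceed unless all four messages of the WPA2 four-way handshake are present, and then decrypts the capture with the same "wpa-pwd" key entry that the Wireshark GUI takes under IEEE 802.11 > Decryption keys. The capture path, the SSID and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not Meraki or Wireshark code: handshake check and WPA2-PSK
# decryption of a monitor-mode capture with tshark. Paths, SSID and
# passphrase are assumptions.

# tshark preference that loads a WPA passphrase into the 802.11 key table.
# Format is the wpa-pwd key type with "passphrase:SSID"; the SSID is part of
# the PSK derivation, so it is required even for a passphrase you know.
wpa_key_pref() {               # wpa_key_pref passphrase ssid
    printf 'uat:80211_keys:"wpa-pwd","%s:%s"' "$1" "$2"
}

# Given the EAPOL message numbers seen in a capture (one per line), return 0
# only if every message 1..4 of the four-way handshake is present. A capture
# started after the client joined has none of them and cannot be decrypted;
# one that lost a frame to channel bonding may have only some of them.
handshake_complete() {
    seen=$(printf '%s\n' "$1" | sort -un | tr '\n' ' ')
    for n in 1 2 3 4; do
        case " $seen " in
            *" $n "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Extract the EAPOL-Key message numbers from a pcap (needs tshark on PATH).
eapol_msgnrs() {               # eapol_msgnrs /var/tmp/sta.pcap
    tshark -r "$1" -Y eapol -T fields -e wlan_rsna_eapol.keydes.msgnr
}

# Decrypt the data frames and print the IP conversations they carried.
decrypt_capture() {            # decrypt_capture /var/tmp/sta.pcap passphrase ssid
    msgs=$(eapol_msgnrs "$1")
    if ! handshake_complete "$msgs"; then
        echo "no complete 4-way handshake in $1: restart the capture, then associate the client" >&2
        return 1
    fi
    tshark -r "$1" -o wlan.enable_decryption:TRUE \
        -o "$(wpa_key_pref "$2" "$3")" \
        -Y ip -T fields -e ip.src -e ip.dst -e _ws.col.Protocol
}

# Usage: ./decrypt-capture.sh <pcap> <passphrase> <ssid>
if [ $# -eq 3 ]; then
    decrypt_capture "$1" "$2" "$3"
fi
```

If `handshake_complete` fails, no amount of key configuration in Wireshark will help; the fix is the one in the note at the top of the article: start the capture first, then associate the client. The wpa-pwd entry is also the one to paste into Wireshark's Decryption keys table when inspecting the same file in the GUI.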