
Capturing Wireless Traffic from a Client Machine

Wireless packet captures are incredibly useful while troubleshooting specific events on a WLAN. The most common use is to see all communication (data, management and control frames) between a station (STA) and an access point (AP).

This is straightforward with a dedicated AirPcap adapter; however, these are expensive and may not be at hand when a connectivity issue is being investigated.

Without that dedicated hardware, a Mac or a PC running Linux is needed, with a wireless adapter whose driver supports monitor mode (not every adapter does).

Viewing wireless traffic is a two-step process:

  1. Put the wireless adapter in monitor mode (often loosely called promiscuous mode; strictly, monitor mode captures raw 802.11 frames on a channel without being associated to any network, whereas promiscuous mode only makes an already associated interface accept frames addressed to other stations)
  2. View the traffic using Wireshark in Monitor Mode

Monitoring on Macs running Yosemite (10.10.x)

Open the Wireless Diagnostics program from Spotlight (Command + Spacebar).

At the Introduction page, press Command + 6 to open the Sniffer.

Note: On 10.9 Mavericks, use Command + 2, then go to the Frame Capture tab.

Pick the Channel and channel Width, and press Start. These must match the channel and width currently in use by the client/AP being monitored: an adapter in monitor mode only hears frames on the channel it is tuned to, and a 20 MHz capture of a 40/80 MHz link will miss the wider data frames.

During the capture, an eye icon appears over the Wi-Fi icon in the menu bar, indicating that the interface is in Monitor Mode. Note that the Mac drops its own wireless association while sniffing, so it cannot be used to reproduce the connectivity problem at the same time; when the client under test is the Mac itself, capture from a second machine.

This capture can be viewed live from Wireshark running in Monitor Mode (instructions are at the bottom of the article). Traffic collected is also saved automatically to a temporary .wcap file on the desktop. To open this capture in Wireshark, simply change the suffix from .wcap to .pcap and open it from Wireshark.

To end the capture, simply click the Stop button.
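A check worth running on the renamed file before spending time in Wireshark, added here as an example and not part of the original article or of Apple's tooling: it reads the pcap global header and reports the link-layer type, so you can confirm that the file really holds 802.11 frames (link type 105 or 127) rather than Ethernet frames (link type 1), which is what a capture taken from a normally associated interface contains. The helper names (pcap_linktype, describe_linktype, make_sample_pcap) and the constructed sample header are this example's own, and it assumes a POSIX shell with od and mktemp. It does not handle pcapng files; use capinfos for those.

```shell
#!/bin/sh
# Added example (not from the Meraki article or Apple): verify that a capture
# file is classic pcap and report its link-layer type. Assumes od and mktemp.

# Print the link-layer type from the 24-byte pcap global header. The magic
# number (bytes 0-3) gives the byte order; the link type is the 32-bit integer
# at offset 20. Returns 1 for anything that is not a classic pcap file.
pcap_linktype() {
    file="$1"
    magic=$(od -An -tx1 -N 4 "$file" | tr -d ' \t\n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) little_endian=1 ;;   # little-endian host, usec or nsec timestamps
        a1b2c3d4|a1b23c4d) little_endian=0 ;;   # big-endian host
        0a0d0d0a) echo "pcapng file, use capinfos instead" >&2; return 1 ;;
        *) echo "not a pcap file (magic ${magic:-empty})" >&2; return 1 ;;
    esac
    raw=$(od -An -tx1 -j 20 -N 4 "$file" | tr -d ' \t\n')
    if [ "$little_endian" = 1 ]; then
        # swap the four bytes so the hex string reads most-significant first
        raw=$(printf '%s' "$raw" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
    fi
    echo $((0x$raw))
}

# The link types a wireless capture should have; anything else means the
# frames did not come from a monitor-mode interface.
describe_linktype() {
    case "$1" in
        1)   echo "Ethernet: captured in normal mode, not monitor mode" ;;
        105) echo "IEEE 802.11 frames without radio header" ;;
        127) echo "IEEE 802.11 frames with radiotap header" ;;
        *)   echo "link type $1 (see tcpdump's pcap-linktype list)" ;;
    esac
}

# Write a constructed 24-byte pcap header (little-endian, version 2.4,
# snaplen 65535, link type given as a decimal < 256, default 127) to a temp
# file and print its path, so the check can be exercised without a capture.
make_sample_pcap() {
    lt="${1:-127}"
    tmp=$(mktemp)
    {
        printf '\324\303\262\241'                      # magic 0xa1b2c3d4, little-endian
        printf '\002\000\004\000'                      # version 2.4
        printf '\000\000\000\000\000\000\000\000'      # thiszone, sigfigs
        printf '\377\377\000\000'                      # snaplen 65535
        printf "\\$(printf '%03o' "$lt")\\000\\000\\000"  # link type, little-endian
    } > "$tmp"
    echo "$tmp"
}

# Usage: sh pcapcheck.sh ~/Desktop/capture.pcap
if [ -n "$1" ]; then
    lt=$(pcap_linktype "$1") && printf '%s: %s\n' "$1" "$(describe_linktype "$lt")"
fi
```

A link type of 1 on a file that was supposed to be a wireless capture is the quickest sign that the interface was not actually in monitor mode when the capture ran.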

Monitoring on Kali Linux

Find out which wireless interfaces are available by running `iwconfig` in a terminal; wireless interfaces show "IEEE 802.11" in their description, while wired ones report "no wireless extensions":

To set an interface to Monitor Mode (usually wlan0), run `airmon-ng start wlan0`. If monitoring another interface, replace 'wlan0' with the desired interface name. This creates a separate monitor interface: older versions of airmon-ng (as in the screenshots) name it mon0, newer versions name it wlan0mon, so use whichever name the command reports. When running this command, a message may appear listing processes that "could cause trouble" (typically NetworkManager, wpa_supplicant and dhclient):

If/when airmon-ng indicates that there are interfering processes, find the processes and kill them by typing `kill [PID]`, or run `airmon-ng check kill` to kill all of them at once. Either way the adapter's current wireless connection is torn down, so expect to lose Wi-Fi connectivity on this machine until those services are restarted:

Now that those processes have been killed, start the process over. Remove the mon0 interface using `airmon-ng stop mon0`...:

... and recreate it now that there aren't any interfering processes. This is done by running `airmon-ng start wlan0` again:

Notice above that when running `airmon-ng start wlan0` this time, it didn't say that there were any conflicting processes.

Finally, lock the monitor interface to the channel to be captured. airodump-ng hops across channels unless told otherwise, so specify it explicitly: `airodump-ng --channel [CHANNEL] mon0`. In the example below, channel 1 is being monitored. airodump-ng on its own only displays a summary; add `-w [prefix]` if it should also write the frames to a capture file. Alternatively, set the channel with `iwconfig mon0 channel [CHANNEL]` and let Wireshark capture on mon0 directly:
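The Kali steps above as one script, added here as an example rather than code from the article or from the aircrack-ng project. It assumes root on Kali with aircrack-ng and iw installed, takes the interface, channel and output prefix as arguments (the defaults wlan0, 1 and wlancap are assumptions), and reads the monitor interface name back from `iw dev` so it works whether airmon-ng names it mon0 or wlan0mon. The two parsing helpers and the sample airmon-ng and iw dev outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Meraki article or the aircrack-ng suite:
# scripts the Kali procedure. Assumes root on Kali with aircrack-ng and iw;
# the interface, channel and output prefix below are assumed defaults.
IFACE="${1:-wlan0}"
CHANNEL="${2:-1}"
OUTPREFIX="${3:-wlancap}"

# Print the PIDs from the "Found N processes that could cause trouble" table
# that airmon-ng prints (read from stdin). Table rows look like
# "  519 NetworkManager"; header and prose lines do not start with a number.
interfering_pids() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $1 }'
}

# Print every interface that `iw dev` (read from stdin) reports as type
# monitor, so the script never has to guess between mon0 and wlan0mon.
monitor_ifaces() {
    awk '$1 == "Interface" { name = $2 } $1 == "type" && $2 == "monitor" { print name }'
}

# Constructed sample outputs (not captured from a real system) so the helpers
# can be exercised without an adapter.
SAMPLE_CHECK='Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run airmon-ng check kill

  PID Name
  519 NetworkManager
  597 wpa_supplicant
  704 dhclient'

SAMPLE_IW_DEV='phy#0
    Interface wlan0mon
        ifindex 4
        wdev 0x2
        addr 00:11:22:33:44:55
        type monitor
        channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
    Interface wlan0
        ifindex 3
        wdev 0x1
        addr 00:11:22:33:44:55
        type managed'

capture() {
    # Step 1: kill the processes airmon-ng complains about. This drops the
    # adapter's current association (NetworkManager / wpa_supplicant), so the
    # machine loses Wi-Fi until those services are started again afterwards.
    airmon-ng check | interfering_pids | while read -r pid; do
        kill "$pid"
    done

    # Step 2: enable monitor mode and read back the interface that was created.
    airmon-ng start "$IFACE" >/dev/null
    mon=$(iw dev | monitor_ifaces | head -n 1)
    if [ -z "$mon" ]; then
        echo "airmon-ng did not create a monitor interface for $IFACE" >&2
        return 1
    fi

    # Step 3: lock airodump-ng to one channel (it hops by default) and write a
    # pcap file Wireshark opens directly; without --write nothing is saved.
    # Stop with Ctrl-C.
    airodump-ng --channel "$CHANNEL" --write "$OUTPREFIX" --output-format pcap "$mon"

    # Step 4: tear the monitor interface down again.
    airmon-ng stop "$mon"
}

# Only run the live capture when explicitly asked:
#   RUN_CAPTURE=1 sh capture.sh wlan0 6 office
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    capture
fi
```

The pcap written by airodump-ng (prefix-01.cap) contains the same 802.11 frames Wireshark would show live on the monitor interface; keeping the channel locked is what makes the capture a complete view of one STA/AP conversation rather than a sample from every channel.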

This capture can be viewed live from Wireshark running in Monitor Mode.

Using Wireshark in Monitor Mode

Once a wireless card is in monitor mode, the data can be viewed live using Wireshark in Monitor Mode.

Note: The following screenshots were taken using an old (pre v2.0) version of Wireshark. In newer versions, open Capture > Options and tick the Monitor Mode checkbox for the interface; please reference the Wireshark Wiki for details.

In the example below, interface en0 (Mac) or mon0 (Linux) was selected with monitor mode enabled. On Linux the mon0 interface created by airmon-ng is already a monitor interface, so the checkbox is not required there.

Once this mode is selected and the capture is started in Wireshark, 802.11 frames will start to fill the screen. They make up the majority of the traffic, and since there are no coloring rules for 802.11 traffic by default, they appear white (uncolored):

For more information on decrypting 802.11 traffic, please refer to this link.

Last modified
15:10, 21 Dec 2015


Article ID

ID: 1576
