Monitor Mode In Wireshark: Switching Simplified

How to switch to monitor mode in Wireshark

Capturing raw 802.11 traffic in Wireshark requires switching the wireless adapter to monitor mode. This mode is needed when you want to capture traffic that is not being sent to or from the machine running Wireshark, or when you are interested in radio-layer information about packets such as signal strength and data rates. However, changing the 802.11 capture mode depends heavily on the platform, network adapter, driver and libpcap version, and may not be possible on some operating systems, Windows in particular. To enable monitor mode, first confirm that the WiFi card supports it, install the correct capture library, and then use a tool to switch the adapter into that mode.

Characteristic      Value
Operating system    Windows, Linux, macOS, BSD, iOS
WLAN adapter        Must support monitor mode
libpcap             Must be version 1.0 or later
Wireshark           Must be version 1.4 or later
Npcap               Must be installed and enabled during Wireshark installation
WlanHelper          Must be enabled

shundigital

Windows 11 monitor mode

Monitor mode in Wireshark allows you to capture network traffic that is not being sent to or from the machine running Wireshark. This includes traffic between other machines on the network, as well as 802.11 management or control packets, and radio-layer information about packets such as signal strength and data rates.

To enable monitor mode in Wireshark on Windows 11, you need to ensure that your hardware, firmware, and driver support this mode. You can check if your wireless adapter supports monitor mode by using the command "netsh wlan show wirelesscapabilities" in the Windows Command Prompt. If your adapter does not support monitor mode, you may need to purchase an external wireless adapter that is compatible.

Once you have confirmed that your hardware supports monitor mode, you can enable it by using the WlanHelper tool that comes with Npcap. Npcap is a capture library for Windows that enables raw 802.11 packet capture support (monitor mode) and is required for monitor mode to function in Wireshark.

After installing Npcap with the "Support raw 802.11 traffic (and monitor mode) for wireless adapters" option selected, you can launch Wireshark and go to the Capture Options. In the Capture Options window, you should see a "Monitor mode" checkbox. If the checkbox is not grayed out, you can enable monitor mode by checking the box. If the checkbox is grayed out, it indicates that your adapter does not support monitor mode, or there may be an issue with the adapter's driver or libpcap.

It is important to note that even with Npcap, monitor mode on Windows is considered a poor solution for WiFi capture because of several limitations: the channel cannot be changed, only frames sent at low modulation rates are captured, and the radiotap header carries little useful metadata.

If you encounter issues with monitor mode in Windows 11, it is recommended to use a different operating system with supported hardware, such as Linux or macOS, which have better support for monitor mode and WiFi capture.


WLAN capture setup

This guide will take you through the process of setting up a WLAN (IEEE 802.11) capture using Wireshark. Please note that the specific steps may vary depending on your operating system and hardware setup.

Step 1: Install Wireshark

If you haven't already, download and install Wireshark from the official website (https://www.wireshark.org/download.html). Wireshark is free and open-source software that allows you to capture and analyse network traffic.

Step 2: Select the Correct Interface

In Wireshark, click on the "Capture" menu and select "Options". Here, you will need to choose the appropriate interface for capturing packets. If you are using a wireless network adapter, select that interface.

Step 3: Configure Wireless Settings

To ensure you are capturing the correct packets, you need to configure the wireless settings in Wireshark. Go to the "Capture" menu, choose "Options", and then click on "Wireless Settings". Here, you can specify the RF channel, SSID, and other wireless parameters to match your network configuration.

Step 4: Start the Packet Capture

With your interface and wireless settings configured, you are now ready to start capturing packets. Go to the "Capture" menu and choose "Start". Wireshark will begin capturing packets, which you can view and analyse in real-time.

Step 5: Stop the Capture and Save the File

Once you have captured enough data, stop the packet capture by going to the "Capture" menu and choosing "Stop". You can then save the captured data by going to "File" > "Save" and naming your file. It is recommended to use the pcap or pcapng file formats for compatibility with other tools.

Step 6: Analyse the Captured Packets

Wireshark provides a variety of tools to help you analyse the captured packets. You can filter the packets based on various criteria, such as source and destination addresses, protocols, or specific data fields. You can also view detailed information about each packet, including hex and ASCII representations of the data.

Tips and Troubleshooting:

  • Promiscuous Mode: Some 802.11 cards do not support promiscuous mode, which can cause issues with packet capturing in Wireshark. Try turning promiscuous mode off if you are not seeing any packets.
  • AirPcap: If you are having trouble with your existing wireless adapter, consider purchasing AirPcap, a USB-based 802.11 radio designed to work with Wireshark. It includes drivers optimised for Wireshark and an external antenna for improved performance.
  • Channel Selection: Ensure that you are monitoring the correct RF channel for the wireless network you are interested in. You can change the channel in the "Wireless Settings" menu.
  • Packet Filtering: To reduce clutter and focus on specific aspects of the network traffic, you can set capture filters in Wireshark. For example, you can filter by IP address to only view packets associated with a particular device.
  • Buffer Size: The default buffer size in Wireshark is 1 Mbyte, but you can adjust this in the "Capture Options" menu if needed.

By following these steps, you should be able to successfully set up a WLAN capture using Wireshark. Remember that the specific steps may vary depending on your operating system and hardware, so refer to Wireshark's documentation and online resources for more detailed instructions specific to your setup.


Using Mac OS X in monitor mode

How you enable monitor mode on Mac OS X depends on the version of the operating system. Monitor mode is supported on Mac OS X 10.4.x (Tiger) and later, but only when you run Wireless Diagnostics. On Mac OS X 10.5.x (Leopard) and later, you can select a "Link-layer header type" other than "Ethernet" from the Capture -> Options dialog box in Wireshark.

On Mac OS X 10.6.x (Snow Leopard) and later versions, to capture in monitor mode on an AirPort Extreme device, check the "Monitor mode" checkbox in the "Capture Options" or "Edit Interface Settings" dialog.

Some newer machines, running macOS Mojave or later, do not support remaining associated with a Wi-Fi network while running in monitor mode. If you try to capture in monitor mode without disassociating from your Wi-Fi network first, the adapter won't go into monitor mode, and no traffic will be captured.

To summarise, to use monitor mode on Mac OS X:

  • Use an older version of Mac OS X, preferably Mac OS X 10.4.x (Tiger) or later.
  • Run Wireless Diagnostics by Option+clicking on the Wi-Fi icon in the menu bar and selecting "Wireless Diagnostics".
  • In the Wireless Diagnostics window, select "Sniffer" from the "Window" menu.
  • Select a channel and channel width, then click "Start".
  • If using Mac OS X 10.5.x (Leopard) or later, select a "Link-layer header type" other than "Ethernet" in the Capture -> Options dialog box in Wireshark.
  • If using Mac OS X 10.6.x (Snow Leopard) or later, check the "Monitor mode" checkbox in the "Capture Options" or "Edit Interface Settings" dialog.
  • If using macOS Mojave or later, disassociate from your Wi-Fi network before capturing in monitor mode to ensure the adapter goes into monitor mode.


Npcap library

Npcap is a packet capture library for Windows that provides the core packet capture capabilities for Wireshark. It is included in the official Wireshark installer for Windows, which can be downloaded from the Wireshark website. However, if you prefer, you can download and install Npcap manually from its website.

Npcap has added several new features to Wireshark, including loopback capture and raw 802.11 packet capture support (in "monitor mode"). When installed on Windows 7 or later, Npcap allows users to select wireless adapters in Wireshark to capture raw 802.11 traffic. In "monitor mode", users can see raw 802.11 packets (data, management, and control) with Radiotap headers. Without "monitor mode", only 802.11 data packets can be seen.
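The difference between what monitor mode and managed mode hand to Wireshark is easiest to see by decoding a capture record by hand. The Python below is an added example, not code from this article or from the Npcap or Wireshark projects: it parses the radiotap header (honouring each field's alignment rule and the FCS-present flag), decodes the 802.11 frame behind it, and pulls the SSID out of a beacon. Both records are constructed for the example and use locally administered addresses; in managed mode a driver would deliver only the data frame, as an Ethernet-style frame with no radiotap header and no management or control frames around it.

```python
import struct
import zlib

# Radiotap "present" bit -> (name, alignment, struct format). Alignment is
# relative to the start of the radiotap header, so a present field that is
# not in this table makes every field after it unlocatable.
RADIOTAP_FIELDS = {
    0: ("tsft", 8, "<Q"),           # MAC timestamp (us)
    1: ("flags", 1, "<B"),          # 0x10 = FCS appended, 0x40 = FCS failed
    2: ("rate", 1, "<B"),           # units of 500 kb/s
    3: ("channel", 2, "<HH"),       # frequency (MHz), channel flags
    4: ("fhss", 2, "<BB"),
    5: ("dbm_antsignal", 1, "<b"),
    6: ("dbm_antnoise", 1, "<b"),
}
FLAG_FCS_PRESENT = 0x10
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "association request", 4: "probe request", 5: "probe response",
                 8: "beacon", 10: "disassociation", 12: "deauthentication"}


def parse_radiotap(buf):
    """Return (fields, header_length) for the radiotap header at the start of buf."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len > len(buf):
        raise ValueError("bad radiotap version or truncated header")
    offset, word = 8, present
    while word & (1 << 31):          # bit 31: another present word follows; skip it
        word = struct.unpack_from("<I", buf, offset)[0]
        offset += 4
    fields = {}
    for bit in range(29):            # bits 29-31 are namespace/extension bits
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            raise ValueError("radiotap field bit %d not understood" % bit)
        name, align, fmt = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) & ~(align - 1)
        values = struct.unpack_from(fmt, buf, offset)
        fields[name] = values if len(values) > 1 else values[0]
        offset += struct.calcsize(fmt)
    if offset > it_len:
        raise ValueError("radiotap fields overrun the declared header length")
    return fields, it_len


def find_ssid(ies):
    """Walk 802.11 information elements and return the SSID (tag 0), or None."""
    pos = 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:       # truncated element: stop rather than overrun
            return None
        if tag == 0:
            return body.decode("utf-8", "replace")
        pos += 2 + length
    return None


def parse_80211(frame):
    """Decode frame control, addresses and (for beacons) the SSID of a raw frame."""
    if len(frame) < 10:
        raise ValueError("802.11 frame too short")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    mac = lambda b: ":".join("%02x" % x for x in b)
    info = {"type": FRAME_TYPES[ftype], "subtype": subtype, "addr1": mac(frame[4:10])}
    if ftype != 1 and len(frame) >= 24:      # control frames carry fewer addresses
        info["addr2"], info["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, "management %d" % subtype)
        if subtype in (5, 8):                # probe response / beacon: 12 fixed bytes, then IEs
            info["ssid"] = find_ssid(frame[36:])
    return info


def decode_capture_record(buf):
    """Decode one monitor-mode record: radiotap header followed by an 802.11 frame."""
    radio, hlen = parse_radiotap(buf)
    frame, fcs_ok = buf[hlen:], None
    if radio.get("flags", 0) & FLAG_FCS_PRESENT:
        # The FCS is CRC-32 over the frame, transmitted least significant byte first.
        frame, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
        fcs_ok = zlib.crc32(frame) == fcs
    info = parse_80211(frame)
    info.update(radiotap=radio, fcs_ok=fcs_ok, rate_mbps=radio.get("rate", 0) / 2)
    return info


def fcs(frame):
    return struct.pack("<I", zlib.crc32(frame))


# Constructed sample records (not from a real capture); addresses are in the
# locally administered 02:00:00:00:00:xx range.
BEACON_FRAME = bytes.fromhex(
    "8000" "0000"                                  # FC: type 0 subtype 8 (beacon), duration
    "ffffffffffff" "020000000001" "020000000001"   # DA broadcast, SA, BSSID
    "1000"                                         # sequence control
    "0000000000000000" "6400" "1104"               # timestamp, interval 100 TU, capabilities
    "000474657374")                                # SSID element: tag 0, length 4, "test"
BEACON_RECORD = bytes.fromhex(
    "0000" "1700" "2f000000"     # radiotap v0, len 23, present = TSFT|flags|rate|channel|dBm
    "5634120000000000"           # TSFT
    "10" "02"                    # flags: FCS appended; rate 2 x 500 kb/s = 1 Mb/s
    "8509" "a000"                # 2437 MHz, flags 2 GHz|CCK
    "d6") + BEACON_FRAME + fcs(BEACON_FRAME)       # -42 dBm, then frame and its FCS
DATA_RECORD = bytes.fromhex(
    "0000" "0b00" "26000000"     # radiotap v0, len 11, present = flags|rate|dBm
    "00" "6c" "c4"               # no FCS appended; 108 x 500 kb/s = 54 Mb/s; -60 dBm
    "0802" "0000"                # FC: type 2 subtype 0 (data), FromDS set
    "020000000002" "020000000001" "020000000003"   # DA, BSSID, SA
    "2000" "aaaa03000000")       # sequence control, start of LLC/SNAP payload

if __name__ == "__main__":
    for record in (BEACON_RECORD, DATA_RECORD):
        print(decode_capture_record(record))
```

Running the file prints both decoded records. The decoder deliberately raises on a radiotap field it does not know rather than guessing: because every later field is located by alignment from the header start, one unknown field makes all the offsets after it meaningless, which is the same reason a capture from an unfamiliar driver can show nonsense signal or rate values in Wireshark.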

Npcap has its own license with its own restrictions. The Nmap Project has granted the Wireshark Foundation the right to include Npcap with its installers. However, if you wish to distribute your own Wireshark installer or any other package that includes Npcap, you must comply with the Npcap license and may be required to purchase a redistribution license.

The Wireshark uninstaller provides the option to remove the core components while keeping your personal settings and Npcap. If you uninstall Npcap independently of Wireshark, you won't be able to capture anything with Wireshark.



WlanHelper utility

WlanHelper is a utility that can be used to set/get the operation mode (like monitor mode) for a wireless adapter on Windows. It is included with the installation of Npcap, which is a prerequisite for capturing wireless traffic on Windows with Wireshark.

To use WlanHelper, open an elevated command prompt and navigate to the directory where WlanHelper.exe is located (usually C:\Windows\System32\Npcap\). Then run the following command to display the current operation mode of your WiFi card:

Wlanhelper "Wi-Fi 2" mode

Replace "Wi-Fi 2" with the name of your network card. The default mode is "managed", which means the card is ready for normal WiFi connectivity; to return the card to that mode later, use:

Wlanhelper "Wi-Fi 2" mode managed

To put the card into monitor mode, use the following command:

Wlanhelper "Wi-Fi 2" mode monitor

If you encounter an error, make sure to run the command prompt as an administrator.

WlanHelper can also be used to change the WiFi channel. For example, to set the channel to 11, use the following command:

Wlanhelper "Wi-Fi 2" channel 11

Note that WlanHelper follows the grammar of iwconfig, a wireless management tool for Linux. Therefore, if you rename WlanHelper.exe to iwconfig.exe, the command lines for configuring operation mode on Windows will be the same as on Linux.
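Taken together, the capability check from the Windows 11 section and the WlanHelper commands above make a short pre-flight script. The Python below is an added example, not code from this article or from Npcap: it parses the text of "netsh wlan show wirelesscapabilities" to find adapters that report monitor mode support, and builds the WlanHelper argument lists (read the mode, switch to monitor, tune to a channel) without running them unless invoked as a script. The netsh output is constructed for the example, the exact "Network monitor mode" and "Promiscuous mode" labels are an assumption about what current Windows builds print, and the WlanHelper path is the default Npcap install location given above.

```python
import re
import subprocess

WLANHELPER = r"C:\Windows\System32\Npcap\WlanHelper.exe"   # default Npcap install location

# Constructed sample of `netsh wlan show wirelesscapabilities` output (not taken
# from a real machine). The capability labels are assumed to match what current
# Windows builds print.
SAMPLE_NETSH_OUTPUT = """\
Wireless System Capabilities
----------------------------
    Number of supported interfaces: 2

Wireless Device Capabilities
----------------------------
    Interface name: Wi-Fi

    Station                        : Supported
    Soft AP                        : Not supported
    Network monitor mode           : Not supported
    Promiscuous mode               : Not supported

    Interface name: Wi-Fi 2

    Station                        : Supported
    Network monitor mode           : Supported
    Promiscuous mode               : Supported
"""

INTERFACE_LINE = re.compile(r"^\s*Interface name\s*:\s*(?P<iface>.+?)\s*$")
CAPABILITY_LINE = re.compile(
    r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>Supported|Not supported)\s*$", re.I)


def parse_wireless_capabilities(text):
    """Return {interface name: {capability label: True/False}} from netsh output."""
    caps, current = {}, None
    for line in text.splitlines():
        m = INTERFACE_LINE.match(line)
        if m:
            current = m.group("iface")
            caps[current] = {}
            continue
        m = CAPABILITY_LINE.match(line)
        if m and current is not None:
            caps[current][m.group("name")] = m.group("value").lower() == "supported"
    return caps


def monitor_capable_interfaces(text):
    """Names of adapters whose driver reports monitor mode support."""
    caps = parse_wireless_capabilities(text)
    return [iface for iface, c in caps.items() if c.get("Network monitor mode")]


def wlanhelper_args(interface, *setting):
    """Argument list for WlanHelper: `mode` alone reads the current mode,
    `mode monitor` / `mode managed` switches it, `channel 11` tunes the radio."""
    return [WLANHELPER, interface, *setting]


def monitor_mode_plan(text, channel):
    """WlanHelper invocations that put the first capable adapter in monitor mode
    on `channel`, or None when no adapter qualifies (so nothing is run blindly)."""
    capable = monitor_capable_interfaces(text)
    if not capable:
        return None
    iface = capable[0]
    return [wlanhelper_args(iface, "mode"),
            wlanhelper_args(iface, "mode", "monitor"),
            wlanhelper_args(iface, "channel", str(channel))]


if __name__ == "__main__":
    # Live use on Windows, from an elevated prompt: query netsh, then run the plan.
    output = subprocess.run(["netsh", "wlan", "show", "wirelesscapabilities"],
                            capture_output=True, text=True, check=True).stdout
    plan = monitor_mode_plan(output, channel=11)
    if plan is None:
        raise SystemExit("no adapter reports monitor mode support")
    for args in plan:
        print("running:", " ".join(args))
        subprocess.run(args, check=True)
```

The plan is returned as argument lists rather than a shell string so that an interface name containing spaces, such as "Wi-Fi 2", is passed as one argument without any quoting mistakes; on a machine where no adapter reports support the script stops before touching WlanHelper, which is the grayed-out checkbox case from the Windows 11 section.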

Frequently asked questions

You will need to check that your hardware/firmware/driver supports monitor mode. You can do this by running the command "netsh wlan show wirelesscapabilities" on the Windows command line. If your setup does support monitor mode, you can then use the wlanhelper utility to enable it.

On macOS, the command-line airport tool can switch the adapter into monitor mode and capture from the terminal. It is not on the default PATH, so first link it into /usr/local/bin with the command:

> sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport

You will need to enable your device to monitor mode via WlanHelper. Then, open Wireshark and check the box under the Monitor Mode column.

You will need to check that your setup supports monitor mode. If it does, you can then enable monitor mode in Wireshark by checking the box in the Capture Options window.
