{"id":2758,"date":"2021-10-15T10:13:28","date_gmt":"2021-10-15T10:13:28","guid":{"rendered":"https:\/\/wi-fiplanet.com\/?p=2758"},"modified":"2022-05-19T21:02:17","modified_gmt":"2022-05-19T21:02:17","slug":"how-to-sniff-wireless-packets-with-wireshark","status":"publish","type":"post","link":"https:\/\/wi-fiplanet.com\/how-to-sniff-wireless-packets-with-wireshark\/","title":{"rendered":"How to: Sniff Wireless Packets with WireShark"},"content":{"rendered":"\n
December 16, 2008<\/p>\n\n\n\n
WireShark is free software that sniffs packets on wireless networks. Learn tips on configuring and using this tool when analyzing and troubleshooting 802.11 wireless networks. <\/em><\/p>\n\n\n\n WireShark is freely-available software that interfaces with an 802.11 client card and passively captures (\u201csniffs\u201d) 802.11 packets being transmitted within a wireless LAN. You may be familiar with using Ethereal software for sniffing wireless networks. <\/p>\n\n\n\n Over a year ago, however, Ethereal’s lead developer (Gerald Combs) re-released the software as WireShark. WireShark provides the same (if not better) functionality as Ethereal. Ethereal doesn\u2019t appear to be supported anymore, so use WireShark instead.<\/p>\n\n\n\n WireShark software is easy to install. Simply go to http:\/\/www.wireshark.org\/download.html, download the software for your applicable operating system, and perform the installation.<\/p>\n\n\n\n A problem you\u2019ll likely run into is that WireShark may not display any packets after starting a capture using your existing 802.11 client card, especially if running in Windows. The issue is that many of the 802.11 cards don\u2019t support promiscuous mode. <\/p>\n\n\n\n In this case, you can try turning promiscuous mode off (from inside WireShark), but you\u2019ll only see (at best) packets being sent to and from the computer running WireShark.<\/p>\n\n\n\n If you have trouble getting WireShark working with existing client cards, then consider purchasing AirPcap, which is a USB-based 802.11 radio designed to work effectively with WireShark. It comes with drivers tuned to WireShark and operates very well. An external antenna is also included with AirPcap, which increases the listening ability of the tool.<\/p>\n\n\n\n Before capturing packets, configure WireShark to interface with an 802.11 client device; otherwise, you\u2019ll get an alert \u201cNo capture interface selected!\u201d when starting a packet capture. 
To select an interface, click the Capture menu, choose Options, and select the appropriate interface.<\/p>\n\n\n\n Be certain to monitor the correct RF channel. For example, if the wireless network is set to channel 1 for the traffic you\u2019re interested in, then configure WireShark to monitor channel 1. To do this, click the Capture menu, choose Options, and click Wireless Settings. The menu Advanced Wireless Settings will appear where you can change the channel. <\/p>\n\n\n\n Consider filtering the packet capture to reduce clutter when analyzing packet traces. For example, you may be troubleshooting a particular client device connecting to the network. In this case, you can set a filter that excludes all packets except those associated with the IP address of the client you\u2019re troubleshooting. To set a filter, click the Capture menu, choose Options, and click Capture Filter. The WireShark: Capture Filter window will appear, where you can set various filters.<\/p>\n\n\n\n To start the packet capturing process, click the Capture menu and choose Start. WireShark will continue capturing and displaying packets until the capture buffer fills up. The buffer is 1 MB by default. This size is generally good enough, but to change it, click the Capture menu, choose Options, and adjust the Buffer size value accordingly.<\/p>\n\n\n\n When you\u2019re done capturing packets, click the Capture menu and choose Stop. Alternatively, you can set the capture run length (in packets or minutes), and the capture will automatically stop when that length has been met. You\u2019ll be prompted to save the capture for later viewing.<\/p>\n\n\n\n The packet capture will display the details of each packet as it was transmitted over the wireless LAN. Figure 1 is a screenshot of a sample packet capture window. The top panel of the window identifies each packet\u2019s source and destination nodes, protocol implemented, and information about each packet. 
<\/p>\n\n\n\n You can select a specific packet to display more details. The one selected in Figure 1, packet 3, is an 802.11 beacon frame. The middle panel displays information about this packet. You can choose a specific field of the packet (such as the Duration field shown in the figure), and the contents of that field are displayed in hex and ASCII format in the bottom panel. <\/p>\n\n\n\n As a result, you\u2019re able to analyze the flow and view each field (including data field payloads) of all packets.<\/p>\n\n\n\n
\n\n\n\nInstalling WireShark<\/h3>\n\n\n\n
Capturing packets<\/h3>\n\n\n\n