
802.11 packet capture

Capture 802.11 from OSX


/usr/libexec/airportd en0 sniff <channel>


It saves the capture to a file in /tmp.

The 'airport' utility can also be used to set the channel:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=1

Tip: symlink the 'airport' command so it is on your PATH:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

Using GUI

Option (alt)-click the Wi-Fi icon --> Open Wireless Diagnostics, then press Command-6. If you want to capture at 40MHz, keep in mind you'll need to choose the primary channel, e.g. if you'd like to capture 149 and 153, choose 149 and 40MHz.

Using tcpdump

Disassociate from network
sudo airport -z

Set the channel
sudo airport --channel=1

Capture in monitor mode to a file (-I puts the interface in monitor mode, -s0 disables snaplen truncation)
tcpdump -s0 -I -i en0 -w /tmp/capture.pcap

Capture 802.11 from Linux (assuming monitor mode support)


ifdown wlan0                          # interface must be down before changing type
iw dev wlan0 set channel 6
iw dev wlan0 set type monitor
ifconfig wlan0 up                     # or: ip link set wlan0 up


Capture 802.11 from Access Points (remote capture)


Cisco Campus AP

config ap mode sniffer <ap_name>
config ap sniff 802.11b enable <channel> <ip_of_wireshark/tcpdump station> <ap_name>

Aruba Instant AP

pcap start <base bssid> <ip_of_wireshark/tcpdump station> <port> 0 1518

Check the active pcap session
show pcap

Stop the capture
pcap stop <base bssid> <pcap-id>

Aruba Campus AP
ap packet-capture raw-start ap-name <ap_name> <your_workstationIP> <port> <frame_format> radio <0/1> channel <chan_#>

Example (Using port 8211)
ap packet-capture raw-start ap-name ap-1 10.0.0.5 8211 5 radio 1 channel 1

Example (capture filter for Management frames)
ap packet-capture interactive ap-name <ap_name> 'type == mgmt' <your_workstationIP> 5555 radio 0 channel 36


Get the ID
show ap packet-capture status ap-name ap-1

Stop it (11 is the ID)
ap packet-capture stop ap-name ap-1 11 radio 1

Consume the packets with tcpdump for later analysis, discarding all the ICMP unreachables that the receiving host sends to the AP.
tcpdump -i en0 not icmp -w file.pcap

Note: if using Wireshark to display the packets, select one of the packets, then:
Analyze --> Decode As... --> Aruba ERM PEEK-NG (type5)



TCPDump examples 


Capture-filter for only Probe Requests
tcpdump -s0 -I -i en0 -e type mgt subtype probe-req -w file.pcap

Capture-filter for only Association Requests (the pcap-filter subtype keyword is 'assoc-req')
tcpdump -s0 -I -i en0 -e type mgt subtype assoc-req -w file.pcap

Tshark examples

Capture-filter for only Probe requests (0x40 is the frame-control byte for management type 0, subtype 4):
tshark -I -i en0 -f "wlan[0]==0x40" -w file.pcap

Read a pcap file and apply a display filter from the CLI.
Apply a display filter for 802.11 retries. Useful for piping to 'wc' to get the retry %. Newer tshark versions reject -R without -2 (two-pass mode); use -Y for a single-pass display filter instead.
tshark -r <file.pcap> -Y "wlan.fc.retry == 1"

Read a pcap file captured via a Cisco AP in 'sniffer mode', and decode it to show 802.11 (peekremote) packets, also applying a filter to show only 802.11 re-transmissions. Note: earlier versions of tshark/wireshark call the dissector 'airopeek' instead of 'peekremote':
tshark -r <file.pcap> -d udp.port==5000,peekremote -Y wlan.fc.retry==1

You can then pipe that to, say, "wc -l" and divide that number by the total number of frames to get the retry %. Don't forget that Wireshark counts frames with an invalid FCS (OmniPeek, conversely, does not), so you should throw out the invalid frames before doing your count.
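To make the filters and the retry-percentage arithmetic above concrete, here is an added example (not part of the original notes and not from tcpdump or tshark themselves) that builds a small, constructed pcap of raw 802.11 frames, then re-implements the 'wlan[0]==0x40' probe-request match, the 'wlan.fc.retry == 1' display filter and the FCS check in plain Python. It assumes the capture was written with link type 105 (raw 802.11, no radiotap header) and that the FCS was left on each frame; the MAC addresses and frame bodies are made up.

```python
import struct
import zlib

# pcap link type for raw 802.11 frames (LINKTYPE_IEEE802_11). Assumption: no radiotap
# header and the 4-byte FCS is still present at the end of every frame.
LINKTYPE_IEEE802_11 = 105

FC_FLAG_RETRY = 0x08  # bit 3 of the frame-control flags byte == wlan.fc.retry


def build_frame(fc0, flags, body=b"", corrupt_fcs=False):
    """Build a minimal 24-byte 802.11 header + body + FCS (constructed test data)."""
    addr_bcast = b"\xff" * 6
    addr_sta = b"\x02\x00\x00\x00\x00\x01"  # locally administered, made-up MAC
    header = bytes([fc0, flags]) + b"\x00\x00" + addr_bcast + addr_sta + addr_bcast + b"\x10\x00"
    frame = header + body
    fcs = zlib.crc32(frame) & 0xFFFFFFFF  # 802.11 FCS is the same CRC-32 as Ethernet
    if corrupt_fcs:
        fcs ^= 0xDEADBEEF  # simulate a frame that arrived with bit errors
    return frame + struct.pack("<I", fcs)  # FCS is transmitted little-endian


def write_pcap(frames):
    """Serialise frames as a classic little-endian pcap (what tcpdump -w produces)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Return the raw frames from pcap bytes, refusing anything but raw 802.11."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected little-endian pcap with raw 802.11 link type")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def classify(frame):
    """Decode frame control and verify the FCS, mirroring the tshark fields used in the notes."""
    fc0, flags = frame[0], frame[1]
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return {
        "type": (fc0 >> 2) & 0x3,  # 0 = mgmt, 1 = ctrl, 2 = data
        "subtype": (fc0 >> 4) & 0xF,
        "retry": bool(flags & FC_FLAG_RETRY),  # wlan.fc.retry == 1
        "fcs_ok": (zlib.crc32(body) & 0xFFFFFFFF) == fcs,
    }


def count_probe_requests(frames):
    """Same match as 'type mgt subtype probe-req' / 'wlan[0]==0x40': mgmt type 0, subtype 4."""
    return sum(1 for f in frames if classify(f)["type"] == 0 and classify(f)["subtype"] == 4)


def retry_percent(frames, drop_bad_fcs=True):
    """Retry % as the notes compute it with 'wc', optionally discarding bad-FCS frames first."""
    info = [classify(f) for f in frames]
    if drop_bad_fcs:
        info = [i for i in info if i["fcs_ok"]]
    if not info:
        return 0.0
    retries = sum(1 for i in info if i["retry"])
    return round(100.0 * retries / len(info), 1)


# Constructed sample capture: 2 probe requests (one retried), 3 data frames
# (two retried, one of those with a corrupt FCS), and one beacon.
LLC_BODY = b"\xaa\xaa\x03" + b"\x00" * 5
SAMPLE_FRAMES = [
    build_frame(0x40, 0x00),
    build_frame(0x40, FC_FLAG_RETRY),
    build_frame(0x08, FC_FLAG_RETRY, body=LLC_BODY),
    build_frame(0x08, 0x00, body=LLC_BODY),
    build_frame(0x08, FC_FLAG_RETRY, body=LLC_BODY, corrupt_fcs=True),
    build_frame(0x80, 0x00, body=b"\x00" * 12),
]

if __name__ == "__main__":
    frames = read_pcap(write_pcap(SAMPLE_FRAMES))
    print("probe requests:", count_probe_requests(frames))
    print("retry % (all frames):", retry_percent(frames, drop_bad_fcs=False))
    print("retry % (good FCS only):", retry_percent(frames))
```

Run against the constructed capture, the retry rate is 50% if the bad-FCS frame is counted and 40% once it is discarded, which is exactly the discrepancy the note about Wireshark versus OmniPeek warns about; on a real file, swap SAMPLE_FRAMES for read_pcap(open(path, "rb").read()).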

More info & References

Check out the following post for details on the differences between the ways of capturing in OSX.

The 'airport' command is also useful for other things, like showing connection details, SSIDs, etc.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport <option>