THE BLOG ★ Ramblings on WiFi & stuff.

Options for Wireless Packet Capture in Windows

UPDATED: 05/28/2019

HOLD THE PRESSES!!! So, as of Wireshark 3.0, you can do RF Monitor mode captures in Windows using inexpensive NICs. Specifically, the Netgear A6210. Here’s a write-up on how to set this up, but nothing special is required other than Wireshark 3.0 or newer and a supported NIC (the Netgear A6210).

So, of course, this comes with some caveats. The main one is that the capture does not include channel information. So, while you CAN set the channel you want to capture on, there will be no data in the capture confirming you are indeed on that channel.

WiFiXax has a blog post on how to do it.

You can go ahead and read the rest of this post, but at this point, why would you? ¯\_(ツ)_/¯
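If you want to check for yourself whether a capture actually carries channel information, the radiotap header in front of each 802.11 frame is where Wireshark gets it from. The Python below is an added example, not code from this post or from Wireshark: it walks a pcap file with the radiotap link type and reports, frame by frame, the channel number taken from the radiotap Channel field, or None when that field is simply absent (which is what the caveat above means in practice). The pcap and radiotap bytes it inspects are constructed inline rather than taken from a real capture, and the function and constant names are my own.

```python
import struct
from typing import List, Optional

# Radiotap "present" bit numbers (radiotap spec). Only fields that can precede
# Channel need a (size, alignment) entry; antsignal is included for the sample.
RT_TSFT, RT_FLAGS, RT_RATE, RT_CHANNEL, RT_FHSS, RT_DBM_ANTSIGNAL = 0, 1, 2, 3, 4, 5
RT_EXT = 31
RT_FIELD_LAYOUT = {RT_TSFT: (8, 8), RT_FLAGS: (1, 1), RT_RATE: (1, 1),
                   RT_CHANNEL: (4, 2), RT_FHSS: (2, 2), RT_DBM_ANTSIGNAL: (1, 1)}

PCAP_MAGIC = 0xA1B2C3D4              # little-endian pcap, microsecond timestamps
LINKTYPE_IEEE802_11_RADIOTAP = 127   # DLT_IEEE802_11_RADIO


def radiotap_channel_freq(frame: bytes) -> Optional[int]:
    """Return the Channel field's frequency (MHz) from a radiotap header,
    or None if the header does not carry a Channel field at all."""
    if len(frame) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or hdr_len > len(frame):
        raise ValueError("bad radiotap header")
    # Skip any extra present words (bit 31 set); fields start after the last one.
    offset, word = 8, present
    while word & (1 << RT_EXT):
        word = struct.unpack_from("<I", frame, offset)[0]
        offset += 4
    if not present & (1 << RT_CHANNEL):
        return None
    # Fields appear in bit order; each is aligned to its natural size,
    # counted from the start of the radiotap header.
    for bit in range(RT_CHANNEL + 1):
        if not present & (1 << bit):
            continue
        size, align = RT_FIELD_LAYOUT[bit]
        offset = (offset + align - 1) // align * align
        if bit == RT_CHANNEL:
            freq, _chan_flags = struct.unpack_from("<HH", frame, offset)
            return freq
        offset += size
    return None  # not reached: Channel was confirmed present above


def freq_to_channel(freq_mhz: int) -> int:
    """Map a centre frequency to its 802.11 channel number (2.4 and 5 GHz bands)."""
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if freq_mhz == 2484:
        return 14
    if 5000 < freq_mhz < 5900:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"unsupported frequency {freq_mhz} MHz")


def pcap_channel_report(pcap: bytes) -> List[Optional[int]]:
    """One entry per packet: the channel number, or None when the frame's
    radiotap header has no Channel field (the caveat described in the post)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("expected a little-endian pcap with the radiotap link type")
    report, offset = [], 24
    while offset < len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        freq = radiotap_channel_freq(frame)
        report.append(None if freq is None else freq_to_channel(freq))
    return report


# ---- Constructed sample capture (not a real capture) ----
def _radiotap(present: int, fields: bytes) -> bytes:
    return struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields

DOT11_STUB = bytes.fromhex("80000000ffffffffffff")  # start of a beacon header, truncated

# Frame 1: Flags, Rate, Channel (2437 MHz with 2.4 GHz channel flags), dBm antsignal.
FRAME_CH6 = _radiotap((1 << RT_FLAGS) | (1 << RT_RATE) | (1 << RT_CHANNEL) | (1 << RT_DBM_ANTSIGNAL),
                      struct.pack("<BBHHb", 0x00, 0x02, 2437, 0x0480, -55)) + DOT11_STUB
# Frame 2: TSFT, Flags, Rate, dBm antsignal, but no Channel field.
FRAME_NO_CHANNEL = _radiotap((1 << RT_TSFT) | (1 << RT_FLAGS) | (1 << RT_RATE) | (1 << RT_DBM_ANTSIGNAL),
                             struct.pack("<QBBb", 1234567, 0x00, 0x02, -60)) + DOT11_STUB
# Frame 3: Flags then Channel (5180 MHz); the 'x' is the 2-byte alignment pad before Channel.
FRAME_CH36 = _radiotap((1 << RT_FLAGS) | (1 << RT_CHANNEL),
                       struct.pack("<BxHH", 0x00, 5180, 0x0140)) + DOT11_STUB


def build_sample_pcap() -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    for frame in (FRAME_CH6, FRAME_NO_CHANNEL, FRAME_CH36):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for i, ch in enumerate(pcap_channel_report(build_sample_pcap()), 1):
        print(f"frame {i}: " + ("no channel info in radiotap" if ch is None else f"channel {ch}"))
```

To run it against your own file, read the pcap into bytes and pass it to pcap_channel_report; a run where every entry is None is the situation the caveat describes, and the only record of the channel is whatever you set on the NIC. The parser deliberately stops at the Channel field, so it does not need the full radiotap field table.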


In Windows, you cannot effectively analyze wireless frames, because you are unable to put the wireless NIC in "RF Monitor Mode" - that is the mode in which the wireless NIC can see ALL 802.11 frames in the air, not just ones intended for itself.

Historically, it's been an expensive proposition. There are some great tools out there like OmniPeek (which I use), the gold standard for Windows packet analysis. And for years, AirPcap Nx was the main NIC folks used for pcap'ing WLANs with Wireshark. Unfortunately, both options are pricey. And the AirPcap NX is no longer manufactured. You’d be lucky to find a used one on eBay. Linux and MacOS have been the only ways to cheaply get access to RF Monitor mode without spendy software and hardware, like Omnipeek and the AirPcap Nx.

But, not everyone uses Linux, or Mac OS. Fortunately, and fairly recently, there are more and more ways to get RF Monitor mode in Windows. Here are some options (NOT an exhaustive list) for performing an RF Monitor Mode wireless packet capture in Windows using relatively inexpensive hardware.

OR, you could just get a Mac and do it natively. 😉

Lastly, if you have access to an Ekahau Sidekick, and you have an Ekahau Connect account, you can use the Sidekick to perform offline packet captures, and you can even have each NIC capture on a different channel! Cool!


* If anyone has additional relatively inexpensive options for this list please DM me @HeyEddie



"relatively inexpensive"

def.

I don't know. Less than a grand? Less than $500? Please don't get all pedantic on me. 😉

SharkTIPS! My Favorite Wireshark Customizations


Thanks to the gentle nagging of @WiFiNigel I finally got around to posting SOME of the things I've been wanting to post. It's been sitting in a text file for several months without me ever getting around to posting it. And thanks to @JamesGarringer for inspiring me to think about maybe writing it.

Wireshark may be free, but it's a powerful and useful beast. Knowing how to use your tools, and set them up to be the most efficient and productive is important. So, here are a few of my favorite Wireshark customizations that help me do my job. This is the first of two posts.


🦈  SharkTIP #1 - Custom Profiles

The first thing you should do after installing Wireshark is to create custom profiles to have Wireshark ready to go for the task at hand. For me, that means wireless frame capture & analysis. I like to have certain columns and colors all set so I can quickly spot the things I’m looking for. In future SharkTips I'll cover some of the other Wireshark customizations I use in my custom profiles.

Creating profiles is easy. First, click on “Edit” menu and then select “Configuration Profiles”. You’ll see this window popup:

Wireshark Configuration Profiles Panel

Next, click on the “+” to add and name a new profile. Then click “OK” to close and save the new profile.

That’s it! Now, you’ll just have to take the time to customize your view to your likes and needs. You can arrange the panel layout, the columns that you prefer to see, the colors of the packet/frames. Any changes you make to the active profile are automatically saved.

To switch profiles just click on “Profiles” at the bottom, right-hand corner of Wireshark. You’ll see a list of all the available profiles. Just click on the one you want and you're done.

Profile Selector

You can even save your profiles for use on other machines, or to share. A quick Google search should allow you to find custom profiles that other users have created that may suit your needs.

To share a profile, or add someone else's profile, go to Help > About Wireshark and click on the “Folders” tab. You’ll see links to various folders. Click on the link for the “Personal configuration”. When the window pops up go into the "Profiles" folder. There you will see folders for each of your profiles. Just copy and share the profile(s) you want to share.

Alternatively, if you want to add someone else's profile(s) copy their profile folders into your "Profiles" folder. Next time you start Wireshark the profiles will be available to you.

The Profile Folder


SharkTIP #2 - Columns That Matter

Columns are YUGE. Having the right columns front and center will make finding what you want faster and easier. If you're trying to learn and understand 802.11, or taking the CWAP, having the right columns will go a long way to helping you understand what's happening up in them frames!

Useful Wireshark Columns for 802.11 (Click to see Full Size)

There are a few different ways to create columns:

 

OPTION 1

You can right-click on the column bar and select "Column Preferences" from the menu. Then you can press the "+" button to create a new column, give it a name and either select from the list of presets, or use a filter for what you want.

For example, if you wanted to create a column that shows TX rate you could...

The standard way to add new columns to Wireshark.

OPTION 2 (My preferred method) 

This option gives you more stuff to choose from. You'll be surprised what you'll find. Select an item you want from the Packet DETAILS below the Packet List like so...

Adding Columns to Wireshark from the Packet Details Window instead of selecting from the standard list.

Here are some of the columns I use:

  • Sequence No.

  • Length

  • Size

  • Source

  • Destination

  • SSID

  • PTK

  • PHY

  • PWR MGMT

  • Noise

  • Type/Subtype

  • Protocol

  • CH.

  • Priority

  • RSSI

  • Rate

  • DTIM

  • Duration

  • Info

I hide/unhide columns as needed by right-clicking on the column bar and selecting/de-selecting what I want from the list:

Wireshark Hiding/Unhiding Columns


SharkTIP #3 - Colorize The Packets!

I spend the majority of my time working with 802.11. So, I’ve customized Wireshark to make analyzing it faster and easier.

One of the first things I did was add a custom color palette for colorizing 802.11 frames. Fortunately, I didn’t have to work too hard. @WiFiTrent created this awesome color profile based on MetaGeek’s Eye P.A., and @WifiNigel blogged about how to add it to Wireshark here. The color scheme breaks it down into three basic color sets for each 802.11 frame type - Management, Control, and Data. It makes it so much easier to spot things quickly, and helps me better understand what I’m seeing. I love it!

Wireshark Coloring Rules for 802.11

To install it click on “View” and select “Colorization rules…”. You’ll see an option to import the file. Or, if you want to take the time to create your own color rule set just click on the “+” button and start creating your rules, frame by frame!

👉 Download it at WiFiNigel’s blog.

Happy coloring! 🖍


SharkTIP #4 - Create A List Of Commonly Used Display Filters

Just click on the little bookmark icon to the left of the filter entry field, select "Manage Display Filters", and add your most commonly used display filters for quick and easy access. Then just click and select them on the fly!

Wireshark Display Filters

@VergesFrancois created this 👉 great document listing the most common Wireshark 802.11 Display Filters.

 

Display Filter Buttons! (Wah????)

Another cool way to do filters is Filter Buttons! Create Filter Buttons in the Wireshark toolbar for your most used filters. Just click and BLAMO! You're filtering, yo!

Easy to do. Here is how you create and remove an existing filter button. Here I'm adding a button to quickly filter on only frames that pertain to my MacBook, JAYNE.

Just click on the "+" on the filter bar and then add a label and the filter you want to use...


SHARKTIP #5 - Custom Name Resolution (The “ethers” file) 🕵🏻

Sometimes it's hard to see through the mass of information Wireshark presents you. For quick scanning I like to add name resolution for MAC addresses so devices I’m looking for are easily identifiable in Wireshark.

It's simple to do. 

  1. On a Mac go to Wireshark > About Wireshark, and on Windows go to Help > About

  2. When the dialog pops up click on the “Folders” tab

  3. Click on the link next to "Personal configuration".

  4. Open the “ethers” file in your text editor of choice (If you don't see an "ethers" file, create a text file named "ethers" and copy and paste the example below.)

  5. Add each device on a separate line: the MAC address, followed by a space, and then the name:

    Example of an ethers file:

    # Use the ethers file to name devices.
    # Wireshark will show the name you specify here in place of the MAC address.
    # Format: one device per line, MAC address, a space, then the name.
    # (The addresses below are examples only; each address should appear once.)

    ######## EXAMPLE DEVICE ENTRY ############

    # 1A:2B:3C:4D:5E:6F DEVICE-NAME

    ######## ENTER YOUR DEVICES BELOW! ########

    1a:2b:3c:4d:5e:6f ATV-HOME
    a1:b2:c3:d4:e5:f6 IAP-224
    00:01:02:03:04:0f MACBOOK
    00:11:22:33:44:55 IPHONE
    00:c2:c1:d3:dd:c7 IPAD


  6. Save the file in /etc, restart Wireshark, and now you’ll see the device name instead of the MAC address.

 

It will look something like this:

(Here I added my AppleTV and Aruba IAP-224:)

Wireshark Name Resolution with the Ether File
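The ethers format above is simple enough to sanity-check before you restart Wireshark, and the same address-to-name map is exactly what you need when building a per-device display filter for a Filter Button like the JAYNE one earlier. The Python below is an added example, not code from this post or from Wireshark: it parses ethers text (comment lines, and colon, dash or dot separators), reports duplicate or malformed addresses instead of silently keeping one, resolves a constructed list of frame addresses to names, and builds a `wlan.addr ==` display filter for a named device. The sample entries and frames are constructed, the function names are my own, and the first-entry-wins rule for duplicate addresses is this parser's choice, not a statement about how Wireshark itself resolves them.

```python
import re
from typing import Dict, List, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Canonical lower-case, colon-separated form. Accepts ':', '-' or '.' as
    digit-group separators (the separators the ethers format allows); anything
    that is not 12 hex digits after stripping them is rejected."""
    digits = re.sub(r"[:.-]", "", text.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ethers(content: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse ethers-file text into {mac: name}. '#' starts a comment and blank
    lines are skipped. Returns the map plus warnings for malformed lines and
    duplicate addresses (first entry wins; later ones are reported, not used)."""
    names: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            warnings.append(f"line {lineno}: expected '<mac> <name>', got {raw.strip()!r}")
            continue
        try:
            mac = normalize_mac(parts[0])
        except ValueError as exc:
            warnings.append(f"line {lineno}: {exc}")
            continue
        if mac in names:
            warnings.append(f"line {lineno}: duplicate address {mac}: keeping "
                            f"{names[mac]!r}, ignoring {parts[1]!r}")
            continue
        names[mac] = parts[1]
    return names, warnings


def resolve(names: Dict[str, str], mac: str) -> str:
    """Friendly name for mac, or its normalized address when unknown."""
    mac = normalize_mac(mac)
    return names.get(mac, mac)


def label_frames(names: Dict[str, str], frames: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apply name resolution to (source, destination) address pairs."""
    return [(resolve(names, src), resolve(names, dst)) for src, dst in frames]


def display_filter_for(names: Dict[str, str], device: str) -> str:
    """Build a Wireshark display filter matching frames to or from a named
    device (wlan.addr matches any of the 802.11 address fields)."""
    macs = sorted(mac for mac, name in names.items() if name == device)
    if not macs:
        raise KeyError(f"no ethers entry named {device!r}")
    return " || ".join(f"wlan.addr == {mac}" for mac in macs)


# ---- Constructed sample data (example addresses only) ----
SAMPLE_ETHERS = """\
# constructed example, same shape as the ethers file above
1a:2b:3c:4d:5e:6f ATV-HOME
A1-B2-C3-D4-E5-F6 IAP-224
00:01:02:03:04:0f MACBOOK
a1:b2:c3:d4:e5:f6 IPHONE
00:c2:c1:d3:dd:c7 IPAD
zz:zz:zz:zz:zz:zz BOGUS
"""
SAMPLE_FRAMES = [("00:01:02:03:04:0f", "a1:b2:c3:d4:e5:f6"),
                 ("a1:b2:c3:d4:e5:f6", "ff:ff:ff:ff:ff:ff")]

if __name__ == "__main__":
    names, warnings = parse_ethers(SAMPLE_ETHERS)
    for w in warnings:
        print("WARNING:", w)
    for src, dst in label_frames(names, SAMPLE_FRAMES):
        print(f"{src} -> {dst}")
    print(display_filter_for(names, "MACBOOK"))
```

Running it on the constructed sample flags the IPHONE line (same address as IAP-224) and the BOGUS line, which is the kind of mistake that otherwise shows up only as a confusingly labelled frame in the packet list. The string display_filter_for returns is what you would paste into the filter field when creating a Filter Button for that device.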

That's it for now. I'll post some more SHARKTIPS™ :-) in the next few weeks.


If You're Going To Use Single-Channel Architecture, At Least Know What You're Doing (via @Badger_Fi)

I don't have much experience with SCA (Single-Channel Architecture), other than what I've read, and some not-so-pleasant experiences with Ubiquiti. Mitch Dickey (@Badger_Fi) does, and has some really good stuff to say.

He writes about troubleshooting a problem at a high school that implemented an SCA solution. The problem turned out to be Co-Channel Contention. WAT?! Yup. But, before you think you know what's up, read the post. SCA may not have anywhere near the footprint MCA does in today's world, but it's always good to learn something new, especially from someone like Mitch.

Read it here.

Source: https://badger-fi.com/2016/08/31/single-ch...

♻︎ Today’s Quality Linkage

Lists of Lists

I was introduced to this new app called Li.st which also conveniently happens to be their URL. It's for creating and sharing lists of things. Anything you want - text, pictures, URLs, etc. I wasn't sure what use I would have for it, but it turns out I do have a few and I really like it.

So, here are a few of the first ones I made, and I'm working on a few others.

Hope you find them interesting!

Add a Custom AP + Antenna Combination in Ekahau

Shout out to @WiFiNigel for helping me figure this one out. I'm sure there are other folks out there that have figured this out, but I never did... until now.

So, I'm in the middle of a design in Ekahau Site Survey (ESS) for a fairly large manufacturing facility (about 1.2 million square feet) and I'm using a specific AP with various antennas types depending on the use-case at the facility.

When you place an AP in ESS, the next time you place a new AP on the map it uses the last AP you placed, and it keeps your previous configs such as TX power, antenna height, and angle. However, if you customize an AP - like I did - by selecting an AP from the dropdown and then changing the antennas to a 3rd party antenna - the next time you place an AP it DOES NOT use that - it uses the default from the dropdown.

This is a bummer if you're a.) adding a lot of APs, and/or b.) switching between antenna types (like say a patch for racks, and dipoles in open areas, etc). Every time you place an AP you have to manually go in and change EVERYTHING - the TX power, the antenna height, the angles, and of course - the antennas themselves.

I knew you could make changes to the ESS conf files for adding custom antennas and APs, but I had never actually done that - until now. I edited the "accessPointTypes.xml" file and added the AP with the antennas I wanted. The antenna already existed in ESS, it just wasn't paired with the AP I wanted to use. I figured this was all I needed to do to get it to work.

Upon opening my project file in ESS I saw that the new customized version of the AP was there in the list! (Yay!) But, when I placed it I saw only the generic antennas matched with it. (Boo.)

Nigel then made the brilliant observation that I may just need to look at the antenna conf files and add the AP + ANT combination there - and when I looked at the antenna files I noticed that's exactly what Ekahau did. They had AP + the 2.4 and 5 GHz versions of the antennas there:

So, it was quite simple really - I just copied each of the antenna files I wanted (2.4 and 5 GHz) and then pasted them back into the same folder. Now I had a version of each (with "copy" appended at the end) and all I had to do was rename the file by adding the AP name "+" the antenna name and remove the "copy" at the end. I then edited the "accessPointTypes.xml" again, this time using the name of the antenna file as the name of the AP, and saved the file.

Lo, and behold, when I restarted ESS, there it was! When I added the AP it had the correct antennas for 2.4 and 5 GHz, and when I added the next AP it matched the antennas as well as all the setting changes I made for the first one (TX power, ANT height, angle, etc.). I was pretty stoked - so I wrote this blog.

So, if you have a project where you have lots of APs with a 3rd party antenna, and don't want to edit EVERY. SINGLE. ONE - try this:

* NOTE: This is NOT the "Custom AP" that shows up in ESS. You should never use that.

This is for creating your own existing AP and Antenna combinations.

When you add an AP and change the antenna type in Ekahau, the next time you add the AP it will not have the same antennas, or settings. You have to manually edit the AP every time you add it if it's not a combination that already exists in the dropdown.

You can edit the config files for antennas and APs so that you can create custom AP/ANT combos for use in all of your projects.

* EDIT 05-31-2016  I forgot to mention that you'll need admin rights to edit anything in that folder. Just right-click on the folder and give yourself full-rights.

*IMPORTANT! @WJComms on the Twitters made a good point: BACKUP YOUR CONFIG FILES AFTER YOU EDIT THEM. If you don't they'll be written over when you update ESS and you'll lose your changes. Back them up somewhere else and copy the changes to the updated config files after you update.

♻︎ Today’s Quality Linkage for Monday, May 23, 2016

Go To Sleep, Go To Sleep, Go To Sleep Little iPhone by @Ben_SniffWiFi. Apple's overly-aggressive power saving sometimes affects Wi-Fi.

It’s Not Just a Number, It’s the Journey…. @GCateWiFi shares his journey to CWNE.

[VIDEO] Mobile device roaming behaviors & client troubleshooting by @WirelesssGuru. George Stefanick once again showing why he's the Guru.

All the videos from this years Aruba Atmosphere Conference in Las Vegas

How to access OS X Wi-Fi Monitor via @KeithRParsons

Recommended settings for Wi-Fi routers and access points from Apple

Use Wireless Diagnostics to help you resolve Wi-Fi issues on your Mac One more reason why I love Macs. Great overview of its built-in Wireless diagnostics tools.

Proving "It's not the Wi-Fi network" by @JustDoWiFi Sometime (Most times) it's the CLIENT.

Airport Experiment Shows That People Recklessly Connect to Any Open WiFi Hotspot I always use a VPN on public networks.

pfSense HOWTO on Captive portal + FreeRADIUS + local MySQL user friendly single step

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs When are these people going to start talking to experts?!

Woman enraptured with talking Chewbacca mask If this doesn't make you smile you're dead inside. 😃