CTS 102: Capturing Wireless Frames

François and Rowell discuss their experiences capturing wireless frames for analysis and what tools they used to do it.

This episode is sponsored by Metageek

Capturing Wireless Frames

It’s one of my favorite things to do: capture wireless frames anywhere there’s a wireless network present. I know. I’m a boring guy. But I can’t help taking a look. In this episode on capturing wireless frames, we go over our favorite tools and apps, which help us solve real-world problems.

Why should you capture frames? If you want to learn how wireless works, then you need to start diving into frames. Seeing how the protocol behaves on the air is how you’ll learn exactly what you need to know. It’s perfect for learning any of the CWNP certifications and especially for the CWAP. By looking at wireless frames, you’ll begin seeing how wireless devices and access points talk to each other and acquire the shared medium.

A sample beacon frame displayed in Wireshark.

Another reason for capturing wireless frames is to perform analysis. There may be an issue that’s hard to solve and requires wireless frame analysis. This could be as simple as finding out that a device does not negotiate the same parameters as the BSS. Or maybe you’re trying to find out what could be slowing down wireless for every other device.

It’s the old saying, packets never lie. But in this case, frames never lie!

An example of using Metageek Eye P.A.

You can capture wireless frames on any platform, such as MacOS, Windows, and Linux. When it comes to the platform of choice, we prefer to use MacOS. By default, you can place the MacOS wireless adapter in promiscuous mode. This mode is used to capture all frames, even those not destined for the host. By using an app such as Airtool, it’s possible to fine-tune a frame capture down to parameters such as the channel, channel width, payload or no payload, etc.

Then with Wireshark, the analysis can be performed.
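To see what Wireshark decodes from a beacon, here is an added Python example (not code from the episode, Metageek or Airtool) that parses the header, fixed fields and key tagged parameters of a constructed beacon frame; the BSSID and SSID in it are made-up sample values.

```python
import struct
# Constructed 802.11 beacon (radiotap header already stripped) so the example runs
# offline. BSSID and SSID are made-up sample values, not from any real network.
SAMPLE_BEACON = bytes.fromhex(
    "80000000"                # frame control: type 0 (mgmt), subtype 8 (beacon); duration 0
    "ffffffffffff"            # addr1: broadcast receiver
    "0011223344aa"            # addr2: transmitter
    "0011223344aa"            # addr3: BSSID
    "1000"                    # sequence control
    "0000000000000000"        # timestamp (8 bytes)
    "6400"                    # beacon interval: 0x0064 = 100 TU
    "1100"                    # capability info: 0x0011 = ESS + privacy
    "0007" "4354532d4c6162"   # tag 0, len 7: SSID "CTS-Lab"
    "0104" "82848b16"         # tag 1, len 4: rates 1, 2, 5.5 (basic) and 11 Mbps
    "0301" "06"               # tag 3, len 1: DS parameter set -> channel 6
)

def parse_beacon(frame: bytes) -> dict:
    """Decode header, fixed fields and key tagged parameters of a beacon frame."""
    if len(frame) < 36:
        raise ValueError("too short to be a beacon")
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError(f"not a beacon: type={ftype} subtype={subtype}")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # addr3
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "beacon_interval_tu": interval,
            "ess": bool(cap & 0x0001), "privacy": bool(cap & 0x0010),
            "ssid": None, "channel": None, "rates_mbps": [], "basic_rates_mbps": []}
    # Tagged parameters: (id, length, value) triples that follow the fixed fields.
    off = 36
    while off + 2 <= len(frame):
        tag_id, tag_len = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + tag_len]
        if len(value) != tag_len:       # truncated element: stop rather than over-read
            break
        if tag_id == 0:                 # SSID; zero length means the SSID is hidden
            info["ssid"] = value.decode("utf-8", "replace") or "<hidden>"
        elif tag_id == 1:               # rates in 500 kbps units; bit 7 marks a basic rate
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in value]
            info["basic_rates_mbps"] = [(r & 0x7F) / 2 for r in value if r & 0x80]
        elif tag_id == 3 and tag_len == 1:
            info["channel"] = value[0]
        off += 2 + tag_len
    return info

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```

The basic (mandatory) rates are the ones a client must support to join the BSS, which is the kind of parameter mismatch the analysis above is looking for.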

A section of Mojo Packets analysis.

In the episode, François and I speak about our experiences in using frame analysis. I bring up a situation where Skype calls kept dropping, but the issue was really a consumer-level device trying to take up most of the airtime. There are other examples also described in the episode.

Here are some screenshots of different applications of frame capture and analysis.

Links and Resources

Download the Wireshark Cheat Sheet

Get your copy of the Common 802.11 Wireshark filters used to perform wireless frame analysis.

About the Author
Rowell, CWNE #210, is a network engineer in Higher-Ed. He enjoys working with wireless networking technologies and loves to share and engage with the community. You can connect with him on Twitter, LinkedIn, and Facebook.

7 comments on CTS 102: Capturing Wireless Frames

  1. Adrian Granados says:

    Just a small comment. Monitor mode is what lets you capture frames from any nearby wireless station. It includes any frame type and you cannot be associated when using monitor mode. In promiscuous mode, the network interface passes up all the data frames it “hears”, including the data frames being sent to other receivers in that network. Promiscuous mode can only be used when associated.

    1. Rowell says:

      Thanks for the clarification Adrian! I always get those two mixed up.

  2. Craig Stodolenak says:

    Very informative content this week. Lines up helpfully with where I’m at with my studies! Thanks for all the tips.

    1. Rowell says:

      Thanks for the feedback Craig!

  3. Chris Shaw says:

    Loved this week’s episode. Definitely going to give it a 2nd listen. Keep it up!

  4. Keith Miller says:

    Hey guys!

    Thanks for making the Wireshark cheat sheet available, especially for free! Quick note:

    In the newer versions of Wireshark (2.4.x), they got rid of the wlan_mgt display filter option so for instance:

    wlan_mgt.ssid would be wlan.ssid

    https://www.wireshark.org/docs/dfref/w/wlan_mgt.html

    Might be a good idea to throw that out there as a disclaimer.

    Regards,
    Keith
