CTS 125: 802.11 Frame Captures on Windows

We take a look at what resources are available to capture frames on Windows OS.

802.11 Frame Captures on Windows

Back in episode 121, we spoke highly of MacBook Pros being perfect tools for wireless frame captures. But not everyone has a MacBook Pro. Even I still have a Windows laptop and need to do frame captures on it every once in a while.

In this episode, we outline some of the resources we use for capturing frames on Windows OS. We cover both free and paid options, depending on how you’re trying to capture frames and how quickly you’re trying to accomplish the task.

Budgets will vary widely with each resource, so check online for the most up-to-date pricing.

Acrylic Wi-Fi Professional

You can try out Acrylic Wi-Fi with a trial version that is free for 4 days. As of June 2018, a license is a $39.95 one-time fee (or $19.95 for 1 year). It has a built-in 802.11 packet capture tool that does not require additional hardware, but it only captures beacon frames if your Wi-Fi NIC does not support monitor mode.

The NDIS driver must be installed so your built-in Wi-Fi NIC can be used in monitor mode. If you want, you can use an external adapter to perform the capture. Acrylic recommends the following:

By default, it will be channel hopping, so don’t forget to set the channel on which you want to scan. We strongly recommend using a Riverbed AirPcap card if you are going to do anything professional.

Some of the packet capture features include:

  • Displays the Packet Tree view, including the details of the Radiotap header
  • Displays the Hex and Binary view of the packet
  • You can export the frames into a pcap file and analyze them with another tool (Wireshark)
  • Integration with Wireshark
  • 802.11ac is not available with AirPcap Nx

Other Features:

  • Wi-Fi Scanner
  • Show Retry Rate when set to monitor mode
  • Displays the SSID detected (including the hidden SSID)
  • Displays some beacon details
  • Script editor built-in
  • Reports
  • Inventory

Microsoft Network Monitor

This tool is free to use with your operating system. You can download the application from Microsoft and check out a full tutorial. You can also find a video tutorial easily on YouTube.

Features:

  • Free. You just need a Wi-Fi USB adapter
  • It won’t work with all Wi-Fi NICs. We have tried a bunch for you guys.
  • NICs that work:
    • NIC 300
    • D-Link DWA-130
    • D-Link DWA-160
    • Linksys AE2500
  • NICs that don’t work:
    • Realtek 8812AU
    • D-Link DWA-182
    • Netgear A6210
    • Edimax EW-7822UAC
  • Uses the NetMon L1 header and not the Radiotap header. With some adapters, the reported RSSI will not be right (example: NIC 300 will always report an RSSI of 30dBm)
  • Captures can be exported to a .cap file and analyzed in Wireshark

AirPcap

AirPcap allows you to capture frames in Wireshark.

You can capture with multiple AirPcap adapters on multiple channels at the same time (roaming analysis). Check out the post from Revolution WiFi.

Metageek Eye P.A.

Metageek offers many tools, including a way to capture frames using Eye P.A. Having used this tool in the past, we have found it very good, especially with the visualizations. You can capture from Metageek Eye P.A. with other adapters and NDIS drivers.

Adapters supported:

Savvius Omnipeek

Savvius was recently acquired by LiveAction, and for good reason. Savvius has a strong frame capture utility called Omnipeek. It does a lot more than capture wireless frames, as it can also be useful on the wired side of things. It also has a powerful expert analysis engine, and there’s a way to aggregate wireless adapters in the application to capture on multiple channels.

You can find the Savvius Adapter on Amazon.

What tools are you using?

Is there anything missing from this list? Are you using one application more than the other? Let us know in the comments below.

About the Author
Wireless Network Engineer and Owner at SemFio Networks. CWNE #180. Living in London ON Canada, born and raised in Dijon, France.

5 comments on CTS 125: 802.11 Frame Captures on Windows

  1. I used Acrylic as my first packet analyzer. Ben and Amy have great blog articles on that.
    I bought both Netgear and D-Link adapters. But I got D-Link version c1, not a1.
    Was not happy with Netgear and Acrylic, so jumped over to CommView for WiFi, which supports D-Link 182 c1.
    In CW for Wifi you could choose which type of frame you want to capture: data, management or control.

    But at the end of the day: use Airtool on Mac.

    1. Rowell says:

      I’ve found Airtool to be the easiest. Other applications offer more beyond just staring at frames in Wireshark but I find that learning how to find the frames you’re looking for within Wireshark makes you a better analyzer.

  2. Scott Seifel says:

    I used VisiWave Traffic (http://www.visiwave.com/wifi/visiwave-traffic.php), and it is reasonably priced ($300). It requires Microsoft Network Monitor to capture the frames, but the visuals are very insightful. Even though a floor plan is not required, using one eases troubleshooting. Once the capture is complete, the trace file can be imported into Wireshark. Getting the right wireless NIC to work was a chore; eventually I landed on the D-Link DWA-160. Seeing your list of wireless NICs before the purchase would have saved me some time.

    Thanks for the great work of putting together the podcasts.

    – Scott

    1. Rowell says:

      Thanks for your input here Scott. I’ll have to check out VisiWave pretty soon.
