CTS 121: Capturing Wireless Frames with a Mac

Capturing wireless frames is a must know skill for any Wi-Fi network engineer.

Capturing Wireless Frames with a Mac

The MacBook Pro is an excellent tool for capturing wireless frames. Its built-in wireless adapter can be used to sniff frames over the air. As I like to say, the best troubleshooting tool you can have is the one that’s with you. Since I have my Mac with me all the time, I tend to capture frames wherever I go.

There are many benefits to capturing frames. It’s a great way to learn how Wi-Fi works, and it is how I got started. Understanding Wi-Fi communication through frame captures gives you an upper hand. One example is learning about the 802.11 State Machine.

When it comes to troubleshooting complicated issues, frames don’t lie. Not too long ago, my laptop had a difficult time connecting to public Wi-Fi. It frustrated me so much I decided to capture some frames. Within minutes I found out why. Just take a look at the screenshot below.

Frame capture of an association response


How To Capture Frames

  1. Install Wireshark
  2. Install the Metageek Profile
    1. Unzip the file
    2. Copy directory to /Users/user/.config/wireshark/profiles/
    3. Enable the profile in Wireshark by clicking on the bottom right of the open application. See screenshot below.
  3. Install Airtool
  4. Select channel & channel width to capture on
    1. Capturing frames with Airtool
  5. Start the capture and stop after a short time
  6. Analyze with Wireshark or Mojo Packets

Links and Resources

CTS 090: Don’t Contain Me, Bro!

Containment of a WLAN is the act of shutting it down! We discuss how you can find out if you’re being contained.

This episode is sponsored by Metageek


WLAN containment is not a situation you want to deal with. The symptom you’ll see is devices dropping from your WLAN. When they are disconnected, they often stay disconnected. Sometimes those devices won’t be able to connect to your WLAN at all.

What is happening? Another network is containing your WLAN. This happens by sending deauthentication frames to devices connected to your WLAN, or by sending broadcast deauthentication frames.

You can troubleshoot this issue using the following tools:

Troubleshooting WLAN Containment

How do you know if containment is happening? Using Airtool, capture frames on your operating channels. After 5 minutes of capturing, open up the pcap in Wireshark.

Use this display filter to show all deauthentication frames (management type 0, subtype 12):

wlan.fc.type_subtype == 0x000c

Take note of the source BSSID. You may get lucky and find out who is containing your WLAN. Copy the BSSID and paste it into Wi-Fi Explorer. If that same BSSID is broadcasting beacons for its own WLAN, you will see it.

That’s how I used Airtool, Wireshark, and Wi-Fi Explorer to find the source of containment. By looking at the RSSI within the frames in Wireshark, you can get close to the source AP of the offending frames.

Another option is to plug the BSSID into the AirCheck G2 and use the Locate feature to find the AP.
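The triage described above (filter for deauthentication frames, group them by the address that sent them, and use RSSI to judge where they came from) can be scripted so it runs over a whole capture at once. The following is an added example written for this page, not code from the podcast, Airtool or Wireshark. It assumes a classic pcap with link type 127 (IEEE802_11_RADIOTAP), which is what a monitor-mode capture normally produces, reads only the radiotap field it needs (dBm antenna signal), and builds its own constructed sample capture so it runs offline. It goes a step beyond the episode: it also counts disassociation frames and compares the signal level of the deauths against the beacons of the same BSSID, since a containing AP that spoofs your BSSID will usually be heard at a different level than the real AP.

```python
"""Triage a radiotap/802.11 pcap for deauthentication and disassociation
frames (the Wireshark filter wlan.fc.type_subtype == 0x000c shows the deauths)
and summarize them per transmitter to spot containment.

Added example; assumes a little-endian classic pcap with link type 127.
"""
import struct
from collections import defaultdict

LINKTYPE_RADIOTAP = 127
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype; type 0 = management
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C
# radiotap fields we can skip or read: present bit -> (alignment, size in bytes)
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2), 5: (1, 1)}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def iter_pcap(data):
    """Yield (timestamp, packet bytes) from classic little-endian pcap bytes."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("expected a little-endian pcap with radiotap link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def radiotap_signal(pkt):
    """Return (radiotap header length, dBm antenna signal or None).

    Only bits 0-5 of the first 'present' word are walked; fields are naturally
    aligned relative to the start of the header, so absolute offsets are rounded.
    """
    hdr_len, present = struct.unpack_from("<HI", pkt, 2)
    off, word = 8, present
    while word & (1 << 31):                  # skip extended present words
        word = struct.unpack_from("<I", pkt, off)[0]
        off += 4
    signal = None
    for bit in range(6):
        if not present & (1 << bit):
            continue
        align, size = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align
        if bit == 5:
            signal = struct.unpack_from("<b", pkt, off)[0]
        off += size
    return hdr_len, signal


def parse_80211(frame):
    """Decode the fixed 802.11 MAC header and, for deauth/disassoc, the reason code."""
    fc0 = frame[0]
    ts = ((fc0 >> 2) & 0x3) << 4 | (fc0 >> 4)
    info = {"ts": ts, "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
            "addr3": mac(frame[16:22])}    # management: addr1=DA, addr2=SA, addr3=BSSID
    if ts in (DEAUTH, DISASSOC):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def _mean(xs):
    return sum(xs) / len(xs) if xs else None


def summarize(pcap_bytes, min_count=5, rssi_gap_db=10):
    """Group deauth/disassoc frames by transmitter (addr2) and flag likely containment:
    a frame storm, any broadcast deauth, or a signal level far from that BSSID's beacons."""
    beacon_rssi, per_tx = defaultdict(list), {}
    for _ts, pkt in iter_pcap(pcap_bytes):
        rt_len, rssi = radiotap_signal(pkt)
        info = parse_80211(pkt[rt_len:])
        if info["ts"] == BEACON and rssi is not None:
            beacon_rssi[info["addr2"]].append(rssi)
        if info["ts"] not in (DEAUTH, DISASSOC):
            continue
        s = per_tx.setdefault(info["addr2"], {"bssid": info["addr3"], "count": 0,
                                              "broadcast": 0, "reasons": defaultdict(int), "rssi": []})
        s["count"] += 1
        s["broadcast"] += int(info["addr1"] == BROADCAST)
        s["reasons"][info["reason"]] += 1
        if rssi is not None:
            s["rssi"].append(rssi)
    for tx, s in per_tx.items():
        s["reasons"] = dict(s["reasons"])
        d, b = _mean(s["rssi"]), _mean(beacon_rssi.get(tx, []))
        s["rssi_mismatch"] = d is not None and b is not None and abs(d - b) > rssi_gap_db
        s["suspicious"] = s["count"] >= min_count or s["broadcast"] > 0 or s["rssi_mismatch"]
    return per_tx


def make_frame(ts, da, sa, bssid, reason=None, rssi=-55):
    """Constructed radiotap + 802.11 management frame (test data, not a real capture)."""
    radiotap = struct.pack("<BBHIb", 0, 0, 9, 1 << 5, rssi)   # 9-byte header, only dBm signal present
    fc0 = ((ts & 0xF) << 4) | ((ts >> 4) << 2)
    hdr = bytes([fc0, 0, 0, 0]) + b"".join(bytes.fromhex(a.replace(":", "")) for a in (da, sa, bssid)) + b"\x00\x00"
    return radiotap + hdr + (struct.pack("<H", reason) if reason is not None else b"")


def build_pcap(frames):
    """Constructed classic pcap (link type 127) in memory so the example runs offline."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(f), len(f)) + f
    return out


# constructed, locally administered addresses; not real devices
AP, AP2 = "02:11:22:33:44:01", "02:11:22:33:44:02"
CLIENT, OTHER = "02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:02"
SAMPLE_PCAP = build_pcap(
    [make_frame(BEACON, BROADCAST, AP, AP, rssi=-41), make_frame(BEACON, BROADCAST, AP2, AP2, rssi=-60)]
    + [make_frame(DEAUTH, CLIENT, AP, AP, reason=7, rssi=-72) for _ in range(6)]   # storm under AP's BSSID
    + [make_frame(DEAUTH, BROADCAST, AP, AP, reason=3, rssi=-73)]                  # broadcast deauth
    + [make_frame(DISASSOC, OTHER, AP2, AP2, reason=8, rssi=-61)])                 # one ordinary disassoc

if __name__ == "__main__":
    for tx, s in summarize(SAMPLE_PCAP).items():
        print(tx, s["count"], s["broadcast"], s["reasons"], s["suspicious"], s["rssi_mismatch"])
```

On the constructed capture the first transmitter is flagged (7 frames, one of them broadcast, heard some 30 dB weaker than its own beacons) while the second, with a single disassociation at the same level as its beacons, is not. Replace `SAMPLE_PCAP` with the bytes of an Airtool capture to run it on real data.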

Here are some screenshots from my lab, where I performed containment on one of my own APs. Remember your regulatory laws regarding containment!

Rogue security policies

Cisco WLC Wireless Protection Policies for Rogues

Containing a BSSID

Containing an SSID

A status page of the BSSID contained

Rogue AP Detail


A list of deauthentication frames captured using Airtool and Wireshark

Deauthentication Capture

This Week In Wireless

CTS 080: Wi-Fi Apps for macOS

Let’s face it, we enjoy our Wi-Fi tools and apps. This episode talks about the apps we use in macOS. So if you’re a Mac guy, this episode is for you.

This episode is happily sponsored by Metageek


Wi-Fi Apps for macOS

Being a Mac user used to mean not having enough apps to do your job. As Wi-Fi professionals, we rely on many apps to get our jobs done. Fortunately, we have developers who hear the cry for professional Wi-Fi apps on macOS. Here’s a list of apps Francois and I use on a daily basis, in no particular order.

Wi-Fi Explorer

Great app developed by Adrian Granados, who was interviewed back in episode 007. Double 007! This is an excellent Wi-Fi network scanner that is simple to use and updated regularly. It has built-in search functionality so you can find the network you’re looking for. You can add different columns to fit your troubleshooting needs, and you can see advanced details such as information elements. This is a paid application.

Screenshot of Wi-Fi Explorer

Airtool

Another powerful app from Adrian Granados. It’s a menu bar application that captures Wi-Fi frames using the Mac’s built-in Wi-Fi adapter. From the app you select the channel and channel width to capture on, and you’re off to the races. The captures can be opened in Wireshark, CloudShark, or Mojo Packets. This is the fastest way to capture frames on a Mac and one of my favorite apps to use. Also, it’s free!

Screenshot of Airtool

Wi-Fi Signal

Adrian Granados strikes again! This is a menu bar application used to easily check the status of the Wi-Fi network you’re connected to. It can display information such as received signal quality, signal in dBm, noise, SNR, and current channel. It can send notifications when you connect to or disconnect from a Wi-Fi network, and even when you roam.

Screenshot of Wi-Fi Signal

Debookee

We interviewed the developer, Thomas Baudelet, in episode 70. This is a great app with a wireless module that displays details of Wi-Fi networks and statistics such as retry rate and Tx and Rx throughput. It makes it easy to analyze other clients’ performance. This is a paid app.

Screenshot of Debookee


A free application to test throughput of your Wi-Fi network. What else is there to be said!?

Metageek InSSIDer Office (beta)

Currently in beta, Metageek has a macOS application that can scan Wi-Fi networks around you. It contains a search functionality to get through all the networks on the list. If you plug in a WiSpy dBx you can get a lite version of Chanalyzer. This is a paid app.

Screenshot of InSSIDer Office


Use this to SSH into your devices. You can build aliases and scripts to help you manage your network efficiently.

TamoSoft Throughput Test

Can operate as a server or a client. The server can be run from macOS or Windows. The client can operate on macOS, Windows, Android, and iOS. It’s very easy to use and provides a visual throughput tester. You can set QoS and perform TCP or UDP tests.

Screenshot of TamoSoft Throughput Server

What tools are you using on macOS? Which are your favorite? Let us know in the comments below.

Links and Resources


CTS 046: CWAP-402 Study Guide Released

Hey, what’s up everyone. In today’s episode we talk about TP-Link discovering what it’s like to ignore DFS, Google Fiber going wireless, data frame slicing with Airtool, and the CWAP exam update along with the updated study guide.

TP-Link Settles $200k with FCC for ignoring DFS and power limits

The FCC has reached a $200k settlement with TP-Link for selling Wi-Fi routers that ignore DFS requirements and power limits. This sounds very careless for a networking company. Is this what we now accept as hardware from these companies? Maybe TP-Link thought they could get away with it, or maybe an engineer wasn’t aware of the FCC regulations. But is this what we expect from inexpensive hardware? I don’t think so. Along with the fine, TP-Link has agreed to work with the open-source community to allow consumers to install third-party firmware on TP-Link routers.

This is a good move in my opinion but unprecedented from the FCC. This is a great way to move our wireless industry into embracing open-source.

Google Plans to Extend Fiber Into Wireless

CFO Ruth Porat said that Google Fiber would be exploring wireless following the acquisition of Webpass. This was mentioned in Alphabet’s second quarter earnings call. Why in the world would Google Fiber go into wireless? The obvious reason I can think of is cost. Wireless hardware costs a fraction of what digging up streets for fiber costs, not to mention the labor involved.

I think this is an interesting turn of events as Google Fiber now becomes fiber over the air. I can see the marketing lingo now….

Latest Airtool Update Gives Us Data Frame Slicing

Airtool is one of my favorite apps on OSX. It allows me to capture wireless frames using my built-in wireless adapter. But in doing so, some of these captures can take up precious hard disk space.

Adrian Granados has added a feature that grabs just the beginning of each frame and discards the rest. What you have left is the 802.11 MAC header.
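To see what such slicing has to keep, the following added example (written for this page, not Airtool’s code) computes the 802.11 MAC header length from the frame control field and truncates a radiotap-encapsulated frame to radiotap header plus MAC header. It assumes the packet bytes of a link type 127 pcap record; writing shortened records back to a pcap (with incl_len reduced and orig_len left as captured) is left to the caller, and control frames are kept whole since they have no payload worth cutting.

```python
"""Slice captured frames down to radiotap + 802.11 MAC header, the way a small
snaplen or header-only capture leaves just the headers on disk.

Added example; operates on single radiotap-encapsulated frames.
"""
import struct

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2


def mac_header_len(frame):
    """Length in bytes of the 802.11 MAC header, derived from frame control.

    Returns None for control frames (ACK/CTS are 10 bytes, RTS 16, ...), which
    carry no payload and are kept whole.
    """
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    if ftype == TYPE_CTRL:
        return None
    length = 24                                   # FC, duration, addr1-3, sequence control
    if ftype == TYPE_DATA and (fc1 & 0x03) == 0x03:
        length += 6                               # ToDS and FromDS set: addr4 present
    qos = ftype == TYPE_DATA and bool(fc0 & 0x80) # subtype bit 3 marks a QoS data frame
    if qos:
        length += 2                               # QoS control field
    if fc1 & 0x80 and (ftype == TYPE_MGMT or qos):
        length += 4                               # Order bit: HT control field present
    return length


def slice_frame(pkt):
    """Return the radiotap header plus the MAC header of one captured frame."""
    rt_len = struct.unpack_from("<H", pkt, 2)[0]  # radiotap length is little-endian at offset 2
    keep = mac_header_len(pkt[rt_len:])
    return pkt if keep is None else pkt[:rt_len + keep]


# constructed 8-byte radiotap header with no fields present (test data)
RADIOTAP_MIN = struct.pack("<BBHI", 0, 0, 8, 0)


def example_frame(fc0, fc1, header_len, payload_len=40):
    """Constructed frame: frame control, zeroed rest of header, dummy payload."""
    return RADIOTAP_MIN + bytes([fc0, fc1]) + bytes(header_len - 2) + bytes(range(payload_len))


SAMPLES = {
    "qos_data_to_ds": example_frame(0x88, 0x01, 26),     # QoS data, ToDS: 24 + 2
    "wds_qos_data_ht": example_frame(0x88, 0x83, 36),    # QoS data, 4-address, HT control: 24+6+2+4
    "beacon": example_frame(0x80, 0x00, 24),             # management frame: 24
    "ack": example_frame(0xD4, 0x00, 10, payload_len=0), # control frame: kept whole
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {len(pkt)} -> {len(slice_frame(pkt))} bytes")
```

On the constructed samples the 74-byte QoS data frame shrinks to 34 bytes (8 radiotap + 26 header) while the 18-byte ACK is left untouched. Captures sliced this way still show addresses, sequence numbers and QoS fields in Wireshark, but nothing above the MAC layer.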

Check out the latest update.

CWAP-402 Exam Released

The latest update to CWAP from CWNP is CWAP-402. It is 90 minutes long and contains 60 questions. It is available now, and has been since June 28, 2016.

Certified Wireless Analysis Professional

CWAP-402 brings changes to 5 subject areas.

In the CWAP update webinar, Tom Carpenter hinted that troubleshooting is a big part of the exam.

These are the objectives.

5% – Troubleshooting Processes
25% – 802.11 Communications
15% – WLAN hardware
35% – Protocol and Spectrum Analysis
20% – Troubleshooting Common Problems

Troubleshooting processes is a very small chunk of the exam at 5%.

It focuses on a troubleshooting methodology and mentions industry and vendor recommended processes. Not sure how vendor neutral that sounds.
As with any troubleshooting process, the OSI model is mentioned. Just remember that wireless sits at the Data Link and Physical layers.
It may mention Wireshark and OmniPeek as well as the tools baked into the OS, such as the command-line ping and traceroute.

At 25% is 802.11 Communications.

This sounds like the MAC Layer Frame Formats and Technologies AND 802.11 Operation and Frame Exchanges objectives from the previous exam, looking at 802.11 communications from a troubleshooting perspective. Understand the frame exchanges when a device tries to join a BSS, down to the detail of finding out why a device would fail to join. Learn the different frame formats: management, control, and data. Learn the PHY header and preamble, and why a device would have issues on a BSS because of them.

15% is WLAN hardware.

Troubleshooting client devices and their issues connecting to Wi-Fi, which includes dealing with drivers, security settings, and other configuration settings available on different drivers. There’s troubleshooting via protocol analysis using a tool such as Wireshark: do you know how to set up that application and look at wireless frames? There’s troubleshooting the spectrum using a spectrum analyzer: do you know how to identify common interference sources? Other troubleshooting aspects include why APs can’t power up, so we’re looking at PoE.

35% for Protocol and Spectrum Analysis.

Beginning with the basics of hardware and software protocol analysis: features of protocol analyzers, how to install and configure them, and how to capture and analyze traffic. On the spectrum analyzer side, again going over hardware and software spectrum analyzers, the terminology used among different spectrum analyzers, features included in applications such as Spectrum XT and Chanalyzer, creating reports from your findings, and how spectrum analyzers integrate with your Wi-Fi adapter. Of course you should know how to use a spectrum analyzer to find different forms of interference.

20% reserved for Troubleshooting Common Problems

This one is new for the CWAP. An obvious focus on troubleshooting. It may sound funny on a wireless analysis exam but you will need to know some wired issues with DNS, DHCP, switch configurations and WLAN controller access. These issues relate to services wireless clients use. Other common issues tackled are co-channel and adjacent channel interference, noise, hidden nodes, and more.

Just reading through the objectives, it sounds like this may be an easier exam than the previous version, but we’ll see how people react. The version 2 objectives are a lot shorter than the previous ones.

CWNP Releases New CWAP Material

With the latest revision of the CWAP exam now comes the latest study guide. The author is Tom Carpenter of CWNP. The technical review is Lee Badman who I interviewed on the podcast back on Episode 13.

It’s available on Amazon in print and on Kindle. If you’d like to support the podcast, you can purchase this book on Amazon.

There’s a total of 8 chapters:

  • Troubleshooting Processes
  • 802.11 Communications
  • 802.11 Frames
  • WLAN Hardware
  • Protocol Analysis
  • Spectrum Analysis
  • Wired Issues
  • Common WLAN Issues

It would be beneficial to do a lot of packet captures with Wireshark to follow along with the book and get hands-on. If you can, get hold of a spectrum analyzer as well.

I use the Metageek Chanalyzer with the dBx dual-band adapter. Another popular spectrum analyzer that can be used alongside this study guide is AirMagnet Spectrum XT.