We take a look at what resources are available to capture frames on Windows OS.
802.11 Frame Captures on Windows
Back in episode 121, we spoke highly of Macbook Pros being perfect tools for wireless frame captures. But not everyone has a Macbook Pro. Even I still have a Windows laptop and need to do frame captures on that every once and a while.
In this episode, we outline some of the resources we use for capturing frames on Windows OS. Both free and paid versions depending on how you’re trying to capture frames and how quickly you’re trying to accomplish the task.
Budgets will vary widely with each resource so check for the most updated pricing online.
Acrylic Wi-Fi Professional
You can try out Acrylic Wi-Fi with a trial version free for 4 days. As of June 2018, a license is $39.95 one time fee (or $19.95 for 1 year). It has a built in 802.11 packet capture tool without requiring additional hardware. But it only captures beacon frames if your Wi-Fi NIC does not support monitor mode.
The NDIS driver must be installed so your built in Wi-Fi NIC can be used in monitor mode. If you want, you can use an external adapter to perform the capture. Acrylic recommends the following:
- D-Link DWA-182 Revision A1
- Netgear A6200
- Asus USB-AC53
- List of compatible Wi-Fi NICs
By default, it will be channel hopping. So don’t forget to set the channel on which you want to scan. We strongly recommend using a Riverbed AirPcap card if you are going to do anything professional.
Some of the packet capture features include:
- Display the Packet Tree view including the details of the Radio Tap Header
- Displays the Hex and Binary view of the packet
- You can export the frames into a pcap file and analyze them with another tool (Wireshark)
- Integration with Wireshark
- 802.11ac not there with AirPcap Nx
Other Features:
- Wi-Fi Scanner
- Show Retry Rate when set to monitor mode
- Displays the SSID detected (including the hidden SSID)
- Displays some beacon details
- Script editor built-in
- Reports
- Inventory
Links:
- https://www.acrylicwifi.com/en/wlan-wifi-wireless-network-software-tools/wifi-analyzer-acrylic-professional/
- https://www.youtube.com/watch?v=buMJ9NDCsGA
- https://www.acrylicwifi.com/en/blog/how-to-capture-wifi-traffic-using-wireshark-on-windows/
Microsoft Network Monitor
This tool is free to use with your operating system. You can download the application from Microsoft and check out a full tutorial.
You can find a Video Tutorial easily on YouTube.
Features:
- Free. You just need a Wi-Fi USB adapter
- It won’t work with all Wi-Fi NIC. We have tried a bunch for you guys.
- NICs that work:
- NIC 300
- D-Link DWA-130
- D-Link DWA-160
- Linksys AE2500
- NICs that don’t work
- Realtek 8812AU
- D-Link DWA-182
- Netgear A6210
- Edimax EW-7822UAC
- Uses the NetMon L1 Header and not the Radio Tap header. With some adapters, you won’t have the RSSI right (Example: NIC 300 will always report an RSSI of 30dBm)
- Capture can be exported in .cap file and analyzed in Wireshark
Airpcap
Airpcap allows you to captures frames in Wireshark.
You can capture with multiple Airpcap adapters on multiple channels at the same time (Roaming analysis). Check out the post from Revolution WiFi.
Metageek Eye P.A.
Metageek offers many tools including a way to capture frames using Eye P.A. Having used this tool in the past it has been very good especially with the visualizations. Capture from Metageek Eye P.A. with other adapters and NDIS drivers.
Adapters supported:
- Linksys AE1200
- Linksys AE2500
- Netgear A6200
- http://blogs.metageek.net/blog/2018/05/introducing-a-new-way-to-capture-packets/
Savvius Omnipeek
Savvius was recently acquired by LiveAction and for good reason. Savvius has a strong frame capture utility called Omnipeek. It does a lot more than capture wireless frames as it can be useful on the wired side of things. But there’s a powerful expert analysis engine and there’s a way to aggregate wireless adapters in the application to capture on multiple channels.
You can find the Savvius Adapter on Amazon.
What tools are you using?
Is there anything missing from this list? Are you using one application more than the other? Let us know in the comments below.
I used Acrylic as my first packet analyzer. Ben and Amy have great blogarticles on that.
I bought both Netgear and D-Link adapter. But I got D-Link versjon c1, not a1.
Was not happy with Netgear and Acrylic, so jumped over to ComView for WiFi thats supports D-Link 182 c1
In CW for Wifi you could choose which type of frame you want to capture,; data,management or control
But at the end of the day; use Airtool on Mac
I’ve found Airtool to be the easiest. Other applications offer more beyond just staring at frames in Wireshark but I find that learning how to find the frames you’re looking for within Wireshark makes you a better analyzer.
I used VisiWave Traffic (http://www.visiwave.com/wifi/visiwave-traffic.php), and it reasonably priced ($300). It requires Microsoft Network Monitor to capture the frames, but the visuals are very insightful. Even though a floor plan is not required, using one eases troubleshooting. Once the capture is complete, the trace file can be imported into Wireshark. Getting the right wireless NIC work was a chore, which eventually I landed on the D-Link DWA-160. Seeing your list of wireless NICs before the purchase would have saved me some time.
Thanks for the great work of putting together the podcasts.
– Scott
Thanks for your input here Scott. I’ll have to check out VisiWave pretty soon.
[…] https://www.cleartosend.net/wireless-frame-captures-windows/ […]
Very much enjoy listening to your podcast. Thank you for putting out such great content.
I’m pretty much a noob and the tools I us on my Macbook Pro, are Wireshark, Airtool, WiFi Explorer, and Mac’s native wireless diagnostics (mostly Performance and Info).
Question: You guys mentioned you use duration filter on Wireshark, do you use the wlan_duration or wlan_radio.duration, or both? I ask, because I get different readings from this two. The numbers can sometimes be identical, different, or one of them will have no data.
Mike
Thanks for listening Mike! We greatly appreciate it.
I use wlan.duration. In Wireshark you’ll find this right before the MAC addresses.