Capture WiFi traffic using Wireshark

How to capture WiFi traffic using Wireshark on Windows

Wireshark uses the libpcap or WinPcap libraries to capture network traffic on Windows. WinPcap is not intended to work with wireless network cards, so it does not support capturing WiFi network traffic with Wireshark on Windows. As a result, Wireshark monitor mode on Windows is not supported by default.

Winpcap Capture Limitations and WiFi traffic on Wireshark

Capture is mostly limited by WinPcap and not by Wireshark. However, Wireshark includes AirPcap support, a special (and expensive) set of WiFi network adapters whose drivers support network traffic monitoring in monitor mode. In other words, they capture WiFi network traffic in promiscuous mode.

Acrylic WiFi products include an NDIS traffic capture driver that captures WiFi network traffic in monitor mode on Windows, which makes it possible to capture WiFi traffic with Wireshark on Windows Vista, Windows 7, Windows 8, and Windows 8.1. This driver also adds wireless network compatibility on Windows to other WiFi sniffers.

NDIS Driver and WiFi interfaces on Wireshark

To make this integration possible, Acrylic installs an airpcap.dll library on the system. When Wireshark loads the installed airpcap library, the library returns a fake list of installed AirPcap network cards: one AirPcap device for each integrated WiFi network card or external USB WiFi network card.

WiFi network card using Wireshark on Windows

Through this method, you can use your preferred AirPcap-compatible network analyzer to monitor WiFi packets under Windows. You can view WiFi traffic by using Wireshark, Cain & Abel, Elcomsoft Wireless Security Auditor, or Acrylic itself. By double-clicking on the network interface in Wireshark, you can access the interface settings. There you can see that the interface shows a link-layer header, which includes signal level information for each captured packet.

Wireshark NDIS WiFi interface detail on Windows

By clicking on the “Wireless settings” button, you can configure advanced settings, such as the WiFi channel to monitor and the FCS check. FCS, or Frame Check Sequence, is a WiFi network packet integrity signature used to discard corrupt packets.

Wireshark select channel using NDIS WiFi network card on Windows
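The signal level in the link-layer header and the FCS check described above can also be verified offline on captured packets. The following is an added example, not code from Acrylic or Wireshark: it assumes the packets were captured with a radiotap link-layer header (the page does not name the header type), `parse_radiotap` and `build_sample` are hypothetical names, and the sample packet is constructed.

```python
import struct
import zlib

# (size, alignment) of the radiotap fields for present-bits 0..5, in bit order:
# TSFT, Flags, Rate, Channel, FHSS, dBm antenna signal
FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2), (2, 2), (1, 1)]
F_FCS_AT_END = 0x10  # radiotap Flags bit: frame still carries its 4-byte FCS

def parse_radiotap(pkt):
    """Return (signal_dbm, channel_mhz, fcs_ok) for one radiotap-framed packet."""
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or not 8 <= hdr_len <= len(pkt):
        raise ValueError("not a valid radiotap header")
    off, word = 8, present
    while word & 0x80000000:  # bit 31 set: another present word follows
        (word,) = struct.unpack_from("<I", pkt, off)
        off += 4
    flags = signal = channel = None
    for bit, (size, align) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        off = (off + align - 1) & ~(align - 1)  # fields are naturally aligned
        if bit == 1:
            flags = pkt[off]
        elif bit == 3:
            channel = struct.unpack_from("<H", pkt, off)[0]
        elif bit == 5:
            signal = struct.unpack_from("<b", pkt, off)[0]
        off += size
    frame = pkt[hdr_len:]
    fcs_ok = None  # None: the capture carries no FCS to check
    if flags is not None and flags & F_FCS_AT_END and len(frame) >= 4:
        # 802.11 FCS is a CRC-32 over the frame, stored little-endian
        fcs_ok = struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]
    return signal, channel, fcs_ok

def build_sample(corrupt=False):
    """Constructed packet: radiotap (Flags, Channel, signal) + beacon header + FCS."""
    rtap = struct.pack("<BBHI", 0, 0, 16, 0x2A) + bytes([F_FCS_AT_END, 0])
    rtap += struct.pack("<HHbB", 2437, 0x00A0, -42, 0)  # channel 6, -42 dBm, pad
    frame = bytes.fromhex("80000000" + "ff" * 6 + "020000000001" * 2 + "0000")
    fcs = struct.pack("<I", zlib.crc32(frame))
    if corrupt:  # flip one bit after the FCS was computed
        frame = frame[:10] + bytes([frame[10] ^ 0x01]) + frame[11:]
    return rtap + frame + fcs

if __name__ == "__main__":
    print(parse_radiotap(build_sample()))
    print(parse_radiotap(build_sample(corrupt=True)))
```

A result of `None` for the FCS means the header did not flag an FCS as present, so there is nothing to validate for that packet.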

WiFi traffic capturing using Wireshark

To sum up: after installing Acrylic WiFi, launch Wireshark with Administrator privileges (by right-clicking on the Wireshark icon and selecting “Run as administrator”) and select any NDIS network interface WiFi network card. In this example, it is the Dell integrated WiFi network card (Dell Wireless 1702/b/g/n).

Wireshark Capture NDIS WiFi Windows


Source: https://www.acrylicwifi.com
