How to capture WiFi traffic using Wireshark on Windows
Wireshark uses libpcap or Winpcap libraries to capture network traffic on Windows. Winpcap libraries are not intended to work with wireless network cards, therefore they do not support WiFi network traffic capturing using Wireshark on Windows. Therefore, Wireshark monitor mode for Windows is not supported by default.
Winpcap Capture Limitations and WiFi traffic on Wireshark
Capture is mostly limited by Winpcap and not by Wireshark. However, Wireshark includes Airpcap support, a special -and expensive- set of WiFi network adapters, which drivers support network traffic monitoring on monitor mode. In other words, WiFi network traffic capturing on promiscuous mode.
Acrylic WiFi products include an NDIS traffic capture driver that captures WiFi network traffic on monitor mode on Windows, capturing WiFi traffic with Wireshark on Windows Vista, Windows 7, Windows 8, and Windows 8.1. This driver adds wireless network compatibility on Windows to other WiFi sniffers.
NDIS Driver and WiFi interfaces on Wireshark
To make this integration possible, Acrylic installs an airpcap.dll library in the system. When Wireshark loads the installed airpcap library, it returns a fake list of airpcap network cards installed. One Airpcap device for each integrated WiFi network card or external USB WiFi network card.
Through this method, you can use your preferred network analyzer compatible with Airpcap to monitor WiFi packets under windows. You can view wifi traffic by using Wireshark, cain & Abel, Elcomsoft wireless security auditor or with Acrylic. By double clicking on the network interface on wireshark, you can access the interface settings. You can see that the interface shows a link-layer header, which includes captured packet signal level information.
By clicking on the “Wireless settings” button, you can configure advanced settings, such as WiFi channel to monitor and FCS check. FCS, or Frame Check Sequence, is a WiFi network packet integrity signature that discards corrupt packets.
WiFi traffic capturing using Wireshark
All in all, after installing Acrylic WiFi, launch Wireshark with Administrator privileges (by right clicking on the Wireshark icon and selecting “Run as administrator”) and select any NDIS network interface WiFi network card. In this example, the Dell integrated WiFi network card (Dell Wireless 1702/b/g/n).
Video tutorial Acrylic WiFi NDIS driver with Wireshark on Windows