
As many of my clients and students know, I have a great solution for those who want to capture WLAN control and management frames using a Windows system without paying anyone any money for expensive interfaces or software.  THIS IS ONLY ABOUT SEEING THE Wi-Fi CONTROL AND MANAGEMENT FRAMES. For example, if you wanted to capture TCP traffic between your system and another system, Wi-Fi considers that Data traffic.  Wireshark allows capture of normal Wi-Fi data traffic with your Wi-Fi NIC in managed mode; however, it just looks like Ethernet traffic (even though it isn't).  If that is all you need, you can stop reading here.

If, on the other hand, you want to put the NIC into monitor mode to listen to control and management frames, like beacons, Clear to Send, Request to Send, Association, Disassociations, etc. AND you have Microsoft Windows, then this article is for you.
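To make the management/control/data split concrete, here is an added example (not part of the original article) that decodes the 802.11 Frame Control byte and sorts frames into the categories discussed above. The function names and the sample frames are constructed for illustration; each sample is only the 2-byte Frame Control field, as it would appear after the capture tool's per-packet header.

```python
from collections import Counter

# 802.11 Frame Control, first byte:
# protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {
    (0, 0): "association request",
    (0, 1): "association response",
    (0, 8): "beacon",
    (0, 10): "disassociation",
    (1, 11): "request to send",
    (1, 12): "clear to send",
    (2, 0): "data",
    (2, 8): "QoS data",
}

def classify(frame: bytes) -> tuple[str, str]:
    """Return (type name, subtype name) for a raw 802.11 MAC frame."""
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    fc0 = frame[0]
    if fc0 & 0x03 != 0:
        raise ValueError("unexpected 802.11 protocol version")
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    type_name = TYPES.get(ftype, "reserved/extension")
    return type_name, SUBTYPES.get((ftype, subtype), f"subtype {subtype}")

def needs_monitor_mode(frame: bytes) -> bool:
    """Per the article: only data frames show up in a managed-mode capture."""
    return classify(frame)[0] != "data"

def summarize(frames) -> Counter:
    """Count frames per 802.11 type."""
    return Counter(classify(f)[0] for f in frames)

# Constructed sample Frame Control fields (not taken from a real capture).
SAMPLE_FRAMES = [
    bytes.fromhex("8000"),  # beacon
    bytes.fromhex("b400"),  # request to send
    bytes.fromhex("c400"),  # clear to send
    bytes.fromhex("a000"),  # disassociation
    bytes.fromhex("0801"),  # data, To DS flag set
    bytes.fromhex("8801"),  # QoS data, To DS flag set
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), classify(f), "monitor mode needed:", needs_monitor_mode(f))
    print(dict(summarize(SAMPLE_FRAMES)))
```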

The problem comes down to our friends at Microsoft.  Windows, by definition, does not allow users to put their interface into "Monitor Mode".  So if you use a great packet dissector like Wireshark, you can't really see the WLAN packets.  You have 4 options:

  1. Buy the Riverbed AirPcap tool, which is ridiculously expensive ($700 plus) but works perfectly.
  2. Use Acrylic WiFi solutions to essentially install drivers that may or may not work.  I have not had any success with this, but some say it works for them.
  3. Run Linux as a dual boot, USB boot, or VM.  There are some complications to the VM part.  I have written separate articles on these VM options here.
  4. Want to stay with Windows only?  There are two possibilities:
    1. Use my solution below, which is free and works 100% of the time.
    2. Use the Npcap driver, which is now a preferred option when installing Wireshark and used to come with nmap.  If you use the Npcap driver and can get it to work, it is better than WinPcap because it has been updated, while WinPcap is no longer being updated.  The problem is that for many, upgrading from WinPcap to Npcap has been troublesome, and after installing Npcap they cannot see any interfaces in Wireshark.  The folks at Nmap are working on this. I have had mixed success with it.  Npcap requires that you get rid of WinPcap and vice versa.  If Npcap works, then you can run Wireshark in "Administrator Mode" and actually put the wireless interface into monitor mode from the Wireshark Capture > Options screen.  If this could be made stable, it would be a great solution. If you can get Npcap working, you do not need to read any further.

Here is how you do it:

First, go to this link and download/install Microsoft Network Monitor v3.4.  This is ancient software (actually in Microsoft's archives) but works on all older and newer versions of Windows (I am using Windows 10 and it is perfect).  That said, you will see in the comments that some folks find they cannot get their newer generation USB Wi-Fi NICs into monitor mode.  If that is you, then option 3 above is your best path.  Let's continue:

Run the installation process.  It takes about 5 minutes.

You will need to reboot.   You will also need to have Administrator privileges.

Once rebooted - run the program.  It will look something like this:


You will note that all the interfaces (bottom left) are selected by default.  To capture Wi-Fi packets, deselect all except the Wi-Fi interface of your computer:


Next, select 'New Capture':


The screen will change as shown:


You will see the Wi-Fi interface selected, but you need to adjust the properties (the first time).  So select the interface so it is highlighted, then click the properties button:


You will get a Network Interface Configuration pop-up, and you will select the Scanning Options button:


When you do this you may get a permissions warning...of course, say yes to this.

You will then be presented with the Wi-Fi Scanning Options dialogue, and it is in this next screen that you must select Switch to Monitor Mode:


The bottom list of 802.11 options will now not be greyed out:


I suggest you leave them all selected.  Now the next step is tricky.  Even though the "Close and Return to Local Mode" button is highlighted, you will want to click on Apply.  Then close the dialogue with the "X" on top right.

We are now ready to capture!!

Click the "Start" button on the top menu:


And *POOF* you are capturing WLAN packets!!!


When you are ready to stop, click on the Stop button, and save the file (Save As something like test.cap to your desktop).

Now you can open that .cap file in Wireshark:


There are a couple of differences you might notice.

First, instead of Radiotap headers, you will see Netmon headers.  They are almost identical, and you can still retrieve important WLAN information like speeds, signal, and noise levels.

Also, Wireshark may report Malformed packet errors; these can be ignored.

How cool is that!

Sorry Riverbed, and sorry to all those who say it can't be done without $$$.

Comments are welcomed!

[Note:  If you cannot get this to work, I suggest you read this article as well.]



