Networking/Computing Tips/Tricks

As many of my clients and students know, I have a great solution for those who want to capture WLAN packets on a Windows system without paying anyone for expensive interfaces or software.

The problem comes down to our friends at Microsoft.  Out of the box, Windows does not let you put a Wi-Fi interface into "Monitor Mode", so if you use a great packet dissector like Wireshark you only see your own traffic as Ethernet-style frames, not the raw 802.11 frames in the air.  You have 3 options:

1. Buy the Riverbed AirPcap adapter, which is ridiculously expensive ($700 plus).

2. Use Acrylic WiFi, which essentially installs its own capture driver that may or may not work with your adapter.

3. My solution!  Which is free and has worked on every Windows system I have tried it on.

Here is how you do it:

First, go to this link and download/install Microsoft Network Monitor v3.4.  This is ancient software (it now lives in Microsoft's archives), but it works on older and newer versions of Windows alike (I am using Windows 10 and it is perfect).

Run the installation process.  It takes about 5 minutes.

You will need to reboot.  You will also need Administrator privileges, both to install the capture driver and to switch the adapter into monitor mode later.

Once rebooted - run the program.  It will look something like this:

[Screenshot: msmonitor1]

You will note that all the interfaces (bottom left) are selected by default.  To capture Wi-Fi packets only, deselect everything except your computer's Wi-Fi interface:

[Screenshot: msmonitor2]

Next, select 'New Capture':

[Screenshot: msmonitor3]

The screen will change as shown:

[Screenshot: msmonitor4]

You will see the Wi-Fi interface selected, but you need to adjust its properties (the first time only).  Select the interface so it is highlighted, then click the Properties button:

[Screenshot: msmonitor5]

You will get a Network Interface Configuration pop-up; select the Scanning Options button:

[Screenshot: msmonitor6]

When you do this you may get a permissions warning.  Say yes to it, of course.  Be aware that while the adapter is in monitor mode it drops its association with your current network, so you will be offline for the duration of the capture.

You will then be presented with the Wi-Fi Scanning Options dialog, and it is in this screen that you must select Switch to Monitor Mode.  (Not every Wi-Fi driver supports monitor mode; if the option does nothing or the capture shows only your own traffic, the adapter's driver is the likely cause.)

[Screenshot: msmonitor7]

The bottom list of 802.11 band and channel options will no longer be greyed out:

[Screenshot: msmonitor8]

I suggest you leave them all selected.  The next step is tricky: even though the "Close and Return to Local Mode" button is highlighted, you want to click Apply instead (clicking the highlighted button takes the adapter straight back out of monitor mode).  Then close the dialog with the "X" in the top right.

We are now ready to capture!!

Click the "Start" button on the top menu:

[Screenshot: msmonitor9]

And *POOF* you are capturing WLAN packets!!!

[Screenshot: msmonitor10]

When you are ready to stop, click the Stop button and save the capture (Save As something like test.cap on your desktop).

Now you can open that .cap file in Wireshark:

[Screenshot: msmonitor11]

There are a couple of differences you might notice compared with a capture from a Linux monitor-mode interface.

First, instead of Radiotap headers you will see NetMon 802.11 capture headers in front of each frame.  They carry much the same per-frame metadata, so you can still read the important WLAN information such as data rate, channel, signal, and noise levels.

Also, Wireshark may flag some frames as Malformed Packet; these can usually be ignored.
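To make the point concrete about what is actually in those frames, here is an added example (mine, not part of the original post) that parses one 802.11 beacon frame the way Wireshark does after it strips the NetMon header: frame control, the three addresses, the fixed beacon fields, and the tagged information elements that tell you the SSID, the channel, and whether the BSS advertises RSN (WPA2/WPA3) protection. The two sample frames are constructed by hand for the example; the element IDs and field offsets come from the 802.11 standard.

```python
"""Minimal 802.11 beacon parser (added example, not from the original post).

Takes the raw 802.11 frame bytes (i.e. what follows the NetMon 802.11 capture
header in the saved .cap) and extracts the fields a Wi-Fi assessment starts
from. The sample beacons below are constructed for this example.
"""
import struct

# Information element IDs (802.11 tagged parameters)
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3          # carries the current channel
IE_RSN = 48               # RSN = WPA2/WPA3 security advertisement

CAP_PRIVACY = 0x0010      # capability bit 4: encryption in use


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(data: bytes) -> dict:
    """Walk the (id, length, value) triplets that follow the fixed fields."""
    ies = {}
    off = 0
    while off + 2 <= len(data):
        eid, elen = data[off], data[off + 1]
        val = data[off + 2:off + 2 + elen]
        if len(val) < elen:
            raise ValueError("truncated information element")
        ies.setdefault(eid, []).append(val)   # some IEs may repeat
        off += 2 + elen
    return ies


def parse_beacon(frame: bytes) -> dict:
    """Parse a management/beacon frame; raises ValueError on anything else."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise ValueError("not a management/beacon frame")
    # MAC header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
    addr1, addr2, bssid = frame[4:10], frame[10:16], frame[16:22]
    # Fixed beacon body: TSF timestamp(8) beacon interval(2) capability(2)
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    ies = parse_ies(frame[36:])
    ssid_raw = ies.get(IE_SSID, [b""])[0]
    rates = ies.get(IE_SUPPORTED_RATES, [b""])[0]
    return {
        "da": mac_str(addr1),
        "sa": mac_str(addr2),
        "bssid": mac_str(bssid),
        "ssid": ssid_raw.decode("utf-8", "replace"),
        "hidden": len(ssid_raw) == 0,             # zero-length SSID = hidden
        "channel": ies[IE_DS_PARAMS][0][0] if IE_DS_PARAMS in ies else None,
        "interval_ms": interval * 1.024,          # interval is in 1024 us TUs
        "rates_mbps": [(r & 0x7F) / 2 for r in rates],
        "privacy": bool(cap & CAP_PRIVACY),
        "rsn": IE_RSN in ies,
    }


def classify_security(info: dict) -> str:
    """Coarse bucket from the beacon alone: open, rsn, or legacy privacy."""
    if not info["privacy"]:
        return "open"
    if info["rsn"]:
        return "rsn"
    return "legacy"   # privacy bit set but no RSN IE: WEP or WPA1 (vendor IE)


# Constructed sample: WPA2-PSK beacon for "Lab-AP" on channel 6
SAMPLE_BEACON_WPA2 = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "001122334455" "001122334455" "0000"
    "3412000000000000" "6400" "1100"              # TSF, 100 TU, ESS+Privacy
    "0006" "4c61622d4150"                          # SSID "Lab-AP"
    "0104" "82848b96"                              # rates 1, 2, 5.5, 11 Mbps
    "0301" "06"                                    # DS params: channel 6
    "3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "0000"  # RSN
)

# Constructed sample: open network, same AP, hidden SSID
SAMPLE_BEACON_OPEN = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "001122334455" "001122334455" "0000"
    "3412000000000000" "6400" "0100"              # capability: ESS only
    "0000"                                         # zero-length SSID
    "0104" "82848b96"
    "0301" "0b"                                    # channel 11
)

if __name__ == "__main__":
    for frame in (SAMPLE_BEACON_WPA2, SAMPLE_BEACON_OPEN):
        info = parse_beacon(frame)
        print(info["bssid"], repr(info["ssid"]), "ch", info["channel"],
              classify_security(info))
```

Run over a real capture you would feed it the 802.11 payload of each frame after skipping the NetMon header; the logic is the same, which is why the "NetMon instead of Radiotap" difference above matters only for the per-frame radio metadata, not for the 802.11 frames themselves.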

How cool is that!

Sorry Riverbed, and sorry to all those who say it can't be done without $$$.

Comments are welcomed!

[Note: If you cannot get this to work, I suggest you read this article as well.]
