As many of my clients and students know, I have agreat solution for those who want to capture WLAN control and management frames using a Windows system without paying anyone any money for expensive interfaces or software. THIS IS ONLY ABOUT SEEING THE Wi-Fi CONTROL AND MANAGEMENT – for example if you wanted to capture TCP traffic between your system and another system, to Wi-Fi this is considered Data traffic. Wireshark allows capture of normal Wi-Fi data traffic with your Wi-Fi NIC in managed mode – it just looks like Ethernet traffic. You can stop reading here.
If, on the other hand, you want to put the NIC into monitor mode to listen to control and management frames, like beacons, Clear to Send, Request to Send, Association, Disassociations, etc. AND you have Microsoft Windows, then this article is for you.
The problem comes down to our friends at Microsoft. Windows, by definition, does not allow users to put their interface into "Monitor Mode". So if you use a great packet dissector like Wireshark, you can't really see the WLAN packets. You have 4 options:
- Buy the Riverbed Airpcap tool which is ridiculously expensive ($700 plus) but works perfectly.
- Use Acrylic WiFi solutions to essentially install drivers that may or may not work.
- Run Linux as a dual boot, USB boot, or VM. There are some complications to the VM part. I have written separate articles on these options here.
- Want to stay with Windows only? There are two possibilities. Use my solution below which is free and works 100% of the time, or some say install the npcap driver that comes with nmap. I will not discuss the npcap driver here as I have had mixed success with it. While it works, it gets in the way of Winpcap, ofcourse, and this causes issues.
Here is how you do it:
First go to
Run the installation process. It takes about 5 minutes.
You will need to reboot. You will also need to have Administrator privileges.
Once rebooted - run the program. It will look something like this:
You will note that all the interfaces (bottom left) are selected by default. To capture Wi-Fi packets, deselect all except the Wi-Fi interface of your computer:
Next, select 'New Capture':
The screen will change as shown:
You will see the Wi-Fi interface selected, but you need to adjust the properties (the first time). So select the interface so it is highlighted, then click the properties button:
You will get a Network Interface Configuration pop-up, and you will select the Scanning Options button:
When you do this you may get a permissions warning...of course, say yes to this.
You will then be presented with the Wi-Fi Scanning Options dialogue, and it is in this next screen that you must select Switch to Monitor Mode:
The bottom list of 802.11 options will now not be greyed out:
I suggest you leave them all selected. Now the next step is tricky. Even though the "Close and Return to Local Mode" button is highlighted, you will want to click on Apply. Then close the dialogue with the "X" on top right.
We are now ready to capture!!
Click the "Start" button on the top menu:
And *POOF* you are capturing WLAN packets!!!
When you are ready to stop, click on the Stop button, and save the file (Save As something like test.cap to your desktop).
Now you can open that .cap file in Wireshark:
There are a couple of differences you might notice.
First instead of Radiotap headers, you will see Netmon headers. They are almost identical, and you can still retrieve important WLAN information like speeds, signal, and noise levels.
Also, Wireshark may report Malformed packet errors, that can be ignored.
How cool is that!
Sorry Riverbed, and sorry to all those who say it can't be done without $$$.
Comments are welcomed!
[Note: If you cannot get this to work, I suggest you read this article as well.]