
Check out these great references as well: 

 Our Wireless custom profile for Wireshark
 Our Udemy course on Wireless Packet capture
 Our other Wi-Fi related articles

In our article on putting your WLAN Wi-Fi interface into Monitor Mode so you can sniff Wi-Fi packets and troubleshoot WLANs, we said that if you are running Windows, you are in trouble.  We pointed out that one option to overcome this challenge is to run Linux as a virtual machine, but that the VM cannot access the Wi-Fi interface directly, because all the virtualization technologies bridge the NIC so that it is seen as a wired connection.

If you are looking at L3 and up, this is a non-issue.  But if you need to sniff Wi-Fi L1 and L2 for radio performance data, power levels and such, this is a problem.

The article also suggested there was a way forward if you use an external USB Wi-Fi adapter that supports monitor mode.  This article explains how I do it.

First, you need the proper type of adapter.  There are many, but you have to ensure that the adapter allows you to put it in monitor mode.  The one I am using is the Alfa Network 802.11 b/g/n adapter AWUS036NHA, which you can easily get from Amazon.  They make a number of adapters.

Second, you need a VM set up.  In my case I have Kali Linux set up in VirtualBox.  All free.

Third, with the Kali Linux VM shut down, I plug my USB wireless adapter into my computer's USB port.  Then in VirtualBox, I add the USB wireless adapter (think of it as assigning the adapter) to the Kali VM.

First we need to change the settings of the VM:


Then in the settings dialogue:

  1. Select USB
  2. Select Enable USB controller and pick the correct USB version (my system would only allow USB 1.1; if you try the others and your VM will not boot, use this one)
  3. Click the "+" to add one of the USB devices
  4. Select the USB wireless from the list (mine was shown as Atheros)
  5. Click OK


Now fire up the VM and log in.

It's a bit strange but, even though you assigned the USB Wireless adapter in the settings above, you still need to "turn it on".

This is done in VirtualBox from the Device Menu once the system is up and running:


If you like to run in full screen mode, as I do, this menu is at the bottom of the VirtualBox screen:


In both methods, make sure the wireless USB adapter is selected.

Great! Now we can put the adapter into Monitor mode.  There are multiple ways to do this (you can see our article on the choices here), but we are going to do this as follows:

First verify the adapter is present with the ifconfig command.

ifconfig

Second put the interface into monitor mode with the following commands:

sudo ip link set wlan0 down
sudo iw wlan0 set monitor none
sudo ip link set wlan0 up
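
The check that the adapter supports monitor mode, and the confirmation that the three commands above took effect, can be scripted. This is an added example, not code from the original article; the function names and the sample `iw` output are constructed for illustration, and `set_monitor` assumes `iw` and `sudo` are available and that the radio keeps its default `phyN` name.

```shell
#!/bin/sh
# Added example: pre-flight and verification around the article's iw commands.

# stdin: `iw list` or `iw phy <phy> info` text. Succeeds only if "monitor" is
# listed inside the "Supported interface modes" block.
supports_monitor() {
    awk '/Supported interface modes:/ { in_modes = 1; next }
         in_modes && /^[ \t]*\* / { if ($2 == "monitor") found = 1; next }
         in_modes { in_modes = 0 }
         END { exit(found ? 0 : 1) }'
}

# stdin: `iw dev <iface> info` text. Print the interface type / channel number.
iface_type()    { awk '$1 == "type"    { print $2; exit }'; }
iface_channel() { awk '$1 == "channel" { print $2; exit }'; }

# Live use in the VM. Assumptions: iw and sudo are available, the radio has its
# default phyN name; pass the interface name (wlan0 in the article).
set_monitor() {
    iface=$1
    phy="phy$(iw dev "$iface" info | awk '$1 == "wiphy" { print $2 }')"
    iw phy "$phy" info | supports_monitor ||
        { echo "$iface ($phy): monitor mode not advertised" >&2; return 1; }
    sudo ip link set "$iface" down &&
    sudo iw "$iface" set monitor none &&
    sudo ip link set "$iface" up &&
    [ "$(iw dev "$iface" info | iface_type)" = monitor ]
}

# Constructed sample output (not captured from a real adapter).
sample_iw_list() { cat <<'EOF'
Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * monitor
    Band 1:
EOF
}
sample_iw_info() { cat <<'EOF'
Interface wlan0
    type monitor
    wiphy 0
    channel 11 (2462 MHz), width: 20 MHz (no HT), center1: 2462 MHz
EOF
}

sample_iw_list | supports_monitor && echo "sample phy: monitor mode supported"
echo "sample wlan0: type=$(sample_iw_info | iface_type) channel=$(sample_iw_info | iface_channel)"
```

Inside the VM, `set_monitor wlan0` returns non-zero if the driver does not list monitor mode or if the interface does not report `type monitor` afterwards.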

 


 

At this point you should have Wireshark installed, and we can fire it up.

You should see the wlan0 interface in the interfaces list.

First, turn on the Wireless tool bar:


With the wireless toolbar on, you can select which channel to sniff:


 

I selected Channel 11, and now simply click the blue shark fin to start capturing:


You will know you are truly capturing the Wi-Fi traffic when you see Beacon frames, ACKs, Request to Send, Clear to Send and all those types of WLAN packets.

Also, if you look at one of the packets, you will see the Radiotap and 802.11 Radio headers, which contain vital L1 performance information like signal and noise levels, data rates and much more.

One last thing.  To put the interface back into normal managed mode, use the following commands:

sudo ip link set wlan0 down
sudo iw wlan0 set type managed

I hope you find this article and its content helpful.