KisMAC and AirPort - A Match Made in Heaven (Almost)

I love free stuff. I love it even more when it works. And while I am a natural skeptic of the usefulness of free software (thus contradicting a timeless programmer's joke), the ability to run KisMAC-ng with an AirPort Extreme interface in Monitor mode is quite nice. Not as nice as it could be if a few little tweaks were made to the software, but for a free product it remains the best WiFi sniffer for Mac OS X.


Way back in January of this year (seems further back than that, which is interesting since years are supposed to feel faster as you get older, right?) I wrote about using a combination of KisMAC, Wireshark and a DWL-122 802.11b/g USB adapter to do WiFi sniffing when running Mac OS X. Six months later I wrote about sniffing with a Mac again, this time focusing on using a virtual machine. The basic gist of those updates was that running Windows on your Mac is the best way to sniff, but if you must run OS X then you can at least capture 802.11 b/g frames if you have a DWL-122 adapter.

802.11n adoption has exploded in 2010 (a good topic for a future blog post, I think), so the usefulness of an 802.11b/g adapter to capture is starting to wane. It is true that the majority of enterprise-class WLANs still have a preponderance of 802.11b/g devices in use, but if you run into that odd 802.11n laptop, tablet or phone, you'll regret restricting yourself to 802.11b/g. This made KisMAC with a DWL-122 a limited option. I could use it on airplanes and other public spaces that have yet to upgrade to 802.11n, but for money sniffing KisMAC had all but been retired.

My use of KisMAC changed when I switched from a MacBook Pro to a MacBook Air recently. (As an aside, the move from HDD to SSD is like the move from SD to HD television: I'll never go back.) Though I now have to keep my iTunes library stored on an external drive due to my scant 64 GB of disk space, the MacBook Air's AirPort drivers now support Monitor mode. (As another aside, I've been told that some newer and older MacBook Pros had AirPort drivers that supported Monitor mode, but I could never get it to work with the non-unibody model I bought back in June, 2008.) Since the MacBook Air boasts an 802.11n (that's MIMO-802.11n, not an iPad-esque 65 Mbps 802.11n) AirPort interface that can be placed in Monitor mode, I can now capture 802.11n traffic with the free combination of KisMAC and Wireshark. See:


Now, notice that there are some limitations here. The supported rates read as if this were an 802.11b/g capture. In addition, KisMAC remains a 2.4 GHz-only sniffing tool, so if you need to analyze a full throttle (meaning 5 GHz) 802.11n network, you're out of luck. Still, it's nice to be able to see how the Retries are looking on my home WiFi network without having to boot into Windows or run a virtual machine. (Below 0.01% Retry bytes, if you're curious. Also, reason #177 why every 2.4 GHz WLAN should have an RTS Threshold of 0.)
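One way to get a Retry-bytes percentage like the one quoted above out of a saved capture, as an added example that is not part of the original post. It assumes the capture is a classic pcap file with link type 105 (raw 802.11) or 127 (radiotap) and counts captured 802.11 bytes; the function names and the sample capture are constructed for illustration.

```python
import struct

DLT_IEEE802_11, DLT_RADIOTAP = 105, 127   # pcap link types: raw 802.11 / radiotap

def retry_byte_stats(pcap):
    """Return (total_bytes, retry_bytes, retry_percent) over captured 802.11 bytes."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0] & 0xFFFF
    if linktype not in (DLT_IEEE802_11, DLT_RADIOTAP):
        raise ValueError("capture is not 802.11 (link type %d)" % linktype)
    total = retry = 0
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == DLT_RADIOTAP:
            if len(frame) < 4:
                continue
            # radiotap length field is little-endian regardless of file byte order
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        if len(frame) < 2:                    # need the 2-byte Frame Control field
            continue
        total += len(frame)
        if frame[1] & 0x08:                   # Retry bit in the Frame Control flags byte
            retry += len(frame)
    return total, retry, (100.0 * retry / total if total else 0.0)

def build_sample_pcap(linktype=DLT_IEEE802_11, prefix=b""):
    """Constructed sample: two 100-byte data frames (one a retry) and a 10-byte ACK."""
    frames = [b"\x08\x01" + bytes(98),        # data frame, To DS, first transmission
              b"\x08\x09" + bytes(98),        # same flags plus Retry (0x08)
              b"\xd4\x00" + bytes(8)]         # ACK control frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        rec = prefix + f                      # prefix: optional per-frame radiotap header
        out += struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec
    return out

if __name__ == "__main__":
    print("total=%d retry=%d retry%%=%.2f" % retry_byte_stats(build_sample_pcap()))
```

To run it against a real capture, pass the file's bytes, for example `retry_byte_stats(open(path, "rb").read())`.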

As always, for professional analysis I'm still avoiding Mac OS X, but if you're just looking to play around with some WiFi frame captures on your Mac, the KisMAC/Wireshark combination has become much more useful.
