Free Sniffing in Windows! (Kind Of)

Nine months ago (bad way to start a blog post, I know) I wrote a blog about the future of WiFi sniffing.  In the comments section (perhaps the only worse thing for a blogger to say), someone mentioned a free, Windows-based application called Acrylic WiFi.   I briefly checked out the app and dismissed it as yet another Discovery utility disguised as something more. 

Then I actually used Acrylic WiFi and...  it works!  It sniffs WiFi frames (sort of) and it does it for free (outside of the cost of an ordinary 802.11 USB adapter)!  This changes everything (kind of)!

For years, the method for free WiFi sniffing on a Mac has been simple.  Head down to the bottom of this post for a reminder.

Now, we can do similar things in Windows.  It's not quite as simple and it's not totally free, but it works (pretty much).

1. Download and install Acrylic WiFi Free, including Monitor Mode support (and, actually, if you can find an old download of Acrylic v1, then you'll be able to save captured frames in a *.pcap file, just like you can in Mac OS X Wireless Diagnostics.  If you download Acrylic v2 [the current version], then you can't).

2. Procure (see, I can use corporatey talk sometimes too) a USB adapter that allows monitor mode capture in Acrylic (I use the Netgear A6200, and if you use that link then you'll be supporting this blog by giving me a kickback from Amazon).

3. Open Wireshark (and if you're a Mac user running 64-bit Windows in Bootcamp or as a Virtual machine, you'll have to Run as Administrator).


4. Select the Acrylic NDIS Netgear A6200 (or whichever model of USB adapter you procured) Adapter and click Start.


Bingo!  A real-life 802.11 Monitor Mode capture in Windows (just about), done for free!  (Actually, for the cost of an ordinary WiFi USB adapter, but still...)

And here's a tip for enabling a channel scan by using Acrylic with Wireshark:

Normally, Wireshark only allows for monitor mode capture on a single channel.


Just look at that screenshot above.  No channel scanning option to be found.  

If you decide that you want to scan channels for whatever reason, all you have to do is let Acrylic control the capture.  Just open Acrylic (while keeping Wireshark open and capturing), click Monitor in the upper right until it says, Monitor: ON, and then click the channel number just to the left to choose which channels you want to scan.  See:


Fantastic.  We can now do a (nearly) free monitor mode capture, with channel scanning, in Windows (more or less).

About that, "more or less" (and the "kind of" and "sort of" and all the rest)...

Monitor mode capture with an Acrylic driver is flawed.

Check out this little capture I did of my iPod Touch (the most underrated device in the history of WiFi site surveying, troubleshooting and analysis, by the way) streaming the 2015 Royal Rumble on WWE Network:


Specifically, check out the Rate column in that screen shot.  Every single cotton-pickin' frame captured by my Netgear A6200 using the Acrylic WiFi driver shows the same rate: 0.0 Mbps.

(And just to show that it's not a problem with my setup, here's what it looks like when the Airpcap NX adapter does a monitor mode capture into Wireshark:


Notice that the rate of 58.5 Mbps comes through loud and clear.)
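A quick way to check a saved capture for this problem, as an added example (not code from the original post or from Acrylic): it reads the radiotap header of each frame and counts how many carry a non-zero legacy Rate field, only an MCS field, a Rate of zero, or no rate metadata at all. It assumes the capture was saved from Wireshark as a classic little-endian pcap with the radiotap link type; the function names and the sample frames are constructed for illustration, and the post does not say which of these cases the Acrylic driver produces.

```python
import struct

def radiotap_rate(frame):
    """Return (legacy rate in Mb/s or None, MCS-field-present) for one frame."""
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or hdr_len > len(frame):
        raise ValueError("bad radiotap header")
    first, off = present, 8
    while present & (1 << 31):             # bit 31: another present word follows
        (present,) = struct.unpack_from("<I", frame, off)
        off += 4
    if first & 0x1:                        # bit 0 TSFT: 8 bytes, 8-byte aligned
        off = ((off + 7) & ~7) + 8
    if first & 0x2:                        # bit 1 Flags: 1 byte
        off += 1
    # bit 2 Rate: 1 byte in 500 kb/s units; treated as absent if outside the header
    rate = frame[off] * 0.5 if first & 0x4 and off < hdr_len else None
    return rate, bool(first & (1 << 19))   # bit 19: MCS field (802.11n rates)

def read_pcap(data):
    """Yield captured frames from a classic little-endian pcap byte string."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 127:   # 127 = radiotap link type
        raise ValueError("need little-endian pcap with radiotap link type")
    off = 24
    while off + 16 <= len(data):
        (caplen,) = struct.unpack_from("<I", data, off + 8)
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def summarize(data):
    """Count frames by the kind of rate metadata their radiotap header carries."""
    counts = {"legacy_rate": 0, "mcs": 0, "zero_rate": 0, "no_rate": 0}
    for frame in read_pcap(data):
        rate, has_mcs = radiotap_rate(frame)
        key = ("legacy_rate" if rate else "mcs" if has_mcs
               else "zero_rate" if rate == 0 else "no_rate")
        counts[key] += 1
    return counts

def rt(present, fields):  # builds a constructed (not captured) radiotap frame
    return struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields + bytes(4)

# Constructed sample capture: 6 Mb/s, Rate of zero, no Rate field, MCS field only.
FRAMES = [rt(0x06, b"\x00\x0c"), rt(0x06, b"\x00\x00"),
          rt(0x02, b"\x00"), rt(0x02 | 1 << 19, b"\x00\x07\x00\x06")]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

Calling `summarize()` on the bytes of a real capture file gives the same four counts; a capture where nearly everything lands in `zero_rate` or `no_rate` has the limitation described above.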

So, there you have it.  You can now do free sniffing in Windows, but there are still kinda/sorta limits to how useful it can be.

***

If you like my blog, you can support it by shopping through my Amazon link or donating Bitcoin to 1N8m1o9phSkFXpa9VUrMVHx4LJWfratseU

ben at sniffwifi dot com

Twitter: @Ben_SniffWiFi

***

Free sniffing in Mac OS X:

1. Open Wireless Diagnostics (in Mac OS X 10.10 [Yosemite], holding down alt/option while clicking the WiFi Settings icon on the top menu bar reveals Wireless Diagnostics).


2. Open the Sniffer window (older versions of Mac OS X have different methods of sniffing, but a monitor mode capture has always been an option in Wireless/WiFi Diagnostics).


3. Choose your Channel and click Start.


4. When finished, click Stop, and then go to the Desktop to open the captured frames (in the form of a *.pcap file) in Wireshark.



Comments

  1. Great post. Very good to know about this utility EVEN IF the new version doesn't support packet capture to PCAP. The reality is finding quality "netstumbler" replacements that support 11ac and are free is not the easiest thing these days.
