On Second Thought, I Am Into Airpcap... Sometimes
At the risk of sounding like a flip-flopper, I have to reassess my previous post about Airpcap. I was doing some sniffing on a few flights recently and I realized that there are some pretty nice things about CACE Technologies' signature product.
Nine days ago, I was frustrated. After using Wireshark to view WiFi packet dumps from KisMAC for years, I thought that I was finally being upgraded to first class. I had my Airpcap NX, my CACE Pilot and a few days off from my real work to finally become the acolyte of the open source sniffing movement that I've always wanted to be. (O.K., not really.) I spent my time with the CACE Tech Triumvirate and at every turn I became more and more angered. Every standard sniffing activity seemed three steps harder and two times slower than it should have been. Association tracking, retry analysis; you name it. They all were a pain.
I finally gave up and wrote a regrettably titled column citing my displeasure with the whole lot of them. I then tossed the Airpcap NX into my computer bag and figured that was the last time I'd see it for a while.
A few days later, I took a flight on United. Though a joyous experience in most cases due to the extra legroom of Economy Plus (I'm 6'3" with no torso), this flight saw me crammed five rows from the back in a middle seat due to some standby shenanigans. There was no WiFi on-board, which I saw as an opportunity rather than a handicap. I figured I'd do a little sniffing and see who's being naughty by leaving their laptop WiFi enabled on a no-wireless flight.
I fired up my usual Snow Leopard/KisMAC 0.3/DWL-G122/Wireshark combination and commenced sniffing. I scanned channels and I set channels and I refreshed packets and I realized... this sucks! I don't like having to refresh Wireshark to get the latest packets. I don't like not being able to see the signal strength when I see some laptop still sending Probe Requests for "Boingo Hotspot". And I really don't like having to remember to delete dump files after I'm done sniffing so that I don't forget which ones are useful and which ones are junk. In short, I don't like not having my Airpcap.
Luckily, my computer bag was with me at my seat. (Isn't it always, fellow IT travelers?) I booted into Windows, grabbed my Airpcap NX and I was back seeing all of the stuff I was missing by not having that direct capture into Wireshark.
So maybe the Airpcap/Pilot/Wireshark combo can't do what OmniPeek can do. What can? OmniPeek is great and all but as I sat there in 28B I realized that for folks that are committed to Wireshark, having an Airpcap adapter is borderline essential for sniffing WiFi. And here I was poo-poohing it using the title of a banal romantic comedy. What sort of monster had I become?
Well, I'm a contrite monster at this point. I now think that I was too negative about Airpcap NX. It really is a useful tool for using Wireshark. I'm not going to put out positive notices about CACE Pilot, yet -- that one still has a ways to go. But the Airpcap adapters really do offer a dramatic improvement to the WiFi sniffing experience on Wireshark and I'd recommend them for folks who see the cost of OmniPeek or AirMagnet as beyond their range.