I Have Seen the Future (of WiFi Sniffing), and It Is OmniPeek (on a Mac)
Yours Truly has been worried about the future of WiFi sniffing.  Yours Truly worries about the people (they seem to prefer site surveyors) the software (AirMagnet has yet to support 802.11ac adapters) and the methods (WildPackets has been pushing AP-based capture).  To a person who believes that portable WiFi sniffing is essential for optimizing WiFi performance, it is all very disconcerting.  And yet, there is hope.  WiFi sniffing is ready to step into the 802.11ac/Internet of Everything era, and here is how it can be done.
WildPackets OmniPeek has long been the author's favorite WiFi sniffer, but it only runs on Windows. For years and years and years that was fine. There were always a few Windows-compatible WiFi adapters that worked great with OmniPeek. Now, however, WildPackets has gone in a different direction. They are promoting WiFi sniffing via an AP (which often results in a worthless capture) and saying that they don't expect USB-based capture to be viable for 802.11ac.
So, what to do? OmniPeek only runs on Windows, but they're not planning to support capture via Windows-compatible USB adapters.
The answer is to switch to a Mac and use virtualization software. Here is what I did:
1) Buy a Mac
I prefer the MacBook Air because it is cheap, light and cool. (Literally cool. Meaning temperature. The darned MacBook Pro gets too hot to place comfortably on your lap.)
2) Buy Parallels
Parallels is virtualization software and it runs seamlessly on a Mac. Check out OmniPeek:
Thank you.
WildPackets OmniPeek has long been the author's favorite WiFi sniffer, but it only runs on Windows. For years and years and years that was fine. There were always a few Windows-compatible WiFi adapters that worked great with OmniPeek. Now, however, WildPackets has gone in a different direction. They are promoting WiFi sniffing via an AP (which often results in a worthless capture) and saying that they don't expect USB-based capture to be viable for 802.11ac.
So, what to do? OmniPeek only runs on Windows, but they're not planning to support capture via Windows-compatible USB adapters.
The answer is to switch to a Mac and use virtualization software. Here is what I did:
1) Buy a Mac
I prefer the MacBook Air because it is cheap, light and cool. (Literally cool. Meaning temperature. The darned MacBook Pro gets too hot to place comfortably on your lap.)
2) Buy Parallels
Parallels is virtualization software and it runs seamlessly on a Mac. Check out OmniPeek:
You can see the little Apple logo in the upper left, showing that I'm running Mac OS X as I run OmniPeek.
3) Capture in Wireless Diagnostics
I even made a video to show you how!  
In case the video is unclear, you hold down the alt/option before clicking the WiFi icon on the top menu bar.  Then you select "Wireless Diagnostics", go to the "Window" menu, choose "Utilities", click on "Frame Capture" and select your capture channel & bandwidth before clicking "Start".  YOu click "Stop" when you're done capturing.
4) Open the capture file into OmniPeek
In case the picture above is unclear, you go to the Desktop, right-click on your *.wcap capture file, select "Open With" and select OmniPeek.
5) That's it!
The limitation of this method is that you're unable to see live frames as they are captured.  Boo hoo.  (Actually, it's more than boo hoo.  For certain tasks (like analyzing Probing behavior), not having access to a live capture is a real problem.  But for most tasks, analyzing a capture file after the actual WiFi sniffing is done is just fine.)
On a MacBook Air, the capture I open in OmniPeek is a two-stream, 802.11ac capture.  On a MacBook Pro, it would be a three-stream 802.11ac capture.  That means capturing on an Air will result in me missing data sent and received by a Pro.  Most 802.11a/b/g/n/ac devices will have all of their WiFi traffic captured just fine by an Air, however.
I am still hoping that someone creates a three-stream 802.11ac USB adapter that I can use for OmniPeek (or Fluke AirMagnet WiFi Analyzer, for that matter) capture, but in the meantime these steps will allow you to do useful, portable captures now and in the future.
***
If you like my blog, you can support it by shopping through my Amazon link or donating Bitcoin to 1N8m1o9phSkFXpa9VUrMVHx4LJWfratseU
Thank you.


 
Excellent blog Ben. Nicely done.
ReplyDeleteHow about instead of a Mac you use an AP to capture data. The steps that follow are the same and 3 stream APs are getting cheaper every day compared to a Mac.
ReplyDeleteYou would still need OmniPeek to analyze the data. You can also use multiple USB adapters to capture on multiple channels for roaming analysis.
DeleteDevin: Thank you, my man.
ReplyDeletePrimož: APs aren't portable enough.
I know, I'm late to the game, but I'm sure many view this post daily :-). APs are definitely not portable enough, but you can get a Cisco WAP371 and a power adapter, then you can take it to a user's work area, plug in and connect it to Ethernet and then remote cap with wireshark or OmniPeek (in a VM) on your MacBook. This is better than settling for 2x2 ac capture if you lack a MacBook Pro or a COMPUTER WITH AN EXPRESSCARD! Of course no one knows what I'm talking about there :-)
DeleteHello Ben,
ReplyDeleteContratulations for your article.
You can capture WiFi packets with Wireshark under windows by installing Acrylic WiFi https://www.acrylicwifi.com/en/blog/how-to-capture-wifi-traffic-using-wireshark-on-windows/
Acrylic WiFi is free, and enables monitor mode capture under windows with most wifi cards
Acrylic doesn't do monitor mode that I can tell.
DeleteYou can also use Wireshark in OS X to capture in monitor mode live. Wireshark has the ability to enable the airport card into Monitor Mode through the interface options. You can also use the 'airport' terminal command to change the channel or even dissociate from the network.
ReplyDeleteThe 'airport' command is hidden away in a folder: '/System/Library//PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport' but a simple symbolic link to /usr/bin (or other folder) will give you quick and easy access in the Terminal.
sudo airport -h to get a list of all commands.
sudo airport -z to dissociate
sudo airport -I to get info about the current connection/configuration of the airport card
sudo airport --channel=x to set to channel x (may have to run this a couple times to get the card to switch -- works best when not connected to a network [like after issue airport -z])
sudo airport enX sniff will start a monitor mode capture on interface X (probably en0 on an MBA)
Hope this helps!
Ben, We have released a new wireless version of the TCPDump Remote Adapter that can capture 802.11ac in real-time from a MacBook or MacAir. http://bit.ly/1zRaGBT
ReplyDelete51C5C7CA8E
ReplyDeletekiralık hacker
hacker arıyorum
kiralık hacker
hacker arıyorum
belek