Monday, January 11, 2016

Wifi capture has no unicast data frames

Capturing wifi off the air is harder than it looks. Even after buying a dedicated tool like the Airpcap adaptor you can run into mysterious issues, such as seeing the wifi management frames but no data frames at all.

Let's start with the Airpcap adaptor. It is a great tool: you plug it into a Windows PC and it appears as an interface in Wireshark. Simply set the channel and start the capture. It is the easiest way to do an off-the-air capture. BUT ... you will realise that you don't see any unicast data packets in the capture. Here is an example of me trying to capture a 4-way handshake using the Airpcap adaptor; interestingly, I could only see the 2/4 and 4/4 messages,

*** The 4/4 message is displayed as 2/4 here. I have reported this bug to Wireshark [Bug 11994].




Then I did the same capture directly from the AP, using the AP's remote capture function, and checked what was different between the 1/4 and 2/4 messages. It turned out that the AP was sending its messages using 802.11ac data rates. The Airpcap adaptor is only 802.11n and cannot demodulate an 802.11ac (VHT) transmission, which in this case was using 256-QAM (VHT MCS 8/9, a modulation that does not exist in 802.11n). This also explains why the management frames were always visible: beacons, probe responses and other management frames are normally sent at a basic (legacy) rate that every station on the channel must be able to decode, while unicast data goes out at the highest rate the AP and client have negotiated.


This is the same reason I couldn't see any data packets when capturing client communication with the Airpcap: all the QoS Data packets were sent using 802.11ac MCS rates,
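The check above (what PHY were the missing frames actually sent with?) is worth automating before blaming the sniffer. The following is an added example, my own code and not from the original post: it walks radiotap-encapsulated 802.11 frames, reports the PHY (legacy rate, 802.11n HT MCS or 802.11ac VHT MCS plus spatial streams) each frame was sent with, identifies the EAPOL-Key handshake messages from their key-info bits, and then lists which frames a sniffer radio of a given capability could have demodulated. The capture is constructed inline; the MAC addresses, the rates, and the "2x2 802.11n" vs "3x3 802.11ac" sniffer capabilities are assumptions chosen to mirror the post. It assumes radiotap link-layer headers, parses only the first radiotap present bitmap, and ignores channel width.

```python
# Added example (not code from the original post); the sample capture is constructed inline.
import struct

RT_FLAGS, RT_RATE, RT_CHANNEL, RT_MCS, RT_VHT = 1, 2, 3, 19, 21   # radiotap present bits
# (size, alignment) of the standard radiotap fields, keyed by present-bit number
RT_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 1), 5: (1, 1), 6: (1, 1), 7: (2, 2),
             8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1), 14: (2, 2), 15: (2, 2),
             16: (1, 1), 17: (1, 1), 18: (8, 4), 19: (3, 1), 20: (8, 4), 21: (12, 2), 22: (12, 8)}
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header + EtherType 0x888E

def build_radiotap(phy, index, nss=1):   # index: Mb/s for "legacy", else HT or VHT MCS index
    present = (1 << RT_FLAGS) | (1 << RT_CHANNEL)
    body = b"\x00"                                      # Flags: no FCS appended
    if phy == "legacy":
        present |= 1 << RT_RATE
        body += bytes([index * 2])                      # Rate field is in 500 kb/s units
    body += b"\x00" * ((8 + len(body)) % 2)             # Channel field is 2-byte aligned
    body += struct.pack("<HH", 5180, 0x0140)            # 5180 MHz, OFDM | 5 GHz
    if phy == "HT":
        present |= 1 << RT_MCS
        body += bytes([0x00, 0x00, index])              # known, flags, MCS index
    elif phy == "VHT":                                  # mcs_nss[0]: MCS high nibble, NSS low
        present |= 1 << RT_VHT
        body += b"\x00" * ((8 + len(body)) % 2)         # VHT field is 2-byte aligned
        body += struct.pack("<HBB4sBBH", 0x0040, 0, 4, bytes([(index << 4) | nss, 0, 0, 0]), 0, 0, 0)
    return struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body

def build_dot11(fc0, fc1, addr1, addr2, addr3, payload):   # MAC header + QoS control if QoS data
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x10\x00"
    return hdr + b"\x00\x00" * bool((fc0 >> 2) & 3 == 2 and fc0 & 0x80) + payload

def eapol_key(key_info):   # EAPOL-Key frame, RSN key descriptor with only key-info filled in
    desc = b"\x02" + struct.pack(">H", key_info) + b"\x00" * 92
    return LLC_SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", len(desc)) + desc

def parse_radiotap(frame):   # -> (header length, {present bit: raw field bytes}), first bitmap only
    version, _, length, present = struct.unpack_from("<BBHI", frame, 0)
    assert version == 0, "unsupported radiotap version"
    off, ext = 8, present
    while ext & (1 << 31):                              # step over extended present bitmaps
        ext = struct.unpack_from("<I", frame, off)[0]
        off += 4
    fields = {}
    for bit in (b for b in range(29) if present & (1 << b)):   # bits 29-31 are namespace bits
        if bit not in RT_FIELDS:
            break                                       # unknown size: keep what we have
        size, align = RT_FIELDS[bit]
        off += (-off) % align                           # natural alignment from header start
        fields[bit] = frame[off:off + size]
        off += size
    return length, fields

def phy_of(fields):   # -> (PHY, rate index, spatial streams) from the VHT / MCS / Rate fields
    if RT_VHT in fields:
        return "VHT", fields[RT_VHT][4] >> 4, fields[RT_VHT][4] & 0x0F
    if RT_MCS in fields:                                # HT MCS 0-7 one stream, 8-15 two, ...
        return "HT", fields[RT_MCS][2], fields[RT_MCS][2] // 8 + 1
    if RT_RATE in fields:
        return "legacy", fields[RT_RATE][0] / 2, 1      # Mb/s
    return "unknown", None, None

def eapol_msg(key_info):   # handshake message number from the key-info ACK / MIC / Secure bits
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    return (3 if mic else 1) if ack else (4 if secure else 2)

def describe(frame):   # frame kind, transmitter address and the PHY the frame was sent with
    rt_len, fields = parse_radiotap(frame)
    phy, index, nss = phy_of(fields)
    fc0, fc1 = frame[rt_len], frame[rt_len + 1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    body = frame[rt_len + 24 + (2 if ftype == 2 and fc0 & 0x80 else 0):]
    if ftype == 2:
        kind = "QoS data" if fc0 & 0x80 else "data"
        if not fc1 & 0x40 and body.startswith(LLC_SNAP_EAPOL):    # unprotected EAPOL
            kind = "EAPOL-Key %d/4" % eapol_msg(struct.unpack_from(">H", body, 13)[0])
    else:
        kind = "beacon" if (ftype, subtype) == (0, 8) else "type %d subtype %d" % (ftype, subtype)
    return {"kind": kind, "src": frame[rt_len + 10:rt_len + 16].hex(":"),
            "phy": phy, "index": index, "nss": nss}

def visible_to(capture, sniffer_phy, sniffer_nss):   # frames the sniffer radio can demodulate
    rank = {"legacy": 0, "HT": 1, "VHT": 2}           # needs the PHY and enough spatial streams
    return [d["kind"] for d in map(describe, capture)
            if rank.get(d["phy"], 99) <= rank[sniffer_phy] and d["nss"] <= sniffer_nss]

# Constructed sample: 802.11ac AP and a client doing the 4-way handshake (made-up MACs)
AP, STA = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
SAMPLE_CAPTURE = [
    build_radiotap("legacy", 6) + build_dot11(0x80, 0x00, b"\xff" * 6, AP, AP, b"\x00" * 12),  # beacon
    build_radiotap("VHT", 9, 3) + build_dot11(0x88, 0x02, STA, AP, AP, eapol_key(0x008A)),      # 1/4
    build_radiotap("HT", 7) + build_dot11(0x88, 0x01, AP, STA, AP, eapol_key(0x010A)),          # 2/4
    build_radiotap("VHT", 9, 3) + build_dot11(0x88, 0x02, STA, AP, AP, eapol_key(0x13CA)),      # 3/4
    build_radiotap("HT", 7) + build_dot11(0x88, 0x01, AP, STA, AP, eapol_key(0x030A)),          # 4/4
    build_radiotap("VHT", 9, 3) + build_dot11(0x88, 0x42, STA, AP, AP, b"\x00" * 40),           # encrypted
]

if __name__ == "__main__":
    print(*map(describe, SAMPLE_CAPTURE), sep="\n")
    print("2x2 802.11n sniffer:", visible_to(SAMPLE_CAPTURE, "HT", 2))
    print("3x3 802.11ac sniffer:", visible_to(SAMPLE_CAPTURE, "VHT", 3))
```

Run against the constructed capture, the 2x2 802.11n sniffer is left with the beacon and the client's 2/4 and 4/4 messages, exactly the pattern in the Airpcap screenshot, while the 3x3 802.11ac sniffer sees all six frames. To apply it to a real AP-side capture, feed each packet's bytes from a pcap reader into `describe` instead of `SAMPLE_CAPTURE`; if the AP's data frames show up as VHT, no amount of channel tuning will make an HT-only adaptor capture them.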

A really good tool for capturing wifi packets is a MacBook. Depending on the model, you will be able to capture 802.11ac traffic. I am using a 13" MacBook Pro Retina with an 802.11ac 3x3:3 wifi card for this example. Search for and open "Wireless Diagnostics", set the channel and start the capture. The capture is saved to the desktop with the extension .wcap. Simply change the extension to .pcap and open it with Wireshark. Filter




I entered my wifi SSID and PSK into Wireshark (as a wpa-pwd key under the IEEE 802.11 protocol preferences), so the data packets are decrypted by Wireshark. Note that Wireshark can only derive the session key when the capture also contains that client's 4-way handshake, so a capture that missed the handshake messages will show the data frames but will not decrypt them.



To be fair to the Airpcap adaptor, I set up an 802.11n AP and tried another capture to see whether the Airpcap adaptor would be able to capture QoS data frames. For this test I am using a 2x2 AP, because the Airpcap is a 2x2 adaptor. Still, the Airpcap is not really able to capture any unicast data traffic.




The same AP and client captured using the MacBook Wireless Diagnostics tool: the MacBook is able to capture the unicast traffic,







