1. Introduction
Monitoring air traffic is a useful practice for debugging problems and for understanding how the different radio protocols work. This section is dedicated to a few tools and methods that are commonly used to inspect Wi-Fi frames in the air.
2. Wireshark
Wireshark is a powerful tool to analyze wireless traffic over the air. Please visit the [official documentation] for more details.
2.1. Prerequisite
To monitor air traffic, it is advised to use a Linux PC, because on Linux it is easier to put a wireless interface into monitor mode, which is mandatory for sniffing air traffic. Internal Wi-Fi cards usually cannot be put into monitor mode, so an external dongle must be used instead (for example, the Nighthawk AXE3000 Wi-Fi 6E USB 3.0 adapter).
Ensure that Wi-Fi is turned OFF from the top right corner of the desktop. An example based on Ubuntu 22.04 is shown below.
Alternatively, the following commands can be used to disable NetworkManager completely:
sudo systemctl stop NetworkManager.service
sudo systemctl disable NetworkManager.service
The service can be re-enabled afterwards with:
sudo systemctl start NetworkManager
2.2. How to enable Monitor mode
Follow the steps below to put the interface into monitor mode under Linux:
Get interface
To get the interface, open a Linux terminal and run the following command:
ip a
Reset the interface
sudo ifconfig [interface] up
sudo ifconfig [interface] down
Put interface in monitor mode
sudo iwconfig [interface] mode monitor
Start interface
sudo ifconfig [interface] up
Select frequency (channel 6 or 2.437GHz in this example)
sudo iw dev [interface] set freq 2437
Run Wireshark
sudo wireshark
Ensure that the selected Wi-Fi interface (wlp1s0 in the above mentioned image) is available in Wireshark. If it is, click the top left icon to start capturing traffic. Once started, the session can be stopped at any time using the stop icon in the toolbar. Captured packets are saved as a file with the .pcap extension.
2.3. Sequence
If the AP is configured with WPA2 security, the usual sequence of events is as follows:
- Authentication
- Association: a request is sent from the STA to the AP, and a response is sent from the AP to the STA.
- 4-Way handshake: upon completion of Authentication, the AP starts the 4-way handshake procedure. After the 4-way handshake completes, the connection between the AP and the STA is established.
- DHCP: used to obtain an IP address from the AP.
An example of this sequence with EAPOL + DHCP as seen with Wireshark is given below:
2.4. Decrypt traffic
Store the credentials of the access point in Wireshark to decrypt the traffic (4-way handshake, data traffic, etc.).
Go to Edit -> Preferences -> Protocols -> IEEE 802.11 -> Decryption keys -> Edit -> Create new entry.
It is mandatory to start capturing before launching the connection, because the 4-way handshake is needed to decrypt the air traffic.
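Why the handshake must be in the capture, as an added example that is not part of the original page: the PMK can be derived from the stored passphrase and SSID alone (this is what Wireshark computes from a key entry), but the PTK that actually decrypts the frames also needs the two MAC addresses and the two nonces that are only carried in 4-way handshake messages 1 and 2, and the EAPOL-Key MIC check is how the captured handshake is validated before it is trusted. The PBKDF2 parameters, PRF and field offsets are those of the IEEE 802.11 standard; the passphrase/SSID pair is the standard's test vector and the MAC addresses and nonces are constructed.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is what Wireshark computes from a 'wpa-pwd:passphrase:SSID' key entry."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 160 bits covers the 512 bits needed
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from the PMK plus the values carried in 4-way handshake messages 1 and 2:
    AA/SPA are the AP and station MAC addresses, ANonce/SNonce the two nonces.
    The min/max ordering makes the result independent of which side is listed first."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


MIC_OFFSET = 81  # EAPOL header (4 bytes) + EAPOL-Key fields preceding the Key MIC (77 bytes)


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for WPA2 (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key
    frame with its 16-byte MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def mic_is_valid(kck: bytes, eapol_frame: bytes) -> bool:
    """The check a decryptor performs on messages 2-4 before trusting a captured handshake."""
    got = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(got, eapol_key_mic(kck, eapol_frame))


if __name__ == "__main__":
    # Constructed inputs: the standard's test passphrase/SSID, dummy MACs and nonces.
    pmk = derive_pmk("password", "IEEE")
    keys = derive_ptk(pmk, bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                      b"\x11" * 32, b"\x22" * 32)
    print("PMK:", pmk.hex())
    print("TK :", keys["tk"].hex())
```

The TK is the key that decrypts the CCMP data frames, which is why a capture that starts after the handshake cannot be decrypted even with the correct passphrase.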
2.5. Add filters in Wireshark
To narrow the search, it is advised to apply filters in Wireshark. An example of adding a filter directly from a trace is shown below.
Various expressions can be used as filters, for example:
- To combine filters so that all conditions must be true, use &&, for example to show only packets with a specific source MAC address that are also EAPOL:
wlan.sa == MAC_ADDRESS && eapol
- To combine filters so that any of the conditions may be true, use ||, for example to show packets with a specific source MAC address or any EAPOL packet:
wlan.sa == MAC_ADDRESS || eapol
Refer to the [official website] to learn more about the different filters.
2.6. ARP updates
Devices often send ARP requests for an IP address in order to update their ARP tables. This is normal, and every ARP request must receive a response; if there is no response, the connection may get dropped.
2.7. Troubleshooting
Some of the most common errors and the commands to resolve them are shown below.
| Error message | Solution |
|---|---|
| Operation not possible due to RF-KILL | Enter the following command: `sudo rfkill unblock wifi` |
| Device or Resource busy | Restart your interface with the steps mentioned above |
| Unable to launch Wireshark | Check that the interface is up; if Wireshark still does not launch, give the user permission to run it: `sudo usermod -aG wireshark $USER` (log out and back in for the group change to apply) |
3. Other useful tools
3.1. ARP Tables
ARP tables are populated once a traffic exchange is attempted or takes place between two devices.
In Linux, use the command below to check the ARP table:
cat /proc/net/arp
An example is provided below:
$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
DUT_IPADDRESS    0x1         0x2         DUT_MACADDRESS        *        LOCAL_IFACE
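As an added example that is not part of the original page, a small parser for the /proc/net/arp layout shown above that flags entries whose ARP request never received a reply (flags 0x0, all-zero MAC), the situation section 2.6 warns about. The sample table and its addresses are constructed; the ATF_COM flag bit value is the one used by the Linux kernel.

```python
# Added example: parse 'cat /proc/net/arp' output and report incomplete entries.

ATF_COM = 0x02  # "entry complete" bit in the Flags column (ATF_COM in the Linux headers)


def parse_arp_table(text: str) -> list:
    """Return one dict per entry; the first line of /proc/net/arp is the column header."""
    entries = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:  # tolerate blank or truncated lines
            continue
        ip, hw_type, flags, mac, mask, device = fields[:6]
        entries.append({
            "ip": ip,
            "hw_type": int(hw_type, 16),
            "flags": int(flags, 16),
            "mac": mac,
            "mask": mask,
            "device": device,
        })
    return entries


def incomplete_neighbours(entries: list, device: str = None) -> list:
    """IPs on 'device' (or on any device) for which no ARP reply was ever received."""
    return [e["ip"] for e in entries
            if not (e["flags"] & ATF_COM) and (device is None or e["device"] == device)]


# Constructed sample in the same layout as /proc/net/arp (not a real capture).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        wlan0
10.0.0.7         0x1         0x2         aa:bb:cc:dd:ee:07     *        eth0
"""

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    for e in table:
        state = "complete" if e["flags"] & ATF_COM else "INCOMPLETE"
        print(f'{e["ip"]:16} {e["mac"]:18} {e["device"]:6} {state}')
    print("no ARP reply from:", incomplete_neighbours(table, "wlan0"))
```

On a live system, replace SAMPLE_ARP with the contents of /proc/net/arp; an entry that stays incomplete while the link is up is the first thing to correlate with a Wireshark capture filtered on arp.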
3.2. tcpdump
tcpdump is another command line tool for Linux to observe traffic on the WLAN interface. It can sniff packets over the air, but it is not as capable as Wireshark or tshark for this purpose.
Please visit the [official documentation] for more details.
An example of a tcpdump command to analyze traffic locally is shown below:
tcpdump -i wlan0 | grep ICMP
3.3. tshark
tshark is broadly similar to Wireshark and can be seen as its command line equivalent. This tool is preferred on a headless Linux machine (no screen or GUI available) or when sniffing on a machine connected via SSH, and it is easier to use for automation.
Please visit the [official documentation] for more details.
A basic test command for tshark is:
sudo tshark -i wlan0
tshark output can be stored in a .pcap file and opened later with Wireshark:
sudo tshark -i wlan0 -w output.pcap
Open this output with Wireshark:
sudo wireshark output.pcap