Just another site

Archive for March 2012

Windows and Wireshark: Still Searching for the (Free) Answer

with 6 comments

There is an old joke in the IT world that software is like sex: you’ll need support after you buy it. 

Actually, the punchline to that joke is usually, “it’s better when it’s free.” The problem is that the latter punchline fits poorly in the world of WiFi sniffing. The stuff you pay for really is a lot better. That said, a lot of people like to use free software whenever possible, and for Mac OS X and Linux users, there are some decent free WiFi analysis tools out there. For Windows users, however, the search goes on (and on, and on, and on…).

Long time readers of this blog may be aware that I prefer commercial WiFi sniffing software when doing real work. But free WiFi sniffers do have a place. If you are trying to learn about the technology, troubleshoot your own personal WiFi device or study for a CWNA/CWSP/CWAP certification exam, then you’ll probably want some protocol analysis software but you probably won’t want to pay a lot of money for it.

The best choice for free protocol analysis software (be it for wired or wireless) is Wireshark. The trouble with Wireshark is that it is sometimes tricky to get Wireshark to sniff in the way I need it to sniff. For any real WiFi sniffing, I would recommend the following:

  • Monitor mode
  • 802.11a/b/g/n
  • Preservation of physical layer information (channel, rate and RSSI)
Linux: My understanding is that most WiFi adapters can be placed into monitor mode for the Linux version of Wireshark. That is as much information as I have to share with you, because I am a Windows and Mac kind of guy. (And if there are any Linux folks out there who would like to guest-blog on using Wireshark or who have their own blog post that they would like me to link to, tweet me.)
Mac OS X: I like using the Mac OS X 10.7 (Lion) utility Wi-Fi Diagnostics to do monitor mode captures. Then I open the captures in Wireshark. With this setup I get 802.11a/b/g/n and I get physical layer information. The only thing I don’t get is full data frames. Wi-Fi Diagnostics captures redact the contents of data frames, ostensibly to prevent hacking. I am not trying to hack, so this setup works for me.
Windows: Soooo close. But yet, so far away.
There is a Windows-based option that does monitor mode, captures 802.11a/b/g/n and preserves physical layer information. Unfortunately it costs seven hundred bucks ($698 to be exact). With the Riverbed AirPcap NX USB adapter I can do what I need to do in Windows with Wireshark, but what’s the point? If I’m going to spend hundreds of dollars, I might as well get WildPackets OmniPeek Basic for $1,194 and a D-Link DWA-160 802.11a/b/g/n USB adapter for $60 (or less). And neither of those options gives me what I’m looking for here: free Windows-based WiFi analysis.
An option that is free (or at least extremely low cost) is to capture using the Airodump application from Aircrack and then view the frames in Wireshark. You get monitor mode and you keep it free. Unfortunately, you don’t get physical layer information and — at least to my knowledge — you can’t capture with an 802.11n adapter. I have had success using the Netgear WAG511 PC Card, but that is an 802.11a/b/g adapter (and who the heck wants to use an 802.11a/b/g adapter nowadays, anyway?).
I also tried other options that did not satisfy my WiFi sniffing needs. I found a Windows-based version of Kismet, but it only works with the expensive AirPcap adapters. I installed Network Monitor 3.4 from Microsoft, but it seems to not do monitor mode. I’ve even done captures in commercial software and then saved those captures in the Libpcap file format so that the frames could be viewed in Wireshark, but that sort of defeats the purpose of trying to use free software.
To summarize, I must conclude that free WiFi sniffing in Windows is just one of those things that does not exist in any real way at this point. So if you want to do your 802.11 frame captures on the cheap and you don’t want to buy a Mac, it may be time to break out that ol’ dusty copy of Linux for Dummies.

Written by sniffwifi

March 26, 2012 at 1:24 am

Posted in Uncategorized