How to Monitor a Wi-Fi Network with Wireshark: A Step-by-Step Guide

Wireless traffic analysis is the pinnacle of network problem diagnostics, allowing you to see what's hidden from the average user. When standard speed or ping testing methods don't provide a complete picture of what's going on, wireless traffic analysis comes into play. Wireshark — a powerful tool for in-depth protocol analysis. However, unlike wired Ethernet, working with wireless networks has its own fundamental characteristics that must be taken into account to obtain accurate data.

The main difficulty lies in the fact that most network adapters operate in Managed Mode by default, ignoring all traffic addressed to other devices. To turn your laptop into a professional analyzer, you'll need to switch your network card to Managed Mode. monitorThis mode allows the sniffer to capture all packets in the air, including broadcast frames and data not intended for your device.

It is important to note right away that to successfully monitor Wi-Fi you will need not only software, but also compatible ironNot all USB dongles or built-in modules support the necessary low-level driver commands. In this article, we'll cover the setup process, hardware selection, and interpretation of the data so you can effectively diagnose your network.

Hardware and driver requirements

The first and most critical step is choosing the right Wi-Fi adapter. Standard integrated modules in laptops often have limited driver functionality, which prevents switching to monitor mode or frame injection. You need a device based on chipsets from Atheros, Ralink or Realtek, which have historically been best supported by the developer community.

Particular attention should be paid to the operating system. Although Wireshark is available on Windows, macOS, and Linux, it is Linux distributions (such as Kali Linux or Ubuntu) provide native access to wireless interface management tools such as aircrack-ngOn Windows, you will have to rely on specific drivers such as Npcap with support for raw 802.11, which does not always work stably.

  • 📡 The adapter must support the mode Monitor Mode to listen to the broadcast.
  • 🖥️ It is recommended to use Linux for maximum control over the network interface.
  • 🔌 USB adapters with an external antenna provide better signal reception for analysis.
  • 💾 Install the latest version of Wireshark with 802.11 protocol support.

If you plan to do serious analysis, consider purchasing a specialized adapter, such as one based on a chip. AR9271These devices are often sold as "Wi-Fi Pentest adapters" and are guaranteed to work with the necessary utilities. Without the correct driver, you'll only see packet headers or nothing but noise.

⚠️ Warning: Using monitor mode may temporarily interrupt your current connection to the Wi-Fi network, as the adapter stops acting as a normal client.

Setting up monitor mode in different operating systems

The process of activating monitor mode varies significantly depending on the platform. In Linux, this is done via the terminal using the utility airmon-ng, which automatically disables interfering processes and switches the interface. The command is simple: sudo airmon-ng start wlan0, Where wlan0 — the name of your wireless interface.

In Windows the situation is more complicated. After installation Npcap During installation, you need to check the "Support raw 802.11 traffic" box. In Wireshark itself, when selecting the interface for capture, you need to select not the standard Wi-Fi adapter, but the interface marked as Wi-Fi (Monitor Mode)If this option is not available, it means the driver does not support this function or it is blocked by the router firmware.

📊 What operating system do you use for analysis?
Windows
Linux (Kali/Ubuntu)
macOS
Other

On macOS, integrated Broadcom cards often don't allow software-based display mode. Apple laptop users are forced to purchase external USB adapters compatible with macOS drivers or use Linux virtual machines, passing the USB device through to the guest OS. This adds additional overhead, but is the only viable option for many.

☑️ Checking readiness for capture

Completed: 0 / 4

Packet capture and traffic filtering

Once the interface has been successfully switched, you can start capturing. In the main Wireshark window, select your wireless interface, which should now be listed as "Monitor Mode." Click the start button, and you'll see a stream of data, which at first may resemble a chaotic waterfall of multicolored lines.

The key skill here is the ability to filter this flow. A wireless network generates a huge number of control frames (Beacon frames, Probe Requests), which can clog the buffer. To begin, filter the traffic by protocol by entering [protocol] in the filter string. wlan.fc.type_subtype == 0x08, which will leave only the data frames, or use a filter wlan.addr == xx:xx:xx:xx:xx:xx to track a specific device.

Pay attention to the "Info" column, which briefly describes the packet's contents. You'll see DHCP requests, DNS queries, and TCP connection attempts. If the network is unencrypted, the packet contents will be visible in plaintext. However, in modern networks, you'll encounter encryption, and most fields will be hidden.

Frame Type Description Why is it needed?
Beacon (0x08) Signal frame from the access point Announces the presence of a network (SSID)
Probe Request Request from a client Search for known networks
Association Request Connection request Starting the authorization process
Data (0x20) User data Payload transfer

Don't be alarmed by the large number of red lines at the beginning of the analysis. This often indicates FCS errors, which is normal for monitor mode, as you're receiving packets with low signal strength or corrupted frames that a regular card would discard.

Decrypting WPA2 traffic

The most common problem when analyzing a home network is the inability to read packet contents due to encryption. Wireshark can't magically decrypt traffic without the key. You need to embed encryption keys in the program settings. Go to the menu Edit → Preferences → Protocols → IEEE 802.11.

In the decryption keys section you need to add a key in the format wpa-pwdThe syntax requires a password and network SSID. The line format is: wpa-pwd:password:SSID. For example, if your password MyPassword123, and the network is called HomeWiFi, the line will be: wpa-pwd:MyPassword123:HomeWiFi.

Why is the traffic not decrypted?

Even with the correct password, decryption may fail if you started the capture after the client has already completed the four-way handshake. Wireshark requires the first four handshake packets to generate temporary encryption keys. Solution: Wait for the device to reconnect or use deauthentication to force the client to reconnect during the capture.

After adding the key and restarting the capture (or reconnecting the client), you should see that the data packets are no longer marked as encrypted, and a tab will appear in the packet details. Data with readable content. This allows for the analysis of HTTP requests, DNS names, and other metadata.

⚠️ Please note: Traffic decryption is only possible on a network where you know the password. Analyzing other people's networks without permission is illegal.

Analysis of performance issues and

One of the main tasks of monitoring is to find the causes of slow speeds or connection interruptions. Wireshark can help identify a high level of retransmissions. If you see the same packet being sent multiple times (you can filter by wlan.fc.retry == 1), this indicates a poor signal or strong interference.

It's also worth paying attention to the ratio of frame types. If the network is swamped with broadcast packets or Probe requests from multiple devices, this may indicate a broadcast traffic storm. In densely populated areas with numerous neighboring routers, the channel may be overloaded, which is evident by a constant background noise and collisions.

To diagnose interference from household appliances (microwaves, Bluetooth devices), analyze packets in the 2.4 GHz band. Sharp spikes in error rates at certain times may coincide with the activation of powerful power consumers that create electromagnetic interference.

Compare the channels of neighboring networks. If your router operates on channel 6, and your neighbors are using channels 5 and 7, spectrum overlap is inevitable. Wireshark will display Beacon frames from all visible access points, allowing you to create an airtime map and select the clearest channel in your router settings.

Security and anomaly detection

Monitoring allows you not only to repair your network but also to protect it. By analyzing the list of MAC addresses, you can detect unauthorized devices. Filter wlan.addr contains xx:xx:xx This will help you track the activity of a specific hardware vendor. If you see a device that isn't on your home network, this is cause for concern.

Wireshark also helps to identify attempted attacks like Deauth Flood (deauthentication), when an attacker sends connection-breaking packets on behalf of the router. In the log, this appears as a flood of Deauthentication frames, followed by an immediate reconnection of clients. This is a classic sign of the work of tools like Aireplay-ng.

Check if passwords are being transmitted in cleartext. Filter traffic by protocol. telnet, ftp or httpIf you see such packets, it means the data is being transmitted without encryption, and anyone nearby with the monitor mode enabled can intercept your credentials.

Regular network auditing using sniffers helps maintain a high level of digital security hygiene by promptly detecting vulnerable IoT devices, which often become a breach in perimeter defense.

Frequently Asked Questions

Why doesn't Wireshark see any Wi-Fi packets?

Most likely, your network adapter doesn't support monitor mode or the driver isn't configured correctly. Check that the interface labeled "Monitor Mode" is selected in the capture settings. On Windows, ensure Npcap with raw 802.11 support is installed.

Is it possible to monitor Wi-Fi without root access?

No, switching the network card to monitor mode and capturing low-level packets requires administrator privileges (root in Linux, run as administrator in Windows). Without these privileges, the operating system will block access to the hardware.

Is the content of HTTPS traffic visible in Wireshark?

Without installing special certificates on the client device and using session keys—no. You'll only see the connection being established and the encrypted data stream. HTTPS decryption is only possible with SSL/TLS keys exported from the browser.

Will monitoring slow down my network?

Passive monitoring (listening) itself doesn't introduce any latency into the network, as the adapter only receives packets. However, if you initiate active actions, such as packet injection or deauthentication, this will create additional bandwidth usage.