Capturing Wi-Fi Packets with Wireshark: From Theory to Practice

Network packet interception and analysis is a key tool for diagnosing Wi-Fi problems, testing security, or debugging applications. Wireshark As a leading traffic analyzer, it allows you to "sniff" wireless networks, but the process requires proper hardware configuration and an understanding of protocols. Without a special adapter with support monitor mode You will only see packets addressed to your device - and this is only a small part of the actual traffic.

In this article, we'll explore how to legally and securely capture packets on your network, from choosing the right equipment to decrypting encrypted traffic. You'll learn why a standard laptop Wi-Fi adapter isn't suitable for in-depth analysis, how to bypass driver limitations, and which Wireshark filters will speed up your search for the information you need. Important: Intercepting someone else's data without consent violates the laws of most countries (including Article 272 of the Russian Criminal Code on unauthorized access to information). All examples in this article apply only to your own network.

What equipment is needed to intercept Wi-Fi packets?

Most built-in Wi-Fi adapters (for example, in laptops Dell or HP) work in managed mode — they only see packets destined specifically for your MAC address. For full interception, you need an adapter that supports it. monitor mode, which allows you to “listen” to the entire broadcast.

Popular models for traffic analysis:

  • 🔹 Alfa AWUS036ACH — dual-band (2.4/5 GHz), compatible with Kali Linux And Wireshark "out of the box".
  • 🔹 TP-Link TL-WN722N (version 1.0) is a budget option, but requires flashing drivers for new OS.
  • 🔹 Panda PAU09 — supports 802.11ac, suitable for analyzing modern networks.
  • 🔹 Atheros AR9271 — a chipset with open documentation, often used in hacking tools.

Before purchasing, check the adapter's compatibility with your OS. For example, TL-WN722N v3.0 uses a chip Realtek RTL8188EU, which does not support monitor mode on Linux. For Windows, you may need to install drivers. AirPcap (paid solution from Wireshark developers).

⚠️ Please note: In some countries (e.g., Germany), the use of adapters with traffic interception capabilities requires a license. Check local laws before purchasing.
📊 What adapter do you use for Wi-Fi analysis?
Alfa AWUS036ACH
TP-Link TL-WN722N
Panda PAU09
Another
I don't use it

Configuring Wireshark to work with a Wi-Fi adapter

After connecting a compatible adapter, you need to switch it to monitor mode. IN Windows This is done through drivers AirPcap or utilities like Zydas/CommView. IN Linux (For example, Kali Linux) a few commands are enough:

# Checking available interfaces

iwconfig

Switch to monitor mode (replace wlan0 with your interface)

sudo airmon-ng start wlan0

Checking the creation of a monitor interface (usually wlan0mon)

iwconfig

In Wireshark, select the created monitor interface (wlan0mon in Linux or AirPcap (in Windows) and start capturing. If packets are not displayed:

  • 🔄 Make sure the adapter supports monitor mode (check through iw list | grep "Supported interface modes").
  • 🔄 Disable Wi-Fi power saving in your OS settings.
  • 🔄 Update your adapter drivers (on Linux use sudo apt update && sudo apt upgrade).

Install a compatible Wi-Fi adapter|

Switch the adapter to monitor mode|

Update drivers (if necessary)|

Run Wireshark as administrator|

Select monitor interface in Wireshark-->

Packet Filtering: How to Find the Data You Need in a Traffic Stream

Without filters, Wireshark will show thousands of packets per second - from beacon frames (router broadcast signals) to service messages ARPTo narrow your search, use the filters in the line Apply a display filter:

Purpose of analysis Wireshark Filter Example of use
Only your device's packages wlan.addr == XX:XX:XX:XX:XX:XX Tracking the traffic of a specific smartphone
HTTP/HTTPS traffic http || tls Web Request Analysis (HTTPS Passwords Are Not Visible!)
Management Packets (Authentication) wlan.fc.type_subtype == 0x0b Search for attacks on network connectivity
DNS queries dns Checking which websites the device is requesting
Transmission errors wlan.fc.retry == 1 Diagnosing signal problems

For analysis handshake packages (used when connected to Wi-Fi) apply filter eapolThis will help check how securely the device connects to the network. For example, if the capture shows Pairwise Master Key (PMK) in the open - the network uses an outdated protocol WEP or weak WPA.

Decrypting Encrypted Traffic: What You Can See in WPA2/WPA3

Modern Wi-Fi networks use encryption. WPA2-PSK or WPA3, which prevents packets from being decrypted without knowing the password. However, there are legal methods for analysis:

  1. Metadata analysis: Even encrypted packets contain information about MAC addresses, transmission time, and data size. This helps identify anomalies (e.g., flood attacks).
  2. Intercepting a handshakeWhen a device connects to a network, four authentication packets are exchanged. You can save them and try to guess the password offline (legally, only for your own network!).
  3. Using a known passwordIf you know the network key, Wireshark can decrypt the traffic. To do this, go to the protocol settings. 802.11 add the key to the field Decryption Keys.

To intercept handshake in Kali Linux, use the utility airodump-ng:

sudo airodump-ng wlan0mon --bssid [router MAC] -c [channel] --write capture

Capture file (.cap) then you can open it in Wireshark and apply a filter eapol to search for handshake. Warning: brute-forcing passwords to other people's networks is a criminal offense in most countries. This method is only suitable for testing your own security.

⚠️ Note: Since WPA3 (2018), the handshake interception attack has become less effective due to the mechanism SAE (Simultaneous Authentication of Equals)To analyze such networks, specialized tools like hcxtools.

Common Mistakes When Capturing Wi-Fi Packets and How to Avoid Them

Even experienced users encounter problems when intercepting traffic. Here are the most common errors and their solutions:

  • 🚫 The adapter does not see packets: check that it actually supports monitor mode (some Chinese clones Alfa sold with counterfeit chips). Use the command iw list for diagnostics.
  • 🚫 Wireshark only shows broadcast packets.: The adapter is probably not set to monitor mode. In Windows, try the drivers. AirPcap, in Linux - airmon-ng check kill (kills interfering processes).
  • 🚫 Traffic from a specific device is not visible: Make sure it is actively transmitting data (for example, run a ping or a video on YouTube).
  • 🚫 The capture is interrupted after a few minutes.: Disable Wi-Fi power saving in the OS and adapter settings.

Another common problem is buffer overflowWhen the network is heavily loaded, Wireshark may drop packets. Solutions:

  • 🔧 Reduce the capture buffer size in Capture → Options → Buffer Size.
  • 🔧 Use capture filters (Capture Filter), For example, ether host XX:XX:XX:XX:XX:XX for a specific MAC.
  • 🔧 Save the capture to multiple files with a size limit (Capture → Options → Multiple Files).
Why are there no packets from the smartphone in the capture?

Android/iOS smartphones aggressively optimize Wi-Fi connections. If the screen is off, the device may enter a low-power mode and transfer almost no data. To force it to generate traffic:

1. Enable video transmission via Wi-Fi on your phone (YouTube in 1080p).

2. Launch ping on the router in an infinite loop (ping 192.168.1.1 -t in Windows).

3. Turn off the "Wi-Fi Assist" (on iPhone) or "Adaptive Wi-Fi" (on Android) feature, which automatically switches to the mobile network.

Legal Uses of Wi-Fi Packet Interception

Despite the risks of abuse, Wi-Fi traffic analysis has many legitimate uses:

  1. Diagnosing network problems: If a device loses connection, Wireshark will show at what stage the failure occurs (e.g. Deauthentication packets from the router).
  2. Data Leak Detection: some applications (eg IoT devices) transmit logins and passwords in cleartext. Traffic analysis helps identify such vulnerabilities.
  3. Security testing: If you administer a network, packet sniffing allows you to test how easy it is to guess your Wi-Fi password.
  4. Performance optimization: delay analysis (Retransmission) and collisions helps to select a less loaded router channel.

Example of legal use: Did you notice that Xiaomi smart light bulb connects to unknown servers in China. Intercepting its traffic in Wireshark will show:

  • 🔍 What data does it send (eg. MQTT-messages with your geolocation).
  • 🔍 Does it use encryption (if not, it's a vulnerability).
  • 🔍 How often does she "call home" (may indicate a botnet).

For such tasks, analysis is sufficient DNS queries And unencrypted traffic - WPA2 decryption is not required.

Alternatives to Wireshark for Wi-Fi Analysis

Wireshark isn't the only tool for packet capture. Depending on the task, the following may be useful:

Tool Advantages Flaws
TShark Console version of Wireshark, suitable for automation Complex command syntax
Airtool (macOS) A simple interface for capturing handshake Works only on Mac
CommView for WiFi Supports Windows, convenient VoIP analysis Paid license (~$500)
Kismet Specialized for wireless networks, detects hidden SSIDs Complex setup, no graphical packet analysis

For a quick analysis of Wi-Fi security (for example, checking router vulnerabilities), it is convenient to use Kali Linux with pre-installed tools:

  • 🛠️ aircrack-ng — WEP/WPA hacking (only for testing your network!).
  • 🛠️ reaver — WPS vulnerability check.
  • 🛠️ wifite — automatic security audit.

If you want maximum compatibility with Windows, consider Acrylic Wi-Fi - It supports most adapters and has built-in tools for deauthentication (legal for testing only).

FAQ: Frequently asked questions about Wi-Fi packet sniffing

Can I capture packets from a regular laptop without an additional adapter?

Technically yes, but you'll only see packets addressed to your device (about 1-5% of total traffic). For full analysis, you'll need an adapter that supports it. monitor mode.

How can I find out the Wi-Fi password if I intercepted the handshake?

The handshake itself doesn't contain a password—it's an encrypted key exchange. To decrypt it, you need a password dictionary and a tool like Attempt. aircrack-ng or hashcat. Attention: This is only legal for restoring access to your network!

Why does Wireshark show packets but not decrypt them?

Most likely, the network uses WPA2/WPA3 with an unknown password. Wireshark can only decrypt traffic if:

  1. You entered the key in the protocol settings. 802.11.
  2. Traffic is transmitted over an unsecured protocol (for example, HTTP instead of HTTPS).
  3. The outdated WEP is used (decrypted in seconds).
Is it possible to intercept a smartphone's traffic if it is connected to another network?

Technically possible, but only if:

  • You are within the coverage area of ​​this network.
  • The network uses weak encryption (WEP or WPA with a simple password).
  • You have the permission of the network owner.

In practice, modern networks (WPA2/WPA3) make this extremely difficult without physical access to the router.

How to protect your Wi-Fi from packet sniffing?

To make your traffic more difficult to analyze:

  • 🔒 Use WPA3 instead of WPA2.
  • 🔒 Turn it off WPS - This is the most vulnerable part of most routers.
  • 🔒 Set up MAC filtering (although it is easy to get around).
  • 🔒 Turn on guest network for IoT devices.
  • 🔒 Use VPN on all devices - this encrypts traffic even on open networks.