Wireless network analysis is a fundamental skill for information security professionals and network administrators. Tool Wireshark It allows for a detailed examination of the structure of transmitted data, identification of protocol vulnerabilities, and diagnosis of connection problems. However, working with WiFi traffic requires specific knowledge and equipment that differs from analyzing wired Ethernet.
The main difficulty is that wireless interfaces operate in management mode by default, ignoring packets addressed to other devices. To intercept all over-the-air traffic, you need to switch the network card to monitoring modeThis allows the sniffer (protocol analyzer) to capture all frames within the antenna's range, regardless of whether they are intended for your device or not.
In this guide, we'll explore the technical nuances of sniffer configuration, methods for filtering large data sets, and the specifics of decrypting secure traffic. Understanding these processes is critical for assessing the resilience of your corporate or home network to external attacks.
Hardware and driver requirements
To successfully intercept packets, a laptop's standard built-in WiFi module is often insufficient. Most integrated adapters have proprietary drivers or hardware limitations that prevent them from fully processing raw data. You'll need an external USB adapter that supports Wi-Fi technology. Packet Injection and monitor mode.
Devices with chipsets demonstrate the most stable operation. Atheros AR9271, Ralink RT3070 or Realtek RTL8812AUThese models have open documentation and are well supported by Linux operating systems, which are the preferred platform for network analysis. On Windows, functionality may be limited by the capabilities of the Npcap driver.
⚠️ Attention: Using sniffers on other people's networks without the owner's written permission is illegal. Perform all actions only in your own lab environment or on networks where you have administrator privileges.
When choosing an adapter, it's also worth paying attention to support for the 5 GHz band if your target network operates in that standard. Older models can only see 2.4 GHz, which significantly limits the range of events they can monitor. Compatibility checking is often performed using the command airmon-ng in distributions like Kali Linux.
Setting up the interface monitoring mode
The first step after connecting the adapter is to set it to listen to all broadcasts. In Linux operating systems, this is done using the package utilities. aircrack-ngFirst, you need to stop processes that may interfere with the network interface, such as network managers.
Next, monitor mode is activated. This command creates a virtual interface, which will be used by Wireshark. It's important to remember the name of the new interface, as it may differ from the name of the physical device.
sudo airmon-ng start wlan0
After executing the command, a new device will appear in the list of interfaces, usually with the suffix mon (For example, wlan0mon). This is what you need to select in the Wireshark capture settings. If you're running Windows, make sure you selected the option to support raw 802.11 traffic when installing Npcap.
In some cases, the driver may not support saving FCS (Frame Check Sequence) headers, which is important for analyzing errors at the physical level. Driver capabilities can be checked using the utility iw list, where in the Supported interface modes section monitor should be listed.
Launching capture and primary filtering
After selecting the correct interface in Wireshark, the sniffing process begins. The screen will quickly fill with multicolored lines representing thousands of packets per second. Without filters, it's virtually impossible to find the information you need in this stream, so use the filter field immediately.
First, filter out the service control frames (Beacon, Probe Request), leaving only the data. Filter wlan.fc.type == 2 or wlan.fc.type == 0 This will help you focus on control frames or data frames, respectively. This will significantly simplify the visual perception of the network structure.
| Frame Type | Description | Value in the filter |
|---|---|---|
| Management | Service personnel (network search, association) | wlan.fc.type == 0 |
| Control | Environment Access Control Frames | wlan.fc.type == 1 |
| Data | User data and encrypted traffic | wlan.fc.type == 2 |
| Beacon | Access Point Beacon Frames | wlan_mgmt.tag == 0 |
To filter traffic from a specific access point, use the MAC address filter: wlan.addr == 00:11:22:33:44:55This will allow you to ignore neighboring networks and focus on the target device. It's also useful to filter by upper-layer protocols, such as http or dns, unless they are hidden by encryption.
WPA2 Handshake Analysis and Decryption
Modern WiFi networks are protected by encryption protocols, so you'll see unreadable data in the Payload field. To analyze the content, you need to obtain the encryption key. For WPA2-PSK, this requires process interception. 4-way handshake (four-way handshake) when connecting a client.
The process is as follows: the sniffer waits for a legitimate user to connect to the network. At this point, a key exchange occurs, and one of the packets contains a password hash, which can be recovered via brute force. In Wireshark, this is easily detected by the appearance of EAPOL packets.
What to do if no one connects?
If there are no active clients on the network, you can use a deauthentication attack, forcibly disconnecting the device from the router. The device will automatically attempt to reconnect, and you'll receive a handshake.
To decrypt traffic directly in the program interface, go to Edit → Preferences → Protocols → IEEE 802.11In the decryption keys field, you need to enter the key in the format wpa-pwd:password:SSID or wpa-pwd:hexkey:SSIDAfter applying the settings, Wireshark will attempt to decrypt packets previously marked as encrypted.
⚠️ Attention: The WPA3 protocol uses a more robust SAE (Simultaneous Authentication of Equals) mechanism, which makes intercepting a handshake for subsequent password cracking virtually impossible using classic methods.
Successful decryption will reveal HTTP requests, DNS queries, and other metadata. However, if HTTPS is used (which is the standard today), the packet contents will remain hidden, although domain names are often visible in SNI (Server Name Indication).
Diagnosing wireless network problems
Beyond security issues, Wireshark is a powerful tool for troubleshooting unstable connections. By analyzing timestamps and frame types, you can identify retries (retransmissions), high noise levels, or roaming issues between access points.
Pay attention to the field Retry in the frame details. A high retransmission rate indicates a poor signal, interference, or channel congestion. It's also worth checking for Deauthentication and Disassociation frames, which can appear spontaneously during attacks or equipment failures.
☑️ WiFi Diagnostic Checklist
To analyze the signal quality, it is convenient to use a graph Statistics → WiFi → Packet CountsIt visualizes the airtime load and allows for correlation of connection interruptions with service traffic surges or CRC errors. This helps distinguish software failures from physical issues with the radio channel.
Advanced analysis techniques and filters
Experienced administrators use complex filters to detect anomalies. For example, the filter wlan.fc.subtype == 11 && wlan_mgmt.tag == 0 will help you find all Beacon frames, which is useful for mapping all available networks and identifying access points with the same SSID (Evil Twin).
It's also worth paying attention to Probe Request frames, which your device sends out in search of known networks. They may contain a list of previously visited SSIDs, which could leak information about the user's movements. wlan_mgmt.ssids allows you to quickly extract this data from the log.
Don't forget to use the Follow TCP Stream or Follow UDP Stream functions to reconstruct the data exchange sequence between specific nodes. This allows you to clearly see the question-and-response dialogue if the traffic is unencrypted or decrypted.
Frequently Asked Questions (FAQ)
Can I use my laptop's built-in WiFi adapter?
In most cases, no. Integrated cards often don't support monitor mode at the driver level, especially in Windows. For reliable operation, an external USB adapter with an Atheros or Realtek chipset is required.
Why does Wireshark show packets but can't decode them?
Most likely, the traffic is encrypted. To decrypt WPA2, you need to intercept the 4-way handshake and enter the correct network password in the IEEE 802.11 protocol settings in the Preferences menu.
Is it safe to run Wireshark on public networks?
Running the program is safe, but passively eavesdropping on other people's networks may violate the law. Active actions, such as deauthentication or packet injection, are strictly prohibited without the permission of the infrastructure owner.
How do I open an Aircrack-ng .cap file in Wireshark?
The .cap format is compatible. Simply use the File → Open menu and select the saved file. Wireshark will automatically detect the format and apply the appropriate packet analyzers.