Wireshark (formerly Ethereal) is a free and open source packet sniffer and network traffic analyzer with good support for decoding raw 802.11 traffic. Wireshark runs on all popular operating systems, but its ability to capture wireless traffic is limited by operating system support. At the time of this writing, wireless capture is limited to popular open source operating systems and with a small number of cards on Windows using WinPcap. Decoding and analyzing 802.11 traffic is not the primary function of Wireshark, but its ability to decode protocols deep within wireless packets adds richness to traffic analysis that cannot be found in any of the other tools discussed here. The drawback is that to get a full analysis of the traffic, Wireshark requires a stronger understanding of the underlying protocols from the user.
This section is only about the 802.11-specific features of Wireshark, the interface of which is shown in Figure 5-8. For a more complete discussion of all of Wireshark's other uses, see Ethereal/Wireshark.
Before you can use Wireshark to capture wireless traffic, you need to enable rfmon mode for your card. If you do not, it will only show you traffic on a network that you are associated with, and will do so as though the traffic was from an Ethernet network and not 802.11. This is because in the early days of 802.11, before operating systems had native support for it, driver developers implemented an 802.11 to Ethernet translation to fool the operating system into supporting the protocol.
The procedure required to enable rfmon mode is different for every operating system and sometimes for each wireless card. Here are the most common ways to make it work on the most common systems.
On Linux, the following commands work for most supported wireless devices:
% iwconfig eth0 mode monitorWarning
When you start capturing traffic in rfmon mode through some wireless cards, you may still receive an error message complaining about an unsupported ARP type. When this happens, Wireshark is able to display the raw 802.11 frame data but does not know it is 802.11, so it does not do any decoding for you.
There are two ways to get around that problem. The first solution is to use a program such as Kismet to capture the traffic for you and then open it later. The second solution, which lets you capture live traffic, is to use a program that forwards traffic to the Linux tap device. The new core version of Kismet will do just this. To get this working, simply start up the new core version of Kismet and then in Wireshark, open the tap0 device instead of the usual interface.
On these BSD operating systems the following commands work for supported wireless devices:
% sudo ifconfig eth0 monitorYou need to be sure that the user you run Wireshark for has access to read from your Berkeley packet filter device files. This means you either need to run as root or change permissions to your various bpf devices using a command such as the following:
% sudo chmod 644 /dev/bpf*OS X does not currently have any reliable method for enabling rfmon mode on any of its supported cards. A number of people are working on this, so keep checking the Wireshark forums for future updates.