Wireshark monitor mode windows

Capturing Wireless on Windows was always problematic, because other than on Linux or Mac it wasn’t possible to activate Monitor mode on the WiFi cards to capture the radio layer. All you could do was capture packets on your WiFi card from the Ethernet layer and up. That’s  unless you spent money on the now discontinued AirPCAP USB adapters. But now there is a silver lining on the horizon in the form of the npcap library.

I have to admit that capturing wireless traffic isn’t my strong suit. Dealing with radio waves is a whole different topic than picking up packets from a cable, so there’s a different set of skills required to troubleshoot WiFi issues. But at least I know that there’s a difference between being able to use “Monitor Mode” and not being able to. Of course I can capture on a WiFi card, e.g. picking up packets like this on my “Wi-Fi 2” card:

Картинка с сайта: blog.packet-foo.com

Figure 1 – “Wireless” capture without monitor mode

As you can see, the capture looks just like a normal Ethernet capture would. There’s nothing related to the radio layer, so troubleshooting the wireless connectivity is not possible this way. To get the radio layer information, you need at least three things (other than Wireshark, of course):

1. A WiFi card that supports monitor mode.
2. The npcap capture libraries (instead of WinPCAP).
3. A tool to enable monitor mode

Requirement 1 – a WiFi card with monitor mode

Unfortunately, not all WiFi cards support monitor mode on Windows. There’s a matrix available that you can use to check if your card is supported: https://secwiki.org/w/Npcap/WiFi_adapters.

I use either Alfa cards or, in this case, a NetGear A6210, which I bought at a local electronics store.

Requirement 2 – the npcap libraries

Since Wireshark 3.0 came out WinPCAP is no longer the default capture library installed. Instead, the npcap libraries are used, which replace the discontinued WinPCAP libraries. If you want to know more about the differences between the two, check this comparison. If you recently installed Wireshark 3.x (or later) you should automatically have replaced WinPCAP with npcap, unless you didn’t allow the installer to do that. Important: you need to make sure “Support raw 802.11 traffic (and monitor mode) for wireless adapters” is checked:

Картинка с сайта: blog.packet-foo.com

Figure 2 – npcap Installation Options

Requirement 3 – A tool to enable monitor mode

Картинка с сайта: blog.packet-foo.com

Figure 3 – enabling Monitor Mode fails

If you run Wireshark, you’ll notice that you have a “Monitor Mode” checkbox in the capture interface dialog for your WiFi cards. You can open that dialog from the main menu via “Capture” -> “Options” or by pressing CTRL-K. Unfortunately, even with npcap installed correctly it doesn’t seem to work if you click it (at least in my case), because the check mark disappears again after a short moment.

I’m not sure if that’s normal, but as far as I found out Wireshark can’t modify that setting because it doesn’t have the sufficient privileges to do that. You can either run Wireshark in administrative mode – which I strongly advise against, because it could allow malicious packets to compromise your system. Check out this blog post about “Attacking Wireshark” for details.

The much better plan is to use the wlanhelper utility in an elevated command prompt, which is why I added it specifically to the list of requirements. Fortunately, this comes as part of the npcap installation and is called wlanhelper.exe. You can find it in C:\Windows\System32\Npcap\

Check which mode your WiFi card is in using the “wlanhelper.exe” tool. You should run a command line prompt as administrator and change into the directory “C:\Windows\System32\npcap”. To check the current WiFi card mode, run this command (replace “Wi-Fi 2” with the name of your network card you want to manage):

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode
managed

“Managed” is the default mode that your card should usually be in. It means that it is ready to be used for normal WiFi connectivity. To put it into monitor mode you use the following command:

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode monitor
Success

But you may also see a result like this:

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi 2" mode monitor
Error: SetWlanOperationMode::SetInterface error, error code = 5 (Access is denied)
Failure

As you can see we got an error back, which is most likely caused by the fact that the command line prompt wasn’t started as administrator – so if you get this, close your command prompt and start it again, as administrator. If you’re not sure how to do that, follow these steps:

1. Press CTRL & ESC to open the start menu
2. type “cmd”, which should find the “Command Prompt” icon
3. Click “Run as Administrator” or (if you want to impress people standing behind you) press CTRL & Shift & Enter to launch the icon in administrative mode.
4. Confirm the User Access Control prompt

Now, we we run Wireshark again, we can “turn on” monitor mode (which we already did; we’re just telling Wireshark to try it to make it realize it works now):

Картинка с сайта: blog.packet-foo.com

Figure 4 – enabling Monitor Mode works

As you can see, the “Link-layer Header” changes from “Ethernet” to “802.11 plus radio tap header”, which tells us that we’re now going to capture radio layer information as well. Now, when we start a capture on a card like that, we’ll see a different story:

Картинка с сайта: blog.packet-foo.com

Figure 5 – Capturing with Monitor Mode enabled

We get a ton of management frames, and we also see the typical “Radiotap Header” that tells us about the radio layer. Exactly what we wanted.

Changing channels

One thing that will probably bug you is that Wireshark 3.x doesn’t yet come with a WiFi toolbar, which allows to change channels in a convenient way from the GUI. Unfortunately you’ll have to change channels manually until that problem is solved, and you can do that (again) with the help of the wlanhelper utility, using the according commands:

C:\Windows\System32\Npcap>wlanhelper
WlanHelper for Npcap 0.992 ( http://npcap.org )
Usage: WlanHelper [Commands]
or: WlanHelper {Interface Name or GUID} [Options]

OPTIONS:
mode : Get interface operation mode
mode <managed|monitor|master|..> : Set interface operation mode
modes : Get all operation modes supported by the interface, comma-separated
channel : Get interface channel
channel <1-14> : Set interface channel (only works in monitor mode)
freq : Get interface frequency
freq <VALUE> : Set interface frequency (only works in monitor mode)
modu : Get interface modulation
modu <dsss|fhss|irbaseband|ofdm|hrdsss|erp|ht|vht|ihv (VALUE)|..> : Set interface modulation
modus : Get all modulations supported by the interface, comma-separated

Final Words

Capturing Wireless on Windows got a lot easier now, and with npcap it’s also possible to capture on more recent cards than the old WinPCAP adapters which stopped at the 802.11n technology as far as I know. One thing to keep in mind: capturing in monitor mode means that the card becomes a “receive-only” card. So don’t be surprised when you lose connectivity if you have only one WiFi card in your system. If you need to stay connected to a wireless network while capturing it you need two cards – one in managed mode, one in monitor mode.

Introduction

Ever wondered how Wi-Fi really works? There’s a cool feature called “monitor mode” which enables you to peek behind the scenes of Wi-Fi networks. Think of it like having superpowers for your Wi-Fi adapter.

In this article, I will explain what “monitor mode” is, and show you how it can be your secret weapon for a better understanding of Wi-Fi. Whether you’re a tech guru or just curious about how your things connect wirelessly, we’re about to dive into a world where we uncover hidden signals in the air.

Monitor mode enables a computer equipped with a wireless network adapter to observe all Wi-Fi traffic flowing within range. In contrast to promiscuous mode, which serves a similar purpose for packet sniffing, monitor mode permits the capture of packets without the necessity of establishing a connection with an access point beforehand.

This guide will provide you with basic theory as well as a tutorial on how to get started with Wi-Fi monitoring.

Normal, Promiscuous and Monitor mode

In the default Normal mode, a Wi-Fi adapter selectively allows broadcast packets and packets specifically addressed to your device to pass through its filter at the lower network layers. However, to capture a broader range of packets beyond those directed at your device, it’s necessary to configure the Wi-Fi adapter into either Promiscuous or Monitor mode, depending on the intended purpose. Notably, Monitor mode not only facilitates the capture of packets but also extends the capability to capture 802.11 management and low-level control packets.

IEEE 802.11 refers to the set of standards that define communication for wireless LANs (wireless local area networks, or WLANs), commonly known as Wi-Fi.

When sniffing packets in Promiscuous mode, establishing an association with an access point is requisite. This configuration grants Wireshark visibility into all packets traversing the network, albeit limited to a single channel at any given time.

To draw an analogy, envision joining a group conversation where, despite not being the intended recipient, you can overhear someone saying, “Hey, Mike, I have a new Wi-Fi adapter.” Similar to this scenario, in Promiscuous mode, you gain access to all network communications, though limited to one channel.

On the other hand, Monitor mode allows packet sniffing without the necessity of associating with any access point. In this mode, encrypted packets remain encrypted by the adapter or the driver; however, they are still presented to Wireshark for analysis.

To illustrate, picture yourself strolling down a street, casually listening to people conversing in foreign languages. In this analogy, the foreign languages represent encrypted packets, and your ability to understand them symbolizes Monitor mode’s capacity to capture packets without establishing an association with an access point.

Entering Monitor mode

Once you have setup your environment as described in the Appendix, or in other ways suitable for your system, you are ready to do Wi-Fi sniffing.
To enable monitor mode simply execute:

sudo airmon-ng start wlan0

replace wlan0 with the interface on your system.

Capturing packets with Wireshark

Start Wireshark as super user and select wlan0. You should now see some packets being captured. You will most likely see packets received from only a single channel, in my case it’s channel 10.
Some of the packets are show below. Most of them belong to the IEEE 802.11 layer.

Probe Request: A device requests to join a network with a given SSID
Probe Response: An Access Point responds to a request
Beacon frame: An Access Point advertises its existence
Data: These are encrypted packets on one of the networks Wireshark can’t decode without knowing the network passwords. These are shown as 802.11, because Wireshark can only decode the 802.11 header.

If you are interested in a different channel you can switch by executing:

iw dev wlan0 set channel <channel>

Wi-Fi connection sequence

The Wi-Fi connection sequence involves a series of steps for a device to join a wireless network. First, the device scans for available networks and sends out probe requests. Upon finding a suitable network, it initiates a connection request. The access point then responds, and both devices negotiate security parameters before the device is authenticated and associated with the network, thus completing the connection sequence.

The sequence is shown below together with the actual packets captured from a real connection.

Decrypting packets

Now the most interesting part, namely decrypting packets without associating your device with a network.

This is described in details in this tutorial HowToDecrypt802.11.

It’s important to note that this method won’t extend to decrypting packets that undergo additional encryption at the application layer, such as those associated with SSH traffic.

To illustrate the significance of this decryption capability, consider the network association process for a device, encompassing activities like DHCP requests. Without undergoing the tutorial on decrypting 802.11, protocols other than 802.11 and EAPOL (Extensible Authentication Protocol over LAN) might remain concealed. This means that certain network activities and communication layers would be obscured, hindering a comprehensive understanding of the network dynamics.

It is important to note that monitor mode must be enabled, and Wireshark must start capturing packets before said device tries to connect. This is because Wireshark needs to capture the EAPOL messages, which are used to exchange Cryptographic Keying information, to be able to decrypt non 802.11 packets. Once the keys are known, protocols like ICMP, DHCP and many more are decrypted.

Conclusion

Activating Monitor mode on a Wi-Fi adapter offers a robust means of sniffing Wi-Fi traffic. This extends beyond the network your host is directly associated with, encompassing all airborne traffic. If knowledge of passwords for one or more networks is available, it becomes feasible to monitor the traffic as if the host was associated with those networks. As illustrated, this inclusive sniffing capability spans all layers, including the intricate 802.11 layer. The amalgamation of these features paints a comprehensive picture of all network activity, thereby establishing an invaluable framework for development and debugging purposes.

Appendix – System setup

The following is a tutorial on how to setup your system in order to utilize the monitor mode for Wi-Fi packet sniffing. Note that the procedure might be different in you case, especially if you run Linux natively.

The operating system

To begin, it’s essential to note that my host operating system is Windows 11, complemented by the WSL2 serving as the Linux runtime environment. This shows to be highly flexible, allowing me to seamlessly operate both systems concurrently.
It’s interesting to reflect on the journey, considering that, two decades ago, the idea of Microsoft shipping a Linux environment would have seemed inconceivable.

The Wi-Fi adapter

I encountered numerous challenges while attempting to configure my laptop Wi-Fi adapter for both monitor and promiscuous modes, both for Windows and WSL (Ubuntu). After grappling with the settings for some time, I opted to acquire an external Wi-Fi adapter more suited to the task. My choice fell upon the TP-Link Archer T9UH, equipped with the RTL8814AU chipset. This particular chipset has garnered positive recommendations from fellow Wi-Fi sniffing enthusiasts, making it a readily available and cost-effective option.

Despite the promising chipset, I soon found myself facing new set of challenges.

The driver

Given the notorious intricacies of working with Windows at the under-the-hood level, I opted to bypass potential challenges and focus directly on WSL. However, every chipset requires a suitable driver, and therein lay the challenge. Unfortunately, the kernel released by Microsoft for WSL2 did not include a driver compatible with my chosen TP-Link Archer T9UH, marking an unexpected hurdle.

Undeterred, I embarked on a quest to find a compatible driver. This quest led me through multiple alternatives, some of which had been superseded, while others languished in a state of disrepair due to lack of maintenance. After a persistent search, I eventually stumbled upon a driver that seemed reasonably up-to-date, prompting me to take the plunge and give it a try. https://github.com/morrownr/8814au
Git SHA f058ea8af3afd2a06b2a0a8bf8e2129bcb07d5f5

The kernel

The stock kernel for WSL2 at the time of writing is version linux-msft-wsl-5.15.133.1. The driver wouldn’t build as it is showed to be incompatible with that kernel. The driver required a kernel version 6. I’ve landed on Git tag linux-msft-wsl-6.1.21.2.

You can find the kernel build instructions here: https://learn.microsoft.com/en-us/community/content/wsl-user-msft-kernel-v6.

The software

You will also need some software to enable the monitor mode as well as do the packet decoding. As the title suggest, Wireshark is used for packet decoding. When it comes to enabling of the monitor mode this should be possible to do with some fancy commands, but I’ve used airmon-ng, which is part of the aircrack-ng package installed by sudo apt install aircrack-ng.

The Linux distribution

Despite the work I’ve done as described above I still struggled to get everything to work. There were some incompatibilities between some of the software components. Finally I’ve got that resolved by installing Kali Linux from the Microsoft Store and booting it with my kernel and driver build. Finally it all played together.

The WSL USB framework

By default, WSL2 doesn’t see any USB devices connected to the host (same as for VirtualBox). A USB device needs to be attached to WSL2. You can find easy to follow instructions here: https://github.com/dorssel/usbipd-win.

Give your Wi-Fi adapter a test ride

Once your Wi-Fi adapter is accessible from WSL2 you can load the 8814au driver:

sudo modprobe 8814au
#verify that driver was loaded
lsmod

Bring up wlan0:

sudo ifconfig wlan0 up
#verify that wlan0 is up
ifconfig

To further test the Wi-Fi adapter you could now connect to your local network with wpa_supplicant. Create a wpa_supplicant.conf file and populate it with the following:

ctrl_interface=/run/wpa_supplicant
update_config=1

network = {
        ssid="<you SSID>"
        psk="<your password>"
}

Start the wpa_supplicant and check if it connects:

sudo wpa_supplicant -c wpa_supplicant.conf -iwlan0

Stop the wpa_supplicant with Ctrl-c

You are now setup for Wi-Fi traffic sniffing.

1. Can I use Wireshark in monitor mode?
2. What is the use of monitor mode?
3. How do I enable 802.11 in Wireshark?
4. Why is Wireshark not capturing packets?
5. How much RAM does Wireshark use?
6. How do I enable promiscuous mode in Wireshark?
7. What is promiscuous mode in Wireshark?
8. How do I see packets in Wireshark?
9. What is monitor mode interface?
10. Can we use WiFi in monitor?
11. Does 802.11 N support monitor mode?

Can I use Wireshark in monitor mode?

In Wireshark 1.4 and later, when built with libpcap 1.0 or later, there may be a «Monitor mode» check box in the «Capture Options» dialog to capture in monitor mode, and the command-line option -I to dumpcap, TShark, and Wireshark may be used to capture in monitor mode.

What is the use of monitor mode?

Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel.

How do I enable 802.11 in Wireshark?

Why is Wireshark not capturing packets?

A problem you’ll likely run into is that Wireshark may not display any packets after starting a capture using your existing 802.11 client card, especially if running in Windows. The issue is that many of the 802.11 cards don’t support promiscuous mode.

How much RAM does Wireshark use?

Since Wireshark Git commit 9fb143d508442a2b41f1597c9bfc377578f33d0f (first released in 0.99. 5) Wireshark/Tshark is linked with the /LARGEADDRESSAWARE switch that enables usage of up to 3GB/4GB RAM as described above.

How do I enable promiscuous mode in Wireshark?

To turn on promiscuous mode, click on the CAPTURE OPTIONS dialog box and select it from the options. If everything goes according to plan, you’ll now see all the network traffic in your network. However, many network interfaces aren’t receptive to promiscuous mode, so don’t be alarmed if it doesn’t work for you.

What is promiscuous mode in Wireshark?

Promiscuous mode allows the interface to receive all packets that it sees whether they are addressed to the interface or not.

How do I see packets in Wireshark?

You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select Edit → Find Packet… ​ in the main menu. Wireshark will open a toolbar between the main toolbar and the packet list shown in Figure 6.11, “The “Find Packet” toolbar”.

What is monitor mode interface?

It is a mode in which the packets that every system sends to the WiFi are received by the system which is having the Monitor mode of WiFi instead of the WiFi itself. It means that all data is passed through the device which has the monitor mode of the WiFi.

Can we use WiFi in monitor?

Making a wireless monitor wireless requires that your monitor have one HDMI input adapter and a separate wireless HDMI adapter and receiver system. Luckily, this process takes no more than 10 minutes, with the majority of the time installing all of the necessary software and drivers for your wireless HDMI adapter.

Does 802.11 N support monitor mode?

One of the most knowen monitor mode wifi adapter is Alfa AWUS036NHA it’s a WiFi USB adapter that supports IEEE 802.11 b/g/N. Able to create networks with transmission speeds up to 150 Mbps in the 2.4 GHz band, which is also compatible with IEEE 802.11 b/g for connecting wireless devices at speeds up to 54 Mbps.