CTS 383: Deep Dive – Wi-Fi Troubleshooting at the Frame Level

Published 5 months ago
Description

Thank you to our sponsor:

Meter: Visit meter.com/cleartosend to book a demo!

This video, a deep dive on frame analysis, covers the essentials of capturing Wi-Fi frames and analyzing them using Wireshark. The skills discussed are useful for troubleshooting and for those studying for their CWAP certification.

Capturing Wi-Fi Frames

To properly capture 802.11 frames, a Wi-Fi network interface card (NIC) must be set to monitor mode, as simply running Wireshark will only capture data at Layer 3 and above.

Capture Tools and Tips:

  • macOS: Users can employ the AirTool software to put their card into monitor mode and perform a packet capture on one channel.
  • Unix-based systems are generally easier to use for capture due to more monitor-mode-friendly drivers.
  • Dedicated Tools: Dedicated tools like the Sidekick (which uses Unix and has multiple Wi-Fi NICs for multi-channel capture) and the WLAN Go (a lightweight tool that can be attached to a phone and supports Wi-Fi 7 frame captures) are also recommended.
  • Placement: The capture device should be closer to the client (for client-side troubleshooting) or the AP (for AP-side troubleshooting).
  • AP Capture: Some systems allow packet captures to be performed directly on the access points, which can track a client's MAC address across different APs and channels, or even capture traffic on the wired port.
  • Best Practice: The speakers recommend capturing all traffic first and then filtering later in Wireshark to ensure nothing is missed.

Analyzing Frames with Wireshark

Analysis begins by importing the 802.11 frames into Wireshark. Key features and tips for navigating potentially overwhelming files (containing thousands or millions of frames) include:

1. Filters and Profiles

  • Display Filters: Filters are essential for cutting through the noise. Wi-Fi filters typically begin with “wlan.”.
  • Right-Click Filtering: A fast way to create a filter is to right-click on a specific field in a frame and select “Apply as Filter” or “Prepare as Filter”.
  • wlan.addr Filter: To see both uplink and downlink traffic for a specific device, modify a filter ba
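
An added example, not from the episode or its show notes: a Python sketch of why a wlan.addr-style match shows both uplink and downlink frames for one device, while a match on address 2 alone does not. The MAC addresses, frames and helper names are constructed for illustration, and the address-count rules are simplified to the common frame types.

```python
import struct

# Constructed sample values (locally administered MACs), not from the episode.
CLIENT, AP, GW = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:fe"
OTHER_AP, BCAST = "02:00:00:00:00:bb", "ff:ff:ff:ff:ff:ff"
RADIOTAP = bytes.fromhex("0000080000000000")  # minimal 8-byte radiotap header

def build(fc0, flags, *addrs):
    """Build a radiotap + 802.11 header (hypothetical helper for the sample data)."""
    raw = b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    seq = b"\x00\x00" if len(addrs) == 3 else b""    # sequence control field
    return RADIOTAP + bytes([fc0, flags, 0, 0]) + raw + seq

CAPTURE = [
    ("uplink data",   build(0x08, 0x01, AP, CLIENT, GW)),        # To DS set
    ("downlink data", build(0x08, 0x02, CLIENT, AP, GW)),        # From DS set
    ("ACK to client", build(0xD4, 0x00, CLIENT)),                # receiver address only
    ("other beacon",  build(0x80, 0x00, BCAST, OTHER_AP, OTHER_AP)),
]

def addresses(pkt):
    """Return every MAC address present in the 802.11 header of one captured frame."""
    rt_len = struct.unpack_from("<H", pkt, 2)[0]     # radiotap length is little endian
    hdr = pkt[rt_len:]
    ftype, subtype = (hdr[0] >> 2) & 3, hdr[0] >> 4
    if ftype == 1:                                   # control frames
        count = 1 if subtype in (12, 13) else 2      # CTS and ACK carry only address 1
    else:                                            # management and data frames
        count = 4 if (ftype == 2 and (hdr[1] & 3) == 3) else 3  # WDS adds address 4
    offsets = [4, 10, 16, 24][:count]
    return [hdr[o:o + 6].hex(":") for o in offsets if len(hdr) >= o + 6]

def any_address(pkt, mac):
    """Match like the wlan.addr display filter: the MAC may be in any address field."""
    return mac.lower() in addresses(pkt)

def transmitter_only(pkt, mac):
    """Match address 2 only, so frames sent to the device are missed."""
    found = addresses(pkt)
    return len(found) > 1 and found[1] == mac.lower()

def apply_filter(match, mac):
    """Return the names of the sample frames that the given match function keeps."""
    return [name for name, pkt in CAPTURE if match(pkt, mac)]

if __name__ == "__main__":
    print("any address     :", apply_filter(any_address, CLIENT))
    print("transmitter only:", apply_filter(transmitter_only, CLIENT))
```

The address-2-only match drops the downlink data frame and the ACK, which are the frames that show whether the client is actually being answered.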