Airtool – the Wireshark Sidekick

There’s one more piece to the puzzle to make monitor mode captures on OS X really functional – Airtool is a free download from Adrian Granados. Do yourself a favor, take a short detour to his site here and check out all of his apps. Wifi Signal and Wifi Explorer are both well worth the small cost and do a great job at optimizing your access to the wifi info hitting your machine.

But back to Airtool – free download. Airtool sits in your menu bar and gives you quick draw access to capture settings. Take a look:

Airtool Menu
Airtool can change the channel in a live capture via the Channel menu


Channel Change!
Channel change mid-capture. That’s how we roll.

Airtool can start its own captures and then open them in Wireshark for you when stopped. Basically, Airtool is a better interface to the OS X Wireless Diagnostics capture utility.

Better yet – you can have Airtool disconnect from the current WLAN for you. OS X doesn’t do this well on its own (option + click on the wifi icon shows the option, but it will usually just reconnect).


You’ll also notice that you can set the capture channel width – dependent of course on your internal NIC’s capabilities.


The preferences menu lets you make some tweaks to the status icon and set the capture file location. With Airtool and Wireshark on OS X, you’ve got all you need to do 0-80 (MHz) in under 10 seconds!


Wi-Fi Channels in Wireshark

So we’ve got our easy monitor mode wireless captures in OS X (thank you built-in monitor mode!), now let’s tweak Wireshark to be a little more useful.

The radiotap header tells us some wireless-specific info that might be useful to see in the main packet list, including the channel or frequency that the packet was captured on, but Wireshark doesn’t show this in the packet list by default (maybe because wireless captures are for REAL experts 😎):

Radiotap Header

Let’s edit the displayed columns: Right-click on any of the column headers that you already see, like the Time or Protocol columns, and choose “Column Preferences”.

Column Prefs

Alternatively, use the “Edit” menu, then “Preferences” > “Columns”.

Click the + button to add a new column, which will show up at the bottom of the table. Click the “Title” field and type in whatever you want the column header to be called (like “Frequency”!). Then click the “Type” field and set it to “Frequency/Channel”:

Add Column

Lastly, drag the new row up to fit it in where you want to see it. Here I’ve put it in between the Protocol and Length columns.

You can add and remove more columns this way – if you look you’ll also note that you can add columns for the 802.11 RSSI and TX Rate values from the radio tap header:

80211 Columns

Note that Wireshark displays the “Frequency/Channel” Column as the Frequency, but the channel is also listed in the radiotap header field in the packet details view. The channel is also available in the 802.11 Radio information:

80211 Radio info

We can also create a column based on this field. Right-click on the line and select “Apply as Column”:

Channel Apply Column

Then go back to your column preferences to see what Wireshark did for you:

custom channel column

We can use just about any field as a column with this method – just let Wireshark find the field ID for you!

Now we can filter and re-order our packets based on the new columns. That’s better!
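To make it concrete what Wireshark is pulling those Frequency, RSSI and TX Rate columns out of, here is a small radiotap parser. This is an added example and not code from the post or from Wireshark; the packet bytes are constructed by hand to resemble what the “802.11 plus radiotap header” link type produces, and the field-name keys (`freq_mhz`, `dbm_antsignal`, and so on) are my own choice. It also handles the two things that commonly trip up hand-written radiotap readers: per-field alignment relative to the start of the header, and the bit-31 “another present word follows” extension.

```python
"""Parse the radiotap header in front of a monitor-mode 802.11 frame.

Added example, not part of the original post. Sample packets are constructed.
"""
import struct

# Radiotap "present" bit -> (field name, alignment, size in bytes).
# Fields appear in bit order and each is aligned relative to the header start.
RADIOTAP_FIELDS = {
    0: ("tsft", 8, 8),            1: ("flags", 1, 1),
    2: ("rate", 1, 1),            3: ("channel", 2, 4),
    4: ("fhss", 2, 2),            5: ("dbm_antsignal", 1, 1),
    6: ("dbm_antnoise", 1, 1),    7: ("lock_quality", 2, 2),
    8: ("tx_attenuation", 2, 2),  9: ("db_tx_attenuation", 2, 2),
    10: ("dbm_tx_power", 1, 1),   11: ("antenna", 1, 1),
    12: ("db_antsignal", 1, 1),   13: ("db_antnoise", 1, 1),
    14: ("rx_flags", 2, 2),       15: ("tx_flags", 2, 2),
    16: ("rts_retries", 1, 1),    17: ("data_retries", 1, 1),
    18: ("xchannel", 4, 8),       19: ("mcs", 1, 3),
    20: ("ampdu_status", 4, 8),   21: ("vht", 2, 12),
    22: ("timestamp", 8, 12),
}
RT_EXT = 1 << 31     # set in a present word when another present word follows
FLAG_FCS = 0x10      # radiotap flags bit: frame includes the FCS


def freq_to_channel(freq_mhz):
    """Map a centre frequency in MHz to an 802.11 channel number (None if unknown)."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 < freq_mhz < 6000:
        return (freq_mhz - 5000) // 5
    return None


def parse_radiotap(buf):
    """Return (header_length, fields) for the radiotap header at the start of buf.

    Only bits of the first present word are decoded; an unknown bit stops
    decoding because the size of every later field is then unknown.
    """
    if len(buf) < 8:
        raise ValueError("buffer too short for a radiotap header")
    version, _pad, length, present0 = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    if length > len(buf):
        raise ValueError("radiotap length exceeds buffer")

    # Data starts after the last present word; skip extended ones (bit 31).
    offset, word = 8, present0
    while word & RT_EXT:
        if offset + 4 > length:
            raise ValueError("truncated present bitmap")
        word = struct.unpack_from("<I", buf, offset)[0]
        offset += 4

    fields = {}
    for bit in range(29):                      # 29/30 are namespace switches
        if not present0 & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break
        name, align, size = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) & ~(align - 1)   # align to field boundary
        if offset + size > length:
            raise ValueError("field %s runs past the header" % name)
        raw = buf[offset:offset + size]
        if name == "channel":
            freq, cflags = struct.unpack("<HH", raw)
            fields["freq_mhz"], fields["channel_flags"] = freq, cflags
            fields["channel"] = freq_to_channel(freq)
        elif name == "rate":
            fields["rate_mbps"] = raw[0] * 0.5         # units of 500 kb/s
        elif name == "flags":
            fields["fcs_present"] = bool(raw[0] & FLAG_FCS)
        elif name in ("dbm_antsignal", "dbm_antnoise", "dbm_tx_power"):
            fields[name] = struct.unpack("<b", raw)[0]
        elif name == "tsft":
            fields["tsft"] = struct.unpack("<Q", raw)[0]
        else:
            fields[name] = raw
        offset += size
    return length, fields


def column_summary(buf):
    """The Frequency / RSSI / TX Rate columns from the post, as one string."""
    _, f = parse_radiotap(buf)
    return "%d MHz (ch %s) | %d dBm | %.1f Mb/s" % (
        f["freq_mhz"], f["channel"], f["dbm_antsignal"], f["rate_mbps"])


# Constructed samples: present = flags|rate|channel|dbm_antsignal (0x2e),
# followed by the first two bytes of a beacon frame (0x80 0x00).
SAMPLE_5GHZ = bytes.fromhex("00 00 0f 00  2e 00 00 00  10 0c  3c 14 40 01  d1  80 00")
SAMPLE_2GHZ = bytes.fromhex("00 00 0f 00  2e 00 00 00  10 02  85 09 a0 00  c2  80 00")
# Same fields, but the first present word has bit 31 set and an (empty) second word.
SAMPLE_EXTENDED = bytes.fromhex(
    "00 00 13 00  2e 00 00 80  00 00 00 00  10 0c  3c 14 40 01  d1  80 00")

if __name__ == "__main__":
    for pkt in (SAMPLE_5GHZ, SAMPLE_2GHZ, SAMPLE_EXTENDED):
        print(column_summary(pkt))
```

The header length returned is the offset at which the actual 802.11 frame begins, which is the same split Wireshark makes between the “Radiotap Header” and “802.11 Radio information” subtrees in the packet details.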


ESS Easter Eggs

I noticed some tongue in cheek progress bar comments in the the ESS CAD import dialog, so I took a few screengrabs. Here are the ones that were on screen long enough to catch:

Phase 4

Phase 5

Phase 6

Phase 9

Phase 10

ESS decides to stay in the Matrix…

Phase 11

Phase 13

I wonder who Stew is.

Phase 15

Multitasking!

Phase 16

Phase 20

Phase 23

Phase 26

There are some complex calculations involved in designing RF.

Phase 30

Phase 31

Phase 34

It’s always fun to see software engineers with a sense of humour 🙂

Quick, Live Monitor Mode Wifi Captures on OS X

Unlike Windows, OS X offers the ability to put the wifi NIC into monitor mode without any special drivers, meaning we can actually capture wifi traffic in the air, even if it isn’t specifically destined for our NIC. All we need is Wireshark.

Open the capture interfaces options dialog (look for the gear icon on the toolbar), and make sure to set monitor mode to “enabled” for the Wi-Fi NIC (highlighted below, labeled as “Wi-Fi: en0”). We’ll also want the Link-layer header to be set to “802.11 plus radiotap header” (mine was already set to that option):

Wireshark · Capture Interfaces dialog (screenshot)

Then click the “Start” button on the bottom of the dialog window to start capturing!

I find it helpful to NOT use Wireshark in full screen mode so that I can see the top menu bar at the same time as the Wireshark Start/Stop controls. When in monitor mode, the Wi-Fi icon in the menu bar changes to look like an eyeball overlaid on the typical icon (green highlight mine):

Capturing from Wi-Fi: en0 (screenshot)

That’s it! We should see beacons, probes and other frames not addressed to our NIC now.
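For anyone who prefers a terminal to the Capture Interfaces dialog, here is the command-line version of the procedure above, together with the disconnect and channel-change steps that Airtool does for you in the earlier post. This is an added example and not a script from the post or from Airtool. It assumes the Wi-Fi interface is `en0` and that Apple’s `airport` helper is at the path set in `AIRPORT` (both were true on OS X of that era; adjust if not). Nothing is executed unless `CAPTURE_RUN=1` is set, so the functions can be sourced and inspected safely.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumed: en0 is the Wi-Fi NIC
# and the Apple airport helper lives at AIRPORT below.
AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
WIFI_IF="${WIFI_IF:-en0}"

# Accept 2.4 GHz channels 1-14 and the usual 20 MHz 5 GHz channels; anything
# else is rejected so a typo does not silently leave the card on the wrong channel.
valid_channel() {
    case "$1" in
        [1-9]|1[0-4]) return 0 ;;
        36|40|44|48|52|56|60|64|100|104|108|112|116|120|124|128|132|136|140|144|149|153|157|161|165) return 0 ;;
        *) return 1 ;;
    esac
}

# Build (do not run) the capture command: -I is tcpdump's "monitor mode" switch,
# and -y selects the same "802.11 plus radiotap header" link type chosen in the
# Wireshark dialog, so the resulting file opens with the radiotap columns intact.
build_capture_cmd() {
    printf 'tcpdump -I -i %s -y IEEE802_11_RADIO -w %s\n' "$1" "$2"
}

# Disassociate first (the OS tends to reconnect otherwise), then pin the channel.
build_channel_cmds() {
    valid_channel "$1" || return 1
    printf '%s -z; %s -c%s\n' "$AIRPORT" "$AIRPORT" "$1"
}

# Usage:  CAPTURE_RUN=1 sh capture.sh 36 out.pcap   (stop with Ctrl-C)
if [ "${CAPTURE_RUN:-0}" = "1" ]; then
    ch="${1:-36}"; out="${2:-capture.pcap}"
    valid_channel "$ch" || { echo "bad channel: $ch" >&2; exit 2; }
    sudo sh -c "$(build_capture_cmd "$WIFI_IF" "$out")" &
    sleep 2                                  # let tcpdump flip en0 into monitor mode
    sudo sh -c "$(build_channel_cmds "$ch")"
    wait
fi
```

The ordering matters: the channel is set after the capture has started, which is exactly the mid-capture channel change Airtool offers from its Channel menu, and the disassociate step is the same thing as its “disconnect from the current WLAN” option.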

In upcoming posts I’ll note how to set up Wireshark to show the channel/frequency and talk about using Airtool to change channels.

Side note: Credit to Tom LaBaude on Twitter for bringing this little Wireshark bug to my attention when capturing. Here’s the workaround.


Wi-Fu

Howdy. I am a network engineer with a wifi hobby. I mean (cue Keanu) I know Kung-fu: routing and switching, firewalls, and data centre stuff, but I know wifi is an entirely different beast, and my wireless Kung-fu (henceforth “Wi-fu”) is weak.

Wifi has a well known community on the web. In the words of Keith Parsons: “You HAVE to be on Twitter”. I’ve been a spectator in this community via Twitter for a while, and I’ve learned TONS. But I was recently fortunate to meet some people who are a big deal in wifi (including the guy who actually wrote the book that I used to pass the CWNA certification); and I was able to experience the wifi community first hand.

While it was definitely intimidating at first to be in the same room as these guys (the Bruce Lee, Mr Miyagi, and Chuck Norris of wifi), the community has earned a reputation for being inclusive and these black belts were omgsupercoooool ambassadors. Whilst they somewhat mocked my great white north heritage, it was no biggie for a few of us noobs to sit at the cool kids’ table for lunch and share a few drinks after class (eh!).

Which is why I’m not surprised that I’m here trying valiantly (VALIANTLY) to not type “Dear Diary…”. The wifi community is also big on contributing to said community, so I was quickly asked about my blog. Everyone in wifi has a blog, so I was a hoser because I didn’t (extrapolation mine alone and tongue in cheek :P).

So now I’m a hoser with a blog. “Net Gain” was the most clever play on wired and wireless networking I could come up with in ten minutes.

Here’s to hoping that either:

- I remain relatively anonymous and therefore continue to embarrass myself to my direct clients and colleagues.

or

- Someone learns something from this. My apprentice seems to be doing alright, but who knows if that will translate into a larger scale experiment.

Subsequent posts to be networking and wifi-centric. Probably rant-y and self-deprecating!