Quick, Live Monitor Mode Wifi Captures on OS X

Unlike Windows, OS X offers the ability to put the wifi NIC into monitor mode without any special drivers, meaning we can actually capture wifi traffic in the air, even if it isn’t specifically destined for our NIC. All we need is Wireshark.

Open the capture interfaces options dialog (look for the gear icon on the toolbar), and make sure to set monitor mode to “enabled” for the Wi-Fi NIC (highlighted below, labeled as “Wi-Fi: en0”). We’ll also want the Link-layer header to be set to “802.11 plus radiotap header” (mine was already set to that option):

Wireshark · Capture Interfaces Wireshark, Today at 10.09.20 AM

Then click the “Start” button on the bottom of the dialog window to start capturing!

I find it helpful to NOT use Wireshark in full screen mode so that I can see the top menu bar at the same time as the Wireshark Start/Stop controls. When in monitor mode, the Wi-Fi icon in the menu bar changes to look like an eyeball overlayed on the typical icon (green highlight mine):

Capturing from Wi-Fi. en0 Wireshark, Today at 10.18.00 AM

That’s it! We should see beacons, probes and other frames not addressed to our NIC now.

In next posts I’ll note how to setup wireshark to show the channel/frequency and talk about using Airtool to change channels.

Side note: Credit to Tom LaBaude on Twitter for bringing this little Wireshark bug to my attention when capturing. Here’s the workaround.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s