Unlike Windows, OS X offers the ability to put the wifi NIC into monitor mode without any special drivers, meaning we can actually capture wifi traffic in the air, even if it isn’t specifically destined for our NIC. All we need is Wireshark.
Open the capture interfaces options dialog (look for the gear icon on the toolbar), and make sure to set monitor mode to “enabled” for the Wi-Fi NIC (highlighted below, labeled as “Wi-Fi: en0”). We’ll also want the Link-layer header to be set to “802.11 plus radiotap header” (mine was already set to that option):
Then click the “Start” button on the bottom of the dialog window to start capturing!
I find it helpful to NOT use Wireshark in full screen mode so that I can see the top menu bar at the same time as the Wireshark Start/Stop controls. When in monitor mode, the Wi-Fi icon in the menu bar changes to look like an eyeball overlayed on the typical icon (green highlight mine):
That’s it! We should see beacons, probes and other frames not addressed to our NIC now.
In next posts I’ll note how to setup wireshark to show the channel/frequency and talk about using Airtool to change channels.