Wi-Fi Channels in Wireshark

So we’ve got our easy monitor mode wireless captures in OS X (thank you built-in monitor mode!), now let’s tweak Wireshark to be a little more useful.

The radiotap header tells us some wireless specific info that might be useful to see in the main packet list, including the channel or frequency that the packet was captured on, but Wireshark doesnt show this in the packet list by default (maybe because wireless captures are for REAL experts 😎):

Radiotap Header

Let’s edit the displayed columns: Right-click on any of the column headers that you already see, like the Time or Protocol columns, and choose “Column Preferences”.

Column Prefs

Alternatively, The “Edit” menu and then “Preferences” > “Columns”.

Click the + button to add a new column, which will show up at the bottom of the table. Click the “Title” field and type in whatever you want the column header to be called (like “Frequency”!). Then click the “Type” field and set it to “Frequency/Channel”:

Add Column

Lastly, drag the new row up to fit it in where you want to see it. Here I’ve put it in between the Protocol and Length columns.

You can add and remove more columns this way – if you look you’ll also note that you can add columns for the 802.11 RSSI and TX Rate values from the radio tap header:

80211 Columns

Note that Wireshark displays the “Frequency/Channel” Column as the Frequency, but the channel is also listed in the radiotap header field in the packet details view. The channel is also available in the 802.11 Radio information:

80211 Radio info

We can also create a column based on this field. Right click on the line and select “Apply as  Column”:

Channel Apply Column

Then go back to your column preferences to see what Wireshark did for you:

custom channel column

We can use just about any field as a column with this method – just let Wireshark find the field ID for you!

Now we can filter and re-order our packets based on the new columns. That’s better!

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s