So we’ve got our easy monitor mode wireless captures in OS X (thank you built-in monitor mode!), now let’s tweak Wireshark to be a little more useful.
The radiotap header tells us some wireless-specific info that might be useful to see in the main packet list, including the channel or frequency that the packet was captured on, but Wireshark doesn't show this in the packet list by default (maybe because wireless captures are for REAL experts 😎):
Let’s edit the displayed columns: Right-click on any of the column headers that you already see, like the Time or Protocol columns, and choose “Column Preferences”.
Alternatively, open the “Edit” menu and then “Preferences” > “Columns”.
Click the + button to add a new column, which will show up at the bottom of the table. Click the “Title” field and type in whatever you want the column header to be called (like “Frequency”!). Then click the “Type” field and set it to “Frequency/Channel”:
Lastly, drag the new row up to fit it in where you want to see it. Here I’ve put it in between the Protocol and Length columns.
You can add and remove more columns this way – if you look you’ll also note that you can add columns for the 802.11 RSSI and TX Rate values from the radiotap header:
Note that Wireshark displays the “Frequency/Channel” column as the frequency, but the channel is also listed in the radiotap header field in the packet details view. The channel is also available in the 802.11 Radio information:
We can also create a column based on this field. Right-click on the line and select “Apply as Column”:
Then go back to your column preferences to see what Wireshark did for you:
We can use just about any field as a column with this method – just let Wireshark find the field ID for you!
Now we can filter and re-order our packets based on the new columns. That’s better!
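To see where the Frequency, RSSI and TX Rate column values come from, here is an added example (not part of the original post) that decodes those fields straight from a radiotap header and derives the channel number from the frequency. It assumes the standard radiotap field layout and handles only present bits 0 to 5; the function names and the sample bytes are made up for illustration.

```python
import struct

# (name, alignment, size) for radiotap present bits 0..5, per the radiotap spec.
FIELDS = [("tsft", 8, 8), ("flags", 1, 1), ("rate", 1, 1),
          ("channel", 2, 4), ("fhss", 2, 2), ("dbm_antsignal", 1, 1)]

def freq_to_channel(mhz):
    """Map a centre frequency in MHz to its 2.4/5 GHz channel number."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 < mhz < 5900:
        return (mhz - 5000) // 5
    return None

def parse_radiotap(buf):
    """Return rate, frequency, channel and RSSI from a radiotap header."""
    if len(buf) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or not 8 <= length <= len(buf):
        raise ValueError("invalid radiotap header")
    offset, word = 8, present
    while word & (1 << 31):  # bit 31 set: another present word follows
        if offset + 4 > length:
            raise ValueError("present bitmap runs past header")
        (word,) = struct.unpack_from("<I", buf, offset)
        offset += 4
    out = {}
    for bit, (name, align, size) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        offset = (offset + align - 1) & ~(align - 1)  # align from header start
        if offset + size > length:
            raise ValueError("field runs past header length")
        if name == "rate":
            out["rate_mbps"] = buf[offset] * 0.5  # units of 500 kb/s
        elif name == "channel":
            (freq,) = struct.unpack_from("<H", buf, offset)
            out["freq_mhz"], out["channel"] = freq, freq_to_channel(freq)
        elif name == "dbm_antsignal":
            (out["rssi_dbm"],) = struct.unpack_from("<b", buf, offset)
        offset += size
    return out

# Constructed sample: TSFT, flags, rate, channel and dBm signal present (0x2F).
SAMPLE = struct.pack("<BBHIQBBHHb", 0, 0, 23, 0x2F, 0, 0x10, 12, 2437, 0x00C0, -58)

if __name__ == "__main__":
    print(parse_radiotap(SAMPLE))
```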