Capture those Wi-Fi Packets (the Cheap & Easy Edition)

ByTodd Smith

Even after you’ve carefully configured and optimized your Wi-Fi network, you are still bound to have some sort of issue come up that has you scratching your head. And when you reach out to your hardware vendor or a consultant for help, it’s quite likely that they’ll ask you for a wireless packet capture (pcap).

Now, many of you may have previously gathered a pcap on a wired network using a free program called Wireshark. And if so, you might think that it’s just as easy to do a wireless pcap using Wireshark, simply select the wireless interface of your laptop and start capturing. Well, if you are using a Mac, then it is that easy. But, if you are a Windows user, then no such luck. So, if you’re like me, and are in no hurry to go out and buy an overpriced MacBook, what are we to do?

Windows Wi-Fi PCAP Options

Unfortunately, nearly all of our options are expensive.

  • Omnipeek: $2000+
  • Metageek Eye P.A: $800
  • CommView: $500
  • Acrylic Wi-Fi Pro: $40

While Omnipeek truly is my favorite Wi-Fi packet analysis tool (primarily for its filtering capabilities), it’s super expensive. If you can get your employer to spring for it, then go that route; otherwise, read on.

The Frugal Guy/Gal’s Wireless Packet Analysis Tool

Now, I was already familiar with Acrylic’s free Home version of their tool, which I primarily used to see what SSID’s were broadcasting on what channels along with their signal levels. And recently, when I went to their website to see if they had an updated version, I stumbled across their Pro version, and saw the words “Monitor Mode”, along with “Capture all types of packets (ctrl, data, mgt).” Whaaat?! That certainly got my attention and I started clicking away to learn more, and it only got better. In the end, I learned this…

You Can Capture WiFi Packets in Wireshark using Acrylic Pro’s NDIS Driver

Yes, you read that right. You can capture Wi-Fi packets natively in Wireshark, once you install Acrylic’s NDIS driver and use a compatible USB dongle. You can view their list of compatible dongles here. I happened to already have a couple of Linksys AE2500’s laying around, so I was in luck. Below, I’ll guide you through the setup process so that you too can begin capturing Wi-Fi packets with Wireshark, in Windows.

  • Step 1 – Install Acrylic Wi-Fi Professional
    • I installed the paid version (4.4), so I’m not sure if the trial version would work the same
  • Step 2 – Change the Interface
    • click the top-right icon, then click “change”
  • Step 3 – Install the NDIS Driver
    • notice that it says “NDIS driver not installed”
    • click the “Install NDIS Driver” button
    • click Yes at the “installing a driver may crash your system” warning
    • click OK once the driver has successfully installed
  • Step 4 – Install Wireshark
    • you’ll want to install a legacy version (I used 2.6.14), as non-legacy versions do not have the Wireless Settings config that allows you to select a channel [VERY IMPORTANT]
    • you can find and download all the previous Wireshark versions here
  • Step 5 – Run Wireshark as Administrator
  • Step 6 – View and Double-click the Acrylic NDIS interface matching a compatible adapter
    • Select Capture, then Options to see the interfaces, then double-click the Acrylic NDIS interface
  • Step 7 – Click the Wireless Settings button
    • ensure that “capture packets in promiscuous mode” is checked
What is a mebibyte?
  • Step 8 – Select the Channel to Capture On
  • Step 9 – Start the Capture
    • click OK a couple of times, then click Start to start the capture
    • see the packets go scrolling by – YOU DID IT!
  • Step 10 – Configure Wireshark to Display Important Wi-Fi Information
    • Now that you are capturing Wi-Fi packets, adjust the coloring and columns to your liking
    • I use Metageek’s frame coloring scheme found here
    • And I configured my columns as shown below

I hope you find this as useful as I did. Being able to capture Wi-Fi packets opens you up to a whole other level of detail, which will take some time and a lot of practice to understand. But once you do, you’ll have a very valuable arrow in your quiver. Perhaps my next post will guide you through a packet capture and help you understand a few things to look out for. Stay tuned.

BTW – A few other folks have similar blog posts which you can view below: