Wireless Capture on Windows

Capturing wireless traffic on Windows was always problematic, because unlike on Linux or Mac it wasn’t possible to activate monitor mode on the WiFi card to capture the radio layer. All you could do was capture packets on your WiFi card from the Ethernet layer and up. That is, unless you spent money on the now discontinued AirPCAP USB adapters. But now there is a silver lining on the horizon in the form of the npcap library.

I have to admit that capturing wireless traffic isn’t my strong suit. Dealing with radio waves is a whole different topic than picking up packets from a cable, so there’s a different set of skills required to troubleshoot WiFi issues. But at least I know that there’s a difference between being able to use “Monitor Mode” and not being able to. Of course I can capture on a WiFi card, e.g. picking up packets like this on my “Wi-Fi 2” card:

Figure 1 – “Wireless” capture without monitor mode

As you can see, the capture looks just like a normal Ethernet capture would. There’s nothing related to the radio layer, so troubleshooting the wireless connectivity is not possible this way. To get the radio layer information, you need at least three things (other than Wireshark, of course):

  1. A WiFi card that supports monitor mode.
  2. The npcap capture libraries (instead of WinPCAP).
  3. A tool to enable monitor mode.

Requirement 1 – a WiFi card with monitor mode

Unfortunately, not all WiFi cards support monitor mode on Windows. There’s a matrix available that you can use to check if your card is supported: https://secwiki.org/w/Npcap/WiFi_adapters.

I use either Alfa cards or, in this case, a NetGear A6210, which I bought at a local electronics store.

Requirement 2 – the npcap libraries

Since Wireshark 3.0 came out, WinPCAP is no longer the default capture library installed. Instead, the npcap libraries are used, which replace the discontinued WinPCAP libraries. If you want to know more about the differences between the two, check this comparison. If you recently installed Wireshark 3.x (or later) you should automatically have replaced WinPCAP with npcap, unless you didn’t allow the installer to do that. Important: you need to make sure “Support raw 802.11 traffic (and monitor mode) for wireless adapters” is checked:

Figure 2 – npcap Installation Options


Requirement 3 – A tool to enable monitor mode

Figure 3 – enabling Monitor Mode fails

If you run Wireshark, you’ll notice that you have a “Monitor Mode” checkbox in the capture interface dialog for your WiFi cards. You can open that dialog from the main menu via “Capture” -> “Options” or by pressing CTRL-K. Unfortunately, even with npcap installed correctly it doesn’t seem to work if you click it (at least in my case), because the check mark disappears again after a short moment.

I’m not sure if that’s normal, but as far as I found out Wireshark can’t modify that setting because it doesn’t have sufficient privileges to do that. One option is to run Wireshark in administrative mode – which I strongly advise against, because it could allow malicious packets to compromise your system. Check out this blog post about “Attacking Wireshark” for details.

The much better plan is to use the wlanhelper utility in an elevated command prompt, which is why I added it specifically to the list of requirements. Fortunately, this comes as part of the npcap installation and is called wlanhelper.exe. You can find it in C:\Windows\System32\Npcap\.

Check which mode your WiFi card is in using the “wlanhelper.exe” tool. You should run a command line prompt as administrator and change into the directory “C:\Windows\System32\npcap”. To check the current WiFi card mode, run this command (replace “Wi-Fi 2” with the name of the network card you want to manage):

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode
managed

“Managed” is the default mode that your card should usually be in. It means that it is ready to be used for normal WiFi connectivity. To put it into monitor mode you use the following command:

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode monitor
Success

But you may also see a result like this:

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi 2" mode monitor
Error: SetWlanOperationMode::SetInterface error, error code = 5 (Access is denied)
Failure

As you can see, we got an error back (error code 5, “Access is denied”), which is most likely caused by the fact that the command line prompt wasn’t started as administrator – so if you get this, close your command prompt and start it again as administrator. If you’re not sure how to do that, follow these steps:

  1. Press CTRL & ESC to open the start menu.
  2. Type “cmd”, which should find the “Command Prompt” icon.
  3. Click “Run as Administrator” or (if you want to impress people standing behind you) press CTRL & Shift & Enter to launch the icon in administrative mode.
  4. Confirm the User Account Control (UAC) prompt.

Now, when we run Wireshark again, we can “turn on” monitor mode (which we already did; we’re just telling Wireshark to try it so it realizes it works now):

Figure 4 – enabling Monitor Mode works

As you can see, the “Link-layer Header” changes from “Ethernet” to “802.11 plus radiotap header”, which tells us that we’re now going to capture radio layer information as well. Now, when we start a capture on a card like that, we’ll see a different story:

Figure 5 – Capturing with Monitor Mode enabled

We get a ton of management frames, and we also see the typical “Radiotap Header” that tells us about the radio layer. Exactly what we wanted.

Changing channels

One thing that will probably bug you is that Wireshark 3.x doesn’t yet come with a WiFi toolbar, which would allow changing channels conveniently from the GUI. Unfortunately you’ll have to change channels manually until that problem is solved, and you can do that (again) with the help of the wlanhelper utility, using the corresponding commands:

C:\Windows\System32\Npcap>wlanhelper
WlanHelper for Npcap 0.992 ( http://npcap.org )
Usage: WlanHelper [Commands]
or: WlanHelper {Interface Name or GUID} [Options]

OPTIONS:
mode : Get interface operation mode
mode <managed|monitor|master|..> : Set interface operation mode
modes : Get all operation modes supported by the interface, comma-separated
channel : Get interface channel
channel <1-14> : Set interface channel (only works in monitor mode)
freq : Get interface frequency
freq <VALUE> : Set interface frequency (only works in monitor mode)
modu : Get interface modulation
modu <dsss|fhss|irbaseband|ofdm|hrdsss|erp|ht|vht|ihv (VALUE)|..> : Set interface modulation
modus : Get all modulations supported by the interface, comma-separated
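The whole procedure from this post (elevated prompt, mode check, monitor mode, channel changes via wlanhelper, and back to managed mode afterwards) as one PowerShell script. This is an added example, not code from the post or from npcap; the adapter name, channel list and dwell time are assumptions you need to adjust.

```powershell
# Added example (not from the original post): drive wlanhelper.exe from PowerShell.
# It checks for elevation first (error code 5 "Access is denied" means the prompt
# is not elevated), switches to monitor mode, steps through channels while you
# capture in Wireshark, and restores the previous mode when done.

$WlanHelper = 'C:\Windows\System32\Npcap\WlanHelper.exe'   # path named in the post
$Adapter    = 'Wi-Fi 2'                                    # assumption: replace with your adapter's name
$Channels   = 1, 6, 11                                     # assumption: 2.4 GHz non-overlapping channels
$DwellSec   = 30                                           # assumption: seconds to stay on each channel

# Fail early instead of halfway through if we are not running as administrator.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    throw 'Run this script from an elevated (Run as Administrator) PowerShell.'
}
if (-not (Test-Path $WlanHelper)) {
    throw "wlanhelper not found at $WlanHelper - reinstall npcap with 802.11 support enabled."
}

function Invoke-WlanHelper {
    # Runs one wlanhelper command against $Adapter and returns its trimmed output.
    # wlanhelper prints 'Failure' / 'Error:' on problems, so treat those as fatal.
    param([string[]]$Arguments)
    $out = & $WlanHelper $Adapter @Arguments 2>&1 | Out-String
    if ($out -match 'Failure|Error:') {
        throw "wlanhelper $($Arguments -join ' ') failed: $($out.Trim())"
    }
    return $out.Trim()
}

$original = Invoke-WlanHelper -Arguments 'mode'        # e.g. 'managed'
Write-Host "Current mode of '$Adapter': $original"

try {
    Invoke-WlanHelper -Arguments 'mode', 'monitor' | Out-Null
    Write-Host 'Adapter is now in monitor mode; start the Wireshark capture.'
    foreach ($ch in $Channels) {
        # 'channel <1-14>' only works while the card is in monitor mode (see usage above)
        Invoke-WlanHelper -Arguments 'channel', "$ch" | Out-Null
        $now = Invoke-WlanHelper -Arguments 'channel'
        Write-Host "Listening on channel $now for $DwellSec seconds"
        Start-Sleep -Seconds $DwellSec
    }
}
finally {
    # Monitor mode makes the card receive-only; put it back so normal WiFi works again.
    Invoke-WlanHelper -Arguments 'mode', $original | Out-Null
    Write-Host "Adapter restored to '$original' mode."
}
```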


Final Words

Capturing Wireless on Windows got a lot easier now, and with npcap it’s also possible to capture on more recent cards than the old WinPCAP adapters which stopped at the 802.11n technology as far as I know. One thing to keep in mind: capturing in monitor mode means that the card becomes a “receive-only” card. So don’t be surprised when you lose connectivity if you have only one WiFi card in your system. If you need to stay connected to a wireless network while capturing it you need two cards – one in managed mode, one in monitor mode.


Discussions — 7 Responses

  • Christopher Maynard April 15, 2019 on 4:24 pm

    What was your experience with attempting to restore the WiFi adapter back to “managed” mode once “monitor” mode capturing was done? For me, attempting to use the WlanHelper .exe tool to do this didn’t work. Instead, I had to go to the Control Panel -> Network and Sharing Center -> Change Adapter Settings -> and then Right-Click Disable the WiFi interface and Right-Click Enable it again in order to restore it back to a usable state. My adapter is the Intel(R) Dual Band Wireless-AC 8260 that comes with the Dell Precision 5510 laptop.

    Reply
    • Jasper Christopher Maynard April 15, 2019 on 4:38 pm

      For my Netgear adapter it was no problem at all. I just tested it again to be sure – the only thing that happens is that Wireshark (if still running) is unhappy for obvious reasons, but I could connect to the WiFi in managed mode without problems. It’s probably one of those things that depend on the chipset.

      Reply
  • Bas April 17, 2019 on 1:36 pm

    Hi, nice post. I can see the frequency (channel) is not visible in Wireshark. When you sniff with multiple adapters it’s nice to know if they are all working correctly. Any idea why the frequency is set to 0?

    Reply
    • Jasper Bas April 17, 2019 on 1:38 pm

      No, it’s something I realized, too – it should not be zero as far as I can tell; I guess it’s something that needs to be fixed in the future.

      Reply
  • Yaroslav Alenchyk April 17, 2019 on 2:24 pm

    Good job! I could also set the WiFi adapter RTL8187B from Realtek (in my old laptop with WS7) into “monitor mode” with “Wlanhelper”, but only with one driver version – 6.1159.323.2009.

    Reply
    • Jasper Yaroslav Alenchyk April 17, 2019 on 2:45 pm

      Thanks, Yaroslav, that’s good to know!

      Reply
  • Yaroslav Alenchyk April 17, 2019 on 4:33 pm

    I use the WiFi adapter RTL8187B from Realtek (in my old laptop with WS7) with driver version 6.1159.323.2009. I use WS7 and change the channel of the adapter via “device manager > WiFi_adapter”; you can see it here: https://drive.google.com/open?id=1A1HM86CR_NhLrGym1_fZyJBGppQLGL-i
    And then I choose in Wireshark’s toolbar “Wireless” > “WLAN Traffic”; you can see it here: https://drive.google.com/open?id=18IjUXxpDhRdBJ1PQd9eeObH6hyLZhu1F

    And I can see channels (the chosen and adjacent channels): https://drive.google.com/open?id=1jb8xfX8LyEk0q-r2qjZkc0xlJATvHmYZ

    But unfortunately, in the main window these channels are not shown. And maybe add a column with RSSI info.

    Reply
