- Cisco Employee,
Wireless sniffing on the Mac works well, as Mac OS X has built-in tools to capture a wireless trace. However, the commands vary with the version of OS X you are running. This document covers OS X 10.6 through 10.8.
Mac OS X Wireless Sniffing Tools
- airportd (10.6-10.8)
- airport utility (10.6 - 10.8)
- tcpdump (10.8)
- Wi-Fi Diagnostics (10.7, 10.8)
- Wireshark (10.6 - 10.8)
If you are running OS X 10.6 (Snow Leopard) or later, you can use the command line utility “airportd”. Use the following steps:
- Press “Command” + “Space bar” to open the Spotlight search box in the upper right corner of the screen, type “terminal”, and select the Terminal application to run it. A terminal window will appear.
- Once you have a terminal window open, run the following command to capture a wireless sniffer trace on RF channel 11 (802.11b/g, 2.4 GHz):
“sudo /usr/libexec/airportd en1 sniff 11”
Some things to note:
- You will be prompted to enter in your account password for verification.
- You cannot specify the name of the capture file or where you will place the output.
- You will lose any wireless connectivity to your network while the capture is occurring.
- If you are using a MacBook Air, the wireless adapter is en0 rather than en1 (the Air has no built-in Ethernet port, so Wi-Fi is the first interface). If in doubt, “networksetup -listallhardwareports” shows which device belongs to the Wi-Fi (or, on 10.6, AirPort) hardware port.
- Once you are finished with the trace, press Ctrl-C to stop it; the utility will display the name and location of the capture file. The file is a standard Wireshark PCAP file that can be read on the Mac or on Windows with Wireshark.
The airport utility is not a sniffer program; however, it can provide useful information about the wireless LAN. It can also set the wireless channel, which is essential for sniffer programs (tcpdump, Wireshark) that cannot set the channel themselves.
Note: because the path to the airport utility is so long, it may be a good idea to create a symbolic link to it from a directory in your PATH, e.g.
# sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
Set the wireless channel (if the Mac is currently associated to a network, disassociate first with “airport -z”; the channel can only be changed while the card is not associated):
# sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=48
Dump out information on the SSIDs/BSSIDs seen:
# sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
SSID BSSID RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
Test 00:24:97:89:cb:41 -53 11 Y -- WPA(PSK/TKIP/TKIP) WPA2(PSK/AES/TKIP)
Test2 00:24:97:89:cb:40 -53 11 N -- WPA(PSK/TKIP/TKIP)
Guest 00:22:75:e6:73:df -64 6,-1 Y -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
Detailed information on the current association:
# sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
op mode: station
802.11 auth: open
link auth: wpa2-psk
tcpdump is a command line utility shipped with OS X that can perform packet capture. (The tshark utility bundled with Wireshark is very similar.) To perform a wireless packet capture using tcpdump:
- first set the channel using the airport utility as shown above;
- then perform a wireless packet capture in monitor mode (the -I option), saving it to a file with -w. When done, press Ctrl-C to exit. The “link-type IEEE802_11_RADIO” line in the output confirms that raw 802.11 frames with a radiotap header are being captured rather than Ethernet frames from an associated interface.
bash-3.2# tcpdump -I -P -i en1 -w /tmp/channel-11.pcap
tcpdump: WARNING: en1: no IPv4 address assigned
tcpdump: listening on en1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
897 packets captured
968 packets received by filter
0 packets dropped by kernel
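The channel-then-capture procedure above, together with the en0/en1 interface caveat from the airportd section, as an added example script (it is not from the original article). It assumes the airport utility path given in the article, that networksetup lists the wireless adapter under the “Wi-Fi” hardware port (10.7 and later) or “AirPort” (10.6), and that the sample scan text embedded in it, copied from the article's airport -s output, stands in for a live scan. Besides picking the interface and channel, it checks the saved file's link-layer type: a monitor-mode capture records link type 127 (802.11 plus radiotap), whereas link type 1 (Ethernet) means the capture was taken without monitor mode.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers around the
# airport / tcpdump procedure and the airportd sniffer. Assumptions: the
# airport utility is at the path the article gives, the Wi-Fi device is the
# one networksetup lists under the "Wi-Fi" (10.7+) or "AirPort" (10.6)
# hardware port, and sudo is available for the privileged steps.

AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

# Constructed sample of 'airport -s' output, copied from the article's scan.
SAMPLE_SCAN=$(cat <<'EOF'
 SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
 Test 00:24:97:89:cb:41 -53  11      Y  -- WPA(PSK/TKIP/TKIP) WPA2(PSK/AES/TKIP)
Test2 00:24:97:89:cb:40 -53  11      N  -- WPA(PSK/TKIP/TKIP)
Guest 00:22:75:e6:73:df -64  6,-1    Y  -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
EOF
)

# Print the Wi-Fi device (en0 on a MacBook Air, en1 on most other models)
# from 'networksetup -listallhardwareports' output read on stdin.
wifi_interface() {
  awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { found = 1; next }
       found && /^Device: / { print $2; exit }'
}

# Print the primary channel of the given SSID from 'airport -s' output on
# stdin. An HT40 entry such as "6,-1" is reduced to its primary channel.
# SSIDs containing spaces are not handled (the columns are space-separated).
channel_for_ssid() {
  awk -v ssid="$1" 'NR > 1 && $1 == ssid { split($4, ch, ","); print ch[1]; exit }'
}

# Hex dump of $3 bytes at offset $2 of file $1, e.g. "d4c3b2a1".
hex_at() { od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# Print a hex byte string as a decimal integer, reversing the bytes first
# when the file's byte order ($1) is little-endian.
to_int() {
  local hex=$2
  [ "$1" = le ] && hex=$(echo "$hex" | sed 's/../& /g' | awk '{ for (i = NF; i > 0; i--) printf "%s", $i }')
  printf '%d\n' "0x$hex"
}

# Print the link-layer type recorded in a capture file (classic pcap or
# pcap-ng); empty output and status 2 if the file is neither. 127 is
# IEEE802_11_RADIO (802.11 plus radiotap), which a monitor-mode capture
# must show; 1 (Ethernet) means the card was not in monitor mode.
capture_link_type() {
  local f=$1 order shb_len
  case $(hex_at "$f" 0 4) in
    d4c3b2a1|4d3cb2a1) order=le ;;   # classic pcap, little-endian (as written on x86 Macs)
    a1b2c3d4|a1b23c4d) order=be ;;   # classic pcap, big-endian
    0a0d0d0a)                        # pcap-ng: link type is in the Interface Description Block
      case $(hex_at "$f" 8 4) in 4d3c2b1a) order=le ;; 1a2b3c4d) order=be ;; *) return 2 ;; esac
      shb_len=$(to_int "$order" "$(hex_at "$f" 4 4)")       # Section Header Block length
      to_int "$order" "$(hex_at "$f" $((shb_len + 8)) 2)"   # IDB: type(4) length(4) linktype(2)
      return 0 ;;
    *) return 2 ;;
  esac
  to_int "$order" "$(hex_at "$f" 20 4)"   # classic header: link type at offset 20
}

capture_is_radiotap() { [ "$(capture_link_type "$1")" = 127 ]; }

# The article's tcpdump steps: disassociate so the card is free to change
# channel, move to the target channel, then capture in monitor mode (-I)
# until Ctrl-C. The tcpdump options are the article's own.
tcpdump_capture() {
  sudo "$AIRPORT" -z
  sudo "$AIRPORT" --channel="$2"
  sudo tcpdump -I -P -i "$1" -w "$3"
}

# The article's airportd variant; airportd picks the file name and prints it on Ctrl-C.
airportd_sniff() { sudo /usr/libexec/airportd "$1" sniff "$2"; }

# Usage: wifi-capture.sh --run <SSID> [output.pcap]
# Without an output file the built-in airportd sniffer is used instead.
if [ "${1:-}" = --run ]; then
  iface=$(networksetup -listallhardwareports | wifi_interface)
  chan=$(sudo "$AIRPORT" -s | channel_for_ssid "$2")
  if [ -z "$iface" ] || [ -z "$chan" ]; then
    echo "could not find the Wi-Fi interface or SSID '$2'" >&2; exit 1
  fi
  echo "capturing channel $chan on $iface" >&2
  if [ -n "${3:-}" ]; then
    tcpdump_capture "$iface" "$chan" "$3"
    echo "$3: link type $(capture_link_type "$3") (127 = 802.11 plus radiotap)"
  else
    airportd_sniff "$iface" "$chan"
  fi
fi
```

Run it as “./wifi-capture.sh --run Guest /tmp/guest.pcap” (the SSID and file name are placeholders). The interface, channel and link-type functions work on any system and need no Wi-Fi card; only the two capture functions require the Mac, its airport utility and sudo. The link-type check reads the byte order from the file's own magic, so it also works on a capture copied from another machine.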
If you are running OS X 10.7 (Lion) or 10.8 (Mountain Lion), you can use the graphical program Wi-Fi Diagnostics. It is located in the folder /System/Library/CoreServices.
Normally this folder is not easily accessible, so a quick trick is to open the Finder, choose “Go to Folder” (Shift-Command-G), enter “/System/Library/CoreServices” in the dialog box, and press Return. There you will find the Wi-Fi Diagnostics program.
Here is an example of using the tool to monitor Wi-Fi performance:
Here is an example of using the tool to record Wi-Fi events:
Here is an example of how to enable the debug logs; this lets you see all messages that occur at the driver and supplicant level on the Mac:
Here is an example of using the tool to capture raw wireless frames that can be heard by the Mac:
To capture a complete wireless trace, select “Capture Raw Frames”.
Check the box to disconnect from the network, and select the channel being used by the client you are sniffing. Since the sniffer is being used to capture another wireless client’s frames, you want every frame sent and received on that channel.
The trace starts when you press the “Start Capturing” button. When you have finished, press “Stop Capturing” and click “Continue”; a dialog will ask whether to save the report to the desktop or send it via e-mail.
Another option on the Mac is to capture a wireless trace with Wireshark, a free program that can be downloaded from http://wireshark.org. (Note: this requires that X11 be installed; on OS X 10.8 this means downloading and installing XQuartz.)
Once installed and started, select the capture option and fill out the dialog as follows:
- 1) Capture using interface “en1”, the wireless interface on the Mac (en0 on a MacBook Air).
- 2) Select “Capture packets in monitor mode”, which is needed for Wireshark to capture all wireless frames on the channel rather than only the Mac's own traffic. (If running Wireshark 1.8, double-click the en1 interface to bring up the necessary dialog box.)
- 3) The channel sniffed is the channel the Mac was tuned to (normally the one it was associated to) when Wireshark was started. Wireshark cannot change the channel itself; to sniff a different channel, use the airport command in Terminal as described above before starting the capture. (For more detail, see http://wiki.wireshark.org/CaptureSetup/WLAN)