Sniffing wireless traffic is possible with a standard Wireshark capture on the wireless adapter, but with most drivers you will not be able to see raw 802.11 frames. The driver hands Wireshark Ethernet-style layer 2 frames plus layer 3 and above, with no monitor mode (which is what raw 802.11 capture requires) and no promiscuous mode, so you only get traffic addressed to your own station. This means you miss most of what you want to see in a wireless trace: management and control frames, the 802.11 header and its QoS field, and the traffic of other clients. The following sections explain how to sniff over the air. Most of the products are not free at the moment, but some solutions exist. An important thing to be aware of is that while you take a wireless trace with a dedicated tool, you cannot use that wireless adapter for anything else. So you often need an extra laptop dedicated to sniffing, or two adapters on the same laptop: one for sniffing and one for associating with the network.
Some drivers do let Wireshark capture all traffic on the wireless adapter in promiscuous mode, but this depends entirely on the client's driver, and such drivers are rare.
Important Note about LWAPP/CAPWAP packets
By default you will see the content of LWAPP/CAPWAP packets as scrambled data: the two bytes of the 802.11 frame control field inside the encapsulation are in swapped order compared to what Wireshark's 802.11 dissector expects, so the frame type, subtype and flags are misread and everything after them is misinterpreted. To fix it, go (in Wireshark) to Edit -> Preferences, click "Protocols", select "LWAPP" (or "CAPWAP") and enable the frame control swap checkbox.
This lets you view the content of the LWAPP/CAPWAP packet, i.e. the wireless frame encapsulated inside the LWAPP/CAPWAP tunnel. This is very useful to check, for example, whether the QoS markings of the wireless frame are present (the TID in the 802.11 QoS Control field) and whether they are kept outside the encapsulation as well (the DSCP value in the outer IP header of the CAPWAP packet).
Wireshark 1.4 or later is needed to decode CAPWAP.
Note that this concerns traffic sniffed on the wired side, since LWAPP/CAPWAP runs between the AP and the WLC.
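The following is an added example (not code from the original page or from Cisco/Wireshark) that shows what the frame control swap checkbox does and how the QoS check described above can be done by hand: it strips a CAPWAP data header (RFC 5415 layout), decodes the encapsulated 802.11 header with and without swapping the two frame control bytes, and reads the DSCP of the outer IPv4 header. The CAPWAP packet, the 802.11 QoS Data frame and the outer IPv4 header are constructed samples; the 10.0.0.x addresses are assumed, and the sample models the swapped frame control byte order the preference corrects.

```python
import struct

# Constructed outer IPv4 header (wired side of the CAPWAP tunnel): TOS byte
# 0xb8 = DSCP 46 (EF), protocol 17 (UDP). Addresses are assumed.
OUTER_IPV4 = bytes([
    0x45, 0xb8, 0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1,       # source: the AP (assumed address)
    10, 0, 0, 254,     # destination: the WLC (assumed address)
])

# Constructed CAPWAP data header (RFC 5415): preamble 0x00 (version 0, type 0
# = CAPWAP, not DTLS), HLEN=2 (8 bytes), RID=0, WBID=1 (IEEE 802.11),
# T=1 (native 802.11 payload), no other flags, no fragmentation.
CAPWAP_HDR = bytes([0x00, 0x10, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00])

# Constructed 802.11 QoS Data frame as it appears inside the tunnel in these
# captures: frame control bytes swapped (0x41 0x88 instead of 0x88 0x41),
# flags ToDS + Protected, duration, three addresses, sequence control,
# QoS Control with TID 5, then a few payload bytes.
SWAPPED_80211 = (
    bytes([0x41, 0x88]) + b"\x00\x00"
    + bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + bytes.fromhex("ccddeeff0011")
    + b"\x10\x00" + b"\x05\x00" + b"\xde\xad\xbe\xef"
)
SAMPLE_CAPWAP = CAPWAP_HDR + SWAPPED_80211


def outer_dscp(ipv4_header: bytes) -> int:
    """DSCP carried by the outer IPv4 header: top 6 bits of the TOS byte."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1] >> 2


def capwap_payload(packet: bytes) -> bytes:
    """Strip the CAPWAP data header and return the encapsulated 802.11 frame."""
    if len(packet) < 8:
        raise ValueError("CAPWAP header truncated")
    if packet[0] & 0x0f != 0:          # preamble type 1 = DTLS header
        raise ValueError("payload is DTLS-protected, 802.11 frame not visible")
    word = int.from_bytes(packet[:4], "big")
    hlen = ((word >> 19) & 0x1f) * 4   # HLEN is in 4-byte words
    wbid = (word >> 9) & 0x1f          # wireless binding: 1 = IEEE 802.11
    t_flag = (word >> 8) & 1           # 1 = native frame format, 0 = 802.3
    if wbid != 1 or not t_flag:
        raise ValueError("not a native IEEE 802.11 frame")
    return packet[hlen:]


def decode_80211(frame: bytes, swap_fc: bool = False) -> dict:
    """Decode the 802.11 MAC header. swap_fc=True swaps the two frame control
    bytes first, which is exactly what the Wireshark preference does."""
    fc0, fc1 = frame[0], frame[1]
    if swap_fc:
        fc0, fc1 = fc1, fc0
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03          # 0 mgmt, 1 control, 2 data
    subtype = (fc0 >> 4) & 0x0f
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    is_qos = ftype == 2 and bool(subtype & 0x08)
    hdr_len = 24 + (6 if to_ds and from_ds else 0)   # Address 4 present?
    tid = frame[hdr_len] & 0x0f if is_qos and len(frame) > hdr_len else None
    return {"version": version, "type": ftype, "subtype": subtype,
            "to_ds": to_ds, "from_ds": from_ds,
            "protected": bool(fc1 & 0x40), "qos": is_qos, "tid": tid}


def check_qos_markings(ipv4_header: bytes, capwap_packet: bytes) -> dict:
    """The check from the text: inner 802.11 TID versus outer DSCP."""
    inner = decode_80211(capwap_payload(capwap_packet), swap_fc=True)
    return {"inner_tid": inner["tid"], "outer_dscp": outer_dscp(ipv4_header)}


if __name__ == "__main__":
    print("no swap :", decode_80211(SWAPPED_80211))
    print("swap    :", decode_80211(SWAPPED_80211, swap_fc=True))
    print("qos     :", check_qos_markings(OUTER_IPV4, SAMPLE_CAPWAP))
```

Without the swap the sample decodes as protocol version 1, management type, subtype 4 (a probe request), with no QoS field, which is the "scrambled" view; with the swap it is a protected QoS Data frame with TID 5. Whether TID 5 should map to DSCP 46 on the wire depends on the QoS mapping configured on the controller, so the function returns both values rather than judging them.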
AP in sniffer mode (LWAPP/CAPWAP)
On a controller, you can change an access point's mode to "sniffer". When you apply that change, the AP reboots.
Once it joins back, you can configure, for that AP, the channel to sniff and the IP address of your laptop. The idea is that the AP captures everything it hears on that channel and the traffic is tunnelled to your PC.
The capture is carried over UDP: an IP header addressed to your laptop, a UDP header, and inside, the wireless frame (802.11 layer 2) as sniffed by the AP, in the AiroPeek/OmniPeek remote format.
Open the trace in Wireshark, go to "Analyze", then "Decode As", and set UDP port 5555 to be decoded as "airopeek" (the entry is named "PEEKREMOTE" in recent Wireshark versions). The trace is in fact sent from the WLC management IP with UDP source port 5555 to the IP address of the PC (configured under the AP's settings) with UDP destination port 5000, which is why the Decode As rule is applied to port 5555 and not to port 5000.
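As an added example (not code from the original page or from Cisco), the following pure-Python pcap reader pulls out the sniffer-AP stream described above, i.e. the UDP packets with source port 5555 and destination port 5000, and strips them down to the payload that the airopeek/PEEKREMOTE dissector would decode. It is useful to confirm that the stream actually reaches the laptop and from which address before fighting with Decode As. The pcap is constructed in memory; the WLC address 10.0.0.254, the laptop address 10.0.0.50 and the payload bytes are assumed, and IP/UDP checksums are left at zero because the parser does not verify them.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
SNIFFER_SRC_PORT, SNIFFER_DST_PORT = 5555, 5000


def _ipv4_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def sniffer_stream(pcap: bytes):
    """Yield (src_ip, dst_ip, udp_payload) for every packet of the sniffer-AP
    stream (UDP 5555 -> 5000) in a pcap buffer; all other packets are skipped."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"                    # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"                    # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", pcap[4:24])
    if linktype != 1:
        raise ValueError("expected Ethernet (DLT 1) link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":    # IPv4 only
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0f) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:               # UDP only
            continue
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        if (sport, dport) != (SNIFFER_SRC_PORT, SNIFFER_DST_PORT):
            continue
        yield _ipv4_str(ip[12:16]), _ipv4_str(ip[16:20]), ip[ihl + 8:ihl + ulen]


def list_sniffer_stream(pcap: bytes) -> list:
    return list(sniffer_stream(pcap))


def _udp_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build Ethernet/IPv4/UDP bytes for the constructed sample (checksums 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                     64, 17, 0, bytes(src_ip), bytes(dst_ip)) + udp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def build_sample_pcap() -> bytes:
    """Constructed pcap, not a real trace: one sniffer-stream packet from the
    assumed WLC management address to the assumed laptop, plus one unrelated
    DNS packet that must be ignored."""
    frames = [
        _udp_frame((10, 0, 0, 254), (10, 0, 0, 50), 5555, 5000, b"PEEKPAYLOAD"),
        _udp_frame((10, 0, 0, 50), (10, 0, 0, 1), 40000, 53, b"dns"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for src, dst, payload in sniffer_stream(build_sample_pcap()):
        print(f"{src} -> {dst}: {len(payload)} bytes of encapsulated 802.11")
```

Run against a real file with `list_sniffer_stream(open("trace.pcap", "rb").read())`; if it returns nothing, the stream is not arriving (check the laptop IP configured on the AP and any firewall on the laptop) and Decode As cannot help.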
WifiWay
WifiWay is a live Linux distribution: you just boot from the CD and run the tool, with nothing to install. It is freely available.
The interesting part is that it supports the Intel 3945 chipset, which is the one present in many laptops.
Put the CD in the drive and reboot the PC. WifiWay asks you to choose your timezone, keyboard type and so on. Once you get the command shell, you can start the X window session with "startx".
Then, by clicking the small black square in the lower left part of the screen, you get a terminal. Type "cd /home/wireless" and then "airoway.sh". This starts several windows showing the surrounding devices and access points, and it also offers a tool to start attacks against APs. It also loads the driver for the wifi adapter.
Then you can either start Wireshark or run "airodump", which is also in the "/home/wireless" directory. The command is:
airodump wifi0 capture 6
This uses the adapter wifi0, writes the sniffer trace to capture.cap and scans only channel 6 instead of hopping across channels, so the trace is complete for that channel.