I would like to write this post specifically for beginners who are trying to understand that what is a protocol analyser or what are the options available specific to Wi-Fi troubleshooting.
- First question what is protocol analyser
- Why we need it
- What options are available to capture WLAN traffic
- How we can use it for our benefit such as troubleshooting or to test whether your network is performing as it has been configure
what is protocol analyser:
Protocol analysers are the tools software or hardware capable of connecting to a Wired or Wireless network in order to intercept packets or frames. They help monitor and analyse the network and may even construct visual map of the network as well. They can generate alarms such as when specific type of packets present in the network or increased error levels in packets delivery.
Why we need it:
The protocol analyser is often used to troubleshoot and monitor network performance by providing graphic display of network current state. Color-coded graphs illustrate the network traffic, the number of collisions, number of bad frames and so on. Network managers can customize a protocol analysers monitoring functions so that it display alarms for number of conditions such as number of retries exceed a certain threshold.
Protocol analyser capture process:
Lets look at Wireshark scenario that how its going to capture the traffic. In Wireshark environment its picking up traffic off a network. This traffic is going to go through one of link layer drivers. Wincap if you have a windows host, Airpcap if you have airpcap connected to your system or libpcap in Linux environment. Its very interesting to know that Wireshark itself is not able to capture the traffic its just a analysing tools where we see graphical representation of all the captured traffic. In order to capture the traffic Wireshark calls another function call as dumpcap.exe and this point where capture filters can be applied. Capture engine receives the packets from dumpcap and converts into human readable format.
Understanding wireless card modes:
It is very important to understand that what are different operating modes for a wireless card.
- Managed mode: Wireless card and drivers rely on access point to provide wireless connectivity
- Ad-hoc mode: ad-hoc mode allows 2 stations to connect to each other wirelessly without access point availablity
- Master mode: Where wireless card provides a service of an access point with the help of appropriate drivers
- Monitor mode: In monitor mode wireless card stop transmitting data and sniffs wireless traffic
- Promiscuous mode: In promiscuous mode wireless card sniff all wireless traffic and not only destine to itself
Now here is the best part you can forget everything I said above and main thing you need to understand. In wired network we can just place protocol analyser such as Wireshark in the network and start to capture traffic. But in wireless that’s not the case. You can not just capture traffic and the reason for that is our wireless card operating mode discussed above.
By default all operating system wireless cards work in managed mode which means they can only connect to an AP and have wireless connection. In this mode you can not sniff as we do in monitor mode. Operating system such as Windows does not allow to change wireless card mode from managed mode to monitor mode.
However Mac OS and Linux allows monitor mode.
Easiest option is to capture via Mac OS and Linux can be difficult to configure but if you are comfortable with Linux such Linux Kali then that might be a good option for you. Note with Linux every wireless card may not give you option for monitor mode. You might have to search for your chipset and check if it gives you drivers to change operating mode to monitor mode.
Few of the options:
I have added few of the options available in the market. There are more but I have added few which I like.
| Analyser | Cost | Supported OS | Website | Scale |
| Wireshark | Free | Linux (with supported adapter) or Mac OS
|
https://www.wireshark.org/ | Basic |
|
|
£ 39.95 Perpetual
Probably cheapest option available |
Windows supported with compatible adapter
|
https://www.acrylicwifi.com/ | |
| Eye P.A. by Metageek | $799.00 | Windows/MAC
supported with compatible adapter |
https://www.metageek.com/products/eye-pa/ | Enterprise |
| Commview for WiFi | £ 1343.00 | Windows supported with compatible adapter | https://www.tamos.com/ | Enterprise |
| Omnipeek | N/A
Contact reseller |
Windows supported with compatible adapters | https://www.savvius.com/product/omnipeek/ | Enterprise |
| Airmagnet WiFi analyser pro | Netscout | Windows/Macbook | https://enterprise.netscout.com/enterprise-network/wireless-network/AirMagnet-WiFi-Analyzer | Enterprise |