2️⃣ Airtool 2
Last updated
Was this helpful?
Last updated
Was this helpful?
Airtool can use two sources for capturing frames over the air:
the internal wireless NIC of the Mac
a remote sensor capture device such as the WLAN Pi
Airtool 2 also makes it possible to perform affordable, multi-channel captures using multiple remote sensors and Wi-Fi adapters. In our lab, we'll be using Airtool with the WLAN Pi M4 as its remote sensor:
Verify Airtool is running in your menu bar (Wi-Fi icon with a wrench spanner)
Configure Airtool 2 Preferences
Select : Airtool dropdown > Preferences
Ensure that "Launch capture in:" has Wireshark selected:
Under the hood, Airtool is able to perform remote captures by using SSH to connect from your Mac to the remote capture device (i.e. the WLAN Pi).
When Airtool 2 connects to the device using SSH, it remotely executes a series of commands to capture Wi-Fi traffic. The commands perform the following actions:
drop the device's Wi-Fi adapter (e.g. wlan0) into monitor mode
set the desired channel and channel width
Airtool uses the WLAN Pi's wireless adapter (wlan0) to capture frames over the air. The frames are returned from the WLAN Pi to your Mac over an IP connection to the Ethernet port of the WLAN Pi.
All Airtool 2 features (automatic frame slicing, capture size limits, file rotation, live captures, etc.) are available when capturing using a remote sensor in the same way as when capturing using the built-in Wi-Fi adapter.
To capture with a remote sensor, go to Preferences > Sensors and add a new sensor. You will need the hostname or IP address of the sensor. If the sensor is not configured to use the standard SSH port (TCP port 22), then you need to specify the correct port number in the Port field.
To start a capture using a remote sensor, choose the sensor from the Airtool 2 menu. A pop-up similar to the screenshot shown below will appear so that details such as capture interface, channel and channel width can be selected.
Before the capture starts, you will be prompted to enter the name of the wireless interface you wish to capture on remotely (e.g., wlan0) and to select the channel and the channel width.
The remote wireless interface may not support some channels and channel widths. If the selected channel and channel width combination is not supported, the capture will fail, and you may choose to change the capture options and try again.
The first time you capture from the remote sensor, you will be prompted to authenticate using the remote device's SSH username and password. You can choose to have Airtool 2 remember the credentials, so you don't have to enter them every time you do a capture. Airtool 2 will store the credentials securely in your Mac's keychain.
To manage the sensors, go to Preferences > Sensors. You can add, edit or delete existing sensors, mark sensors as favourite, and change the sensors' order by dragging the entries in the list.
The bonus content provided below does not form part of this lab. It is provided for your later reference.
You can also use Airtool 2 to capture Wi-Fi traffic on multiple channels simultaneously by using multiple remote sensors or a single remote sensor with multiple Wi-Fi modules. Airtool 2 generates a single capture file by merging the frames captured on each sensor based on their timestamps.
To ensure the correct merging of Wi-Fi frames from each sensor, Airtool 2 requires all sensors to synchronize their time using NTP.
You can also capture Wi-Fi traffic on multiple channels simultaneously using the same remote sensor if the remote sensor supports more than one Wi-Fi adapter. For example, if you have three remote sensors, and each sensor supports two Wi-Fi adapters, you can capture Wi-Fi traffic on six different channels simultaneously.
Prepare for a multi-source capture
You must first go to Preferences > Sensors and add any remote sensors you would like to use for multi-source captures. You only need to add a remote sensor the first time you use it. After that, the remote sensor will always be available for multi-source captures.
Also, make sure you plug in at least one compatible Wi-Fi adapter per remote sensor and know the interface name assigned to it (e.g., wlan0) as you will need it when configuring the remote sensor for capturing.
Start a multi-source capture
Choose Multi-Source Capture from the Airtool 2 menu.
Click the "+" button to add an entry for each remote sensor you want to use for capturing.
For each entry, configure which sensor, interface name, channel, and channel width you want to use.
Click "Start Capture."
Airtool 2 won't allow you to start the capture if it detects an invalid configuration. For example, you cannot use the same sensor and interface name combination twice.
To reduce the amount of data sent back from a remote sensor, you can choose to limit each captured frame's size by enabling the "Limit each frame to" option and entering the desired frame size in bytes.
More details:
run to capture and send the Wi-Fi frames back over to Airtool 2 via the SSH connection.
Airtool 2 discovers -based remote sensors deployed in your local area network automatically, so don't be surprised if you WLAN Pi is already in the list
More details:
Now that you've completed the setup of Airtool, move on the to take a closer look at some real-world Wi-Fi frames.
Airtool 2 uses the . This format allows Airtool 2 to annotate each frame with the sensor and interface name used to capture the frame. You can use this information to filter frames by sensor and interface name in .
Advanced Airtool 2 features, such as automatic frame slicing and live captures using , are also available for multi-source captures.
Airtool 2 discovers -based remote sensors deployed in your local area network automatically.
