The WLAN Pi Pro includes two (2) Wi-Fi modules capable of capturing Wi-Fi traffic. Not only are they capable (support monitor mode) but they are both 2 SS, 802.11ax, 6GHz capable Wi-Fi modules. This provides great flexibility in capturing just about any Wi-Fi frames you might need to analyze for troubleshooting, testing, or validation.

macOS method

• AirTool2 - Paid tool, but includes 3-day free trial

• Wireshark

Windows method

• Wireshark + sshdump plugin

• Python

• wlan-extcap

iOS bonus method

• iPhone or iPad

• Testflight App

• Airtool Pi App (not yet available on App store)

Choose your path:

• Windows

• macOS

• iOS

You operate on Windows, fantastic, first you need to install Python, add a couple of files to the installation to enable capture via SSH, then you'll need to re-install Wireshark.

Step 1 - Python Already installed?

1. Verify if you already have Python is installed or not

2. Open Command Prompt, execute command\

   Copy

   python --version

3. If Python is not installed, you will see an error You can install it from the Windows app store or by manual download and install using the link below

Download PythonPython.org

Step 2 - Manually install Python

After restarting Command Prompt Verify python has been successfully installed with command

python --version

If successful you should output similar to the following

C:\>python --version
Python 3.10.2

Step 1 - Download & Install

Wireshark · Download

From the 'Choose Components' screen Expand Tools Select 'Ssh dump & Ciscodump' checkbox

Step 2 - wlan-extcap

1. Download wlandump.zip and extract the contents onto your desktop

2. Move both wlandump files into folder C:\Program Files\Wireshark\extcap

Step 3 - Wireshark

1. Open Wireshark

2. You should see 'Wi-Fi remote capture' in the list of available interfaces

Step 4 - Remote Wi-Fi Capture

The wifidump capture interface allows you to perform remote Wi-Fi packet captures on a specified channel and channel width using a Linux device with a compatible Wi-Fi adapter (one that can be put into monitor mode).

Click the gear icon next to "Wi-Fi remote capture" to display the interface options, then choose the interface name, channel, and channel width you want to capture on​

Go to the Server tab and enter the remote SSH server address With an OTG connection to the WLAN Pi 169.254.42.1

Go to the Authentication tab and enter the username and password​

Click the Start button to begin capturing frames​

You run a mac, fantastic, first install Wireshark and then Airtool 2

Install Wireshark

Download and install the latest and greatest version of Wireshark

Wireshark · Download

Airtool can perform 'local' and remote Wi-Fi packet captures using a capable Linux box with a compatible Wi-Fi adapter such as... the WLAN Pi. Airtool 2 makes it possible to perform affordable, multi-channel captures using multiple remote sensors and Wi-Fi adapters.

Download and install Airtool 2

Airtool 2 - Capture Wireless Traffic Using Your MacIntuitibits

Launch Airtool

1. Verify Airtool is running in your menu bar (Wi-Fi icon with a wrench spanner

2. Configure Airtool 2 Preferences

Airtool dropdown > Preferences

Capture using a remote sensor

Remote captures are achieved using SSH to connect to the remote device. When Airtool 2 connects to the device using SSH, it remotely executes a series of commands to capture Wi-Fi traffic. These commands drop the device's Wi-Fi adapter (e.g., wlan0) into monitor mode, set the desired channel and channel width, and then runs tcpdump to capture and send the Wi-Fi frames back over to Airtool 2 via the SSH connection.

Because Airtool 2 will use the remote device's main Wi-Fi adapter for capturing, Airtool 2 needs to connect to the device using a wired connection or a secondary Wi-Fi adapter.

If you were to do this using a secondary Wi-Fi adapter, ensure the channel you will be capturing is not the same as the Wi-Fi adapter being used for device access.

All Airtool 2 features (automatic frame slicing, capture size limits, file rotation, live captures, etc.) are available when capturing using a remote sensor in the same way as when capturing using the built-in Wi-Fi adapter.

Using a sensor

To use a remote sensor, go to Preferences > Sensors and add a new sensor. You will need the hostname or IP address of the sensor. If the sensor is not configured to use the standard SSH port (TCP port 22), then you need to specify the correct port number in the Port field. Then, choose the sensor from the Airtool 2 menu to start the remote capture.

Before the capture starts, you will be prompted to enter the name of the wireless interface you wish to capture on remotely (e.g., wlan0) and to select the channel and the channel width.

The first time you capture from the remote sensor, you will be prompted to authenticate using the remote device's SSH username and password. You can choose to have Airtool 2 remember the credentials, so you don't have to enter them every time you do a capture. Airtool 2 will store the credentials securely in your Mac's keychain.

Managing sensors

To manage the sensors, go to Preferences > Sensors. You can add, edit or delete existing sensors, mark sensors as favourite, and change the sensors' order by dragging the entries in the list.

More details: https://www.intuitibits.com/help/airtool2/#/topic-capture-remote_capture

Capture on multiple channels and remote sensors

You can also use Airtool 2 to capture Wi-Fi traffic on multiple channels simultaneously by using multiple remote sensors or a single remote sensor with multiple Wi-Fi modules. Airtool 2 generates a single capture file by merging the frames captured on each sensor based on their timestamps.

To ensure the correct merging of Wi-Fi frames from each sensor, Airtool 2 requires all sensors to synchronize their time using NTP.

Airtool 2 uses the PCAP Next Generation (pcapng) Capture File Format. This format allows Airtool 2 to annotate each frame with the sensor and interface name used to capture the frame. You can use this information to filter frames by sensor and interface name in Wireshark.

You can also capture Wi-Fi traffic on multiple channels simultaneously using the same remote sensor if the remote sensor supports more than one Wi-Fi adapter. For example, if you have three remote sensors, and each sensor supports two Wi-Fi adapters, you can capture Wi-Fi traffic on six different channels simultaneously.

Advanced Airtool 2 features, such as automatic frame slicing and live captures using Wireshark, are also available for multi-source captures.

Prepare for a multi-source capture

You must first go to Preferences > Sensors and add any remote sensors you would like to use for multi-source captures. You only need to add a remote sensor the first time you use it. After that, the remote sensor will always be available for multi-source captures.

Airtool 2 discovers WLAN Pi-based remote sensors deployed in your local area network automatically.

Also, make sure you plug in at least one compatible Wi-Fi adapter per remote sensor and know the interface name assigned to it (e.g., wlan0) as you will need it when configuring the remote sensor for capturing.

Start a multi-source capture

1. Choose Multi-Source Capture from the Airtool 2 menu.

2. Click the "+" button to add an entry for each remote sensor you want to use for capturing.

3. For each entry, configure which sensor, interface name, channel, and channel width you want to use.

4. Click "Start Capture."

Airtool 2 won't allow you to start the capture if it detects an invalid configuration. For example, you cannot use the same sensor and interface name combination twice.

To reduce the amount of data sent back from a remote sensor, you can choose to limit each captured frame's size by enabling the "Limit each frame to" option and entering the desired frame size in bytes.

More details:

If you have access to an iPhone running a recent iOS

Airtool Pi - IntuitibitsIntuitibits

1. Install Airtool Pi from the App Store https://apps.apple.com/us/app/airtool-pi/id1586351368

2. Airtool Pi can communicate with your WLAN Pi over: - Bluetooth - WiFi - iOS OTG

3. Click the plus in the corner

4. Give the sensor a name

5. Enter the link-local address wlanpi-xxx.local or ip address into the hostname field

6. port can remain 22

7. Enter your WLAN Pi username and password

8. From here initiating a capture is pretty self explanatory

1. Lets see if we can sniff some traffic on a 2.4 or 5 GHz channel

2. Take a look at a beacon frame

3. Find your own device

4. Do you see any association requests?

macOS

Wireshark fires up automatically

in order to start a new capture, you need to manually stop the current capture

Windows

Start a capture

If you see the following error, look at the end of the error message, 'Can't find a valid authentication'

But, I thought I just set it up right?

Unfortunately Wireshark is forgetful and can't remember your password between captures, each time you start a new capture you'll need to renter your password.

We can work around this by configuring passwordless SSH access, but that is beyond the scope of this lab. See this blog post for details if you are keen to set this up.

Use SSH key stored on GitHub instead of an SSH password to access your WLAN Pi - Jiri BrejchaJiri Brejcha | Wi-Fi Technical Solutions Architect

To start a new capture you need to manually 'close' the current capture

File > Close

Now you can access the landing page, configure the password and start a new capture

Let's analyze a 6 GHz beacon

perform a capture on channel 60

Wireshark loads

stop capture

find a beacon

expand VHT

If you want your Wireshark colour profile to match MetaGeek Eye P.A. see this MetaGeek blog article

Wireshark Configuration ProfileMetaGeek Support

802.11 Wireshark Filters

Follow the instructions in the blog post to generate your SSH keys and add your public key to your github account.

To add your public keys to your WLAN Pi simply use the command wlanpi-gh-ssh-key <gh_username>

wlanpi-gh-ssh-key <gh_username>

Use SSH key stored on GitHub instead of an SSH password to access your WLAN Pi - Jiri BrejchaJiri Brejcha | Wi-Fi Technical Solutions Architect