🍏macOS Capture Lab

Let's see if we can sniff some Wi-Fi traffic on 2.4, 5 GHz, and 6 GHz!

Now that we've set up our Mac to allow us to capture and decode Wi-Fi frames via the WLAN Pi M4, let's capture some frames and see what's going on in our test lab.

We'll work through some simple examples of capturing frames on the 2.4 GHz, 5 GHz and 6 GHz bands. You may do as many or as few of the examples as you like.

The lab will look at the following areas:

  • Customizing the Wireshark UI to provide better decoding for Wi-Fi frames

  • How to start and stop a capture, and how to start a new capture.

  • Capturing on 2.4 GHz:

    • Beacon frames

  • Capturing on 5 GHz:

    • Reduced Neighbour Reports

  • Capturing on 6 GHz:

    • Fast Initial Link Setup (FILS) frames

What You'll Need For This Lab

Items needed for this lab:

  • A Mac with Airtool 2 installed as per the previous setup instructions. The Mac should be associated to one of the lab APs for connectivity to the WLAN Pi M4

  • A WLAN Pi M4. This should be connected to a lab switch to provide both power and network connectivity.

The default colouration of Wireshark frame decodes is a fairly bland black and white presentation, which makes picking out the different frame types and getting a sense of the traffic flows quite tricky.

Metageek provide an excellent customisation file that colourizes the different Wi-Fi frame types and makes interpreting hundreds of frames in a capture file far more manageable. Once installed, it allows you to switch to a new "Metageek" profile within Wireshark to see the new options that the file provides.

The following Metageek page provides access to the customisation file, together with installation instructions. It is strongly recommended that you install this profile if time allows:

Starting a Capture

Watch out for Airtool capturing on the internal adaptor of your Mac.

This is the default behaviour if the WLAN Pi is not present.

To start a capture using the WLAN Pi, select your WLAN Pi from the Airtool menu (your WLAN Pi may be under the "Remote Capture" menu if you did not select it as a favourite during setup):

A pop-up for the probe appears allowing selection of the WLAN Pi's capture interface, band, channel and channel width:

The first time you use the sensor, you will also be prompted to enter the login credentials for the WLAN Pi:

Wireshark will now open and display the frames being captured by the WLAN Pi.

Stopping a Capture

To stop the capture, hit the red square button on the top bar of Wireshark:

Starting a Subsequent Capture

To start a new capture you need to quit Wireshark completely. You can then select the sensor again to start a new capture.

When you are done capturing, you need to quit Wireshark before you can start a new capture; otherwise you will find the remote sensor 'greyed out'.

Lab Exercises

2.4 GHz Capture

Let's start with a simple capture on the 2.4 GHz band. Use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use Airtool to start a capture as shown below (adjust for the channel being used by the lab AP):

Leave the capture going for a few seconds to gather a selection of frames. Stop the capture and review the captured frames. Can you spot any beacon frames?

To filter the Wireshark display to show just beacon frames, enter the following display filter:

Check out the frame detail of several of the beacon frames. Can you find:

  • The beacon's SSID name?

  • The AP's country code?

  • The channel utilization in the QBSS load element?
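To see where those three answers come from in the raw bytes, here is an added example (not part of the original lab, and not Airtool or WLAN Pi code) that walks a beacon's tagged parameters in pure Python. The beacon frame it parses is constructed by hand for the example; in the lab you can export the bytes of a captured beacon from Wireshark and feed those instead. The element IDs (0 for SSID, 7 for Country, 11 for QBSS Load) and the frame layout follow IEEE 802.11.

```python
"""Decode the SSID, country code and QBSS channel utilization of an 802.11 beacon.

Added example, not part of the original lab. Works on a raw 802.11 frame
(no radiotap header). The sample beacon below is constructed by hand.
"""
import struct

MAC_HEADER_LEN = 24          # FC(2) + duration(2) + 3 addresses(18) + sequence control(2)
BEACON_FIXED_LEN = 12        # TSF timestamp(8) + beacon interval(2) + capability info(2)

# Element IDs from IEEE 802.11
TAG_SSID = 0
TAG_COUNTRY = 7
TAG_QBSS_LOAD = 11


def type_subtype(frame: bytes) -> int:
    """Wireshark-style wlan.fc.type_subtype value: (type << 4) | subtype."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)


def iter_tags(body: bytes):
    """Yield (element_id, value) for each tagged parameter; stop on a truncated element."""
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:          # truncated element: stop rather than mis-parse
            break
        yield eid, value
        pos += 2 + length


def decode_beacon(frame: bytes) -> dict:
    """Extract SSID, country code and QBSS load fields from a beacon frame."""
    if type_subtype(frame) != 0x08:      # same test as display filter wlan.fc.type_subtype == 0x0008
        raise ValueError("not a beacon frame")
    fixed = frame[MAC_HEADER_LEN:MAC_HEADER_LEN + BEACON_FIXED_LEN]
    _timestamp, interval_tu, _capability = struct.unpack("<QHH", fixed)
    info = {"beacon_interval_ms": interval_tu * 1024 / 1000}   # 1 TU = 1024 microseconds
    for eid, value in iter_tags(frame[MAC_HEADER_LEN + BEACON_FIXED_LEN:]):
        if eid == TAG_SSID:
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif eid == TAG_COUNTRY and len(value) >= 3:
            # Two-letter ISO code followed by an environment byte (' ', 'I' or 'O')
            info["country"] = value[:2].decode("ascii", errors="replace")
        elif eid == TAG_QBSS_LOAD and len(value) >= 3:
            # QBSS Load: station count(2), channel utilization(1, 0..255), admission capacity(2)
            info["station_count"] = struct.unpack_from("<H", value, 0)[0]
            info["channel_utilization_pct"] = round(value[2] * 100 / 255, 1)
    return info


# Constructed beacon: broadcast DA, AP as TA/BSSID, 100 TU interval, three tags.
SAMPLE_BEACON = (
    bytes.fromhex("8000" "0000")                                  # FC (beacon), duration
    + bytes.fromhex("ffffffffffff")                               # addr1: broadcast
    + bytes.fromhex("001122334455") * 2                           # addr2 (TA) and addr3 (BSSID)
    + bytes.fromhex("1000")                                       # sequence control
    + bytes(8)                                                    # TSF timestamp
    + bytes.fromhex("6400" "1104")                                # beacon interval 100 TU, capabilities
    + bytes.fromhex("0006") + b"LabNet"                           # SSID element
    + bytes.fromhex("0706") + b"GB " + bytes.fromhex("010d14")    # Country element: GB, channels 1-13
    + bytes.fromhex("0b05" "0300" "33" "0000")                    # QBSS Load: 3 STAs, utilization 51/255
)

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BEACON))
```

Channel utilization is reported by the AP as a byte on a 0..255 scale, so the percentage Wireshark shows is that byte divided by 255; a value like 51 is about 20% busy airtime.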

5 GHz Capture

Repeat the capture process of the previous example, but this time capture frames from a 5 GHz channel. Again, use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use Airtool again as follows (corrected for your local AP channel):

While the capture is running, use your phone to try to associate to the lab SSID (don't worry about having the correct PSK to join the network). This will initiate probe requests from your client device and probe responses from the AP.

Stop the capture and apply the display filter shown below:

If all went well, you'll have a few probe responses and will be able to inspect the tagged parameters in the probe response.

Scroll through the tags and identify the "Reduced Neighbor Report" tag. Open it up and take a look at the fields available. This is the tag that identifies the 6 GHz channels that the AP is also operating on. Can you see which 6 GHz channel the lab AP is operating on?
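The fields Wireshark shows under that tag map directly onto the element's byte layout. The following is an added example (not part of the original lab) that parses a Reduced Neighbor Report element and reports each neighbour's operating class, channel and BSSID; the element bytes are constructed by hand, and the 6 GHz operating classes (131 to 136) and the 5950 MHz + 5 MHz x channel frequency formula are taken from IEEE 802.11. It goes slightly beyond the lab by also decoding the BSS Parameters bits.

```python
"""Parse a Reduced Neighbor Report (RNR) element from a probe response or beacon.

Added example, not part of the original lab. The element (ID 201) holds one
or more Neighbor AP Information fields: a 2-byte TBTT Information header,
an operating class, a channel number and count x length bytes of TBTT
Information. The sample element below is constructed by hand.
"""
import struct

ELEMENT_ID_RNR = 201

# Global operating classes for the 6 GHz band (IEEE 802.11 Annex E) -> channel width in MHz
SIX_GHZ_OP_CLASSES = {131: 20, 132: 40, 133: 80, 134: 160, 135: 80, 136: 20}


def six_ghz_center_mhz(channel: int) -> int:
    """6 GHz channel centre frequency in MHz: 5950 + 5 x channel number."""
    return 5950 + 5 * channel


def parse_rnr(element: bytes) -> list:
    """Return one dict per Neighbor AP Information field.

    `element` starts at the Element ID byte (201) followed by the length byte,
    i.e. the bytes Wireshark shows for the "Reduced Neighbor Report" tag.
    """
    if len(element) < 2 or element[0] != ELEMENT_ID_RNR:
        raise ValueError("not a Reduced Neighbor Report element")
    body = element[2:2 + element[1]]
    neighbors = []
    pos = 0
    while pos + 4 <= len(body):
        # TBTT Information Header: bits 0-1 field type, bit 2 filtered AP,
        # bits 4-7 (count - 1), bits 8-15 length of each TBTT Information field
        hdr = struct.unpack_from("<H", body, pos)[0]
        count = ((hdr >> 4) & 0xF) + 1
        info_len = hdr >> 8
        op_class, channel = body[pos + 2], body[pos + 3]
        pos += 4
        entry = {"operating_class": op_class, "channel": channel,
                 "filtered": bool(hdr & 0x4), "bssids": [], "short_ssids": [], "bss_params": []}
        width = SIX_GHZ_OP_CLASSES.get(op_class)
        if width is not None:
            entry["band"] = "6 GHz"
            entry["width_mhz"] = width
            entry["center_mhz"] = six_ghz_center_mhz(channel)
        for _ in range(count):
            tbtt = body[pos:pos + info_len]
            if len(tbtt) < info_len:
                raise ValueError("truncated TBTT Information field")
            pos += info_len
            # Sub-fields in order: TBTT offset(1), BSSID(6), Short SSID(4), BSS params(1), 20 MHz PSD(1).
            # 13 bytes carries all of them, 11/12 drop the tail, 7 is offset + BSSID only.
            # (The 5/6-byte forms, Short SSID without BSSID, are not decoded here.)
            if info_len >= 7:
                entry["bssids"].append(":".join(f"{b:02x}" for b in tbtt[1:7]))
            if info_len >= 11:
                entry["short_ssids"].append(struct.unpack_from("<I", tbtt, 7)[0])
            if info_len >= 12:
                p = tbtt[11]
                entry["bss_params"].append({
                    "same_ssid": bool(p & 0x02),          # B1
                    "transmitted_bssid": bool(p & 0x08),  # B3
                    "co_located_ap": bool(p & 0x40),      # B6
                })
        neighbors.append(entry)
    return neighbors


# Constructed RNR: a 6 GHz 160 MHz BSS (op class 134, channel 47) with a full 13-byte
# TBTT Information field, then a 2.4 GHz BSS (op class 81, channel 6) with a 7-byte field.
SAMPLE_RNR = (
    bytes.fromhex("c91c")                                       # Element ID 201, length 28
    + bytes.fromhex("000d" "86" "2f")                           # header: count 1, length 13; op class 134; ch 47
    + bytes.fromhex("ff" "001122334466" "78563412" "4a" "20")   # offset, BSSID, short SSID, BSS params, PSD
    + bytes.fromhex("0007" "51" "06")                           # header: count 1, length 7; op class 81; ch 6
    + bytes.fromhex("ff" "001122334455")                        # offset, BSSID
)

if __name__ == "__main__":
    for neighbor in parse_rnr(SAMPLE_RNR):
        print(neighbor)
```

The operating class is the key field: a client that only hears the 5 GHz probe response can tell from class 134 and channel 47 that the same AP has a 160 MHz BSS centred on 6185 MHz, without ever scanning the 6 GHz band.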

6 GHz Capture

Finally, let's capture frames on the 6 GHz band.

The MediaTek NIC supports a maximum channel width of 80 MHz.

We'll initiate the capture as in the previous two examples. Again, use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Fire up a capture as follows (corrected for your local AP channel):

Leave the capture running for a few seconds and then stop it to review the frames collected. Notice that there are a large number of "Action" frames. There is an action frame at least every 20 ms.

Let's take a closer look at these to find out what's going on here. Apply the following display filter:

The frames we're seeing are Fast Initial Link Setup (FILS) discovery announcement frames. They're a kind of condensed beacon for the Wi-Fi 6E world. You can read more about them here: https://www.extremenetworks.com/extreme-networks-blog/the-road-to-ap-discovery-in-6-ghz/

Finally, if you have time, apply a new display filter to your captured frames to display the beacons captured:

Snap open the "HE Capabilities" tagged parameter. Snap open the HE PHY Capabilities Information section and check out the capabilities data. Does your AP support 160 MHz channels on 6 GHz?
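Both of the 6 GHz observations above (FILS Discovery frames arriving every 20 ms, and the HE PHY channel width bits) can be checked programmatically. The following is an added example, not part of the original lab: it identifies FILS Discovery frames as Public Action frames (category 4, action code 34), measures the gap between them, and reads the Supported Channel Width Set from the first byte of the HE PHY Capabilities Information in an HE Capabilities element (element ID 255, extension ID 35). All frames, timestamps and elements are constructed by hand, and the bit positions follow IEEE 802.11ax.

```python
"""Spot FILS Discovery frames and check HE 160 MHz support in a 6 GHz capture.

Added example, not part of the original lab. Works on raw 802.11 frames
(no radiotap header) paired with capture timestamps in seconds. Every
frame, timestamp and element below is constructed by hand.
"""

MAC_HEADER_LEN = 24                  # FC(2) + duration(2) + 3 addresses(18) + sequence control(2)
CATEGORY_PUBLIC = 4
PUBLIC_ACTION_FILS_DISCOVERY = 34
EID_EXTENSION = 255
EID_EXT_HE_CAPABILITIES = 35
HE_MAC_CAP_LEN = 6                   # HE MAC Capabilities Information precedes the PHY capabilities


def type_subtype(frame: bytes) -> int:
    """Wireshark-style wlan.fc.type_subtype value: (type << 4) | subtype."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)


def is_fils_discovery(frame: bytes) -> bool:
    """True for an Action frame whose body starts with Public category and FILS Discovery action."""
    if type_subtype(frame) != 0x0D:  # Action frame (display filter wlan.fc.type_subtype == 0x000d)
        return False
    body = frame[MAC_HEADER_LEN:]
    return len(body) >= 2 and body[0] == CATEGORY_PUBLIC and body[1] == PUBLIC_ACTION_FILS_DISCOVERY


def fils_discovery_intervals_ms(capture) -> list:
    """Gaps in ms between consecutive FILS Discovery frames; capture is [(seconds, frame), ...]."""
    times = [t for t, frame in capture if is_fils_discovery(frame)]
    return [round((later - earlier) * 1000, 3) for earlier, later in zip(times, times[1:])]


def he_channel_widths(element: bytes) -> dict:
    """Decode Supported Channel Width Set bits B1-B4 from the HE PHY Capabilities."""
    if (len(element) < 3 + HE_MAC_CAP_LEN + 1
            or element[0] != EID_EXTENSION or element[2] != EID_EXT_HE_CAPABILITIES):
        raise ValueError("not an HE Capabilities element")
    phy0 = element[3 + HE_MAC_CAP_LEN]  # first byte of HE PHY Capabilities Information
    return {
        "40mhz_in_2g4": bool(phy0 & 0x02),           # B1
        "40_80mhz_in_5g_6g": bool(phy0 & 0x04),      # B2
        "160mhz_in_5g_6g": bool(phy0 & 0x08),        # B3
        "160_80p80mhz_in_5g_6g": bool(phy0 & 0x10),  # B4
    }


def _mgmt_frame(fc0: int, body: bytes) -> bytes:
    """Constructed management frame: FC, duration, broadcast DA, AP as TA/BSSID, seq ctrl, body."""
    return (bytes([fc0, 0x00]) + bytes(2) + bytes.fromhex("ffffffffffff")
            + bytes.fromhex("001122334466") * 2 + bytes(2) + body)


# Constructed frames. The FILS Discovery body is cut short after the action code,
# FD Information control, timestamp, interval and SSID; that is enough for the check.
FILS_FRAME = _mgmt_frame(0xD0, bytes([CATEGORY_PUBLIC, PUBLIC_ACTION_FILS_DISCOVERY])
                         + bytes.fromhex("0500") + bytes(8) + bytes.fromhex("6400") + b"LabNet")
OTHER_ACTION = _mgmt_frame(0xD0, bytes([5, 0]))   # Radio Measurement category, not FILS
BEACON_FRAME = _mgmt_frame(0x80, bytes(12))       # beacon fixed parameters, no tags

# Constructed capture: a FILS Discovery frame every 20 ms with other traffic in between.
SAMPLE_CAPTURE = [
    (0.000, FILS_FRAME),
    (0.010, BEACON_FRAME),
    (0.020, FILS_FRAME),
    (0.025, OTHER_ACTION),
    (0.040, FILS_FRAME),
]

# Constructed HE Capabilities elements: ext ID 35, 6 MAC bytes, 11 PHY bytes, 4 MCS map bytes.
# First PHY byte 0x0c sets B2 (40/80 MHz) and B3 (160 MHz); 0x04 sets only B2.
HE_CAPS_160 = bytes.fromhex("ff16" "23" "010000000000" "0c" + "00" * 10 + "fafffaff")
HE_CAPS_80 = bytes.fromhex("ff16" "23" "010000000000" "04" + "00" * 10 + "fafffaff")

if __name__ == "__main__":
    print("FILS Discovery gaps (ms):", fils_discovery_intervals_ms(SAMPLE_CAPTURE))
    print("160 MHz supported:", he_channel_widths(HE_CAPS_160)["160mhz_in_5g_6g"])
```

In a real capture you would build the `(timestamp, frame)` list from the exported frames; the interval list then shows directly whether the AP is keeping to the 20 ms cadence noted above.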

You're all done! Well done on completing this frame capture lab.
