Airtool 2 is an inexpensive packet capture tool for macOS. It is available with a 3-day free trial for those who may not own a copy.
Airtool 2 can use two sources for capturing frames over the air:
the internal wireless NIC of the Mac
a remote sensor capture device such as the WLAN Pi
Airtool 2 also makes it possible to perform affordable, multichannel captures using multiple remote sensors and Wi-Fi adapters. In our lab, we'll be using Airtool 2 with the WLAN Pi M4 as its remote sensor:
Verify Airtool 2 is running in your menu bar (Wi-Fi icon with a wrench spanner)
Click on the Airtool 2 icon and choose Preferences:
Ensure that "Launch capture in:" option has Wireshark selected:
Airtool 2 can perform remote captures by using SSH to connect from your Mac to the remote capture device (i.e., the WLAN Pi).
When Airtool 2 connects to the device using SSH, it remotely executes a series of commands to capture Wi-Fi traffic. The commands perform the following actions:
drop the device's Wi-Fi adapter (e.g. wlan0) into monitor mode
set the desired channel and channel width
Airtool 2 uses the WLAN Pi's wireless adapter (wlan0) to capture frames over the air. The frames are returned from the WLAN Pi to your Mac over an IP connection to the Ethernet port of the WLAN Pi.
Note: It's also possible to add a second wireless adapter to connect to the WLAN Pi if an Ethernet connection is unavailable. This would require a USB wireless adapter plugged into the WLAN Pi M4. If using this option, remember that the connection for the second wireless interface must not be the same as the capture channel. We will not be using this method in our lab work.
All Airtool 2 features (automatic frame slicing, capture size limits, file rotation, live captures, etc.) are available using a remote sensor in the same way as when capturing using the built-in Wi-Fi adapter.
To capture with a remote sensor, go to Preferences > Sensors and add a new sensor. You will need the hostname or IP address of the sensor. If the sensor is not configured to use the standard SSH port (TCP port 22), then you need to specify the correct port number in the Port field.
To start a capture using a remote sensor, choose the sensor from the Airtool 2 menu. A pop-up similar to the screenshot below will appear so details like capture interface, channel, and channel width can be selected.
Before the capture starts, you will be prompted to select the channel and the channel width. The wireless interface will be selected automatically (usually wlan0), unless you enter a specific interface name (e.g., wlan1).
The remote wireless interface may not support some channels and channel widths. If the selected channel and channel width combination is not supported, the capture will fail, and you may choose to change the capture options and try again.
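The monitor-mode and channel-setting steps described above, and the channel/width combinations that make a capture fail, as an added example that is not Airtool 2's or Wifidump's own code: a pre-flight helper for a Linux sensor such as the WLAN Pi that maps a channel and width to the `ip`/`iw` commands and rejects combinations the adapter cannot be tuned to. The channel table and the HT40/80 MHz block layout are simplified assumptions (2.4 GHz channels 1-13 and the common 5 GHz channels only).

```shell
#!/bin/sh
# Added example (assumption: Linux ip/iw tooling on the sensor). Maps an
# 802.11 channel to its centre frequency; prints nothing and returns 1 for
# channels outside the simplified table below.
wifi_freq() {
  ch=$1
  if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then echo $((2407 + ch * 5))
  elif [ "$ch" -ge 36 ] && [ "$ch" -le 64 ] && [ $((ch % 4)) -eq 0 ]; then echo $((5000 + ch * 5))
  elif [ "$ch" -ge 100 ] && [ "$ch" -le 144 ] && [ $((ch % 4)) -eq 0 ]; then echo $((5000 + ch * 5))
  elif [ "$ch" -ge 149 ] && [ "$ch" -le 177 ] && [ $((ch % 4)) -eq 1 ]; then echo $((5000 + ch * 5))
  else return 1; fi
}

# Print the commands that put interface $1 into monitor mode on channel $2
# with width $3 (20|40|80). Unsupported combinations (for example 80 MHz on
# a 2.4 GHz channel) are reported on stderr and return 1 before anything runs.
monitor_cmds() {
  ifc=$1; ch=$2; width=$3
  freq=$(wifi_freq "$ch") || { echo "unsupported channel $ch" >&2; return 1; }
  case $width in
    20) wspec="HT20" ;;
    40) # HT40+ when the channel is the lower half of its 40 MHz pair
        if [ "$ch" -le 13 ]; then
          if [ "$ch" -le 7 ]; then half=0; else half=1; fi
        elif [ "$ch" -ge 149 ]; then half=$(( ((ch - 149) / 4) % 2 ))
        else half=$(( ((ch - 36) / 4) % 2 )); fi
        if [ "$half" -eq 0 ]; then wspec="HT40+"; else wspec="HT40-"; fi ;;
    80) [ "$ch" -ge 36 ] || { echo "80 MHz is not valid on channel $ch" >&2; return 1; }
        # 80 MHz blocks start at 36, 52, 100, 116, 132 and 149; the centre
        # channel is the first channel of the block plus 6.
        if [ "$ch" -ge 149 ]; then first=$(( 149 + ((ch - 149) / 16) * 16 ))
        else first=$(( 36 + ((ch - 36) / 16) * 16 )); fi
        wspec="80 $(( 5000 + (first + 6) * 5 ))" ;;
    *) echo "unsupported width $width" >&2; return 1 ;;
  esac
  printf 'ip link set %s down\n' "$ifc"
  printf 'iw dev %s set type monitor\n' "$ifc"
  printf 'ip link set %s up\n' "$ifc"
  printf 'iw dev %s set freq %s %s\n' "$ifc" "$freq" "$wspec"
}
```

Running `monitor_cmds wlan0 36 80` prints the four commands to tune wlan0 to channel 36 at 80 MHz (centre 5210 MHz); the same call with channel 6 fails, which is the case the text describes.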
The first time you capture from the remote sensor, you will be prompted to authenticate using the remote device's SSH username and password. You can choose to have Airtool 2 remember the credentials, so you don't have to enter them every time you do a capture. Airtool 2 will store the credentials securely in your Mac's keychain.
To manage the sensors, go to Preferences > Sensors. You can add, edit or delete existing sensors, mark sensors as favourite, and change the sensors' order by dragging the entries in the list.
If you mark the sensor as favourite, Airtool 2 will list the sensor in the main menu for quicker access.
To capture wireless frames on macOS via the WLAN Pi, you'll need to install two components onto your Mac:
Once these steps have been completed, you'll be able to capture wireless frames using Airtool 2 via the WLAN Pi, and use Wireshark to display and decode the frames.
run to capture and send the Wi-Fi frames back over to Airtool 2 via the SSH connection.
Airtool 2 discovers -based remote sensors deployed in your local area network automatically, so don't be surprised if your WLAN Pi is already in the list.
More details can be found in .
Now that you've completed the setup of Airtool 2, move on to the to take a closer look at some real-world Wi-Fi frames.
For this lab, you will need Wireshark 4.0.3 or higher. The latest as of today is 4.2.3. Wireshark 4 includes a plugin called Wifidump which allows us to perform a frame capture using the WLAN Pi as an external sensor:
Even if you already have Wireshark 4 installed, we need to reinstall it with a critical (non-default) checkbox that enables the Wifidump plugin. Do NOT bypass this step unless you are 100% sure that you have previously installed Wireshark with the option "Sshdump, Ciscodump & Wifidump" selected.
Initiate the Wireshark installation by double-clicking on the downloaded Wireshark-4.xx-x64.exe file. Then, accept the installer wizard dialogues until you reach the Choose Components screen:
Expand the External capture tools (extcap) option (you may have to scroll down in the Select component to install box)
Select the Sshdump, Ciscodump, and Wifidump checkbox:
Hit Next and go through the prompts to complete the installation. Remaining defaults are OK.
Open Wireshark.
You should see 'Wi-Fi remote capture' in the list of available interfaces (you may have to scroll down):
The "Wi-Fi remote capture" interface allows you to perform remote Wi-Fi packet captures on a specified channel and channel width using a Linux device with a compatible Wi-Fi adapter (i.e., one that can be put into monitor mode).
Click the gear icon next to "Wi-Fi remote capture" to display the interface options. On the Server tab, enter the remote SSH server address (i.e., your WLAN Pi wired IP address) and remote server port "22". Check the IP address of the eth0 interface of your WLAN Pi using the Front Panel Menu System (the IP address required is shown on the top-level page of FPMS):
You need to specify the IPv4 address x.x.x.x rather than using wlanpi-xxx.local.
Go to the Authentication tab and enter the username and password you use to access your WLAN Pi.
The password is not saved between sessions. This means that if you close Wireshark, when you re-open the application you will need to re-enter your password to capture from the WLAN Pi.
This hassle can be avoided by configuring passwordless SSH authentication to the WLAN Pi.
Go to the Capture tab and enter the channel and channel width you want to capture on. If using an interface other than 'wlan0', then enter its name in the Remote interface field:
Note that all 802.11 channels are listed; however, the Wi-Fi adapter on the WLAN Pi device may only support a subset of them. If you choose a channel that is not supported by the Wi-Fi adapter, or a channel width that doesn't apply to the selected channel, the capture will fail.
Finally, logging may be set up on the Debug panel of the capture wizard:
Click the Start button to begin capturing frames.
Check out the Wireshark resources and then move on to the Windows frame capture lab to take a closer look at some captured frames.