1 of 15

3. Lab: Wi-Fi Frame Capture

Let's sniff some Wi-Fi frames!

The WLAN Pi provides multiple methods of capturing Wi-Fi frames into packet capture apps, using the WLAN Pi as a capture device. This provides a compelling option for network troubleshooting, testing, or validation.

The wireless adapter within the WLAN Pi uses drivers that allow it to be placed into Monitor mode to listen for all frames over the air. It supports all 3 Wi-Fi bands, capturing frames on the 2.4 GHz, 5 GHz, and 6 GHz bands. The adapter supports two spatial streams (SS) and may only capture transmissions using 1 SS or 2 SS. It supports Wi-Fi standards up to and including Wi-Fi 6E.

The capture process is summarized in the diagram below:

The diagram shows a capture laptop using the WLAN Pi to capture frames over the air. Here are the highlights of the process:

The capture laptop runs an application such as Wireshark to decode frames received from the WLAN Pi.
The WLAN Pi is placed in a location where frames need to be sniffed. Note that this may be an area that is physically local or remote from the capture laptop. Remote connections may be supported via VPN techniques for remote device access.
When the capture laptop initiates a frame capture, the capture application initiates an SSH session to place the WLAN Pi wireless adapter into Monitor mode, set it on the channel to sniff, and stream the capture frames back to the laptop.

Frame capture is supported on Windows, macOS, and iOS. Note that some options are free, and some aren't.

Windows method

Wireshark + Wifidump Extcap Plugin (free)

macOS method

Wireshark (free)
Airtool 2 (paid, includes a 3-day free trial)

iOS bonus method

Airtool Pi (paid)

Setup Instructions

Choose your path:

Windows Setup

For this lab, you will need Wireshark 4.0.3 or higher. The latest as of today is 4.2.3. Wireshark 4 includes a plugin called Wifidump which allows us to perform a frame capture using the WLAN Pi as an external sensor:

Even if you already have Wireshark 4 installed, we need to reinstall it with a critical (non-default) checkbox that enables the Wifidump plugin. Do NOT bypass this step unless you are 100% sure that you have previously installed Wireshark with the option "Sshdump, Ciscodump & Wifidump" selected.

Step 1 - Download and install Wireshark 4.x

Initiate the Wireshark installation by double-clicking on the download Wireshark-4.xx-x64.exe file. Then, accept the installer wizard dialogues until you reach the Choose Components screen:

Expand the External capture tools (extcap) option (you may have to scroll down in the Select component to install box)

Select the Sshdump, Ciscodump, and Wifidump checkbox:

Hit Next and go through the prompts to complete the installation. Remaining defaults are OK.

Step 2 - Launch Wireshark and verify the installation of the Wifidump plugin

Open Wireshark.
You should see 'Wi-Fi remote capture' in the list of available interfaces (you may have to scroll down):

Step 3 - Perform remote Wi-Fi capture

The "Wi-Fi remote capture" interface allows you to perform remote Wi-Fi packet captures on a specified channel and channel width using a Linux device with a compatible Wi-Fi adapter (i.e., one that can be put into monitor mode).

Click the gear icon next to "Wi-Fi remote capture" to display the interface options. On the Server tab, enter the remote SSH server address (i.e., your WLAN Pi wired IP address) and remote server port "22". Check the IP address of the eth0 interface of your WLAN Pi using the Front Panel Menu System (the IP address required is shown on the top-level page of FPMS):

You need to specify the IPv4 address x.x.x.x rather than using wlanpi-xxx.local

Go to the Authentication tab and enter the username and password you use to access your WLAN Pi.

The password is not saved between sessions. This means that if you close Wireshark, when you re-open the application you will need to re-enter your password to capture from the WLAN Pi.

This hassle can be avoided by configuring passwordless SSH authentication to the WLAN Pi.

Go to the Capture tab and enter the channel, and channel width you want to capture on. If using an interface other than 'wlan0', then enter its name in the Remote interface field:

Note that all 802.11 channels are listed, however, the Wi-Fi adapter on the WLAN Pi device may only support a subset of them. If you choose a channel that is not supported by the Wi-Fi adapter or a channel width that doesn't apply to the selected channel, the capture will fail.

Finally, logging may be set up on the Debug panel of the capture wizard:

Click the Start button to begin capturing frames.

Check out the Wireshark resources and then move on to the Windows frame capture lab to take a closer look at some captured frames.

macOS Setup

To capture wireless frames on macOS via the WLAN Pi, you'll need to install two components onto your Mac:

Once these steps have been completed, you'll be able to capture wireless frames using Airtool 2 via the WLAN Pi, and use Wireshark to display and decode the frames.

1️⃣ Wireshark (macOS)

Install Wireshark

Download and install the latest and greatest version of Wireshark. Even if you already have Wireshark installed, please grab the latest version to ensure you can decode Wi-Fi 6E frames correctly.

2️⃣ Airtool 2

Airtool 2 is an inexpensive packet capture tool for macOS. It is available with a 3-day free trial for those who may not own a copy.

Airtool 2 can use two sources for capturing frames over the air:

the internal wireless NIC of the Mac
a remote sensor capture device such as the WLAN Pi

Airtool 2 also makes it possible to perform affordable, multichannel captures using multiple remote sensors and Wi-Fi adapters. In our lab, we'll be using Airtool 2 with the WLAN Pi M4 as its remote sensor:

Download and install Airtool 2

Launch Airtool 2

Verify Airtool 2 is running in your menu bar (Wi-Fi icon with a wrench spanner)
Click on the Airtool 2 icon and choose Preferences:\
Ensure that "Launch capture in:" option has Wireshark selected:

Frame capture using a remote sensor (WLAN Pi)

Airtool 2 can perform remote captures by using SSH to connect from your Mac to the remote capture device (i.e., the WLAN Pi).

When Airtool 2 connects to the device using SSH, it remotely executes a series of commands to capture Wi-Fi traffic. The commands perform the following actions:

drop the device's Wi-Fi adapter (e.g. wlan0) into monitor mode
set the desired channel and channel width

Airtool 2 uses the WLAN Pi's wireless adapter (wlan0) to capture frames over the air. The frames are returned from the WLAN Pi to your Mac over an IP connection to the Ethernet port of the WLAN Pi.

Note: It's also possible to add a second wireless adapter to connect to the WLAN Pi if an Ethernet connection is unavailable. This would require a USB wireless adapter plugged into the WLAN Pi M4. If using this option, remember that the connection for the second wireless interface must not be the same as the capture channel. We will not be using this method in our lab work.

All Airtool 2 features (automatic frame slicing, capture size limits, file rotation, live captures, etc.) are available using a remote sensor in the same way as when capturing using the built-in Wi-Fi adapter.

Capturing with a sensor

To capture with a remote sensor, go to Preferences > Sensors and add a new sensor. You will need the hostname or IP address of the sensor. If the sensor is not configured to use the standard SSH port (TCP port 22), then you need to specify the correct port number in the Port field.

To start a capture using a remote sensor, choose the sensor from the Airtool 2 menu. A pop-up similar to the screenshot below will appear so details like capture interface, channel, and channel width can be selected.

Before the capture starts, you will be prompted to enter to select the channel and the channel width. The wireless interface will be automatically selected (usually wlan0), unless you enter a specific interface name (e.g., wlan1).

The remote wireless interface may not support some channels and channel widths. If the selected channel and channel width combination is not supported, the capture will fail, and you may choose to change the capture options and try again.

The first time you capture from the remote sensor, you will be prompted to authenticate using the remote device's SSH username and password. You can choose to have Airtool 2 remember the credentials, so you don't have to enter them every time you do a capture. Airtool 2 will store the credentials securely in your Mac's keychain.

Managing sensors

To manage the sensors, go to Preferences > Sensors. You can add, edit or delete existing sensors, mark sensors as favourite, and change the sensors' order by dragging the entries in the list.

If you mark the sensor as favourite, Airtool 2 will list the sensor in the main menu for quicker access.

Wireshark Resources

Download and import these super awesome 802.11 Wireshark profiles shared to the community by Eddie, Rasika, and Keith.

Import zip file (still zipped) into Wireshark by right clicking on the profile menu in the bottom right corner of Wireshark.

From the context menu: Import > From Zip File... > Select the downloaded zip file

802.11 Wireshark Profiles.zip should import 5 profiles:

Additionally, here is a collection is useful 802.11 Wireshark display filters from Wireless LAN Professionals:

Capture Labs

Wireshark Lab

Now that our Windows device is set up to allow us to capture and decode Wi-Fi frames via the WLAN Pi M4, let's capture some frames and see what's going on in our test lab.

We'll work through some simple examples of capturing frames on the 2.4 GHz, 5 GHz, and 6 GHz bands. You may choose to do as many or a few of the examples as you choose.

The lab will look at the following areas:

Customizing the Wireshark UI to provide better decoding for Wi-Fi frames.
How to start and stop a capture, and how to start a new capture.
Capturing on 2.4 GHz:
- Beacon frames
Capturing on 5 GHz:
- Reduced Neighbor Reports
Capturing on 6 GHz:
- Fast Initial Link Setup (FILS) frames

What You'll Need For This Lab

A Windows laptop with Wireshark 4.0.2 or higher installed as per the previous setup instructions. The Windows laptop should be associated to one of the lab APs so that it can contact the WLAN Pi.
A WLAN Pi M4. This should be connected to a lab switch to provide both power and network connectivity.

Customizing the Wireshark UI (Optional, but recommended)

The default coloration of Wireshark frame decodes is a fairly bland black-and-white presentation, which makes picking out the different frame types and getting a sense of the traffic flows quite tricky.

MetaGeek provides an excellent customization file that colorizes different Wi-Fi frame types and makes interpreting hundreds of frames in a capture file far more manageable. Once installed, it allows you to switch to a new "MetaGeek" profile within Wireshark to see the new options that the file provides.

The following MetaGeek page provides access to the customization file and installation instructions. It is strongly recommended that you install this profile if time allows:

Starting & Stopping Captures

Starting a Capture

The procedure for starting a capture was covered back in the setup section of this packet capture guide. Let's summarize it below:

Open Wireshark and select 'Wi-Fi remote capture' in the list of available interfaces. This launches the Wi-Fi remote capture UI:

Complete the fields in the 'Capture', Server and Authentication sections of the remote capture UI:
- Capture:
  - Remote Wi-Fi Interface name: 'auto' or 'wlan0' on the WLAN Pi M4
  - Remote Wi-Fi Channel: the channel on which frames are to be captured by the WLAN Pi M4
  - Remote Wi-Fi channel width: channel width used by the AP transmitting frames to be captured (20, 40, or 80 MHz)
  - Server:
    Remote SSH server address: IP address of the WLAN Pi M4
    Remote SSH Server port: port used for SSH communication to the WLAN Pi (this will generally be port 22)
  - Authentication:
    Remote SSH server username: username of the account used to access the WLAN Pi M4 (usually 'wlanpi')
    Remote SSH server password: password of the account used to access the WLAN Pi M4
    Path to SSH private key: (not used in this lab) filename of private key (if used) on WLAN Pi M4. This is used in place of the previous username/password field values.
- Hit the 'Start' button to start the capture. After a few seconds, the captured frames will be displayed in the Wireshark UI. The capture process will continue until manually stopped.

If you relaunch Wireshark and decide to start a subsequent capture, you may see the following error.

Unfortunately, Wireshark does not remember your password between sessions. Every time you launch Wireshark, you will need to re-enter your password before starting a new capture.

We can work around this limitation by configuring password-less SSH access. Covered in an upcoming bonus lab.

Stopping a Capture

To stop a capture, hit the red square button on the top bar of Wireshark:

Lab Exercises

2.4 GHz Capture

Let's start with a simple capture on the 2.4 GHz band. Use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use the remote capture utility to start a capture on the 2.4 GHz band as shown below (adjust for the channel being used by the lab AP):

Leave the capture going for a few seconds to gather a selection of frames. Stop the capture and review the captured frames. Can you spot any beacon frames?

To filter the Wireshark display to show just beacon frames, enter the following display filter:

wlan.fc.type_subtype == 0x8

Take a look at the frame detail of several of the beacon frames. Can you find:

The beacon's SSID name?
The AP's country code?
The channel utilization in the QBSS load element?

5 GHz Capture

Repeat the capture process of the previous example, but this time capture frames from a 5 GHz channel. Again, use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use the remote capture utility again as follows (corrected for your local AP channel):

While the capture is running, use your phone to try to associate to the lab SSID (don't worry about having the correct PSK to join the network). This will initiate probe requests from your client device and probe responses from the AP.

Stop the capture and apply the display filter shown below:

wlan.fc.type_subtype == 0x5

If all went well, you'll have a few probe responses and will be able to inspect the tagged parameters in the probe response.

Scroll through the tags and identify the "Reduced Neighbor Report" tag. Expand this and take a look at the fields available. This is the tag that identifies the 6 GHz channels that the AP is also operating on. Can you see which 6 GHz channel the lab AP is operating on?

6 GHz Capture

Finally, let's capture frames on the 6 GHz band.

MT7922 vs MT7921K

At launch the WLAN Pi M4 was assembled with a MediaTek MT7921K as the Wi-Fi NIC, this module supported Wi-Fi 6E but only up to a channel width of 80 MHz.

As of 2022, most WLAN Pi M4 units have been assembled with a MediaTek M7922 as the Wi-Fi NIC, this module supports channel widths up to 160 MHz.

How do I know which module I have?

Open up a terminal session, enter the command

wlanpi-model

The output should clearly indicate which M.2 Wi-Fi adapter you have

wlanpi@wlanpi-500:~ $ wlanpi-model
Main board:           Mcuzone
M.2 Wi-Fi adapter:    MEDIATEK Corp. MT7921K (RZ608) Wi-Fi 6E 80MHz

wlanpi@wlanpi-500:~ $ wlanpi-model
Main board:           Mcuzone
M.2 Wi-Fi adapter:    MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter

The driver indicated by FPMS will showmt7921eregardless of your installed MT7921K or MT7922 hardware. The driver is for either.

FPMS > Network > WLAN Interfaces > Driver

We'll initiate the capture as in the previous 2 examples. Use the channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Fire up a capture as follows (correct the channel for your local AP channel):

Leave the capture running for a few seconds and then stop it to review the frames collected. Notice that there are numerous "Action" frames. There is an action frame at least every 20 ms. Let's take a closer look at these to find out what's going on here.

Apply the following display filter:

wlan.fixed.publicact == 0x22

The frames we're seeing are Fast Initial Link Setup (FILS) discovery announcement frames. They're a kind of condensed beacon for the Wi-Fi 6E world. You can read more about them here:

Finally, if you have time, apply a new display filter to your captured frames to display the beacons captured:

wlan.fc.type_subtype == 0x8

Expand the "HE Capabilities" tagged parameter. Expand the HE PHY Capabilities Information section and checkout the capabilities information. Does your AP support 160 MHz channels on 6 GHz?

You're all done! Well done on completing this frame capture lab.

Airtool Lab

Let's see if we can sniff some Wi-Fi traffic on 2.4, 5 GHz, and 6 GHz!

Now that we've set up our Mac to allow us to capture and decode Wi-Fi frames via the WLAN Pi M4, let's capture some frames and see what's going on in our test lab.

We'll work through some simple examples of capturing frames on the 2.4 GHz, 5 GHz, and 6 GHz bands. You may choose to do as many or a few of the examples as you choose.

The lab will look at the following areas:

Customizing the Wireshark UI to provide better decoding for Wi-Fi frames
How to start and stop a capture, how to start a new capture
Capturing on 2.4 GHz:
- Beacon frames
Capturing on 5 GHz:
- Reduced Neighbor Reports
Capturing on 6 GHz:
- Fast Initial Link Setup (FILS) frames

What You'll Need For This Lab

A Mac with Airtool 2 installed as per the previous setup instructions. The Mac should be associated to one of the lab APs for connectivity to the WLAN Pi M4.
A WLAN Pi M4. This should be connected to a lab switch to provide both power and network connectivity.

Customizing the Wireshark UI (Optional, but recommended)

The following MetaGeek page provides access to the customization file and installation instructions. It is strongly recommended that you install this profile if time allows:

Starting a Capture

To start a capture using the WLAN Pi, select your WLAN Pi from the Airtool 2 menu (your WLAN Pi may be under the "Remote Capture" menu if you did not select it as a favorite during setup):

A pop-up for the probe appears, allowing the selection of the WLAN Pi's capture interface, band, channel, and channel width:

The first time you use the sensor, you will also be prompted to enter the login credentials for the WLAN Pi:

Wireshark will now open and display the frames being captured by the WLAN Pi.

Stopping a Capture

To stop the capture, hit the red square button on the top bar of Wireshark:

Starting a Subsequent Capture

To start a new capture, you need to quit Wireshark completely. You can then select the sensor again to start a new capture.

When you are done capturing, you need to quit Wireshark before starting a new capture. Otherwise, you will find the remote sensor 'greyed out.'

Lab Exercises

2.4 GHz Capture

Let's start with a simple capture on the 2.4 GHz band. Use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use Airtool to start a capture as shown below (adjust for the channel being used by the lab AP):

Leave the capture going for a few seconds to gather a selection of frames. Stop the capture and review the captured frames. Can you spot any beacon frames?

To filter the Wireshark display to show just beacon frames, enter the following display filter:

wlan.fc.type_subtype == 0x8

Take a look at the frame detail of several of the beacon frames. Can you find:

The beacon's SSID name?
The AP's country code?
The channel utilization in the QBSS load element?

5 GHz Capture

Use Airtool 2 again as follows (corrected for your local AP channel):

Stop the capture and apply the display filter shown below:

wlan.fc.type_subtype == 0x5

If all went well, you'll have a few probe responses and will be able to inspect the tagged parameters in the probe response.

Scroll through the tags and identify the "Reduced Neighbor Report" tag. Expand and take a look at the available fields. This is the tag that identifies the 6 GHz channels that the AP is also operating on. Can you see which 6 GHz channel the lab AP is operating on?

6 GHz Capture

Finally, let's capture frames on the 6 GHz band.

We'll initiate the capture as in the previous two examples. Again, use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Fire up a capture as follows (corrected for your local AP channel):

Leave the capture running for a few seconds and then stop it to review the frames collected.

If we're capturing on a channel where this is an AP operating as 6-GHz only from Aruba, we should we numerous "Action" frames. There is an action frame at least every 20 ms. Let's take a closer look at these to find out what's going on here.

Apply the following display filter:

wlan.fixed.publicact == 0x22

An Aruba AP only broadcasts FILS when it is operating as 6-GHz only. If there is any VAP operating in 2.4 GHz or 5 GHz on an adjacent radio, FILS is disabled automatically. If you do not see these action frames, you'll need to ask the instructor which channel to scan on to discover the AP which is operating as 6-GHz only.

The frames we're seeing are Fast Initial Link Setup (FILS) discovery announcement frames. They're a kind of condensed beacon for the Wi-Fi 6E world.

You can read more about them here:

Finally, if you have time, apply a new display filter to your captured frames to display the beacons captured:

Expand the "HE Capabilities" tagged parameter. Expand the HE PHY Capabilities Information section and take a look at the capabilities information. Does your AP support 160 MHz channels on 6 GHz?

You're all done! Well done on completing this frame capture lab.

Bonus Content: Capture on multiple channels and remote sensors

You can also use Airtool 2 to capture Wi-Fi traffic on multiple channels simultaneously by using multiple remote sensors or a single remote sensor with multiple Wi-Fi modules. Airtool 2 generates a single capture file by merging the frames captured on each sensor based on their timestamps.

To ensure the correct merging of Wi-Fi frames from each sensor, Airtool 2 requires all sensors to synchronize their time using NTP.

Airtool 2 uses the PCAP Next Generation (pcapng) Capture File Format. This format allows Airtool 2 to annotate each frame with the sensor and interface name used to capture the frame. You can use this information to filter frames by sensor and interface name in Wireshark.

You can also capture Wi-Fi traffic on multiple channels simultaneously using the same remote sensor if the remote sensor supports more than one Wi-Fi adapter. For example, if you have three remote sensors, and each sensor supports two Wi-Fi adapters, you can capture Wi-Fi traffic on six different channels simultaneously.

Advanced Airtool 2 features, such as automatic frame slicing and live captures using Wireshark, are also available for multi-source captures.

Prepare for a multi-source capture

You must first go to Preferences > Sensors and add any remote sensors you would like to use for multi-source captures. You only need to add a remote sensor the first time you use it. Subsequently, the remote sensor will always be available for multi-source captures.

Airtool 2 discovers WLAN Pi-based remote sensors deployed in your local area network automatically.

Ensure you plug in at least one compatible Wi-Fi adapter per remote sensor and know the interface name assigned to it (e.g., wlan0) as you will need it when configuring the remote sensor for capturing.

Start a multi-source capture

Choose Multi-Source Capture from the Airtool 2 menu.
Click the "+" button to add an entry for each remote sensor you want to use for capturing.
For each entry, configure which sensor, interface name, channel, and channel width you would like to use.
Click "Start Capture."

Airtool 2 won't allow you to start the capture if it detects an invalid configuration. For example, you cannot use the same sensor and interface name combination twice.

To reduce the amount of data sent back from a remote sensor, you may wish to limit each captured frame's size by enabling the "Limit each frame to" option and entering the desired frame size in bytes.

More details can be found here.

Bonus: Capture Different 6 GHz Frames

As you've learned, there are a few different Wi-Fi 6E APs in this room.

There is an tri-radio tri-band Aruba AP-635 on channel 85 broadcasting 8 SSIDs.

Let's capture on channel 85 to see how these 8 SSIDs are split up.

Do you think these are all in one MBSSID frame? Or perhaps are they in multiple MBSSID frames?

7️⃣ Bonus Capture Wi-Fi 7 Management Frames

There are two different Wi-Fi 7 APs in this room.

1. UniFi U7 Pro

This AP is broadcasting on multiple channels including 6 GHz.

2. TP-Link Archer BE550 v1.0

This AP is broadcasting on multiple channels including 6 GHz.

Take captures of both and compare and contrast the information elements to determine which supports MLO.

The answer is currently only the TP-Link Archer BE550. It is the only AP broadcasting the Multi-Link Element (MLE). This information element indicates support for Multi-Link Operation. \

The UniFi U7 will get MLO support in an upcoming firmware release.

Wireshark Lab

Now that our Windows device is set up to allow us to capture and decode Wi-Fi frames via the WLAN Pi M4, let's capture some frames and see what's going on in our test lab.

We'll work through some simple examples of capturing frames on the 2.4 GHz, 5 GHz, and 6 GHz bands. You may choose to do as many or a few of the examples as you choose.

The lab will look at the following areas:

Customizing the Wireshark UI to provide better decoding for Wi-Fi frames.
How to start and stop a capture, and how to start a new capture.
Capturing on 2.4 GHz:
- Beacon frames
Capturing on 5 GHz:
- Reduced Neighbor Reports
Capturing on 6 GHz:
- Fast Initial Link Setup (FILS) frames

What You'll Need For This Lab

A Windows laptop with Wireshark 4.0.2 or higher installed as per the previous setup instructions. The Windows laptop should be associated to one of the lab APs so that it can contact the WLAN Pi.
A WLAN Pi M4. This should be connected to a lab switch to provide both power and network connectivity.

Customizing the Wireshark UI (Optional, but recommended)

The following MetaGeek page provides access to the customization file and installation instructions. It is strongly recommended that you install this profile if time allows:

Starting & Stopping Captures

Starting a Capture

The procedure for starting a capture was covered back in the setup section of this packet capture guide. Let's summarize it below:

Open Wireshark and select 'Wi-Fi remote capture' in the list of available interfaces. This launches the Wi-Fi remote capture UI:

Complete the fields in the 'Capture', Server and Authentication sections of the remote capture UI:
- Capture:
  - Remote Wi-Fi Interface name: 'auto' or 'wlan0' on the WLAN Pi M4
  - Remote Wi-Fi Channel: the channel on which frames are to be captured by the WLAN Pi M4
  - Remote Wi-Fi channel width: channel width used by the AP transmitting frames to be captured (20, 40, or 80 MHz)
  - Server:
    Remote SSH server address: IP address of the WLAN Pi M4
    Remote SSH Server port: port used for SSH communication to the WLAN Pi (this will generally be port 22)
  - Authentication:
    Remote SSH server username: username of the account used to access the WLAN Pi M4 (usually 'wlanpi')
    Remote SSH server password: password of the account used to access the WLAN Pi M4
    Path to SSH private key: (not used in this lab) filename of private key (if used) on WLAN Pi M4. This is used in place of the previous username/password field values.
- Hit the 'Start' button to start the capture. After a few seconds, the captured frames will be displayed in the Wireshark UI. The capture process will continue until manually stopped.

If you relaunch Wireshark and decide to start a subsequent capture, you may see the following error.

Unfortunately, Wireshark does not remember your password between sessions. Every time you launch Wireshark, you will need to re-enter your password before starting a new capture.

We can work around this limitation by configuring password-less SSH access. Covered in an upcoming bonus lab.

Stopping a Capture

To stop a capture, hit the red square button on the top bar of Wireshark:

Lab Exercises

2.4 GHz Capture

Let's start with a simple capture on the 2.4 GHz band. Use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use the remote capture utility to start a capture on the 2.4 GHz band as shown below (adjust for the channel being used by the lab AP):

Leave the capture going for a few seconds to gather a selection of frames. Stop the capture and review the captured frames. Can you spot any beacon frames?

To filter the Wireshark display to show just beacon frames, enter the following display filter:

wlan.fc.type_subtype == 0x8

Take a look at the frame detail of several of the beacon frames. Can you find:

The beacon's SSID name?
The AP's country code?
The channel utilization in the QBSS load element?

5 GHz Capture

Use the remote capture utility again as follows (corrected for your local AP channel):

Stop the capture and apply the display filter shown below:

wlan.fc.type_subtype == 0x5

If all went well, you'll have a few probe responses and will be able to inspect the tagged parameters in the probe response.

6 GHz Capture

Finally, let's capture frames on the 6 GHz band.

MT7922 vs MT7921K

At launch the WLAN Pi M4 was assembled with a MediaTek MT7921K as the Wi-Fi NIC, this module supported Wi-Fi 6E but only up to a channel width of 80 MHz.

As of 2022, most WLAN Pi M4 units have been assembled with a MediaTek M7922 as the Wi-Fi NIC, this module supports channel widths up to 160 MHz.

How do I know which module I have?

Open up a terminal session, enter the command

wlanpi-model

The output should clearly indicate which M.2 Wi-Fi adapter you have

wlanpi@wlanpi-500:~ $ wlanpi-model
Main board:           Mcuzone
M.2 Wi-Fi adapter:    MEDIATEK Corp. MT7921K (RZ608) Wi-Fi 6E 80MHz

wlanpi@wlanpi-500:~ $ wlanpi-model
Main board:           Mcuzone
M.2 Wi-Fi adapter:    MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter

The driver indicated by FPMS will showmt7921eregardless of your installed MT7921K or MT7922 hardware. The driver is for either.

FPMS > Network > WLAN Interfaces > Driver

We'll initiate the capture as in the previous 2 examples. Use the channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Fire up a capture as follows (correct the channel for your local AP channel):

Apply the following display filter:

wlan.fixed.publicact == 0x22

The frames we're seeing are Fast Initial Link Setup (FILS) discovery announcement frames. They're a kind of condensed beacon for the Wi-Fi 6E world. You can read more about them here:

Finally, if you have time, apply a new display filter to your captured frames to display the beacons captured:

wlan.fc.type_subtype == 0x8

Expand the "HE Capabilities" tagged parameter. Expand the HE PHY Capabilities Information section and checkout the capabilities information. Does your AP support 160 MHz channels on 6 GHz?

You're all done! Well done on completing this frame capture lab.

Airtool Lab

Let's see if we can sniff some Wi-Fi traffic on 2.4, 5 GHz, and 6 GHz!

Now that we've set up our Mac to allow us to capture and decode Wi-Fi frames via the WLAN Pi M4, let's capture some frames and see what's going on in our test lab.

We'll work through some simple examples of capturing frames on the 2.4 GHz, 5 GHz, and 6 GHz bands. You may choose to do as many or a few of the examples as you choose.

The lab will look at the following areas:

Customizing the Wireshark UI to provide better decoding for Wi-Fi frames
How to start and stop a capture, how to start a new capture
Capturing on 2.4 GHz:
- Beacon frames
Capturing on 5 GHz:
- Reduced Neighbor Reports
Capturing on 6 GHz:
- Fast Initial Link Setup (FILS) frames

What You'll Need For This Lab

A Mac with Airtool 2 installed as per the previous setup instructions. The Mac should be associated to one of the lab APs for connectivity to the WLAN Pi M4.
A WLAN Pi M4. This should be connected to a lab switch to provide both power and network connectivity.

Customizing the Wireshark UI (Optional, but recommended)

The following MetaGeek page provides access to the customization file and installation instructions. It is strongly recommended that you install this profile if time allows:

Starting a Capture

To start a capture using the WLAN Pi, select your WLAN Pi from the Airtool 2 menu (your WLAN Pi may be under the "Remote Capture" menu if you did not select it as a favorite during setup):

A pop-up for the probe appears, allowing the selection of the WLAN Pi's capture interface, band, channel, and channel width:

The first time you use the sensor, you will also be prompted to enter the login credentials for the WLAN Pi:

Wireshark will now open and display the frames being captured by the WLAN Pi.

Stopping a Capture

To stop the capture, hit the red square button on the top bar of Wireshark:

Starting a Subsequent Capture

To start a new capture, you need to quit Wireshark completely. You can then select the sensor again to start a new capture.

When you are done capturing, you need to quit Wireshark before starting a new capture. Otherwise, you will find the remote sensor 'greyed out.'

Lab Exercises

2.4 GHz Capture

Let's start with a simple capture on the 2.4 GHz band. Use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use Airtool to start a capture as shown below (adjust for the channel being used by the lab AP):

Leave the capture going for a few seconds to gather a selection of frames. Stop the capture and review the captured frames. Can you spot any beacon frames?

To filter the Wireshark display to show just beacon frames, enter the following display filter:

wlan.fc.type_subtype == 0x8

Take a look at the frame detail of several of the beacon frames. Can you find:

The beacon's SSID name?
The AP's country code?
The channel utilization in the QBSS load element?

5 GHz Capture

Use Airtool 2 again as follows (corrected for your local AP channel):

Stop the capture and apply the display filter shown below:

wlan.fc.type_subtype == 0x5

If all went well, you'll have a few probe responses and will be able to inspect the tagged parameters in the probe response.

6 GHz Capture

Finally, let's capture frames on the 6 GHz band.

We'll initiate the capture as in the previous two examples. Again, use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Fire up a capture as follows (corrected for your local AP channel):

Leave the capture running for a few seconds and then stop it to review the frames collected.

Apply the following display filter:

wlan.fixed.publicact == 0x22

The frames we're seeing are Fast Initial Link Setup (FILS) discovery announcement frames. They're a kind of condensed beacon for the Wi-Fi 6E world.

You can read more about them here:

Finally, if you have time, apply a new display filter to your captured frames to display the beacons captured:

Expand the "HE Capabilities" tagged parameter. Expand the HE PHY Capabilities Information section and take a look at the capabilities information. Does your AP support 160 MHz channels on 6 GHz?

You're all done! Well done on completing this frame capture lab.

Bonus Content: Capture on multiple channels and remote sensors

To ensure the correct merging of Wi-Fi frames from each sensor, Airtool 2 requires all sensors to synchronize their time using NTP.

Advanced Airtool 2 features, such as automatic frame slicing and live captures using Wireshark, are also available for multi-source captures.

Prepare for a multi-source capture

Airtool 2 discovers WLAN Pi-based remote sensors deployed in your local area network automatically.

Start a multi-source capture

Choose Multi-Source Capture from the Airtool 2 menu.
Click the "+" button to add an entry for each remote sensor you want to use for capturing.
For each entry, configure which sensor, interface name, channel, and channel width you would like to use.
Click "Start Capture."

Airtool 2 won't allow you to start the capture if it detects an invalid configuration. For example, you cannot use the same sensor and interface name combination twice.

More details can be found here.