WLAN Management Packet Captures - Windows 10

I have managed to finally get a USB wireless adapter working in monitor mode on Windows 10 which means I can finally go through a few in depth wireless packet captures. This will be a quick post on how I managed to get it all going and a bit of background information as to why this was needed when it comes to wireless.

First WLAN management frames, Association, Authentication, Probes, and Beacons to name a few all have their frame control field set to 0. You unfortunately can't capture these packets using most generic adapters as most are missing one main function; the ability to flip into monitor mode. If you opened up Wireshark or Omnipeek and try to run a quick capture, you will find it will contain all the generic traffic you have probably seen before but no management frames which is intentional part of the wireless standard.

To capture management frames you will need to get a standalone wireless adapter that is capable of monitor mode. I went through and did a bit of research on adapters that were viable and came across the NetGear A6210 USB adapter that is capable of 11ac which is perfect for what I need. If you want you can get a cheaper adapter only capable of 11n but this may cause issues when trying to decode 11ac packets. 

The adapter arrived a few days ago and I have been playing around with different setups. First I tried running it through a Kali Linux VM but had issues with the VM registering the antenna as an ethernet interface so I moved to Windows 10 which I read can be a bit tricky due to the limitations with the OS. 

I tried getting the adapter going on Wireshark but I had issues with not being able to change the Link-Layer header from Ethernet over to 802.11. Thankfully I did manage to find a program lurking in a few forums that people had recommended which is Microsoft Network Monitor (link below) which is quite an old bit of kit Microsoft has recently put into its archives. 

The installation is a generic click next to install with no specific configurations needed and should boot up fine on Windows 10. After the program has loaded you will be presented with the home page where you will want to click "New Capture" in the top left corner. 

 

 

You will then see a Capture Settings button again on the top bar, which will show you all available adapters on your device. For my example I will be selecting Wi-Fi 3 which is my NetGear adapter. 

 


 

You might have to change the mode of the interface over to monitor manually. This can be done by selecting the interface as seen above and clicking the properties button. This will show you the options page and you then have to click the tick box "Switch to monitor mode" and click Apply.

 


After you can click close and hit F5 which will start capture, this (with any luck) will start capturing data and you'll be good to go.

I don’t hugely mind the interface but find Wireshark to be a bit nicer when it comes to frame structure and also the filters so if you want to save a capture it can be opened in any of the other protocol analysers just fine.


 

References: 

NetGear Adapter: 
https://www.amazon.co.uk/gp/product/B00OT586RQ/ref=ppx_yo_dt_b_asin_title_o01_s00?ie=UTF8&psc=1

Microsoft Network Monitor
https://www.microsoft.com/en-gb/download/details.aspx?id=4865

Comments

Post a Comment

Popular posts from this blog

Wireless Modulation - BPSK, QPSK and QAM

Image
Modulation is one of the key components relating to how your network traffic is translated into a format that is traversable over  any network infrastructure either wired or (and the topic of this post) wireless connections.  Modulation sits at the lowest level of the OSI model, the Physical Layer (Layer 1).  Think of modulation in a real world example, as a translator. Preparing the data received from the higher layers of the OSI model into a more accessible and easily transmitted format across the network and more specifically relating to Wi-Fi, across the antennas transmitters/receiver hardware.   Wi-Fi modulation has seen many changes across its evolution from it's first initial standard in 1997 and is still changing even now with the currently in development standard Wi-Fi 7 (11be) which we will also cover in terms of it's changes to modulation.   There is three main ways that modulation takes place in Wi-Fi, and they're as follows, Binary Pha...
Read more

Wi-Fi 6E (6Ghz) Design Considerations

Image
Wi-Fi 6E capable networks are few and far between from what I've seen in the wireless world. We have seen a huge uplift of devices capable of accessing this previously unused spectrum. However I've found that wireless networks are still playing catch up when it comes to deploying a 6Ghz capable network.  So to educate a few people and to refresh my own knowledge, this blog post will cover off a bit of background information when it comes to the new 6Ghz spectrum. I'll go over the EU, UK and US standpoints and their differences, client connectivity and overall the challenges that you may come across when designing a 6Ghz capable network (most likely) alongside your existing 2.4Ghz and 5Ghz networks.  The certification was ratified by the Wi-Fi Alliance in 2021, not long after the Wi-Fi 6 standard itself was approved by the IEEE back in 2020. 6E (as I will call it going forward), as previously mentioned allows the use of the 6Ghz spectrum previously unused within the Wi-Fi sp...
Read more

802.11 Frame Types - Management Frames

Image
802.11 Management Frames are used primarily as the name might suggest, to manage the wireless medium. The type of value regardless of which management subtype you see (covering this shortly) will always be shown as Type 00 as highlighted in the image below. This helps identify to the wireless device that the packet is a management frame; the same function happens for the control "01" and data frames "10".  Management frames come in different shapes and sizes but some of the most important are as follows: Beacon: Beacon frames are transmitted by the Access Point to announce the existence of a Basic Service Set. This will contain information about the BSS such as the SSID, supported data rates, country and (due to most APs being 11n and 11ac capable) 11n and 11ac capabilities and information. It's worth noting beacons are transmitted at set intervals, this can be configured to either increase or decrease the time frame in between ...
Read more