Capturing WLAN Packets using WireShark

If you are studying for CCNP Wireless or CWNP Certification, an essential part of the study process is actually getting to lab it all out so as to understand the concepts. I noticed that my Wireshark output lacked the 802.11 management or control packets while trying to capture Open System Authentication process. This blog will explain how to set up Wireshark for WLAN Capturing so that you do not miss the vital packet exchanges.

So far, I have just installed and opened Wireshark. I have done nothing more. Select your WiFi interface that we will use to capture traffic.


As you can see, the Capture starts from DHCP request process.2015_06_20_12_13_44_Capturing_from_Wi_Fi_Wireshark_1.12.5_v1.12.5_0_g5819e5b_from_master_1.12_

Where are the 802.11 Auth frames? Well, when capturing with Wireshark (or other tools using libpcap/WinPcap) there are two ways in which 802.11 can be supplied by the system and stored in a capture file:

  • “real” 802.11: the hardware/driver provides the actual protocol data that travels over the air, complete with 802.11 headers.
  • “fake” Ethernet:  the hardware/driver translates the 802.11 headers into Ethernet headers so that the whole packet looks like a normal Ethernet packet.

We seem to be using Option 2. We see user data packets with fake Ethernet headers. We do not see 802.11-specific management and control frames as they are discarded because there’s no equivalent to them in Ethernet


To capture the real 802.11 packets and radio layer information, then we have to capture in “monitor mode”. We need to disable the translation/filtering and see what’s “really” going on inside your WLAN. Then I read: Note that Monitor mode is not supported by WinPcap, and thus not by Wireshark or TShark, on Windows. It is supported, for at least some interfaces, on some versions of Linux, FreeBSD, NetBSD, OpenBSD, DragonFly BSD, and Mac OS X. Bummer!! Coffee Break. Will be back once I install Ubuntu 🙂

Getting Wireshark to work on Ubuntu

AM BACK with an Ubuntu desktop and ready to Install Wireshark. I must admit that Linux administration is not one of my strengths, but with google, nothing is impossible :).

To install wireshark, simply run the following command:

sudo apt-get install wireshark

Screenshot from 2015-06-20 23:47:21

After Installation, I opened the application and noticed the error “No interface can be used for capturing in this system with the current configuration.”

Screenshot from 2015-06-20 23:49:58

To fix this, simply run the following commands:

  1. Create the wireshark group.
  2. Add your username to the wireshark group
  3. Change the group  ownership of file dumpcap to wireshark
  4. Change the mode of the file dumpcap to allow execution by the group wireshark
  5. Grant capabilities with setcap

Screenshot from 2015-06-20 23:52:41

Verify the change

Screenshot from 2015-06-21 00:22:02

Screenshot from 2015-06-21 00:51:45

Now we are able to capture packets but I still see that Monitor Mode is disabled for WLAN Interface.

Screenshot from 2015-06-21 00:29:10

Enable Monitor mode for the wlan interface by double-clicking on it and checking the capture packets in monitor mode box.

Screenshot from 2015-06-21 00:37:56

Verify that Monitor Mode is now set to enabled.

Screenshot from 2015-06-21 01:01:15

When you start a capture file, you should be able to see 802.11 protocol packets.

Screenshot from 2015-06-21 00:39:05

Now that everything is set, let’s get started with the Wireless labs :).



  1. Wi-Fi (WLAN, IEEE 802.11)
  2. CaptureSetup/WLAN

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s