What’s the Deal with WLAN Adapters and Captures?
Jim Thor – WildPackets Professional Services
A lot of people seem to have the same questions about Wireless captures, so I thought it would be a good idea to focus on those questions this month.
What is special about Wireless captures? Wireless captures are special because most of the packets you want to capture aren’t the packets with application data in them. Most often the packets you’re interested in are the Management and Control packets. These packets are there to do exactly what their name implies – manage and control the WLAN. What’s special to note about these packets is they are always dealt with by the radio hardware; they are never passed up the stack like data packets.
Can I capture packets and connect to a WLAN with only one WLAN adapter? No, not at the same time. Because wireless technology is half-duplex, you can only listen or talk at any one point in time. Therefore, if you are constantly listening during capture, you cannot send a packet on that adapter. You will need a second adapter to connect to an active network.
Can I use any WLAN adapter to do captures? No. Unfortunately card manufacturers do not include the capabilities to put a WLAN adapter into RF Monitor mode (similar to Promiscuous mode for Wired adapters) in their drivers. To put an adapter in RF Monitor mode, you need to use the drivers provided by WildPackets®
What adapter should I buy? This isn’t so much a question of what adapter as it’s a question of what chipset the adapter is based on and what its sensitivity (more sensitive adapters can capture weaker signals) is. The main chipsets that WildPackets provides support for are from Atheros and Ralink.
- For the Atheros chipset, WildPackets supports the PCI and Cardbus adapters.
- For the Ralink chipset, WildPackets supports both PCI and Cardbus, as well as USB.
It’s important to note and be aware of that all WLAN adapters are different. Every adapter can get different results – even the same adapter model from the same manufacturer. No two adapters are identical.
Why doesn't WildPackets support all WLAN adapters? Unfortunately, drivers for WLAN adapters are legally protected and encrypted by their owners; they cannot be modified without the consent of the manufacturer. WildPackets works with all card manufacturers that will either allow us to modify their drivers or are themselves willing to modify their drivers for use with the OmniPeek Product Family.
Can I capture WLAN traffic without a supported adapter? Yes, you can; however, you will not see the Management or Control packets, nor the 802.11 headers on the data packets. You can capture the data packets, but they will look like they were captured off an Ethernet segment as all 802.11 headers would have been stripped off by the NIC before passing the packets up the stack.
Where can I find the WildPackets drivers for my adapter? Drivers are available free of charge to all WildPackets customers with current maintenance. To download the drivers for your particular adapter, login to your MyPeek account at https://mypeek.wildpackets.com/login.php. While you’re on MyPeek, check out all the great plug-ins available for your OmniPeek products!
Do I have the right driver? Is it installed properly? When you select an adapter in the Capture Options dialog box, you will see a section at the bottom of that window which says “WildPackets API”. (I’ve circled this section for you in the screenshot below.) If it says ‘Yes,’ then you’re good to go. If it says ‘No,’ then you won’t be able to capture the Management and Control packets and you won’t see the 802.11 headers on the data packets.