Capturing WLAN Frames using Linux

These steps walk you through setting up a monitor mode interface on your Debian Linux system and briefly illustrate how to capture packets and filter what is displayed using Wireshark.

These steps assume you have logged in as a non-root user.
If you have logged in as root, you can omit the ‘sudo’ portion of each command.

Log in to Kali/Linux.

From a terminal, confirm the USB adapter is connected to the Linux VM.
sudo iw dev

Disable NetworkManager
sudo systemctl stop NetworkManager

Place wlan interface into monitor mode.
sudo airmon-ng check kill
sudo airmon-ng start wlan0

Note: If that produces an error, do this instead:
sudo airmon-ng check kill
sudo ip link set dev wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set dev wlan0 up

Confirm interface is in monitor mode.
sudo iw dev
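
The monitor-mode steps above collected into one script, added here as an example (it is not part of the original walkthrough): it tries airmon-ng, falls back to the ip/iw commands if no monitor-mode interface appears, and prints the interface to capture on. The function names and the sample `iw dev` output are constructed for illustration, and it assumes airmon-ng may rename the interface (for example to wlan0mon).

```shell
#!/bin/sh
# Added example, not from the original page. It parses `iw dev` output, whose
# format iw does not promise to keep stable, so treat it as a lab convenience.

# Print "name type channel" for each interface in `iw dev` output on stdin.
iw_summary() {
    awk '
        function emit() { if (name != "") print name, type, (chan == "" ? "-" : chan) }
        $1 == "Interface" { emit(); name = $2; type = ""; chan = "" }
        $1 == "type"      { type = $2 }
        $1 == "channel"   { chan = $2 }
        END               { emit() }'
}

# Print the first monitor-mode interface name; exit status 1 if there is none.
monitor_iface() {
    iw_summary | awk '$2 == "monitor" { print $1; found = 1; exit }
                      END { exit !found }'
}

# The page's steps: airmon-ng first, then the ip/iw fallback if no
# monitor-mode interface appeared. Prints the interface to capture on.
enable_monitor() {
    ifc="${1:-wlan0}"
    sudo airmon-ng check kill >&2
    sudo airmon-ng start "$ifc" >&2 || true
    if ! sudo iw dev | monitor_iface >/dev/null; then
        sudo ip link set dev "$ifc" down
        sudo iw dev "$ifc" set type monitor
        sudo ip link set dev "$ifc" up
    fi
    # Assumption: airmon-ng may have renamed the interface (e.g. wlan0mon).
    sudo iw dev | monitor_iface || { echo "no monitor-mode interface" >&2; return 1; }
}

# Constructed sample of `iw dev` output (made-up addresses), for offline use.
sample_iw_dev() {
    cat <<'EOF'
phy#1
    Interface wlan1
        addr 02:00:00:00:01:00
        type managed
phy#0
    Interface wlan0mon
        addr 02:00:00:00:00:00
        type monitor
        channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
EOF
}
```

Use the name `enable_monitor` prints in the later airodump-ng and iw commands if it differs from wlan0.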

From a web browser, connect to the web admin interface of the access point.
Username: itdojo
Password: itdojo44

On the Wireless –> Basic Settings tab:
For Wireless Physical Interface wl0 [2.4 GHz]:

  • Wireless Mode: AP
  • Wireless Network Mode: Mixed
  • Wireless SSID: <Set to something unique for your environment>
  • Wireless Channel: Manually set to 1, 6 or 11
  • Channel width: 20 MHz
  • Leave radio buttons set to defaults.

You may need to reload the web interface after applying settings.
For Wireless Physical Interface wl1 [5 GHz]:

  • Wireless Mode: AP
  • Wireless Network Mode: Mixed
  • Wireless SSID: <Set to something unique for your environment>
  • Wireless Channel: Manually set to 1, 6 or 11
  • Channel width: 20 MHz
  • Leave radio buttons set to defaults.

Click Save.
Click Apply Settings.
Note: After settings are applied, you may need to refresh the web interface.

On the Wireless –> Wireless Security tab, set the security of both interfaces (wl0 & wl1) to be WPA2-Personal, with AES encryption. Set the passphrase to something you can remember.

Click Save.
Click Apply Settings.
Note: After settings are applied, you may need to refresh the web interface.

From a terminal on your VM, start airodump-ng to confirm you see both of your new SSIDs being advertised.
sudo airodump-ng wlan0

If, after a few seconds, you do not see your 5GHz SSID in the output, stop airodump-ng and restart as follows:
sudo airodump-ng -b ag wlan0

Once you have confirmed your SSIDs, you can stop airodump-ng.

From a terminal, launch Wireshark.
sudo wireshark &

To add channel as a column:
In the Packet List window, select any captured frame.
In the Packet Details, expand 802.11 radio information then right-click on Channel and choose Apply as Column.
You should now see Channel as one of the columns in the Packet List window.
Note: You can add any packet variable as a column doing this.

With Wireshark still running, return to a terminal and manually set the channel to the channel your 2.4 GHz AP is currently on.
sudo iw dev wlan0 set channel 6    # or whatever channel is correct for you

Note: In Wireshark, if the Packet List is not scrolling, you can enable scrolling by clicking the Automatically Scroll button in the button bar (the button with multiple vertical lines and an arrow pointing down in the bottom right-hand corner of the button). You can enable or disable automatic scrolling as you like with this button.

In the Packet List window, confirm that packets are being captured on the channel you specified.

Leave the capture running and set the channel to the 5 GHz channel you set earlier.

In the Packet List window, confirm that packets are being captured on the channel you specified.

In the Packet List window, locate and select any Beacon frame (from any SSID).

In the Packet Details window, expand the IEEE 802.11 Beacon Frame section.
Right-click on the line that reads “Type/Subtype: Beacon Frame: (0x8000)” and choose Apply As Filter –> Selected.

Your Packet List window should now only show Beacon Frames.

In the Packet Details list, select the Transmitter Address line, right-click and select Apply as Filter –> …And Selected

On the display filter line above the Packet List window, edit the filter by changing ‘wlan.ta’ to ‘wlan.addr’ and press Enter.

Your Packet List window should now only show Beacon frames from your SSID.

When you are ready to view all captured packets again, clear your display filter.