Candela Technologies Logo
Network Testing and Emulation Solutions

Using Wireshark to Sniff WiFi Monitors

Goal: Sniff wireless traffic from a LANforge radio using Wireshark and a WiFi Monitor port.

The best way to sniff wireless packets via Wireshark in LANforge is from a monitor port that is on its own radio (no other AP, STAs, etc.). This example will walk through the monitor port creation, sniffing the monitor port, as well as Wireshark filter recommendations.

This example uses a LANforge CT523 system but the procedure should work on a CT522, CT525, or similar system.

  1. Create a monitor port.
    1. In the Port Mgr tab, select a wiphy device that you wish to sniff with (this example will use wiphy1, an ath10k radio).
    2. If the wiphy device is down, click the up arrow to enable it. screenshot
    3. Click Modify. screenshot
      1. Select the channel you wish to sniff. Channel 36 will be used for this test.
      2. Click OK.
    4. Back in the Port Mgr tab, with the wiphy device still selected, click Create. screenshot
      1. Select the WiFi Monitor option at the top.
      2. Set the Quantity to 1.
      3. Set the STA ID to 0.
      4. Click Apply and close the Create Port window.
    5. In the Port Mgr tab again, modify moni0. screenshot
      1. You can disable HT40 and HT80 here if needed.
      2. Click OK to close the window.
  2. For this current setup, traffic will be generated with a layer 3 UDP connection between two stations.
  3. For more information see Generating Traffic for WLAN Testing

  4. Use Wireshark to sniff moni0.
    1. If you are running the LANforge GUI from a Windows machine without x server installed, you will need to connect remotely to the LANforge system via rdesktop or vnc.
      1. To connect via rdesktop, type the following command into a console (replace LANforge-IP with the IP of your LANforge system):
        rdesktop LANforge-IP screenshot
        1. The login info is username/password lanforge/lanforge
      2. To connect via vnc, type the following command into a console (replace LANforge-IP with the IP of your LANforge system. Don't forget to add the ':1' after the IP):
        vncviewer [LANforge-IP]:1
        The password is lanforge. screenshot
      3. Once you have accessed the LANforge system via rdesktop or vnc, open the LANforge GUI with the desktop icon shown below. screenshot
    2. Select moni0 in the Port Mgr tab.
    3. Click the Sniff Packets button. Wireshark will now open and automatically start scanning for packets. If you get a window that warns about running as user root, click OK. screenshot
      1. To use a filter, simply add the filter constraints to the filter text box as seen below and click Apply to the right. The below screenshot has wireshark filtering on a specific IP. screenshot
      2. If you'd like to only see traffic to/from a single AP use the filter wlan.addr == [bssid] screenshot
    4. There are many filters that can be used in Wireshark. Some handy ones include:
      IP: ip.addr==x.x.x.x
      wlan MAC: wlan.addr==xx:xx:xx:xx:xx:xx
      Association request wlan.fc.type_subtype eq 0
      Association response wlan.fc.type_subtype eq 1
      Probe request wlan.fc.type_subtype eq 4
      Probe response wlan.fc.type_subtype eq 5
      Beacon wlan.fc.type_subtype eq 8
      Authentication wlan.fc.type_subtype eq 11
      Deauthentication wlan.fc.type_subtype eq 12
    5. Filters can be combined to specify if packets should match all filters (with &&) or any filters (with ||).
      For example, if you wanted to view packets that only contain both IPs and you could use the following: ip.addr== && ip.addr==
      Or, if you want to see all packets containing and all packets containing, you could use the following: ip.addr= || ip.addr==
    6. You can visit for more tips on filters.
      A handy 'cheat sheet' with most filters can be found here.

Candela  Technologies, 2417 Main Street, Suite 201, Ferndale, WA 98248, USA | | +1.360.380.1618
Facebook | LinkedIn | Blog