Vous êtes sur la page 1sur 9



How to capture WiFi traffic using Wireshark
on Windows
Acrylic WiFi professional
Acrylic WiFi Free
How to capture WiFi traffic using Wireshark on Windows
Previous Next
How to capture WiFi traffic using Wireshark on Windows
Wireshark uses libpcap or Winpcap libraries to capture network traffic on Windows. Winpcap
libraries are not intended to work with wireless network cards, therefore they do not support WiFi
network traffic capturing using Wireshark on Windows. Therefore, Wireshark monitor mode for
Windows is not supported by default.
Winpcap Capture Limitations and WiFi traffic on Wireshark
Capture is mostly limited by Winpcap and not by Wireshark. However, Wireshark
includes Airpcap support, a special -and expensive- set of WiFi network adapters, which drivers
support network traffic monitoring on monitor mode. In other words, WiFi network traffic capturing
on promiscuous mode.
Acrylic WiFi products include an NDIS traffic capture driver that captures WiFi network traffic on
monitor mode on Windows, capturing WiFi traffic with Wireshark on Windows Vista, Windows 7,
Windows 8, and Windows 8.1. This driver adds wireless network compatibility on Windows to other
WiFi sniffers.
NDIS Driver and WiFi interfaces on Wireshark
To make this integration possible, Acrylic installs an airpcap.dll library in the system. When
Wireshark loads the installed airpcap library, it returns a fake list of airpcap network cards installed.
One Airpcap device for each integrated WiFi network card or external USB WiFi network card.

Through this method, you can use your preferred network analyzer compatible with Airpcap to
monitor WiFi packets under windows. You can view wifi traffic by using Wireshark, cain & Abel,
Elcomsoft wireless security auditor or with Acrylic. By double clicking on the network interface on
wireshark, you can access the interface settings. You can see that the interface shows a link-layer
header, which includes captured packet signal level information.

By clicking on the Wireless settings button, you can configure advanced settings, such as WiFi
channel to monitor and FCS check. FCS, or Frame Check Sequence, is a WiFi network packet
integrity signature that discards corrupt packets.

WiFi traffic capturing using Wireshark
All in all, after installing Acrylic WiFi, launch Wireshark with Administrator privileges (by right clicking
on the Wireshark icon and selecting Run as administrator) and select any NDIS network interface
WiFi network card. In this example, the Dell integrated WiFi network card (Dell Wireless 1702/b/g/n).

Video tutorial Acrylic WiFi NDIS driver with Wireshark on Windows
Download Acrylic WiFi Professional for free and start capturing WiFi packets under Windows. If you
like Acrylic, support us by registering your Acrylic WiFi professional license and become a Wi-Fi

Capture WiFi with Wireshark under windows
Analyze your WiFi with Acrylic and enable monitor mode under windows
Do you like Acrylic WiFi? Drop us a comment and share this article over social networks. Dont
forget to check our hardware compatibility list for better performance.
By Tarlogic Security|May 9th, 2014|Acrylic WiFi Free, Acrylic WiFi professional|5 Comments
Share This Story, Choose Your Platform!
Google +1
About the Author: Tarlogic Security

Tarlogic is an spanish startup security company, focused on ethical hacking services and advanced
WLAN analysis. We are Wi-Fi enthusiasts and we develop WLAN software for security, monitoring,
troubleshooting, coverage analysis and site survey.
Nigel 10 May, 2014 at 14:33 - Reply
This is a great feature! Being able to use Wireshark in Windows for WiFi capturing has been always
been difficult and has required specific wireless interface cards to capture in monitor mode. Your
solution means that anyone can now capture WiFi packets, which is great news.
I have been testing some captures in Wireshark and it seems to work well. One question I have is
around channel offsets. No matter which wireless NIC I use, the channel offset option is always
grayed out. Will you be building in support for 40Mhz and 80Mhz channels (assuming the NIC can
support those channel widths)?
Tarlogic Security 10 May, 2014 at 15:44 - Reply
Thanks for your comment Nigel. We are still enhancing our NDIS driver. Ill forward your comments
to our dev team.
WiFi packet capture is also supported under windows with Elcomsoft software and Cain & Abel .
Brian 12 August, 2014 at 07:19 - Reply
Do you have recommended/supported drivers? Im using WUSB6300,, but a) in Wireshark, the
timestamps are negative but unchanging, b) the RSSIs in the radiotap header are always 0, and c)
the FCS bytes arent passed up to Wireshark (regardless of what I select in Wireless Settings) and
so Wireshark is treating the last 4 bytes as FCS (so everything is malformed). Some of this might be
Wireshark related (v1.8.6), but I suspect some of this is adapter related too.
Tarlogic Security 12 August, 2014 at 10:05 - Reply
Hello Brian,
You can check for compatible hardware
athttps://www.acrylicwifi.com/en/support/compatible-hardware/. Wireshark
timestamps are currently not implemented in our wrapper library, but its planned
on our TODO. Next releases will include that option.
Regarding b) and c) unfortunately this is not a Wireshark nor Acrylic related issue.
The problem relies on the NDIS interface implementation of some manufacturers.
Despite theyre WHQL-certified by Microsoft, many of these NDIS
implementations are broken or at least not fully compliant when using monitor
mode. Thats the reason why RSSIs are always 0 on your device (some
manufacturers have only values of -100, -50 or 0, for instance). Same with FCS.
Our driver request NDIS interface to return frames with the specified FCS
configuration and is the manufacturer driver responsibility to check if FCS is
correct or not. However, some driver implementations do not return those four
FCS bytes, or they return garbage instead.
We have been trying to contact several vendors but at this time only Broadcom
answered us. They state that their drivers are fully NDIS compliant.
The solution is to use compatible hardware listed
athttps://www.acrylicwifi.com/en/support/compatible-hardware/ . Feel free to
report us information about compatibility and other bugs.
Tarlogic Security 21 August, 2014 at 10:21 - Reply
We have fixed some Radiotap issues like timestamps and rates information and improved data
capture speed with Wireshark. Those enhancements are now included at Acrylic WiFi v2.0.
Leave A Comment

Post Comment

Acrylic WiFi Free
Acrylic WiFi heatmaps
Acrylic WiFi pentester
Acrylic WiFi professional
Sin categora

How to capture WiFi traffic using Wireshark on Windows
May 9th, 2014

10 Advanced things with Acrylic WiFi Free and WLAN NDIS driver
March 7th, 2014
How to Create a Wireless Network Site Survey Project
May 9th, 2014
airpcap alternative calibrate wifi map capture wifi coverage map coverage
mapscoverage report device inventory kml wifi monitor mode wifi windows ndis driver ndis wifi onsite
survey packet retry Site survey site survey program site survey project site survey
WiFi tutorial wifi capture wifi coverage mapwifi cracking WiFI incidence resolution WiFi map WiFi
measurementsWiFi performance WiFi security wifi sniffer wifi
speed wireshark wlan analysis wlan heat map wlan scanner WLAN
Scope wlan software
August 2014
July 2014
May 2014
March 2014
February 2014
December 2013
Contact Info
Email: support@acrylicwifi.com
Web: Tarlogic Security
Free WLAN Scanner Acrylic WiFi
Professional Wi-Fi analyzer
Heatmaps WiFi site survey
Acrylic WiFi security analysis
Acrylic WiFi Pentester
Acrylic WiFi Law Enforcement
Company Info
Acrylic WiFi Partners
Privacy policy
Quality policy
Monitor mode hardware
Video tutorials
WiFi software Acrylic WiFi Free and professional v2.0
Is a Hidden WiFi Network Secure? (Hidden SSID)
Is a WPA/WPA2 Wi-Fi network secure?
View WiFi Map with Heatmaps v2.0 site survey evolved
Copyright 2014 Tarlogic Security | All Rights Reserved