How to capture WiFi traffic using Wireshark on Windows


Wireshark uses the libpcap or Winpcap libraries to capture network traffic on Windows. The Winpcap libraries are not intended to work with wireless network cards, so they do not support capturing WiFi network traffic with Wireshark on Windows. As a result, Wireshark monitor mode for Windows is not supported by default.

Winpcap Capture Limitations and WiFi traffic on Wireshark

Capture is limited mostly by Winpcap, not by Wireshark. However, Wireshark includes support for Airpcap, a special (and expensive) set of WiFi network adapters whose drivers support network traffic monitoring in monitor mode. In other words, WiFi network traffic capturing in promiscuous mode.

Acrylic WiFi products include an NDIS traffic capture driver that captures WiFi network traffic in monitor mode on Windows, which makes it possible to capture WiFi traffic with Wireshark on Windows Vista, Windows 7, Windows 8, and Windows 8.1. This driver also adds wireless network compatibility on Windows to other WiFi sniffers.

NDIS Driver and WiFi interfaces on Wireshark

To make this integration possible, Acrylic installs an airpcap.dll library in the system. When Wireshark loads the installed airpcap library, the library returns a fake list of installed Airpcap network cards: one Airpcap device for each integrated WiFi network card or external USB WiFi network card.

WiFi network card using Wireshark on Windows

With this method, you can use your preferred Airpcap-compatible network analyzer to monitor WiFi packets under Windows. You can view WiFi traffic with Wireshark, Cain & Abel, Elcomsoft Wireless Security Auditor, or Acrylic. Double-clicking the network interface in Wireshark opens the interface settings. There you can see that the interface shows a link-layer header, which includes signal level information for each captured packet.

Wireshark NDIS WiFi interface detail on Windows

By clicking on the “Wireless settings” button, you can configure advanced settings, such as the WiFi channel to monitor and the FCS check. FCS, or Frame Check Sequence, is an integrity check value carried by WiFi network packets that is used to discard corrupt packets.

Wireshark select channel using NDIS WiFi network card on Windows

WiFi traffic capturing using Wireshark

In short, after installing Acrylic WiFi, launch Wireshark with Administrator privileges (right-click the Wireshark icon and select “Run as administrator”) and select any NDIS network interface WiFi network card. In this example, that is the Dell integrated WiFi network card (Dell Wireless 1702/b/g/n).

Wireshark Capture NDIS WiFi Windows


Download Acrylic WiFi Professional for free and start capturing WiFi packets under Windows. If you like Acrylic, support us by registering your Acrylic WiFi Professional license and become a Wi-Fi PRO! (Advanced and additional packet capture capabilities will be available soon.)


By | 2017-10-26T15:40:32+00:00 9 May. 2014|36 Comments

36 Comments

  1. Nigel 10 May, 2014 at 14:33 - Reply

    Hi,

    This is a great feature! Being able to use Wireshark in Windows for WiFi capturing has always been difficult and has required specific wireless interface cards to capture in monitor mode. Your solution means that anyone can now capture WiFi packets, which is great news.

    I have been testing some captures in Wireshark and it seems to work well. One question I have is around channel offsets. No matter which wireless NIC I use, the channel offset option is always grayed out. Will you be building in support for 40MHz and 80MHz channels (assuming the NIC can support those channel widths)?

    Thanks

    Nigel.

  2. Tarlogic Security 10 May, 2014 at 15:44 - Reply

    Thanks for your comment Nigel. We are still enhancing our NDIS driver. I’ll forward your comments to our dev team.

    WiFi packet capture is also supported under Windows with Elcomsoft software and Cain & Abel.

  3. Brian 12 August, 2014 at 07:19 - Reply

    Do you have recommended/supported drivers? I’m using WUSB6300, but a) in Wireshark, the timestamps are negative but unchanging, b) the RSSIs in the radiotap header are always 0, and c) the FCS bytes aren’t passed up to Wireshark (regardless of what I select in “Wireless Settings”) and so Wireshark is treating the last 4 bytes as FCS (so everything is malformed). Some of this might be Wireshark related (v1.8.6), but I suspect some of this is adapter related too.

    • Tarlogic Security 12 August, 2014 at 10:05 - Reply

      Hello Brian,

      You can check for compatible hardware at https://www.acrylicwifi.com/en/support/compatible-hardware/. Wireshark timestamps are currently not implemented in our wrapper library, but it’s planned on our TODO. Next releases will include that option.
      Regarding b) and c), unfortunately this is not a Wireshark nor Acrylic related issue. The problem lies in the NDIS interface implementation of some manufacturers. Although they’re WHQL-certified by Microsoft, many of these NDIS implementations are broken or at least not fully compliant when using monitor mode. That’s the reason why RSSIs are always 0 on your device (some manufacturers have only values of -100, -50 or 0, for instance). Same with FCS. Our driver requests the NDIS interface to return frames with the specified FCS configuration, and it is the manufacturer driver’s responsibility to check if FCS is correct or not. However, some driver implementations do not return those four FCS bytes, or they return garbage instead.

      We have been trying to contact several vendors but at this time only Broadcom answered us. They state that their drivers are fully NDIS compliant.

      The solution is to use compatible hardware listed at https://www.acrylicwifi.com/en/support/compatible-hardware/. Feel free to report to us information about compatibility and other bugs.
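
The link-layer (radiotap) header described in the article and the RSSI and FCS symptoms discussed in this thread can be checked per packet. The following is an added example, not part of the original article or comments and not Acrylic's or Wireshark's code: it parses the radiotap Flags and dBm signal fields and verifies the trailing CRC-32. The function names and the sample packets are constructed for illustration.

```python
import struct
import zlib

# (alignment, size) of radiotap fields for present bits 0..5, in bit order
FIELDS = [(8, 8), (1, 1), (1, 1), (2, 4), (2, 2), (1, 1)]
TSFT, FLAGS, RATE, CHANNEL, FHSS, DBM_SIGNAL = range(6)
FLAG_FCS_AT_END = 0x10  # radiotap Flags bit: frame data includes the FCS

def parse_radiotap(pkt):
    """Return (header_len, flags, dbm_signal); flags/signal are None if absent."""
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or hdr_len < 8 or hdr_len > len(pkt):
        raise ValueError("not a valid radiotap header")
    off, word = 8, present
    while word & 0x80000000:          # bit 31: another present word follows
        (word,) = struct.unpack_from("<I", pkt, off)
        off += 4
    values = {}
    for bit, (align, size) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        off = (off + align - 1) & ~(align - 1)   # fields are naturally aligned
        if off + size > hdr_len:
            raise ValueError("radiotap field runs past header length")
        values[bit] = pkt[off:off + size]
        off += size
    flags = values[FLAGS][0] if FLAGS in values else None
    sig = struct.unpack("b", values[DBM_SIGNAL])[0] if DBM_SIGNAL in values else None
    return hdr_len, flags, sig

def diagnose(pkt):
    """Report signal level, whether the header claims an FCS, and whether one is really there."""
    hdr_len, flags, sig = parse_radiotap(pkt)
    frame = pkt[hdr_len:]
    claims_fcs = bool(flags is not None and flags & FLAG_FCS_AT_END)
    crc_ok = len(frame) > 4 and struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]
    return {"signal_dbm": sig, "claims_fcs": claims_fcs, "trailing_crc_valid": crc_ok}

def build_sample(signal, with_fcs, flag_fcs):
    # Constructed packet: radiotap (Flags + dBm signal) + 802.11 ACK to a made-up MAC
    frame = bytes.fromhex("d4000000") + bytes.fromhex("001122334455")
    flags = FLAG_FCS_AT_END if flag_fcs else 0
    hdr = struct.pack("<BBHIBb", 0, 0, 10, (1 << FLAGS) | (1 << DBM_SIGNAL), flags, signal)
    fcs = struct.pack("<I", zlib.crc32(frame)) if with_fcs else b""
    return hdr + frame + fcs

if __name__ == "__main__":
    print(diagnose(build_sample(-42, True, True)))   # well-behaved driver
    print(diagnose(build_sample(0, False, True)))    # FCS claimed but not delivered
```

A capture in which every frame reports `claims_fcs` true but `trailing_crc_valid` false, with `signal_dbm` fixed at 0, matches the adapter-driver behaviour described in the reply above rather than a Wireshark fault.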

  4. Tarlogic Security 21 August, 2014 at 10:21 - Reply

    We have fixed some Radiotap issues like timestamps and rates information and improved data capture speed with Wireshark. Those enhancements are now included at Acrylic WiFi v2.0.

  5. Kirk Klassen 30 September, 2014 at 19:33 - Reply

    Awesome product, cannot wait to learn more about it and how to use it.

  6. Kevin 15 January, 2015 at 21:39 - Reply

    I would like to echo Nigel’s request for supported channel offset in monitor mode. I am using a Netgear A6200 (as per AcrylicWifi recommendation) but also appear unable to capture wide channels in monitor mode.

    • Tarlogic Security 17 January, 2015 at 20:36 - Reply

      Hello Kevin,

      NDIS drivers don’t allow switching to 40MHz wide channels to perform packet capture in monitor mode. We are testing several methods to be able to capture under those networks and include that feature in upcoming software releases 🙂

  7. Jürgen 11 February, 2015 at 12:17 - Reply

    I get this error when installing the Airpcap emulation: “Unable to install NDIS driver (102760528)”
    I’m using Windows 8.1 with a Netgear A6200 and Acrylic WiFi 2.2.

    • Tarlogic Security 8 June, 2015 at 09:47 - Reply

      Hello,

      The error arises while copying the 32-bit version of msvcp110.dll (which is a Microsoft library). The installer detects that the file doesn’t exist and proceeds to install it. But at the time of copying it to syswow64, the copy function fails because the file already exists, so the installer stops the execution.

      We suspect that there is some flag on the file that makes the function that checks whether it exists return a false negative. Could you check if that file already exists in c:\WINDOWS\SYSWOW64?

      As a workaround, please try to temporarily remove msvcp110.dll and msvcr110.dll from c:\windows\SYSWOW64 (please make a backup of those files), and run the installer again. The installer should correctly copy those files after the installation.

  8. Batelo 18 March, 2015 at 13:55 - Reply

    Nice post, but I have one question: is there any way to handle a large amount of PCAP files? I mean I have collected too much data using airodump-ng and I have a PCAP file. But when I was using Wireshark for the analysis process it was very difficult to filter the interesting part. So I have used the PCAP2XML tool for converting my PCAP file into XML or an SQLite db and only getting the part I am interested in, like MAC addresses, destination address and all. Have a look, and also please let me know if some other tools are available.

    Tool: – http://bit.ly/1DxcncQ
    Tool Blog: – http://bit.ly/1DxciWG

    • Tarlogic Security 8 June, 2015 at 09:51 - Reply

      Nice tool!

      I’m not aware of other tools to perform that kind of analysis. Note however that pcap files can be opened with Acrylic WiFi Professional to view information about connections.

  9. om wireless 9 April, 2015 at 09:35 - Reply

    I am facing a problem configuring the channel. No matter whether I select it from the toolbar within Wireshark or double-click on the interface and then change it from the wireless settings, I always see that it is not capturing on the channel which I selected.

    • Tarlogic Security 14 June, 2015 at 10:53 - Reply

      Check if you are running Wireshark with Administrator rights.
      If you are still not receiving packets, check that the Acrylic WiFi packet capture driver option was selected when installing Acrylic WiFi and that your wlan card is compatible with monitor mode.

  10. Iwizzie 8 June, 2015 at 01:36 - Reply

    Can you email me a PDF about hacking WiFi using Wireshark please? I am studying ICT and I am a beginner in hacking. My friends told me about Wireshark but I don’t know how to use it. I will be grateful for your help.

    • Tarlogic Security 8 June, 2015 at 09:54 - Reply

      Well, Wireshark is a packet analysis tool, not a hacking tool by itself. Unfortunately we can’t provide you support in that way, only for Acrylic WiFi related issues.
      Take a look at the Wireshark wiki – https://wiki.wireshark.org/Wi-Fi

  11. Jonny 8 June, 2015 at 11:36 - Reply

    Hi Guys

    When I run wireshark and try to capture wifi probe requests it only starts to work if I have Acrylic running in the background. Is this a requirement to use wireshark to capture in monitor mode ?

    Cheers
    Jonny

    • Tarlogic Security 8 June, 2015 at 11:50 - Reply

      It shouldn’t be a requirement. Maybe it’s due to the current channel configuration. Please be sure to execute Wireshark as Administrator and let us know if it works for you.

  12. Paul 14 June, 2015 at 00:15 - Reply

    Hello,

    I want to try Acrylic WiFi with the Wireshark capture function.
    Unfortunately I receive the following error:

    Unable to install integration modules (4194336)
    Close the installer and try to install again.

    I closed and tried again, without success.
    I also checked the msvcp and msvcr dlls in SysWOW64 and deleted them, without success.

    System: W7 64 bit

    Any ideas?

    • Tarlogic Security 14 June, 2015 at 10:51 - Reply

      Hello,
      The problem is that the installer can’t copy airpcap integration libraries because they’re already in use by another program.
      Please check that there is no instance of Acrylic, Wireshark, or any other software that uses airpcap, running while installing the integration modules.

      Let me know if this solves your issue.

  13. Abhishek 25 September, 2015 at 17:32 - Reply

    Wireshark collects packets of the already connected WiFi. I want to collect packets of a non-connected WiFi. Is this possible?

  14. Manu 6 February, 2016 at 19:58 - Reply

    I am facing a screen saying it can’t install the NDIS driver!
    Code:0x80070005
    pls help me resolve issue.

  15. james 10 February, 2016 at 11:48 - Reply

    Hi, I am not a hacker by any means, and have limited cpu skills, how easy is this software to use for some one such as myself ? thanks in advance.

    • Maria Fernandez Bouzas 23 February, 2016 at 09:49 - Reply

      Hi James! Acrylic WiFi Professional is meant to be used by anyone, from WiFi professionals to users that want to check their own home wireless service. It is a very user-friendly software but if you have any doubts you can drop us an email and our support team will help you as soon as possible: support@acrylicwifi.com. Best regards!

  16. Ronit 28 February, 2016 at 09:12 - Reply

    I am trying to use elcomsoft wireless security auditor for packet sniffing but it was unable to find any airpcap card

    • Tarlogic Security 13 March, 2016 at 12:31 - Reply

      Hello Ronit,

      Please check that the Acrylic WiFi integration modules were installed (if unsure, just reinstall). Your wlan card should be compatible with monitor mode and you should be able to capture packets with Acrylic WiFi Professional. If that’s working, then try to run the Elcomsoft software as administrator.
      Thanks,

  17. prabha 7 March, 2016 at 05:02 - Reply

    hey, my wifi stops working when I start capturing packets, all networks are disconnecting, they are getting back to normal after I close wireshark, I can only see 802.11 beacon frames, nothing else , wifi stops after that.

  18. Abhi 21 March, 2016 at 12:12 - Reply

    Hi,
    Sir, I need to know the method to capture packets from a remote machine in Windows 7.
    Is it possible with Wireshark?

  19. Igor 25 May, 2016 at 22:17 - Reply

    I’ve installed a NDIS driver but when I’m trying to sniff Wi-Fi traffic (either in Wireshark or in Acryl) Wi-Fi connection fails (even credentials pop-up window doesn’t appear) and Windows event log says that this network is unavailable. If I stop sniffing, Wi-Fi works well. Any ideas?

    • Tarlogic Security 1 June, 2016 at 12:25 - Reply

      Hello Igor,
      That’s the expected behaviour. While using your WiFi adapter to inspect WiFi traffic the NDIS driver will take complete control of it, so you’re not going to be able to use the WiFi connection while monitoring. This is necessary in order to set the adapter into a special mode so it can capture WiFi traffic. Besides, as monitoring performs channel hopping (i.e. constantly changing the frequency to receive packets from all channels), it’s not possible to maintain a connection with a WiFi network on a specific channel.

      Hope this clarifies your question.

  20. Sancho 1 June, 2016 at 00:46 - Reply

    Hello,
    My wifi card is a Realtek RTL8723BE Wireless LAN 802.11n PCI-E NIC, clearly not present within the list of compatible wifi cards for Acrylic, therefore unable to work with Wireshark.
    Nevertheless, apparently Acrylic Wifi Professional Tool (on Windows 10) is able to sniff networks and packets and it confuses me a little bit.

    Then, if I understood it properly, should I buy and use an external USB in order to be able to use Wireshark?
    Maybe I should wait for a new compatible release?

    • Tarlogic Security 1 June, 2016 at 12:34 - Reply

      Hello Sancho,

      With Acrylic WiFi you can see your surrounding networks with all WiFi adapters. Only the special feature ‘Monitor mode’ requires a supported adapter. However, even if your adapter is not listed as supported it’s possible that the software can inspect WiFi traffic correctly. The adapters listed on our website are a group that we have tested and proved to work, but they are not the only ones that will work.

      If you can see packets on Acrylic WiFi selecting your adapter in ‘Monitor mode’, then you should be able to see them also in Wireshark. If not, please run Wireshark as administrator.

      Hope this helps
