Letters mosaic
Return to blog

Monitor Mode and Native Capture Mode in Acrylic Wi-Fi

- Tarlogic Research

Capture in monitor mode vs. native, differences:

Monitor Mode (Promiscuous Mode or Listening Mode) and Native Capture Mode or Normal Mode are the two capture modes supported by the wifi cards in Windows and then we will see the differences of performing a capture in monitor mode vs. native.

While the capture in normal mode, focuses on identifying WiFi access points, in the capture in monitor mode, you can capture all WiFi packets, including data packets.

Depending on the type of capture, native or monitor mode, we will get a different level of information about our WiFi network and surrounding devices, here are the differences for each of these types of capture.

Native capture mode

It is the capture that supports any standard software that uses wifi. When monitoring using Native Capture Mode, wireless cards operate as a standard Wi-Fi adapter and uses the manufacturer’s drivers that are installed on the computer.

By using Windows native mechanisms, the wireless card only captures a certain type of Management packets, specifically Beacon packets, that are broadcasted by access points. These packets are transmitted several times per second by access points to broadcast networks that are currently available.

Acrylic Suite tools are compatible with any WiFi card on the market in native or normal capture mode, analyze and interpret these packets, displaying the information they contain and storing it in pcap files or in the current project.

To perform a native data capture, no special hardware is required, it is sufficient to have an integrated wifi or usb card.

Monitor mode

Monitor capture mode vs. native mode is a data capture mode that allows using the WiFi adapter in listening mode or promiscuous mode. Operating in this mode, WiFi network cards are able to capture all types of WiFi Management packets (including Beacon packets), Data packets and Control packets. This way, it is possible to visualize not only access points but also clients that are transmitting within WiFi frequency bands.

How to capture in monitor mode in windows.

Monitor capture on Windows can be enabled using Acrylic Wi-Fi Sniffer (802.11a/b/g/n/ac) to allow the other Acrylic Suite products to communicate with it to capture in monitor mode and also provide these capture capabilities to third party tools such as Wireshark.

Acrylic Wi-Fi Sniffer allows monitor mode capture in a simple manner. Because it has been designed to be an easy-to-use and cost-effective alternative to use monitor mode capture in windows, it can retrieve all available data including information about SNR (Signal-to-Noise Ratio) values.

SNR is a good parameter to measure the quality of a communication since it takes into account the received signal strength and the noise present in the wireless environment. Its value varies between 0 (worst) and 100 (best) and is considered a good value above 20.

SNR is available in both Acrylic Wi-Fi Analyzer and Acrylic Wi-Fi Heatmaps through Acrylic Wi-Fi Sniffer, it also supports the latest 802.11ac standards with all channel widths (20, 40, 80 and 160 MHz).

You can check out Acrylic Wi-Fi Sniffer compatible cards.

Available information with Acrylic Wi-Fi Analyzer

Native Mode

  • SSID
  • MAC address
  • Signal strength
  • Channels
  • Channel width
  • Bandwidth
  • IEEE 802.11
  • Maximum packet transmission rate
  • Encriptation type (WEP, WPA, WPA2, WPA3, WPS PIN)
  • Manufacturer
  • Latitude and longitude (this information is available when a GPS device is connected)

 

capture in monitor mode vs. native

Monitor mode

While performing a data capture in monitor mode, Acrylic Wi-Fi Analyzer provides, in addition to all the information available with the normal mode capture, information about the following aspects:

  • On which channels to monitor.
  • Identification of the name of hidden wifi SSIDs.
  • Client devices connected to the different access points (#)
  • Retries of sent packets (Retries)
  • Data packets (Data)
  • Management packets (Mgt)
  • Number of packets sent by that device.
  • Number of packets received by that device.

wifi capture in monitor mode vs. native on windows

Comparison: Monitor mode vs. native

Native
Monitor
Access Point Detection
SSID, RSSI, Mac, channel, vendor,…
Geopositioning capture with Latitude and Longitude
Available when GPS is connected
Network client detection
Clients of the network you are connected to
Wifi client detection
Clients connected to any AP
Detection of any wifi device
Phones, laptops, game consoles, televisions, …
Hidden SSID name detection
Find out the name of a hidden network
Noise measurements (SNR)
Measures signal interference
Data packet capture
Detect all wifi traffic
Transmission quality metrics
Packet resending rate

Plots available in using Acrylic Wi-Fi Heatmaps

Acrylic Wi-Fi Heatmaps in addition to making use of Acrylic Wi-Fi Sniffer, has built-in support for two additional methods to make use of the monitor mode, one, as implemented by Acrylic Wi-Fi Sniffer, is the capture through a Windows NDIS driver, and the other is the use of specialized Airpcap hardware, right now both the NDIS driver and these cards are obsolete and Acrylic Wi-Fi Sniffer is the recommended alternative to Airpcap. These two methods are maintained for compatibility, but are not guaranteed to remain available in future updates.

NDIS wifi driver

The NDIS driver, besides being included in Acrylic Wi-Fi Sniffer, is also available in Acrylic Wi-Fi Heatmaps and allows capture in monitor mode for 802.11a/b/g/n and 20MHz channel widths, always depending on the card, to activate the monitor capture mode it is necessary to have a compatible card and install the driver, which can be done from the application itself.

AirPCAP card

We can also perform a capture in monitor mode using specific Wi-Fi analysis hardware, such as the AirPcap cards developed by Riverbed. These cards are currently discontinued and do not support the new 802.11ac/ax standards. They only support capture in monitor mode, they are not valid for use as conventional Wi-Fi cards. If we perform a capture in monitor mode with an AirPcap card, we will be able to display, in addition to all the data available with a capture in monitor mode using a card compatible with the NDIS driver, information about the SNR (Signal-to-Noise Ratio) values.

In Acrylic Wi-Fi Heatmaps, the native capture mode, compatible with all wifi cards on the market, allows generating the following charts and diagrams (plots).

*Plots available when performing an active site survey.

Native
NDIS
Airpcap
Acrylic Wi-Fi Sniffer
Signal strength
RSSI
Coverage per access point
Coverage by channel
Channel overlap
Maximum transfer rates supported
Number of access points
Data grouped by cell
Device density
Number of wifi clients
Packet forwarding rate
Interference, signal-to-noise ratio
SNR
Capture on latest 802.11 standards
802.11 a/b/g/n/ac, widths 20,40,80,160MHz

Normal Mode

Charts available when capturing in native mode:

Monitor Mode

When performing data capture in monitor mode, in addition to all plots available using normal mode, we can show:

* Available using Acrylic Wi-Fi Sniffer or an AirPcap card

Acrylic Wi-Fi Sniffer allows capturing traffic transmitted using the latests 802.11ac standards with channel widths of 20, 40, 80 and 160Mhz. This enhancement applies to all software plots.

As you can see in the image, RF Spectrum graph is not available in any mode. This is because it is only available by using a specific device: a spectrum analyzer. If you want more information about what this chart is for, how to activate it and how to use it, please take a look at the article “Wi-Fi Spectrum Analysis, How to Perform One, and What Information It Provides