I need a sniffer to view the modulation and negotiation details for 802.11ac. I really want to be able to view the modulation details and understand the speed negotiation. Any recommendations for a good sniffer, free or paid? Even a security pen test tool, if I can see the info I need.
I did come across npcap and the radiotap headers but I couldn't find adequate instructions to get it installed. Any help is very much appreciated.
Wireshark is the standard tool and will give you all the info available from the Wi-Fi driver including RadioTap headers. If you need something beyond that, we are talking about real testing equipment and thousands of dollars.
If someone knows a solution in-between I am interested.
Can you elaborate on getting Radiotap to work with wireshark? Tutorial?
I don't know how to install the radiotap headers in Wireshark running on Windows?
If not, is there an easy Linux distro with Wireshark and radiotap ready to go? Maybe a live CD?
Wireshark comes with the RadioTap dissector. All you need is to download Wireshark, capture some Wi-Fi packets and select one.
Here is a screenshot of Wireshark 2.6.0 on Mac showing the RadioTap header: https://aijaa.com/XYJfzn (I couldn't figure out how to add an image here)
What dongles are you using with Wireshark to sniff /ac signals?
Just the built-in Wi-Fi adapter.
I haven't yet come across problems with MU-MIMO or beamforming. We'll see how 802.11ax will change the game.
Try the CACE Technologies adapter. It will allow you to see the Radiotap headers and other important frames that you'd be missing in most cases.
Personally, I use the Linksys AE6000 dongle with OmniPeek.
(Note that I stopped with the Globeron / CWNP business per 31 Dec. 2017,
but I made many items publicly available about this topic.)
* all info is here http://www.globeron.com/news/press-releases
and here www.youtube.com/wwwgloberoncom
To react on Howard:
* Savvius OmniPeek needs to use the Netgear A6210 dongle (2x2 .11ac), or use an AP that supports .11ac monitor mode and forward to OmniPeek or forward to Wireshark.
(Netgear A6200 is a different chipset)
Linksys AE6000 works, but is .11ac 1x1:1 (1 Spatial Stream, up to 433 Mbps)
See wikidevi for all details about dongles,
and mcs.index.com about data rates related to spatial streams and bandwidth.
For .11ac 3x3:3 capture, use a MacBook Air internal chipset with Wireshark and Airtool (by Adrian Granados).
(For Windows, as mentioned, Riverbed "Cace AirPcap", but this is .11n only (beacons are sent at 20 MHz anyway); you cannot capture data frames at 80 MHz, for example.)
Also on Twitter (search under @globeron) you can find details about Linux and the RTL8814AU chipset (like ComFast CF-917), .11ac 4x4:3 (3 streams!), to capture with Wireshark and the Linux drivers (but this requires some skills to put the driver in capture mode with iwdev, iw, etc.).
Or use an Access Point (AP) 4x4:4, e.g. the Cisco AP4800 is the latest AP with 4x radios built in (do not confuse 4x4:4 with 4 radios, as a 5 GHz radio is a radio chain of 4x "little" radios to provide 4x spatial streams).
Other tools (RF/Spectrum, Protocol Captures, Site Survey, Security, Management, etc.)
Hope it helps
Ronald van Kleunen CWNE #108
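The rates quoted above (433 Mbps for the 1x1:1 AE6000, 3x3:3 on the MacBook Air) follow directly from the 802.11ac VHT data-rate formula. As an added example that is not from anyone in this thread, the Python below computes the PHY rate from the MCS index, channel width, spatial-stream count and guard interval, i.e. the values Wireshark shows in the Radiotap VHT field; the modulation/coding table and the N/A combinations are taken from the IEEE 802.11ac VHT MCS tables, and the rate table printed at the end is constructed here for illustration.

```python
from fractions import Fraction

# VHT MCS index -> (coded bits per subcarrier per stream, coding rate).
VHT_MCS = {
    0: (1, Fraction(1, 2)),  # BPSK 1/2
    1: (2, Fraction(1, 2)),  # QPSK 1/2
    2: (2, Fraction(3, 4)),  # QPSK 3/4
    3: (4, Fraction(1, 2)),  # 16-QAM 1/2
    4: (4, Fraction(3, 4)),  # 16-QAM 3/4
    5: (6, Fraction(2, 3)),  # 64-QAM 2/3
    6: (6, Fraction(3, 4)),  # 64-QAM 3/4
    7: (6, Fraction(5, 6)),  # 64-QAM 5/6
    8: (8, Fraction(3, 4)),  # 256-QAM 3/4
    9: (8, Fraction(5, 6)),  # 256-QAM 5/6
}
# Data (non-pilot) OFDM subcarriers per channel width in MHz.
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}
# OFDM symbol time in microseconds: 3.2 us plus 0.4 us short GI or 0.8 us long GI.
SYMBOL_US = {True: 3.6, False: 4.0}


def vht_valid(mcs, width_mhz, nss):
    """Combinations the 802.11ac VHT MCS tables mark as not available."""
    if width_mhz == 20 and mcs == 9 and nss not in (3, 6):
        return False
    if width_mhz == 80 and mcs == 6 and nss in (3, 7):
        return False
    if width_mhz == 160 and mcs == 9 and nss == 3:
        return False
    return True


def vht_rate_mbps(mcs, width_mhz, nss, short_gi=True):
    """PHY data rate in Mbit/s, or None for an N/A combination."""
    if mcs not in VHT_MCS or width_mhz not in DATA_SUBCARRIERS or not 1 <= nss <= 8:
        raise ValueError("not a VHT parameter set")
    if not vht_valid(mcs, width_mhz, nss):
        return None
    bits, coding_rate = VHT_MCS[mcs]
    # Data bits carried per OFDM symbol across all spatial streams.
    data_bits = DATA_SUBCARRIERS[width_mhz] * bits * coding_rate * nss
    return round(float(data_bits) / SYMBOL_US[short_gi], 1)


if __name__ == "__main__":
    # Constructed comparison: top MCS at 80 MHz, short GI, for the 1x1 dongle up to a 4x4:4 AP.
    for nss in (1, 2, 3, 4):
        print(f"{nss}x{nss}:{nss} 80 MHz MCS9 SGI -> {vht_rate_mbps(9, 80, nss)} Mbps")
```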
Thanks Ronald, for mentioning the single stream limitation of the AE6000, I had forgotten about that.
I find it very useful in my situation, as our devices are only single stream. They do support 20, 40 and 80 MHz widths.
Personally I have not seen any customers using 80 MHz, but most of our customers are enterprise class, and they are under different constraints.
Devices such as bar code scanners, printers, and other physically constrained devices really don't need high throughput. Even the fastest printers are limited by the physical limitations and speeds that they can print at.
Thanks for all the references too.
I especially liked the roaming analysis tools paper. It was very complete.