This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Differences between Monitor mode in linux and Airpcap in windows

0
1

Hi

I need to sniff WiFi packets, can anyone tell what is the difference between using Monitor mode and Aircrack-ng in linux and using the Airpcap in windows? there is any kind of data that can be extracted from one method but not from the other? what is the better way to sniff WiFi packets?

Thanks!

asked 13 Oct '15, 08:08

MichaelB's gravatar image

MichaelB
6123
accept rate: 0%

edited 13 Oct '15, 16:04

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

2 Answers:

2

IMHO, go with the Linux solution and stay away from AirPCAP! Reasons:

  1. Economical = AIRPCAP want $700 for a WiFi adapter.

  2. Technical:

a. Lack of 11ac support

b. I cannot find any documentation in which AirPCAP supports LDPC coding. Unfortunately, all the new 11n and all the 11ac adapters support LDPC. If your WiFi capturing adapter does not support LDPC, then you cannot capture data packets between the AP/wireless router and the WiFi client.

I have asked a similar question on other communities (my question was related to the preferred WiFi capturing tool/software) and all the WiFi developers came back with the same answer: use Linux and get a WiFi card that supports the features you need.

answered 13 Oct '15, 18:20

Amato_C's gravatar image

Amato_C
1.1k142032
accept rate: 14%

1

UPDATE: The AirPcap Nx WiFi adapter uses the the AR9170 WiFi chipset from Qualcomm-Atheros. The AR9170 chipset does not support LDPC coding which means that the AirPcap Nx adapter also does not support LDPC coding.

If the WLAN being monitored (Access Point and client) uses LDPC coding, then the WiFi adapter used for capturing WiFi frames must also support LDPC coding too. Otherwise, packets sent at HT or VHT rates in one or both directions will be missing or damaged. Since LDPC coding occurs at the hardware level, a firmware upgrade cannot provide LDPC coding to the WiFi adapter.

(15 Oct '15, 07:08) Amato_C

0

what is the difference between using Monitor mode and Aircrack-ng in linux and using the Airpcap in windows?

I'd say not much. In both cases you will see WLAN/Wifi frames of other stations, besides your own frames.

The main reason why you need Airpcap on Windows, is because you can't (easily) put a wlan/wifi card in monitor mode on Windows, at least not with WinPcap.

there is any kind of data that can be extracted from one method but not from the other?

Airpcap will probably report signal strength and similar HW related values, which your wifi card on Linux might or might not report (depends on the card and the driver).

what is the better way to sniff WiFi packets?

Better in terms of what? Both methods will deliver wlan/wifi frames. I don't see a way to do that 'better'.

Regards
Kurt

answered 13 Oct '15, 13:52

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%