This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi

I need to sniff WiFi packets. Can anyone tell me what the difference is between using monitor mode and Aircrack-ng on Linux and using AirPcap on Windows? Is there any kind of data that can be extracted with one method but not with the other? What is the better way to sniff WiFi packets?

Thanks!

asked 13 Oct '15, 08:08

MichaelB
6123
accept rate: 0%

edited 13 Oct '15, 16:04

Guy Harris ♦♦
17.4k335196


IMHO, go with the Linux solution and stay away from AirPcap! Reasons:

  1. Economical: AirPcap wants $700 for a WiFi adapter.

  2. Technical:

     a. Lack of 11ac support

     b. I cannot find any documentation stating that AirPcap supports LDPC coding. Unfortunately, all the new 11n and all the 11ac adapters support LDPC. If your WiFi capturing adapter does not support LDPC, then you cannot capture data packets between the AP/wireless router and the WiFi client.

I have asked a similar question on other communities (my question was related to the preferred WiFi capturing tool/software) and all the WiFi developers came back with the same answer: use Linux and get a WiFi card that supports the features you need.

answered 13 Oct '15, 18:20

Amato_C
1.1k142032
accept rate: 14%

1

UPDATE: The AirPcap Nx WiFi adapter uses the AR9170 WiFi chipset from Qualcomm-Atheros. The AR9170 chipset does not support LDPC coding, which means that the AirPcap Nx adapter also does not support LDPC coding.

If the WLAN being monitored (Access Point and client) uses LDPC coding, then the WiFi adapter used for capturing WiFi frames must also support LDPC coding. Otherwise, packets sent at HT or VHT rates in one or both directions will be missing or damaged. Since LDPC coding occurs at the hardware level, a firmware upgrade cannot provide LDPC coding to the WiFi adapter.

(15 Oct '15, 07:08) Amato_C

> What is the difference between using monitor mode and Aircrack-ng on Linux and using AirPcap on Windows?

I'd say not much. In both cases you will see WLAN/WiFi frames of other stations, besides your own frames.

The main reason why you need AirPcap on Windows is that you can't (easily) put a WLAN/WiFi card in monitor mode on Windows, at least not with WinPcap.

> Is there any kind of data that can be extracted with one method but not with the other?

AirPcap will probably report signal strength and similar HW-related values, which your WiFi card on Linux might or might not report (depends on the card and the driver).

> What is the better way to sniff WiFi packets?

Better in terms of what? Both methods will deliver WLAN/WiFi frames. I don't see a way to do that 'better'.

Regards
Kurt

answered 13 Oct '15, 13:52

Kurt Knochner ♦
24.8k1039237
accept rate: 15%
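
Both answers above come down to what the capture adapter and its driver actually hand over per frame: the signal strength Kurt mentions and the LDPC coding Amato_C mentions are both carried in the radiotap header that a Linux monitor-mode capture normally prepends to each frame. The following Python parser is an added example, not code from any poster or from Wireshark; the field layout follows radiotap.org, the sample headers are constructed, and as a simplification only the first "present" word is interpreted.

```python
import struct

# (alignment, size) in bytes for radiotap present bits 0..21 (radiotap.org)
FIELDS = [(8, 8), (1, 1), (1, 1), (2, 4), (2, 2), (1, 1), (1, 1), (2, 2),
          (2, 2), (2, 2), (1, 1), (1, 1), (1, 1), (1, 1), (2, 2), (2, 2),
          (1, 1), (1, 1), (4, 8), (1, 3), (4, 8), (2, 12)]
SIGNAL_DBM, MCS, VHT = 5, 19, 21

def radiotap_summary(frame: bytes) -> dict:
    """Return the signal strength and FEC coding the adapter reported, if any."""
    version, _pad, length, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or not 8 <= length <= len(frame):
        raise ValueError("not a usable radiotap header")
    offset, word = 8, present
    while word & 0x80000000:                  # skip extended "present" words
        if offset + 4 > length:
            raise ValueError("radiotap header truncated")
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    out = {"signal_dbm": None, "fec": None}
    for bit, (align, size) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        offset = (offset + align - 1) & ~(align - 1)   # natural alignment
        if offset + size > length:
            raise ValueError("radiotap header truncated")
        if bit == SIGNAL_DBM:                          # signed dBm value
            (out["signal_dbm"],) = struct.unpack_from("<b", frame, offset)
        elif bit == MCS:                               # 802.11n (HT) frame
            known, flags, _index = struct.unpack_from("<BBB", frame, offset)
            if known & 0x10:                           # driver filled in FEC type
                out["fec"] = "LDPC" if flags & 0x10 else "BCC"
        elif bit == VHT:                               # 802.11ac, first user only
            if frame[offset + 4] & 0x0F:               # NSS != 0: user present
                out["fec"] = "LDPC" if frame[offset + 8] & 0x01 else "BCC"
        offset += size
    return out

# Constructed sample headers: one with signal + HT/LDPC metadata, one without.
WITH_META = struct.pack("<BBHIBBHHbBBB", 0, 0, 18, 0x0008002E,
                        0, 0, 2437, 0x0480, -42, 0x17, 0x10, 7)
BARE = struct.pack("<BBHIBBHH", 0, 0, 14, 0x0000000E, 0, 0, 2437, 0x0480)

if __name__ == "__main__":
    print("with metadata:", radiotap_summary(WITH_META))
    print("bare header:  ", radiotap_summary(BARE))
```

Run over the frames of a real capture, a summary like this shows whether the driver reports signal strength at all and whether any LDPC-coded HT/VHT frames made it into the file.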
