I use a Netgear A6210 USB adapter to do WiFi captures. Savvius OmniPeek has a driver to put it into promiscuous mode and it works well. It supports 802.11ac. Is there a way that Wireshark could be set up to support this adapter? Here's a link to show the adapter on Amazon (which is where Savvius tells you to go to buy it). I'm at Sharkfest 2016 right now and will be for the rest of the week - I'm Ron Fox. https://www.amazon.com/Savvius-WiFI-Adapter-OmniPeek-802-11ac/dp/B0157LUUB0?ie=UTF8&redirect=true
asked 13 Jun '16, 11:00 RonF
2 Answers:
Hi Ron, you could perhaps give Npcap a try; it is a fork of WinPcap using NDIS 6.0 that can capture WiFi packets depending on the drivers used.
answered 13 Jun '16, 15:49 Pascal Quantin
Please use Npcap (together with Wireshark): https://github.com/nmap/npcap/releases Npcap has a feature called "Raw 802.11 Packet Capture": Npcap is able to see 802.11 packets instead of fake Ethernet packets on ordinary wireless adapters. You need to select the "Support raw 802.11 traffic (and monitor mode) for wireless adapters" option in the installation wizard to enable this feature.
Moreover, Npcap provides the WlanHelper.exe tool to help you switch to Monitor Mode on Windows. See more details about this feature in the section "For software that uses Npcap's raw 802.11 feature" in the docs. See more details about radiotap here: http://www.radiotap.org/
answered 15 Jun '16, 06:48 Yang Luo

I'm going to try this. I have a question: how do I install this with Wireshark? Do I simply install Wireshark, decline when it asks me if I want to install WinPcap and then install this driver after I'm done? Or should I install this driver first? (20 Jun '16, 16:05) RonF

You can install the Npcap driver first or later; the order doesn't matter. But when you install Wireshark first, you need to make sure you don't install WinPcap. (20 Jun '16, 17:00) Yang Luo

Hm. So I installed npcap 0.07 r17 and then installed Wireshark 2.0.4. I enabled "Raw 802.11 Packet Capture" but not the WinAPI compatibility mode. When I brought up Wireshark I told it to NOT install WinPcap. Upon actually starting the software it told me "Unable to load WinPcap (wpcap.dll); you will not be able to capture packets." I'm going to uninstall npcap and reinstall it using the WinAPI compatible mode to see if that works. (22 Jun '16, 13:06) RonF

Wireshark 2.0.4 does not support Npcap installed without WinPcap compatibility mode. Only the very latest 2.1.1 development builds can. (22 Jun '16, 13:40) Pascal Quantin

Just as Pascal said, please download the latest 2.1.1 Wireshark here: https://www.wireshark.org/download/automated/win64/ Or you can add "C:\Windows\System32\Npcap" manually to your PATH, then re-login or reboot. Then you can use a stable version of Wireshark too. (22 Jun '16, 17:31) Yang Luo
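The answer and its comments describe a three-part procedure: install Npcap with the raw 802.11 option, make sure Wireshark can actually load wpcap.dll (either via WinPcap-compatible mode or by putting C:\Windows\System32\Npcap on PATH), then switch the adapter to monitor mode with WlanHelper.exe. The PowerShell script below is an added example that ties those steps together; it is not code from the thread, from Wireshark or from the Npcap project. It assumes the Npcap directory and WlanHelper.exe names given in the answer, that WlanHelper's argument form is `<interface> modes` / `<interface> mode <managed|monitor>` as in the Npcap documentation of that period, that the installer records the raw 802.11 choice as the `Dot11Support` value under the npcap service's `Parameters` registry key (an assumption; the check tolerates it being absent), and that the adapter name `Wi-Fi` is a placeholder the reader replaces.

```powershell
# Added example, not from the original thread or the Npcap project.
# Run in an elevated PowerShell session: changing the operation mode needs admin.

$NpcapDir  = Join-Path $env:SystemRoot 'System32\Npcap'   # directory named in the answer
$System32  = Join-Path $env:SystemRoot 'System32'
$Helper    = Join-Path $NpcapDir 'WlanHelper.exe'

function Test-NpcapRaw80211 {
    # Assumption: Npcap's installer stores the "Support raw 802.11 traffic" choice as
    # a DWORD named Dot11Support under the service parameters. Missing key => unknown.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters'
    $val = Get-ItemProperty -Path $key -Name Dot11Support -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'unknown' }
    if ($val.Dot11Support -eq 1) { return 'enabled' } else { return 'disabled' }
}

function Test-WpcapLoadable {
    # Wireshark resolves wpcap.dll through the normal DLL search order (application
    # directory, System32, then PATH). WinPcap-compatible mode puts the DLL in
    # System32; without it the DLL only exists in System32\Npcap and that directory
    # must be on PATH, which is exactly the failure RonF hit with Wireshark 2.0.4.
    $pathDirs = ($env:Path -split ';') | ForEach-Object { $_.TrimEnd('\') }
    foreach ($dir in @($System32, $NpcapDir)) {
        $dll = Join-Path $dir 'wpcap.dll'
        if (-not (Test-Path $dll)) { continue }
        $loadable = ($dir -ieq $System32) -or ($pathDirs -contains $dir)
        return [pscustomobject]@{ Found = $true; Path = $dll; Loadable = $loadable }
    }
    return [pscustomobject]@{ Found = $false; Path = $null; Loadable = $false }
}

function Add-NpcapToUserPath {
    # Persistent fix from the answer: add the Npcap directory to PATH. The change is
    # written to the user's registry PATH, so (as Yang Luo notes) it takes effect for
    # new processes only after re-login or reboot; the current session is patched too.
    $userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
    $dirs = @()
    if ($userPath) { $dirs = ($userPath -split ';') | ForEach-Object { $_.TrimEnd('\') } }
    if ($dirs -contains $NpcapDir) { return $false }          # already present
    [Environment]::SetEnvironmentVariable('Path', (($dirs + $NpcapDir) -join ';'), 'User')
    $env:Path = "$env:Path;$NpcapDir"
    return $true
}

function Set-WifiMonitorMode {
    param(
        [Parameter(Mandatory)][string]$AdapterName,   # e.g. 'Wi-Fi' (placeholder)
        [ValidateSet('monitor', 'managed')][string]$Mode = 'monitor'
    )
    if (-not (Test-Path $Helper)) {
        throw "WlanHelper.exe not found in $NpcapDir; was Npcap installed with raw 802.11 support?"
    }
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Changing the adapter mode requires an elevated PowerShell session.'
    }
    # Confirms the adapter exists; WlanHelper also accepts the InterfaceGuid instead of the name.
    $null = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

    # Assumed WlanHelper syntax: "<iface> modes" lists supported modes, "<iface> mode X" sets one.
    $modes = (& $Helper $AdapterName modes) -join ','
    if ($LASTEXITCODE -ne 0) { throw "WlanHelper could not query modes for '$AdapterName': $modes" }
    if ($Mode -eq 'monitor' -and $modes -notmatch 'monitor') {
        throw "Adapter '$AdapterName' (or its driver) does not report monitor mode support: $modes"
    }
    $out = & $Helper $AdapterName mode $Mode
    if ($LASTEXITCODE -ne 0) { throw "WlanHelper failed to set $Mode mode: $out" }
    return (& $Helper $AdapterName mode) -join ''   # read back the effective mode
}

# --- usage -----------------------------------------------------------------
"Raw 802.11 support in Npcap: $(Test-NpcapRaw80211)"
$w = Test-WpcapLoadable
if (-not $w.Found) {
    "wpcap.dll not found; install Npcap (or reinstall it with WinPcap API-compatible mode)."
} elseif (-not $w.Loadable) {
    "wpcap.dll is at $($w.Path) but not on PATH; Wireshark 2.0.x will fail to load it."
    if (Add-NpcapToUserPath) { "Added $NpcapDir to the user PATH; re-login or reboot." }
} else {
    "wpcap.dll resolvable at $($w.Path)."
}
# Replace 'Wi-Fi' with the adapter name shown by Get-NetAdapter, then capture in Wireshark.
# Set-WifiMonitorMode -AdapterName 'Wi-Fi' -Mode monitor
# Set-WifiMonitorMode -AdapterName 'Wi-Fi' -Mode managed   # restore normal operation afterwards
```

The order of checks mirrors the thread: the loader problem ("Unable to load WinPcap (wpcap.dll)") is about where the DLL sits relative to the DLL search path, not about the driver, so it is diagnosed before any monitor-mode attempt. Leaving an adapter in monitor mode disconnects it from its network, so the managed-mode call at the end is the one to run when the capture is finished.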
Linux might work. Do you require windows?
Looks like I spoke too soon. I have several of these for use with OmniPeek and they enumerate on Linux as:
/home/admin# lsusb Bus 002 Device 005: ID 0846:9053 NetGear, Inc.
This link (https://wikidevi.com/wiki/Netgear_A6210) says MediaTek has a driver, but there is none for my Kali Rolling install with kernel 4.4.0-kali1-amd64 built-in.
It's not worth the effort for me to go get some driver and compile, but you could try. On Windows, did you try npcap? That has never worked for me, but others have had success.
I'd prefer Windows. I'm working in a corporate environment where all the PCs have Windows on them. I could possibly get them to give me a dedicated laptop to use that I could convert over to Linux. I'm at Sharkfest and the development team have suggested I give npcap a try, which I plan to do as soon as I get back from this and have a chance to put it up on my secondary laptop.
If I WERE to put this up on Linux, what release/version of Linux should I use?
Why not use the OmniPeek software? It works on Windows and Savvius (the company who develops AND SUPPORTS the OmniPeek software) provides the drivers for Windows.
As a user of OmniPeek, I prefer to use it rather than Wireshark to capture WiFi. However, I still use Wireshark for some post analysis.