This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

2x2 MIMO USB WiFi adapter that works with Wireshark in Windows or Linux

0

I'm lookong for a 2x2 MIMO USB WLAN adapter (802.11ac or 802.11n) that can reliable capture packets. Should work in Linux or in Windows 7/8/10 with Npcap.

Can someone confirm an adapter that works?

asked 27 Dec '16, 11:58

Tooz's gravatar image

Tooz
11114
accept rate: 0%


2 Answers:

0

I can confirm a 3x3 802.11n USB adapter that works with Linux (recent kernel!) and Windows (Omnipeek). This does 2.4 and 5GHz bands.

One Netgear variant:

Bus 002 Device 004: ID 0846:9012 NetGear, Inc. WNDA4100 802.11abgn 3x3:3 [Ralink RT3573]

As well, the Savvius 802.11n adapters use the same chipset, so they work just the same as would just about any device with this chipset:

https://www.amazon.com/Savvius-OmniWiFi-Capture-Adapter-802-11a/dp/B00AOBXK9S/ref=sr_1_1?ie=UTF8&qid=1482870179&sr=8-1&keywords=savvius

I can't help with npcap - never works for me as I always get a BSoD. Good luck - maybe others can help you get something going with this. I looked forward to when it is stabilized.

The Savvius 802.11ac adapter is crappy - very poor Rx strength so do not recommend it unless you really need to do 802.11ac, but even then, I would still look for another solution. Does not work in Linux, either: can compile a STA driver but no monitor mode support.

The AirPcap Nx is weak - does not support short guard interval so you will likely miss a LOT of traffic, so that fails your reliable requirement but is 2x2 802.11n. Works nicely in Windows for what it does capture unless you use Windows7 & USB3 (we do... and no, it doesn't work then), and Linux enumerates it as:

Bus 001 Device 004: ID cace:0300 CACE Technologies Inc. AirPcap NX [Atheros AR9001U-(2)NG]

It looks like it uses the carl9170 driver on my 4.8 series kernel:

usbcore: registered new interface driver carl9170
usb 1-1.1: firmware: direct-loading firmware carl9170-1.fw

Only problem is that all the chipsets that I have that use the carl9170 driver support monitor mode, however, they do not do promiscuous mode. I understand this to be a kernel regression in the driver from a number of years ago, but it is what it is: not really useful for wifi packet capture as only broadcast and multicast traffic come in.

Note also you have Microsoft Network Monitor tool that can capture wifi frames. It will save as pcap then can analyze ex post facto with Wireshark or whatever. Not as good as real time capture, but sometimes we have to live with less than ideal...

The Acrylic WiFi guys may have a driver for some devices as well on Windows.

answered 27 Dec '16, 12:40

Bob%20Jones's gravatar image

Bob Jones
1.0k2515
accept rate: 21%

Thanks! I'll buy Netgear WNDA4100. Netgear A6200 works in Microsoft Network Monitor but A6200 does not report other data rates than 802.11g. Acrylic WiFi driver has some problems with Wireshark. Wireshark shows only random data frames. Microsoft Network Monitor shows all frames.

TP-Link TL-WN722N works well in Linux but it is only 1x1 MIMO.

Edit: All these adapters use same chip than Netgear WNDA4100 so they'll work as well? http://dy.fi/k0h

(27 Dec '16, 12:56) Tooz

TP-Link TL-WN722N works well in Linux but it is only 1x1 MIMO.

It's also only 2.4GHz. For real throughput, the market is moving to 5GHz with clearer channels (transient condition, but let's take it while it lasts) and 802.11n and 802.11ac.

If this answers your question can you accept the answer for others? See the FAQ for more information.

(27 Dec '16, 13:07) Bob Jones

@Bob Jones,

If you haven't done so please report npcap issues at the GitHub site for the nmap project, the developer is very responsive and we need all such issues to be resolved before Wireshark can move on from WinPcap.

Also, does Win 7 support USB3? I thought that Win 7 depends on 3rd party manufacturer drivers for USB3.

(27 Dec '16, 16:41) grahamb ♦

Please report the BSoD to here: https://github.com/nmap/nmap/issues

(27 Dec '16, 20:31) Yang Luo

I bought TP-Link TL-WDN4200. It use same chip as Netgear WNDA4100 http://goo.gl/G3LOZ8 , TP-Link TL-WDN4200 is not able to capture all traffic. Only broadcast traffic is captured. I tested by using data rate 11 mbps for unicast and broadcast but only broadcast was captured. TL-WDN4200 works in Linux OK if you don't use it to capture traffic. Unicast is captured if it is destined to TL-WDN4200 itself.

Does Netgear WNDA4100 really work different way? WNDA4100 is hard to get and I will not like to buy it if it does not work.

(19 Apr '17, 08:20) Tooz

Does Netgear WNDA4100 really work different way?

Yes, it can work different, however, the root cause is probably not the specific device, i.e. you'll get the same results with the Netgear. I suspect this is your issue:

https://ask.wireshark.org/questions/53260/cannot-capture-frames-other-than-broadcast-or-multicast-over-wlan

(19 Apr '17, 11:27) Bob Jones
showing 5 of 6 show 1 more comments

1

Hi. I'm the author of Npcap. And I daily use NetGear A6200 adapter for the development of Npcap. So that adapter is the only one that I can personally assure to work. I choose it because it's not expensive and have a fast speed.

Here's a list of the compatible chipsets maintained by Aircrack-ng for reference: https://www.aircrack-ng.org/doku.php?id=compatibility_drivers. I can't guarantee that the working adapters in that list also works for Npcap. So it's just a reference.

Maybe Npcap should maintain its own compatible adapter/chipset list, but I can't afford the expense. So please let me know if there are any adapters confirmed to be working or not working.

answered 27 Dec '16, 20:30

Yang%20Luo's gravatar image

Yang Luo
9117
accept rate: 4%

The latest version is just completely unusable - these are my symptoms:

http://seclists.org/nmap-dev/2016/q4/176

Someone else was kind enough to run into the very same issue and document it. On reboot, I get no network access, at all, on any adapter. net start npf indicates that it is already started, which is the only noted difference to the post there.

I can't operate in this state without any network so cannot wait until I get a BSoD, sorry. It's fully non-functional anyway, so not sure why the BSoD is really relevant at this point. Off to uninstall...again...

(28 Dec '16, 02:57) Bob Jones

Is your Netgear A6200 version 1 (Broadcom) or version 2 (Realtek)? https://wikidevi.com/wiki/Netgear_A6200 . I have Broadcom version.

I tried Npcap but I lost all my connections after reboot. I have installed Virtual Box so it might be this bug https://github.com/nmap/nmap/issues/610 .

(28 Dec '16, 05:09) Tooz

@bob-jones, please provide your NPFInstall.log to the Nmap list.

(28 Dec '16, 18:01) Yang Luo

@Tooz, I'm using a Broadcom one. So you should work.

Please uninstall VirtualBox and try installing Npcap again.

(28 Dec '16, 18:03) Yang Luo

I need Virtual Box so I have to wait for the bug being solved.

(29 Dec '16, 08:08) Tooz

Just uninstall it when testing if there's a conflict issue. You can install it back when it's done.

(02 Jan '17, 05:07) Yang Luo
showing 5 of 6 show 1 more comments