WiFi Packet Capturing and Analysis using Wireshark and Airodump-ng

Wireless networks are widely used today for internet connectivity in homes, offices, universities, and public environments. Unlike wired networks, WiFi communication occurs over radio frequencies and uses the IEEE 802.11 protocol family. Because the communication happens through the air, every 802.11 frame on a channel reaches any receiver in range, and a suitably configured adapter can capture and analyze frames that were never addressed to it.

This blog explains WiFi communication fundamentals, important terminology, types of WiFi packets, device modes such as managed and monitor mode, and how tools like Wireshark, Airodump-ng, and Tcpdump can be used to capture and analyze wireless packets.

1. Basics of WiFi Communication

WiFi operates using the IEEE 802.11 standard. Devices (stations) communicate through an access point (AP) in infrastructure mode, or directly with each other in ad-hoc (IBSS) mode.

Frames are transmitted as radio signals and received by every device tuned to the same channel and within range. A normal adapter discards frames that are not addressed to it; monitor mode, covered below, turns that filtering off.

2. Important WiFi Terminology

SSID (Service Set Identifier)

SSID is the human-readable name of the wireless network, carried in beacon and probe frames and shown when scanning for networks. Example: Home_Network. It is not unique; anyone can run an access point with the same name.

BSSID (Basic Service Set Identifier)

BSSID is the MAC address of the access point radio serving one network. An AP with several radios or several SSIDs has several BSSIDs, and this is the value you lock onto when capturing a specific network.

ESSID

Multiple access points advertising the same SSID form an Extended Service Set, and that shared name is the ESSID. The aircrack-ng tools use ESSID and SSID interchangeably.

MAC Address

Every wireless interface has a 48-bit hardware address. Stations and access points are identified in captured frames by MAC address, which is how airodump-ng associates clients with networks.

WiFi Channels

Each band is divided into numbered channels: 1 to 14 in the 2.4 GHz band (1 to 11 in many regulatory domains) and channels such as 36 to 165 in the 5 GHz band. A monitor-mode adapter only hears the channel it is currently tuned to, so capture tools either hop across channels or lock onto one.

Encryption Types

Networks are Open (no encryption), WEP (obsolete and broken), WPA/WPA2 (TKIP or CCMP, with a pre-shared key or 802.1X), or WPA3 (SAE). Encryption covers the payload of data frames only; management frames such as beacons and probe requests are sent in clear text unless the network enables 802.11w protected management frames.

3. WiFi Packet Types

WiFi communication uses IEEE 802.11 frames divided into three categories, encoded in the type bits of the frame control field.

Management Frames

Management frames help devices discover and connect to networks: beacons (sent by the AP), probe requests and probe responses, authentication, association, and deauthentication/disassociation.

Control Frames

Control frames coordinate access to the medium and acknowledge delivery: RTS, CTS, ACK, and Block ACK. They are short and carry no payload.

Data Frames

Carry actual user data such as web traffic or file transfers. On an encrypted network the payload is encrypted with the network key, so a capture shows the 802.11 header and MAC addresses but not the contents.

4. WiFi Device Modes

Managed Mode

Default mode where the device associates with an access point and only receives frames addressed to it.

Monitor Mode

Allows the wireless adapter to capture all frames on the channel it is tuned to, including frames not intended for the device. Captured frames are passed up with a radiotap header carrying signal strength, channel, and data rate. The adapter is not associated with any network while in monitor mode, so it has no normal connectivity.

Master Mode

Used when the device acts as an access point (listed as AP in iw list).

5. Installing Required Tools

Install Wireshark

sudo apt update
sudo apt install wireshark

On Debian-based systems the installer asks whether non-superusers should be able to capture packets. Answer yes and add your user to the wireshark group (sudo usermod -aG wireshark $USER, then log in again) so Wireshark itself does not have to run as root.

Install Aircrack-ng Suite

sudo apt install aircrack-ng

Install Tcpdump

sudo apt install tcpdump

Verify Installation

wireshark --version
airmon-ng
tcpdump --version

Running airmon-ng with no arguments lists the wireless interfaces, their drivers, and chipsets.

6. Checking Monitor Mode Support

Check Wireless Interface

iwconfig

iwconfig is deprecated; iw dev lists the same interfaces and their current type (managed, monitor, AP):

iw dev

Check Monitor Mode Support

iw list
Example output:
Supported interface modes:
 * IBSS
 * managed
 * monitor
 * AP

If monitor appears in the list, your WiFi adapter supports monitor mode. iw list prints one block per physical radio (phy0, phy1, ...), so check the block for the adapter you intend to use. Many built-in laptop adapters list monitor but do not inject or capture reliably; an external adapter with a well-supported chipset is the usual choice.

7. Enabling Monitor Mode

Enable Monitor Mode

NetworkManager and wpa_supplicant will keep reconfiguring the interface and switching channels underneath a capture. Stop them first (this drops your other wireless connections):

sudo airmon-ng check kill

sudo airmon-ng start wlan0
This creates a monitor interface:
wlan0mon

Read the actual interface name from the command output; depending on the airmon-ng version and driver it may keep the original name instead of appending mon.

Verify Mode

iwconfig

The interface should show Mode:Monitor (or type monitor in iw dev).

Disable Monitor Mode

sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager

The second command restores normal networking after airmon-ng check kill.

8. Packet Capture using Airodump-ng

Start Capture

sudo airodump-ng wlan0mon
Displays:

An upper table of access points with BSSID, PWR (signal), Beacons, #Data (data frames seen), CH (channel), ENC, CIPHER, AUTH, and ESSID, and a lower table of stations with STATION (client MAC), the BSSID it is associated with (or "(not associated)"), Frames, and Probes (the ESSIDs the client has probed for). By default airodump-ng hops across the 2.4 GHz channels; add --band abg to include 5 GHz.

Capture Specific Network

sudo airodump-ng --bssid <BSSID> -c <channel> -w capture wlan0mon

Locking to one channel with -c stops channel hopping, so no frames from that network are missed while the adapter is listening elsewhere. The -w prefix produces numbered files: capture-01.cap (the frames, readable by Wireshark), capture-01.csv, and capture-01.kismet.csv.

9. Capturing Specific Packets (Probe Requests)

Probe requests are management frames sent by devices when searching for WiFi networks. A directed probe names a specific SSID the device has previously joined; a wildcard probe carries an empty SSID. Because they are unencrypted and include the sender's MAC address, they reveal which networks a nearby device is looking for.

Capture using Tcpdump

sudo tcpdump -i wlan0mon -e -I 'type mgt subtype probe-req'

-e prints the 802.11 link-layer header (addresses and frame type) instead of only IP data. -I asks libpcap to put the interface into monitor mode; it is redundant on wlan0mon, which airmon-ng already switched, but harmless.

Low Level BPF Filtering

sudo tcpdump -i wlan0mon -e 'link[0] & 0x0c = 0x00 and link[0] & 0xf0 = 0x40'

This is the same filter written against the first byte of the 802.11 frame control field. Bits 2-3 hold the frame type (00 = management, mask 0x0c) and bits 4-7 the subtype (0100 = probe request, mask 0xf0). With a radiotap capture, tcpdump resolves link[0] to the first byte of the 802.11 header, after the variable-length radiotap prefix.

Save Captured Packets

sudo tcpdump -i wlan0mon -e 'link[0] & 0x0c = 0x00 and link[0] & 0xf0 = 0x40' -w probe_requests.pcap

The file is written with the radiotap link type, so Wireshark shows the signal strength and channel for each frame.

10. Packet Analysis using Wireshark

Open Capture File

wireshark capture-01.cap

airodump-ng numbers its output files, so the file from the capture above is capture-01.cap, not capture.cap. Files saved by tcpdump open the same way (wireshark probe_requests.pcap).

Wireshark Filters

Management Frames
wlan.fc.type == 0
Probe Requests
wlan.fc.type_subtype == 0x04
Beacons
wlan.fc.type_subtype == 0x08
Probe Requests for a Named Network
wlan.fc.type_subtype == 0x04 && wlan.ssid == "Home_Network"
Frames from One Station
wlan.sa == aa:bb:cc:dd:ee:ff

wlan.fc.type_subtype combines the type and subtype bits, so 0x04 selects exactly the frames matched by the tcpdump filters above.
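The following is an added example and is not part of the original post or the aircrack-ng or Wireshark projects. It builds a probe request and a beacon under a radiotap header, applies the same frame control masks as the tcpdump BPF expression and the Wireshark wlan.fc.type_subtype filter, extracts the probed SSID, and writes the frames to a pcap file that Wireshark opens as radiotap + 802.11. The MAC addresses and frames are constructed for the example.

```python
"""Added example (not from the original post): classify 802.11 frames the way the
tcpdump BPF filter and Wireshark's wlan.fc.type_subtype do, and pull the SSID out
of probe requests. All MAC addresses and frames here are constructed."""
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
CTRL_SUBTYPES = {11: "rts", 12: "cts", 13: "ack"}
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def radiotap_header():
    """Minimal radiotap header: version 0, pad, length 8, no present fields."""
    return struct.pack("<BBHI", 0, 0, 8, 0)


def build_probe_request(src, ssid, seq=0):
    """Probe request: FC bytes 0x40 0x00, broadcast DA/BSSID, SSID tag, rates tag."""
    hdr = struct.pack("<BBH", 0x40, 0x00, 0) + BROADCAST + mac(src) + BROADCAST
    hdr += struct.pack("<H", seq << 4)
    body = bytes([0, len(ssid)]) + ssid.encode()          # tag 0 = SSID ('' = wildcard)
    body += bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])         # tag 1 = rates 1/2/5.5/11 Mbit/s
    return hdr + body


def build_beacon(bssid, ssid):
    """Beacon: FC 0x80, then timestamp, interval, capability, SSID tag."""
    hdr = struct.pack("<BBH", 0x80, 0x00, 0) + BROADCAST + mac(bssid) + mac(bssid)
    hdr += struct.pack("<H", 0)
    return hdr + struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()


def strip_radiotap(packet):
    """Drop the radiotap prefix; its length is the little-endian u16 at offset 2."""
    _, _, length = struct.unpack_from("<BBH", packet, 0)
    return packet[length:]


def frame_type(frame):
    """(type, subtype) from frame-control byte 0: bits 2-3 type, bits 4-7 subtype."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF


def type_subtype(frame):
    """Same value Wireshark shows as wlan.fc.type_subtype (probe request = 0x04)."""
    t, s = frame_type(frame)
    return (t << 4) | s


def is_probe_request(frame):
    """Exactly the tcpdump filter: link[0] & 0x0c = 0x00 and link[0] & 0xf0 = 0x40."""
    return (frame[0] & 0x0C) == 0x00 and (frame[0] & 0xF0) == 0x40


def describe(frame):
    t, s = frame_type(frame)
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES}.get(t, {})
    return f"{FRAME_TYPES[t]}/{names.get(s, s)}"


def tagged_params(body):
    """Yield (tag_id, value) from a tagged-parameter list; stop on a truncated tag."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                                          # truncated capture
        yield tag, value
        i += 2 + length


def probe_request_ssid(frame):
    """SSID the station is probing for ('' = wildcard); None if not a probe request."""
    if not is_probe_request(frame):
        return None
    return next((v.decode("utf-8", "replace") for t, v in tagged_params(frame[24:]) if t == 0), None)


def source_mac(frame):
    return ":".join(f"{b:02x}" for b in frame[10:16])     # addr2 of the 802.11 header


def summarise(packets):
    """Run the probe-request filter over radiotap packets -> [(source MAC, SSID)]."""
    frames = [strip_radiotap(p) for p in packets]
    return [(source_mac(f), probe_request_ssid(f)) for f in frames if is_probe_request(f)]


def pcap_bytes(packets, linktype=127):
    """pcap file with DLT_IEEE802_11_RADIO (127), which Wireshark decodes as radiotap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + ts, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    capture = [  # constructed traffic: two probes from one station and one beacon
        radiotap_header() + build_probe_request("02:11:22:33:44:55", "Home_Network", 1),
        radiotap_header() + build_probe_request("02:11:22:33:44:55", "", 2),
        radiotap_header() + build_beacon("02:aa:bb:cc:dd:ee", "Home_Network"),
    ]
    for pkt in capture:
        print(describe(strip_radiotap(pkt)), hex(type_subtype(strip_radiotap(pkt))))
    print(summarise(capture))
    with open("probe_requests.pcap", "wb") as f:
        f.write(pcap_bytes(capture))
```

Open the generated probe_requests.pcap in Wireshark and apply wlan.fc.type_subtype == 0x04: the two probe requests match and the beacon does not, which is the same split is_probe_request makes with the 0x0c and 0xf0 masks. The SSID extraction walks the tagged parameters and stops on a truncated tag rather than indexing past the end, which matters on real captures where the snaplen or a bad radio cut a frame short.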

11. Ethical and Legal Considerations

Packet capturing should only be performed on networks where you have permission, or in a lab using your own access point and clients. Monitor mode receives every frame on the channel, including frames from neighbouring networks, and probe requests expose the network names and MAC addresses of nearby devices, so unauthorized monitoring of wireless traffic may violate privacy laws and organizational policies even if nothing is decrypted.

Conclusion

Understanding WiFi communication and packet structures is essential for network analysis, troubleshooting, and security research. Tools like Wireshark and Airodump-ng allow administrators and researchers to capture and analyze wireless packets to better understand network behavior.

Using monitor mode and packet capture tools makes it possible to observe management frames such as probe requests, beacon frames, and authentication processes, providing deeper insights into wireless network operations.