Wi-Fi Capture

The Wi-Fi Capture feature enables monitor-mode packet capture (sniffing) of wireless traffic using Wireshark integration. This powerful tool allows you to capture all Wi-Fi frames on a specific channel for detailed analysis.

Opening Wi-Fi Capture

Access Wi-Fi Capture in three ways:

  1. Toolbar Button - Click the Wi-Fi Sniffing button in the toolbar
  2. Menu Bar - Select Tools → Wi-Fi Sniffing
  3. Keyboard Shortcut - Press ⌘F

Prerequisites

Before using Wi-Fi Capture, you must have:

1. Wireshark Installed

Wi-Fi Capture requires Wireshark for packet capture in monitor mode.

Download: https://www.wireshark.org

Installation: Install Wireshark from the official DMG package

What PingStalker Checks:

  • Wireshark installation at /Applications/Wireshark.app
  • If not found, a warning appears with download link

2. BPF (Berkeley Packet Filter) Access

Monitor mode requires BPF device access.

How to Enable:

  1. Click the warning banner if shown
  2. Install ChmodBPF utility (included with PingStalker or Wireshark)
  3. Restart PingStalker

What This Does: Grants permissions to access BPF devices (/dev/bpf*) required for packet capture

Also Needed For: Network Logs active monitoring

Wi-Fi Capture Window

The capture window provides interface, channel, and control options:

Interface Selection

Choose which Wi-Fi interface to use for capture:

Single Wi-Fi Mac:

  • Typically shows "Wi-Fi (en0)"
  • Uses your only Wi-Fi adapter

Multiple Wi-Fi Macs:

  • Shows all Wi-Fi interfaces
  • Example: "Wi-Fi (en0)", "Wi-Fi 2 (en1)"
  • Useful for Macs with multiple adapters or USB Wi-Fi dongles

Note: The selected interface will be disconnected from its network during capture and placed in monitor mode.

Channel Selection

Choose the wireless channel to monitor:

2.4 GHz Band

Available Channels: 1-14 (region dependent)

5 GHz Band

Available Channels: Multiple non-overlapping channels

Channel Widths: 20, 40, 80, 160 MHz

6 GHz Band (Wi-Fi 6E)

Available Channels: 1-233 (with 6 GHz capable hardware)

Changing Channels During Capture

You can change channels while capture is running without stopping:

  1. Wireshark remains open
  2. Select a different channel in PingStalker
  3. The Wi-Fi interface switches to the new channel
  4. Wireshark continues capturing on the new channel

Use Case: Monitor multiple channels in a single capture session to find hidden networks or analyze roaming

Starting a Capture

To begin packet capture:

  1. Select the Wi-Fi interface
  2. Choose the channel and width
  3. Click Start Capture

What Happens

Step 1: PingStalker disassociates your Wi-Fi interface from its current network

Step 2: Interface is placed in monitor mode

Step 3: Interface is set to the selected channel

Step 4: Wireshark launches automatically with the interface in monitor mode

Step 5: Packet capture begins immediately

Status Display:

  • "Capturing on channel X"
  • Interface name and channel displayed
  • Wireshark window opens

Wireshark Integration

PingStalker launches Wireshark with:

  • Monitor mode enabled
  • Correct interface selected
  • Capture started automatically
  • Real-time packet display

What You See in Wireshark:

  • All Wi-Fi frames on the selected channel
  • Management frames (beacons, probes, association)
  • Control frames (ACK, RTS/CTS)
  • Data frames (encrypted payload)

Stopping a Capture

When you're done capturing:

  1. In Wireshark: Stop the capture (red square button)
  2. Save the capture file (.pcap or .pcapng) if desired
  3. In PingStalker: Click Stop Capture or close the window (PingStalker should auto-detect when you stop the capture)

Automatic Reconnection

When capture stops, PingStalker automatically:

  1. Removes the interface from monitor mode
  2. Re-enables managed mode
  3. Attempts to reconnect your device to your previous Wi-Fi network

Restarting Wi-Fi Interface

If your Wi-Fi interface becomes unresponsive or stuck, use the Restart Wi-Fi Interface button.

Capture Use Cases

1. Network Discovery

Purpose: Find hidden SSIDs and all access points

Method:

  1. Capture on common channels (1, 6, 11 for 2.4 GHz)
  2. Filter for beacon frames in Wireshark: wlan.fc.type_subtype == 0x08
  3. Identify all broadcasting SSIDs and BSSIDs

See: Hidden networks that don't appear in normal Wi-Fi scans

2. Channel Analysis

Purpose: Identify interference and overlapping networks

Method:

  1. Capture on target channel with widest bandwidth
  2. Count beacon frames from different BSSIDs
  3. Analyze channel utilization

Wireshark Filter: wlan.fc.type_subtype == 0x08

Use: Plan channel assignments for optimal performance

3. Roaming Analysis

Purpose: Observe client roaming behavior

Method:

  1. Capture on primary channels
  2. Filter for association/reassociation frames
  3. Track client MAC moving between BSSIDs

Wireshark Filters:

  • Association Request: wlan.fc.type_subtype == 0x00
  • Reassociation Request: wlan.fc.type_subtype == 0x02

4. Security Assessment

Purpose: Identify security weaknesses

Method:

  1. Capture on all channels in use
  2. Identify WPA/WPA2/WPA3 usage
  3. Look for open networks or weak security

Wireshark Filter: wlan.rsn.version or wlan.wep.key

Note: Capturing encrypted data doesn't decrypt it. This is for network audit purposes.
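
The beacon-based checks in use cases 1, 2 and 4 (hidden SSIDs, beacons per BSSID, advertised security) can also be run offline against a saved capture. The following is an added example, not PingStalker or Wireshark code; it assumes the capture was saved in classic .pcap format with radiotap headers, and the function names and the SAMPLE frames are constructed for illustration.

```python
import struct

def _has_fcs(rt: bytes) -> bool:  # radiotap Flags bit 0x10: a 4-byte FCS trails the frame
    first, pos = struct.unpack_from("<I", rt, 4)[0], 8
    while pos <= len(rt) and struct.unpack_from("<I", rt, pos - 4)[0] & 0x80000000:
        pos += 4                                  # skip chained "present" words
    pos = (pos + 7) // 8 * 8 + 8 if first & 0x1 else pos  # TSFT: 8 bytes, 8-byte aligned
    return bool(first & 0x2) and len(rt) > pos and bool(rt[pos] & 0x10)

def beacon_inventory(pcap: bytes) -> dict:
    """Map BSSID -> beacon count, SSID (None = hidden) and advertised security."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 127:
        raise ValueError("expected a little-endian .pcap with radiotap link type 127")
    aps, off = {}, 24
    while off + 16 <= len(pcap):
        end = off + 16 + struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:end], end
        rt_len = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 8 else 0
        if not 8 <= rt_len <= len(pkt):
            continue                              # truncated or malformed radiotap
        frame = pkt[rt_len:-4] if _has_fcs(pkt[:rt_len]) else pkt[rt_len:]
        if len(frame) < 36 or frame[0] != 0x80:   # i.e. wlan.fc.type_subtype == 0x08
            continue
        ap = aps.setdefault(frame[16:22].hex(":"), {"beacons": 0, "ssid": None})
        ap["beacons"] += 1
        ap["security"] = "privacy bit, no RSN (WEP/WPA1)" if frame[34] & 0x10 else "open"
        tags = frame[36:]
        while len(tags) >= 2 and 2 + tags[1] <= len(tags):
            tag, body, tags = tags[0], tags[2:2 + tags[1]], tags[2 + tags[1]:]
            if tag == 0:                          # SSID; empty or all-NUL means hidden
                ap["ssid"] = body.decode("utf-8", "replace") if body.strip(b"\0") else None
            elif tag == 48:                       # RSN element
                ap["security"] = "RSN (WPA2/WPA3)"
    return aps

def _beacon(n, ssid, caps, rsn):  # constructed record; its dummy FCS mimics an RSN tag
    rt = struct.pack("<BBHIB", 0, 0, 9, 0x2, 0x10)   # Flags field only, FCS-present bit set
    mac = b"\x80\0\0\0" + b"\xff" * 6 + bytes([2, 0, 0, 0, 0, n]) * 2 + bytes(2)
    ies = bytes([0, len(ssid)]) + ssid + (b"\x30\x02\x01\x00" if rsn else b"")
    pkt = rt + mac + bytes(8) + struct.pack("<HH", 100, caps) + ies + b"\x30\x02\0\0"
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
          + _beacon(1, b"Office", 0x11, True) * 2   # RSN network, two beacons
          + _beacon(2, bytes(5), 0x11, False)       # NUL-filled SSID, privacy bit, no RSN
          + _beacon(3, b"Guest", 0x01, False))      # open network

if __name__ == "__main__":
    print(beacon_inventory(SAMPLE))
```

To run it on a real capture, pass the file's bytes to beacon_inventory; a .pcapng capture has to be re-saved as .pcap in Wireshark first.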

5. Troubleshooting Connectivity

Purpose: Diagnose connection failures

Method:

  1. Capture during connection attempt
  2. Watch 4-way handshake: eapol
  3. Identify authentication failures

See: Deauthentication reasons, failed associations, EAP failures

Analyzing Captures

Common Wireshark Filters

Beacon Frames (AP broadcasts):

wlan.fc.type_subtype == 0x08

Probe Requests (client searching):

wlan.fc.type_subtype == 0x04

Data Frames:

wlan.fc.type == 2

Specific SSID:

wlan.ssid == "YourNetworkName"

Specific Device (by MAC):

wlan.addr == 00:11:22:33:44:55

WPA Handshake:

eapol

Deauthentication:

wlan.fc.type_subtype == 0x0c

Viewing Statistics

In Wireshark:

Wireless → WLAN Traffic:

  • See all detected SSIDs and BSSIDs
  • Packet counts per network
  • Channel distribution

Statistics → Protocol Hierarchy:

  • Breakdown of frame types
  • Management vs. control vs. data frames

Statistics → Conversations:

  • Which devices are communicating
  • Data transfer amounts

Important Notes

Network Disruption

During Capture:

  • Selected Wi-Fi interface cannot access the internet
  • Any running downloads or connections on that interface are interrupted
  • Other interfaces (Ethernet, other Wi-Fi adapters) continue working

Use Case Recommendation:

  • Capture on secondary Wi-Fi adapter if available
  • Or accept temporary disconnection during capture

You May:

  • Capture on networks you own or have permission to monitor
  • Analyze your own wireless traffic
  • Perform authorized security assessments
  • Troubleshoot connectivity issues

You May Not:

  • Capture traffic on networks without authorization
  • Decrypt others' encrypted communications
  • Use captures for unauthorized access attempts
  • Violate wiretapping or eavesdropping laws

Always: Obtain proper authorization before capturing Wi-Fi traffic

Troubleshooting

"Wireshark Not Found"

Solution:

  1. Download from https://www.wireshark.org
  2. Install to /Applications/Wireshark.app
  3. Restart PingStalker

"BPF Access Required"

Solution:

  1. Click warning banner
  2. Install ChmodBPF
  3. Restart PingStalker
  4. Verify /dev/bpf* devices exist with proper permissions

Capture Starts But No Packets

Causes:

  • Wrong channel selected
  • No traffic on selected channel
  • Interface not in monitor mode

Solutions:

  • Change to a busier channel
  • Verify Wireshark shows monitor mode
  • Close Wireshark and try again


Wi-Fi Capture is a powerful tool for network analysis and troubleshooting. Use it responsibly and always with proper authorization. Combine with Wireless Details for comprehensive Wi-Fi analysis.