
adriangranados / wlan-extcap

Licence: GPL-3.0 license
Wireshark extcap interface for remote wireless captures.


The Wi-Fi component of this project has been deprecated as it is now incorporated in Wireshark 4.0 as a built-in extcap interface (wifidump).


wlan-extcap

Wireshark extcap interface for remote wireless captures using a Linux device.

This extcap interface is basically a wrapper for the sshdump extcap interface that includes additional options to customize the capture. For example, if capturing Wi-Fi traffic, you can choose the Wi-Fi channel to capture on. It also simplifies the configuration of the extcap interface so that the user doesn't have to deal with complex remote capture commands, etc.

The wlandump extcap interface currently provides two capture interfaces: Wi-Fi and Zigbee, each with its own set of options. The wifidump interface allows you to perform remote Wi-Fi captures on a specific channel and channel width using a Linux device with a Wi-Fi adapter that can be put into monitor mode. The zbdump interface allows you to perform remote Zigbee captures using a Linux device with a TI CC2531 USB dongle.

Installation

If you're running Wireshark on Windows:

  1. Install Python.
  2. The wlandump extcap interface requires the sshdump extcap interface, which is not installed by default on Windows. When installing Wireshark on Windows, select SSHdump as one of the components to install:

Wireshark Installer SSHdump

  3. Copy wlandump to C:\Program Files\Wireshark\extcap\
  4. Create a file called wlandump.bat in the same C:\Program Files\Wireshark\extcap\ directory with the following content:
@echo off
<PATH_TO_PYTHON_INTERPRETER> <PATH_TO_WLANDUMP> %*

Where <PATH_TO_PYTHON_INTERPRETER> is the path to the Python executable and <PATH_TO_WLANDUMP> is the path to the wlandump extcap interface script. For example:

@echo off
"C:\Program Files (x86)\Python37-32\python.exe" "C:\Program Files\Wireshark\extcap\wlandump" %*

If you're running Wireshark on macOS:

  1. Copy wlandump to /Applications/Wireshark.app/Contents/MacOS/extcap/
  2. Make sure it has execution permissions:
$ chmod +x /Applications/Wireshark.app/Contents/MacOS/extcap/wlandump

If you're running Wireshark on Linux:

The steps are the same as the ones above for macOS, the only difference is the path to copy wlandump to. To find the correct path:

  1. In Wireshark, go to Help -> About Wireshark;
  2. Change to tab Folders;
  3. Use the path indicated by Extcap path.

Extcap path

Launch Wireshark and verify that the capture interfaces provided by the wlandump extcap interface are listed:

WLAN Extcap Interface

Note: You will have to reinstall the wlandump extcap interface on your computer each time you update Wireshark. The Wireshark installer doesn't preserve 3rd-party extcap interfaces added to the extcap folder.

Remote Wi-Fi Captures

The wifidump capture interface allows you to perform remote Wi-Fi captures on a specific channel and channel width using a Linux device with a Wi-Fi adapter that can be put into monitor mode.

Setup

The wifidump capture interface uses tcpdump as the remote tool for Wi-Fi captures. Make sure tcpdump can be run remotely by the SSH user without root privileges. For example:

$ sudo groupadd pcap
$ sudo usermod -a -G pcap USERNAME
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

where USERNAME is the SSH user for connecting remotely.

The interface also requires the ip and iw command-line utilities to put the Wi-Fi adapter in monitor mode and set the desired channel and channel width. Make sure these two utilities are installed and then create the file /etc/sudoers.d/wifidump with the following content:

USERNAME ALL = (root) NOPASSWD: /sbin/ip, /usr/sbin/iw

where USERNAME is, again, the SSH user for connecting remotely. On some systems the ip and iw utilities are installed in different locations, so adjust the paths accordingly.

Usage

  1. Click the gear icon next to "Wi-Fi remote capture" to display the interface options, then choose the interface name, channel, and channel width you want to capture on:

Wi-Fi Interface Options

Note: All 802.11 channels are listed; however, the Wi-Fi adapter on the remote device may support only a subset of them. If you choose a channel that is not supported by the Wi-Fi adapter or a channel width that doesn't apply to the selected channel, the capture will fail.

  2. Go to the Server tab and enter the remote SSH server address, e.g. 192.168.42.1.

Wi-Fi Extcap Interface Options - Server

  3. Go to the Authentication tab and enter the username and password.

Wi-Fi Extcap Interface Options - Auth

Note: The password is not saved, so to avoid having to enter the password each time you start a capture, I would recommend you set up passwordless SSH authentication.

  4. Click the Start button to start the capture.

Wi-Fi Capture

Remote Zigbee Captures

The zbdump capture interface uses whsniff as the remote tool for Zigbee captures using the TI CC2531 USB dongle. To install whsniff in the remote Linux device:

  1. Install libusb-1.0-0-dev:
$ sudo apt-get install libusb-1.0-0-dev
  2. Download the latest release tarball from GitHub and untar it. Then build and install whsniff.
$ curl -L https://github.com/homewsn/whsniff/archive/v1.1.tar.gz | tar zx
$ cd whsniff-1.1
$ make
$ sudo make install

Then create the file /etc/sudoers.d/zbdump with the following content:

USERNAME ALL = (root) NOPASSWD: /usr/local/bin/whsniff, /usr/bin/killall /usr/local/bin/whsniff

where USERNAME is the SSH user for connecting remotely.
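
Both sudoers drop-ins on this page (wifidump and zbdump) grant passwordless root commands. In sudoers, a command listed without arguments may be run with any arguments, while a command listed with arguments is pinned to exactly those. The following script is an added example, not part of wlan-extcap, that lists which entries are unpinned so they can be reviewed or narrowed; its function names are hypothetical and its parser is simplified (one rule per line, no Cmnd_Alias expansion, no escaped commas).

```sh
#!/bin/sh
# Added example (not from the wlan-extcap project): review a sudoers drop-in.
# unrestricted_cmds reads sudoers text on stdin and prints every NOPASSWD
# command that has no argument list, i.e. is allowed with ANY arguments.
unrestricted_cmds() {
    sed -n 's/^[^#]*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
    while read -r cmd args; do
        if [ -n "$cmd" ] && [ -z "$args" ]; then echo "$cmd"; fi
    done
}

# Constructed sample: the two drop-in rules shown on this page.
sample_rules() {
    cat <<'EOF'
# /etc/sudoers.d/wifidump
USERNAME ALL = (root) NOPASSWD: /sbin/ip, /usr/sbin/iw
# /etc/sudoers.d/zbdump
USERNAME ALL = (root) NOPASSWD: /usr/local/bin/whsniff, /usr/bin/killall /usr/local/bin/whsniff
EOF
}

# Check syntax with visudo first, then report what the file really grants.
# Returns 0 if every command is pinned, 1 if some are not, 2 on a syntax error.
review_dropin() {
    file=$1
    visudo -c -f "$file" >/dev/null || { echo "syntax error in $file"; return 2; }
    found=$(unrestricted_cmds < "$file")
    if [ -z "$found" ]; then return 0; fi
    echo "root, any arguments, no password: $(echo $found)"
    return 1
}

# Usage (as root on the remote device): sh review_dropin.sh /etc/sudoers.d/wifidump
if [ $# -ge 1 ]; then review_dropin "$1"; fi
```

On the sample rules only the killall entry is pinned; ip, iw and whsniff are reported, which is the set to restrict to the exact command lines the capture needs if the SSH account is shared or reachable from untrusted networks.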

Usage

  1. Click the gear icon next to "Zigbee remote capture" to display the interface options, then choose the Zigbee channel you want to capture on:

Zigbee Interface Options

  2. Go to the Server tab and enter the remote SSH server address, e.g. 192.168.42.1.

Zigbee Interface Options - Server

  3. Go to the Authentication tab and enter the username and password.

Zigbee Interface Options - Auth

Note: The password is not saved, so to avoid having to enter the password each time you start a capture, I would recommend you set up passwordless SSH authentication.

  4. Click the Start button to start the capture.

Zigbee Capture
