Introduction
In this lab, you will learn to capture and analyze wireless network frames using Tshark, Wireshark's command-line utility. You'll practice enabling monitor mode on a wireless interface, capturing packets with specific filters, and examining frame details through practical exercises.
The lab covers essential techniques including interface configuration, real-time packet capture, and targeted analysis of 802.11 beacon frames. You'll gain hands-on experience with both command-line and GUI methods to observe wireless traffic typically invisible in standard network modes.
Enable Monitor Mode with -I
In this step, you will learn how to enable monitor mode in Wireshark using the -I flag. Monitor mode is a special wireless interface mode that allows your network adapter to capture all wireless traffic on a specific channel, including packets not addressed to your device. This is different from normal "managed mode" where your device only receives packets intended for it.
Before starting, we need to verify your wireless interface is available. Most Linux systems use wlan0 as the default wireless interface name. We'll use the iwconfig command to check:
iwconfig
You should see wlan0 listed among the interfaces. If you see a different name, you'll need to substitute it in the following commands.
Next, we'll use airmon-ng from the aircrack-ng suite to enable monitor mode. This tool helps manage wireless interfaces:
sudo airmon-ng start wlan0
This command creates a new virtual interface in monitor mode, typically named wlan0mon. The "mon" suffix indicates it's in monitor mode.
Let's verify the mode is active by checking the interface properties:
iwconfig wlan0mon
In the output, look for "Mode:Monitor" which confirms the interface is properly configured. You might also see details about frequency and channel here.
Now we're ready to launch Wireshark with monitor mode enabled:
wireshark -I -i wlan0mon
The -I flag specifically tells Wireshark to use monitor mode, while -i wlan0mon specifies our monitor interface. Without these, Wireshark would try to capture in normal managed mode.
When Wireshark opens, check the interface list. You should see wlan0mon with a "(monitor mode)" indicator next to it. This visual confirmation helps ensure you're capturing all wireless traffic properly.
Start Capture with -i wlan0
In this step, you'll capture wireless network traffic using Wireshark's command line interface. The -i flag is crucial as it tells Wireshark which network interface to monitor. Since we're working with wireless networks, we'll use the monitor mode interface we prepared earlier.
Before starting, let's confirm our monitor mode interface is properly set up. This verification ensures we're capturing the right type of wireless data:
iwconfig wlan0mon
Look for "Mode:Monitor" in the output; this confirms your interface is ready to capture all wireless traffic in your vicinity, not just traffic destined for your device.
Now we'll launch Wireshark to begin capturing packets:
wireshark -i wlan0mon
The -i wlan0mon portion specifically tells Wireshark to use our monitor mode interface. In the Wireshark window that appears:
- The packet list will populate in real-time as devices around you transmit wireless frames
- Verify "wlan0mon" appears in the status bar to confirm correct interface selection
- Watch the packet counter increase, showing successful capture activity
To stop capturing packets when you're done:
- Click the prominent red "Stop" button in the toolbar
- Alternatively, press Ctrl+E to toggle capture on/off
For situations where you prefer working in the terminal or need to automate captures, Tshark (Wireshark's command-line version) is perfect:
tshark -i wlan0mon -c 10
This command captures exactly 10 packets then automatically stops, displaying the results directly in your terminal. The -c flag controls how many packets to capture before stopping.
Filter Beacons with -Y "wlan.fc.type_subtype==0x08"
In this step, you will learn how to filter for beacon frames in Wireshark using the display filter syntax. Beacon frames are management frames (type 0, subtype 8, which Wireshark combines into the single type_subtype value 0x08) that wireless access points continuously broadcast to announce their network presence. These frames contain essential information like the network name (SSID), supported data rates, and security settings.
- First, ensure Wireshark is running with capture on wlan0mon (from the previous step):
wireshark -i wlan0mon
This command launches Wireshark and starts capturing packets on the wlan0mon interface, which should already be in monitor mode from the earlier setup.
- In the Wireshark interface:
  - Locate the "Filter" toolbar at the top (just below the main menu)
  - Enter the filter expression:
wlan.fc.type_subtype == 0x08
This filter tells Wireshark to only display packets where the frame type/subtype matches beacon frames (0x08 in hexadecimal).
  - Press Enter or click Apply to activate the filter
You should now only see beacon frames in the packet list. These typically show:
- Source MAC address of the access point (identifies the physical device)
- SSID (network name) in the packet details (what users see as the WiFi name)
- Regular intervals (usually every 100ms, which is the default beacon interval)
To examine a beacon frame in detail:
- Select any beacon frame in the packet list by clicking on it
- Expand the "IEEE 802.11 Wireless LAN Management Frame" section in the middle panel
- Here you can view important details like:
  - SSID (under Tagged Parameters)
  - Supported data rates
  - Channel information
  - Security capabilities
For command-line filtering with tshark (useful for automated captures):
tshark -i wlan0mon -Y "wlan.fc.type_subtype==0x08" -c 5
This command captures exactly 5 beacon frames (-c 5) that match our filter (-Y) from the wlan0mon interface, then automatically exits. The -Y flag in tshark works similarly to Wireshark's display filter.
Display Frames with -V
In this step, you will learn how to use tshark's verbose output mode, the -V flag, to display detailed frame information in the terminal. This is particularly useful when working from the command line, because it prints the full protocol dissection instead of the default one-line-per-packet summary.
- First, ensure you have some captured beacon frames (from previous step). We'll use tshark to display them with full details:
tshark -r /tmp/capture.pcap -Y "wlan.fc.type_subtype==0x08" -V
This command reads from a previously saved capture file (/tmp/capture.pcap) instead of a live interface and filters for beacon frames (type_subtype 0x08). The -V flag tells tshark to show all available details about each frame.
The -V flag provides verbose output showing:
- Complete frame headers (including all 802.11 frame fields)
- All protocol layers (from physical layer up to application data)
- Detailed field values (with explanations of what each value means)
- Hexadecimal payload dumps (useful for analyzing raw packet contents)
To capture and display live frames with verbose output:
tshark -i wlan0mon -Y "wlan.fc.type_subtype==0x08" -V -c 5
This will:
- Capture from wlan0mon interface (your monitor mode interface)
- Filter for beacon frames only (using the same filter as before)
- Show verbose output (with all the details explained above)
- Stop after 5 frames (the -c 5 parameter limits the capture)
Key information to observe in the verbose output:
- Frame Control field values (shows frame type, direction, and other flags)
- MAC addresses (source, destination, and BSSID)
- Beacon interval (how often the AP sends beacon frames)
- Capability information (what features the AP supports)
- Supported rates (the data rates the AP can handle)
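As an added illustration that is not part of the lab, the Python script below decodes a constructed beacon frame the way tshark -V does: it derives wlan.fc.type_subtype from the Frame Control byte (which is why the filter value 0x08 means management type 0, beacon subtype 8) and pulls out the source and BSSID addresses, beacon interval, capability bits, SSID, supported rates and channel. The sample bytes, MAC addresses and SSID "Lab1" are made up; they are not from a real capture.

```python
import struct

SAMPLE_BEACON = bytes.fromhex(  # constructed sample frame, not a real capture
    "80000000"          # Frame Control bytes 80 00: type 0 (management), subtype 8 (beacon); Duration 0
    "ffffffffffff"      # Address 1: destination (broadcast)
    "021122334455"      # Address 2: source (made-up, locally administered MAC)
    "021122334455"      # Address 3: BSSID
    "1000"              # Sequence control
    "0000000000000000"  # Fixed params: timestamp (8 bytes)
    "6400"              # Fixed params: beacon interval = 100 TU (little endian)
    "1104"              # Fixed params: capability 0x0411 = ESS | Privacy | Short slot time
    "00044c616231"      # Tagged param 0: SSID "Lab1"
    "010482848b96"      # Tagged param 1: supported rates 1, 2, 5.5, 11 Mbps (basic rates)
    "030106"            # Tagged param 3: DS parameter set, channel 6
)

def frame_type_subtype(fc_byte0: int) -> int:
    """Value Wireshark shows as wlan.fc.type_subtype: (type << 4) | subtype.
    Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype."""
    return (((fc_byte0 >> 2) & 0x3) << 4) | ((fc_byte0 >> 4) & 0xF)

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame: bytes) -> dict:
    """Decode the fields that tshark -V prints for a beacon frame."""
    if len(frame) < 36 or frame_type_subtype(frame[0]) != 0x08:
        raise ValueError("not a beacon frame")
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", frame, 24)
    info = {
        "source": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "beacon_interval_tu": interval_tu,     # 1 TU = 1024 us, so 100 TU = 102.4 ms
        "privacy": bool(capability & 0x0010),  # capability bit 4: encryption required
    }
    offset = 36  # tagged parameters follow the 12-byte fixed parameters
    while offset + 2 <= len(frame):
        tag_id, tag_len = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + tag_len]
        if len(value) < tag_len:
            raise ValueError("truncated tagged parameter")  # cut-off or malformed frame
        if tag_id == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag_id == 1:
            info["supported_rates_mbps"] = [(r & 0x7F) * 0.5 for r in value]
        elif tag_id == 3:
            info["channel"] = value[0]
        offset += 2 + tag_len
    return info
```

The same offsets apply to frames read from a pcap with the 802.11 link type; a radiotap header in front of the frame (as on most monitor-mode captures) must be skipped first.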
For better readability, especially with long outputs, you can pipe to less:
tshark -i wlan0mon -Y "wlan.fc.type_subtype==0x08" -V -c 5 | less
This lets you scroll through the output page by page using arrow keys, rather than having it all dump to your terminal at once. Press 'q' to exit the less viewer when you're done.
Summary
In this lab, you have learned how to capture wireless frames using Wireshark in monitor mode. Key steps included enabling monitor mode with airmon-ng, verifying the interface status with iwconfig, and launching Wireshark with the -I flag for monitor mode capture. You also practiced specifying the monitoring interface with -i and observing real-time traffic.
Additionally, you explored filtering techniques using -Y for beacon frames and -V for detailed analysis. The lab covered both GUI and command-line methods, including tshark for headless operations, providing a solid foundation for wireless frame analysis.