Capturing WiFi traffic

CLI

  • macOS (10.14.6) airport binary symlink:
$ sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
  • While connected, view current station's channel: airport -I
  • Must be disassociated with wireless station: sudo airport -z
  • Must be on the correct wireless wireless channel: airport -c $CHANNEL
  • While disconnected, CLI dump: sudo tcpdump -Ini en0

  • Currently unsure of how to decrypt a capture via tcpdump, but any format-compatible traffic captured via tcpdump can be opened in Wireshark, where it can do the decryption.

GUI

Applies to either method

  • Be aware: Depending on the encryption scheme (namely WPA), you may need to capture the WiFi association process of the device you're wanting to capture. Meaning, you'll want the device you want to capture traffic for in an unassociated state, and then join the SSID after capturing has begun.
  • The association process may be required, involving 802.11 and EAPOL messages:

Why is this interesting?

WiFi traffic is just radio chatter on a certain channel, so it's easy to observe this chatter. However, if the WiFi network employs a form of encryption, said chatter only shows physical, layer 1 communications, commonly known as "beacons" in the wireless world. These encrypted beacons do not expose the internal protocols being used by the devices on the network. (So no TCP, no UDP, no HTTP, etc.)

However, if you know the WiFi name (Service Set Identifier, SSID) and password, you can decrypt these beacons and see the internal protocols. This is what we're after.

Learning the value of not being seen

Once captured and decrypted, we can now see application-level, or at least layer 2 traffic and above, up to other SSL/TLS-encrypted data: