Clear To Send

CTS 383: Deep Dive – Wi-Fi Troubleshooting at the Frame Level

Thank you to our sponsor:

Meter: Visit meter.com/cleartosend to book a demo!

This video, a deep dive on frame analysis, covers the essentials of capturing Wi-Fi frames and analyzing them using Wireshark. The skills discussed are useful for troubleshooting and for those studying for their CWAP certification.

Capturing Wi-Fi Frames

To properly capture 802.11 frames, a Wi-Fi network interface card (NIC) must be set to monitor mode, as simply running Wireshark will only capture data at Layer 3 and above.

Capture Tools and Tips:

  • macOS: Users can employ the AirTool software to put their card into monitor mode and perform a packet capture on one channel.
  • Unix-based systems are generally easier to use for capture due to more monitor-mode-friendly drivers.
  • Dedicated Tools: Dedicated tools like the Sidekick (which uses Unix and has multiple Wi-Fi NICs for multi-channel capture) and the WLAN Go (a lightweight tool that can be attached to a phone and supports Wi-Fi 7 frame captures) are also recommended.
  • Placement: The capture device should be closer to the client (for client-side troubleshooting) or the AP (for AP-side troubleshooting).
  • AP Capture: Some systems allow packet captures to be performed directly on the access points, which can track a client's MAC address across different APs and channels, or even capture traffic on the wired port.
  • Best Practice: The speakers recommend capturing all traffic first and then filtering later in Wireshark to ensure nothing is missed.

Analyzing Frames with Wireshark

Analysis begins by importing the 802.11 frames into Wireshark. Key features and tips for navigating potentially overwhelming files (containing thousands or millions of frames) include:

1. Filters and Profiles

  • Display Filters: Filters are essential for cutting through the noise. Wi-Fi display filters typically begin with the wlan. prefix.
  • Right-Click Filtering: A fast way to create a filter is to right-click on a specific field in a frame and select “Apply as Filter” or “Prepare as Filter”.
  • wlan.addr Filter: A filter on the transmitter address (wlan.ta) only shows frames the device sent. To see both uplink and downlink traffic for a specific device, change it to wlan.addr, which matches any address field in the frame.
  • Profiles: Users can create or download profiles (like the WLAN Pros Master or MetaGeek profile) to store a set of default Wi-Fi filters and apply color-coding to different frame types, such as management or data frames.
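The following Python script is an added illustration, not code from the episode or from the Wireshark project. It resolves the 802.11 MAC-header address fields the way the wlan.ra, wlan.ta, wlan.sa, wlan.da and wlan.addr display filters do (using the To DS / From DS bits), then applies a wlan.ta-style and a wlan.addr-style filter to a handful of constructed frames. The MAC addresses and the frame list are made up; only management, data and the common control frames are handled.

```python
"""Added example: how Wireshark's wlan.ta / wlan.ra / wlan.sa / wlan.da and
wlan.addr filters map onto the 802.11 MAC header, run over constructed frames."""
import struct
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Frame:
    ftype: int              # 0 = management, 1 = control, 2 = data
    subtype: int
    retry: bool             # wlan.fc.retry
    ra: str                 # receiver address (wlan.ra)
    ta: Optional[str]       # transmitter address (wlan.ta); absent on CTS/ACK
    da: Optional[str]       # destination address (wlan.da)
    sa: Optional[str]       # source address (wlan.sa)
    bssid: Optional[str]    # wlan.bssid
    addrs: tuple            # every address field present: what wlan.addr matches


def build_frame(ftype, subtype, addr1, addr2=None, addr3=None, addr4=None,
                to_ds=False, from_ds=False, retry=False) -> bytes:
    """Construct a raw 802.11 MAC header (no body, no FCS) for the sample set."""
    fc0 = (subtype << 4) | (ftype << 2)                      # protocol version 0
    fc1 = int(to_ds) | (int(from_ds) << 1) | (int(retry) << 3)
    raw = struct.pack("<BBH", fc0, fc1, 0) + mac_bytes(addr1)  # FC, duration, addr1
    if addr2 is not None:
        raw += mac_bytes(addr2)
    if addr3 is not None:
        raw += mac_bytes(addr3) + struct.pack("<H", 0)       # addr3 + sequence control
    if addr4 is not None:
        raw += mac_bytes(addr4)
    return raw


def parse_frame(raw: bytes) -> Frame:
    """Decode frame control and resolve addr1..addr4 to RA/TA/DA/SA/BSSID."""
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds, retry = bool(fc1 & 1), bool(fc1 & 2), bool(fc1 & 8)
    a1 = mac_str(raw[4:10])
    if ftype == 1:                                           # control frame
        # CTS (0xC) and ACK (0xD) carry only RA; RTS and most others carry RA + TA
        ta = None if subtype in (0xC, 0xD) else mac_str(raw[10:16])
        addrs = tuple(a for a in (a1, ta) if a)
        return Frame(ftype, subtype, retry, a1, ta, None, None, None, addrs)
    a2, a3 = mac_str(raw[10:16]), mac_str(raw[16:22])
    addrs = (a1, a2, a3)
    if not to_ds and not from_ds:       # management / IBSS: RA=DA, TA=SA, BSSID in addr3
        da, sa, bssid = a1, a2, a3
    elif from_ds and not to_ds:         # AP -> STA: RA=DA, TA=BSSID, SA in addr3
        da, sa, bssid = a1, a3, a2
    elif to_ds and not from_ds:         # STA -> AP: RA=BSSID, TA=SA, DA in addr3
        da, sa, bssid = a3, a2, a1
    else:                               # 4-address (WDS): DA in addr3, SA in addr4
        a4 = mac_str(raw[24:30])
        da, sa, bssid = a3, a4, None
        addrs = (a1, a2, a3, a4)
    return Frame(ftype, subtype, retry, a1, a2, da, sa, bssid, addrs)


def filter_ta(frames: List[Frame], mac: str) -> List[Frame]:
    """Equivalent of the display filter  wlan.ta == mac  (frames the device sent)."""
    return [f for f in frames if f.ta == mac]


def filter_addr(frames: List[Frame], mac: str) -> List[Frame]:
    """Equivalent of  wlan.addr == mac : any address field, so both directions."""
    return [f for f in frames if mac in f.addrs]


# Constructed sample (made-up addresses): one client, one AP, one wired host.
CLIENT, AP, WIRED = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "02:99:88:77:66:55"
SAMPLE_RAW = [
    build_frame(0, 4, BROADCAST, CLIENT, BROADCAST),                 # probe request from client
    build_frame(0, 8, BROADCAST, AP, AP),                            # beacon from AP
    build_frame(2, 0, AP, CLIENT, WIRED, to_ds=True),                # uplink data, client -> AP
    build_frame(2, 0, CLIENT, AP, WIRED, from_ds=True, retry=True),  # downlink data retry, AP -> client
    build_frame(1, 0xD, CLIENT),                                     # ACK to the client (RA only)
]
SAMPLE = [parse_frame(r) for r in SAMPLE_RAW]

if __name__ == "__main__":
    print("wlan.ta   ==", CLIENT, "->", len(filter_ta(SAMPLE, CLIENT)), "frames")
    print("wlan.addr ==", CLIENT, "->", len(filter_addr(SAMPLE, CLIENT)), "frames")
```

Run it and the two counts differ: wlan.ta matches only the probe request and the uplink data frame, while wlan.addr also picks up the downlink frame and the ACK addressed to the client, which is why the hosts recommend switching to wlan.addr when you want the whole conversation.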
2. Visual Aids and Customization

  • Packet Diagram: This feature (found in Wireshark's preferences under the layout view) displays a diagram of the frame's header fields, bit by bit, which is helpful for studying different protocols.
  • Column Customization: Columns can be added or adjusted by right-clicking on any column.
  • Aliases: For devices not using randomized MAC addresses, users can create aliases (names) for MAC addresses in the ethers file to make the frame list more readable.
3. I/O Graphs (Input/Output Graphs)

  • I/O graphs are an underutilized feature for visualizing events and trends over time.
  • Roaming Analysis: They are particularly useful for analyzing roaming by graphing events like probe requests and reassociations.
  • Signal Strength: I/O graphs can also track Layer 1 data like RSSI values over time, allowing analysts to correlate signal strength drops with client behavior, such as when the client starts probing.
  • Other Applications: They can show the proportion of transmitted frames versus retry frames, or be used to visualize rate shifting.
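To make the RSSI-versus-probing correlation concrete, here is an added Python example (not from the episode or from Wireshark) that does by hand what an I/O graph does: it buckets per-frame records into one-second intervals and computes frame count, retry ratio, probe-request count and mean RSSI per interval. The records are constructed to mimic a client walking away from its AP; the field names in the comments refer to the Wireshark fields an analyst would graph.

```python
"""Added example: the arithmetic behind a Wireshark I/O graph, over constructed
per-frame records, so an RSSI drop can be lined up against probing and retries."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rec:
    t: float        # capture time in seconds (frame.time_relative)
    kind: str       # "data", "probe_req", "reassoc_req", ...
    rssi: int       # radiotap.dbm_antsignal
    retry: bool     # wlan.fc.retry


@dataclass
class Bucket:
    start: float
    frames: int = 0
    retries: int = 0
    probe_req: int = 0
    rssi_sum: int = 0

    @property
    def rssi_mean(self) -> float:
        return self.rssi_sum / self.frames if self.frames else 0.0

    @property
    def retry_ratio(self) -> float:
        return self.retries / self.frames if self.frames else 0.0


def io_graph(records: List[Rec], interval: float = 1.0) -> List[Bucket]:
    """Group records into fixed intervals (the X axis of an I/O graph).
    Empty intervals are kept so a gap in traffic shows up as zero."""
    if not records:
        return []
    last = max(r.t for r in records)
    buckets = [Bucket(i * interval) for i in range(int(last // interval) + 1)]
    for r in records:
        b = buckets[int(r.t // interval)]
        b.frames += 1
        b.rssi_sum += r.rssi
        b.retries += int(r.retry)
        b.probe_req += int(r.kind == "probe_req")
    return buckets


def probing_onset(buckets: List[Bucket]) -> Optional[Tuple[float, float]]:
    """First interval in which the client started probing, with the mean RSSI
    seen in that interval: the value an analyst reads off the two graphs."""
    for b in buckets:
        if b.probe_req:
            return b.start, b.rssi_mean
    return None


def constructed_records() -> List[Rec]:
    """Constructed data: RSSI falls 4 dB per second from -55 dBm, retries appear
    once the link degrades, and the client starts probing at -75 dBm."""
    recs = []
    for sec in range(8):
        rssi = -55 - 4 * sec
        retries = 0 if sec < 3 else 2
        for i in range(4):
            recs.append(Rec(sec + 0.2 * i, "data", rssi, i < retries))
        if rssi <= -75:
            for i in range(3):
                recs.append(Rec(sec + 0.5 + 0.1 * i, "probe_req", rssi, False))
    return recs


def render(buckets: List[Bucket]) -> str:
    """Text table of the four series an analyst would overlay in the graph."""
    lines = ["   t  frames  retry%  probes    RSSI"]
    for b in buckets:
        lines.append(f"{b.start:4.0f}  {b.frames:6d}  {b.retry_ratio * 100:6.0f}  "
                     f"{b.probe_req:6d}  {b.rssi_mean:6.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    graph = io_graph(constructed_records())
    print(render(graph))
    print("probing started at", probing_onset(graph))
```

In Wireshark the same four series would be four graph lines (a frame count, a count with `wlan.fc.retry == 1`, a count with `wlan.fc.type_subtype == 0x04`, and an AVG of `radiotap.dbm_antsignal`); the script shows the numbers those lines are drawn from and where the probing onset sits relative to the signal drop.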
4. Practice and Export

  • Learning: The best way to learn is to study normal traffic first (e.g., active/passive discovery, authentication, association) to become more efficient at spotting anomalies later.
  • Exporting: For large captures, users can mark frames of interest (Command-M on a Mac) and then export only the marked packets to a new PCAP file, making the analysis of those specific frames faster and easier.
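As an added example (not from the episode or from Wireshark), the Python below does what "Export Specified Packets, marked only" produces: it copies the marked frame numbers out of a constructed capture into a new pcap file with link type 105 (raw IEEE 802.11, no radiotap header) and reads the file back to confirm the header and payloads. The frames, addresses and output file name are constructed for the demonstration.

```python
"""Added example: write marked frames to a new classic pcap file, as the
"export marked packets" step does, and read the result back to verify it."""
import struct
from typing import Iterable, List, Tuple

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames; 127 would be radiotap + 802.11
PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps (written little-endian here)


def write_pcap(path: str, frames: Iterable[Tuple[float, bytes]],
               linktype: int = LINKTYPE_IEEE802_11) -> int:
    """Write (timestamp, raw frame) pairs as a classic pcap; returns frames written."""
    count = 0
    with open(path, "wb") as fh:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts, raw in frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            # per-record header: ts_sec, ts_usec, incl_len, orig_len
            fh.write(struct.pack("<IIII", sec, usec, len(raw), len(raw)))
            fh.write(raw)
            count += 1
    return count


def read_pcap(path: str) -> Tuple[int, List[Tuple[float, bytes]]]:
    """Minimal reader for the files write_pcap produces (little-endian, magic A1B2C3D4)."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    frames, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frames.append((sec + usec / 1_000_000, data[off:off + incl]))
        off += incl
    return linktype, frames


def export_marked(capture: List[Tuple[float, bytes]], marked: Iterable[int], path: str) -> int:
    """Keep only the frame numbers the analyst marked (1-based, as Wireshark numbers them)."""
    keep = sorted(set(marked))
    return write_pcap(path, [capture[n - 1] for n in keep if 1 <= n <= len(capture)])


def hdr(fc0: int, a1: str, a2: str, a3: str) -> bytes:
    """Tiny constructed 802.11 management header: FC, duration, three addresses, seq ctrl."""
    mac = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return struct.pack("<BBH", fc0, 0, 0) + mac(a1) + mac(a2) + mac(a3) + b"\x00\x00"


# Constructed stand-in for a large capture (made-up addresses).
CLIENT, AP, BCAST = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff"
CAPTURE = [
    (0.000000, hdr(0x80, BCAST, AP, AP)),         # 1 beacon
    (0.102400, hdr(0x80, BCAST, AP, AP)),         # 2 beacon
    (0.150000, hdr(0x40, BCAST, CLIENT, BCAST)),  # 3 probe request
    (0.151200, hdr(0x50, CLIENT, AP, AP)),        # 4 probe response
    (0.204800, hdr(0x80, BCAST, AP, AP)),         # 5 beacon
    (0.300000, hdr(0xB0, AP, CLIENT, AP)),        # 6 authentication
    (0.302000, hdr(0x00, AP, CLIENT, AP)),        # 7 association request
]

if __name__ == "__main__":
    n = export_marked(CAPTURE, [3, 4, 6, 7], "marked.pcap")
    linktype, frames = read_pcap("marked.pcap")
    print(n, "frames exported, link type", linktype, "first ts", frames[0][0])
```

The beacons are left behind and only the discovery, authentication and association frames land in the new file, which Wireshark opens directly because the link type tells it to dissect each record as an 802.11 frame. A capture taken with radiotap headers would need link type 127 and the radiotap bytes kept in front of each frame.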
Resources

  • PCAPs: https://drive.google.com/drive/u/0/folders/1werkXdRkSO0709myQ4q86Ric4tK7hGVD
  • Wireshark cheat sheet: https://www.cleartosend.net/cts-047-troubleshooting-wifi-wireshark/
  • Wireshark profiles:
    • https://mrncciew.com/2025/09/02/get-rockstarwifi-wireshark-profile/
    • https://github.com/metageek-llc/wireshark-profiles
  • CTS 125: 802.11 Frame Captures on Windows: https://www.cleartosend.net/wireless-frame-captures-windows/
  • CTS 121: Capturing Wireless Frames with a Mac: https://www.cleartosend.net/capturing-wireless-frames-mac/
  • CTS 102: Capturing Wireless Frames: https://www.cleartosend.net/cts-102-capturing-wireless-frames/

The post CTS 383: Deep Dive – Wi-Fi Troubleshooting at the Frame Level appeared first on Clear To Send.

Clear To Send, by Rowell Dionicio and François Vergès