This is a very quick article to help anyone trying to set up the WLANPi as a capture adapter in Wireshark 4. I only tried it with the WLANPi Pro and Wireshark 4.0.1 on my Windows 10 laptop, so apologies if your experience differs, but I’m hoping this post contains enough info to get you started if you’ve never done this before.
This post also assumes your WLANPi has an IP address and you can SSH to it from the Wireshark laptop. It may be possible to connect to the WLANPi using USB-OTG or some other means, but I’ve not tested it and will only be looking at the SSH method here.
Thanks to Nigel for pointing out that Wireshark 4 now ships with the ‘extcap’ plug-in built in. This means we don’t need to install anything onto the laptop other than Wireshark 4.x (and no changes or config on the WLANPi)!
I’m not sure if this step is completely necessary and I didn’t have time to test without it, so I recommend ticking the ‘Sshdump, Ciscodump, and Wifidump’ option under Tools in the Wireshark installer. The rest of the Wireshark settings can be your choice.
Once you’ve got Wireshark installed/upgraded and opened, you should see all your available adapters listed at the bottom. If you have a lot of adapters you may need to scroll the list down using the scroll bar highlighted red below. Then you should see a ‘Wi-Fi remote capture’ adapter, highlighted in green below.
Click on the little gear icon to the left of the ‘Wi-Fi remote capture’ adapter to enter the connection details for your WLANPi.
The first tab (titled Server) is where you enter the IP address of the WLANPi and the port to use. This should be 22 for SSH to the WLANPi. If you’ve messed with that port on your WLANPi then you already know more than me and probably don’t need this post.
Click along to the next tab titled Authentication. Here you need to enter your username and password for SSH to the WLANPi. By default this is wlanpi & wlanpi (all lowercase) but if you’ve ever logged into the web interface of the WLANPi then you might have been forced to set your own custom password. If this is the case enter that custom password. If you’ve forgotten what you set then contact the amazing WLANPi team for help (but it’s probably time to re-image your WLANPi).
Finally click along to the Capture tab where you get to set the good stuff!
I’ve no idea what ‘Remote interface’ does, so I left it at auto and didn’t mess with it. Side note: I did try hitting the refresh button on the right to see if it would detect the 2 WNICs in the WLANPi Pro and allow me to capture on multiple channels, but it appeared to do nothing. Please let me know if you find a way to take multi-channel captures using Wireshark and the multiple adapters in the WLANPi Pro!
Set the channel you want to capture on and the channel width. YES, you can select 6 GHz channels from the list!!! But I don’t have any 6 GHz APs yet, so I didn’t test if this worked. I presume it will…
Once you’ve entered all these required settings, click the Save button at the bottom. Note: the password will not be saved once you exit Wireshark, and you will need to re-enter it every time you open Wireshark to connect to the WLANPi.
Now you’ve configured the adapter, there are multiple ways to kick off the sweet, sweet capturing. Capture > Start along the top of Wireshark works. Double-clicking on the adapter in the adapter list also works. Or you can right-click on the adapter in the list and select Start, like in the screenshot below.
If your setup is correct and Wireshark can connect to your WLANPi, then you’ll see the pop-up below showing a line graph representing the traffic flow and some stats about how many frames have been captured. To end the capture when you’re ready, just click Stop Capture. Then go ahead and inspect or save your pcap like any other capture.
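As an added example (not from the original post or from the WLANPi project), the same settings entered in the GUI above can be handed to the wifidump extcap binary that ships with Wireshark 4 (on Windows it lives in the Wireshark\extcap folder), which is handy for scripted or repeatable captures. The channel-to-frequency helper is mine; the flag names are those in the wifidump man page, so confirm them with `wifidump --help` on your version, and the host, user and key path are placeholders.

```shell
#!/bin/sh
# Added example: drive the wifidump extcap (shipped with Wireshark 4) from a script
# instead of the GUI. Flag names follow the wifidump man page; verify them with
# `wifidump --help`. On Windows the binary is Wireshark\extcap\wifidump.exe.

# wifidump wants a centre frequency in MHz, not a channel number.
# The band argument is required because 6 GHz channel numbers reuse 2.4/5 GHz numbers.
chan_to_freq() {
  band="$1"; ch="$2"
  case "$band" in
    2.4) if [ "$ch" -eq 14 ]; then echo 2484; else echo $((2407 + ch * 5)); fi ;;
    5)   echo $((5000 + ch * 5)) ;;
    6)   if [ "$ch" -eq 2 ]; then echo 5935; else echo $((5950 + ch * 5)); fi ;;
    *)   echo "unknown band: $band" >&2; return 1 ;;
  esac
}

# Build the wifidump command line for a WLANPi reached over SSH on port 22.
# Authentication uses an SSH key (--sshkey) rather than --remote-password, so the
# wlanpi password never appears in the process list or in shell history.
build_wifidump_cmd() {
  host="$1"; user="$2"; key="$3"; band="$4"; ch="$5"; width="$6"; out="$7"
  freq=$(chan_to_freq "$band" "$ch") || return 1
  printf 'wifidump --capture --extcap-interface=wifidump --fifo=%s --remote-host=%s --remote-port=22 --remote-username=%s --sshkey=%s --remote-channel-frequency=%s --remote-channel-width=%s\n' \
    "$out" "$host" "$user" "$key" "$freq" "$width"
}

# Example: 80 MHz capture on 5 GHz channel 36 (placeholder host, user and key path).
# Point --fifo at a named pipe (mkfifo) and run `wireshark -k -i <pipe>` to watch it
# live, or at a plain file to simply write the pcap.
main() {
  cmd=$(build_wifidump_cmd 192.0.2.10 wlanpi "$HOME/.ssh/id_ed25519" 5 36 80 /tmp/wlanpi.pcap)
  echo "$cmd"
}

main "$@"
```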
If Wireshark cannot connect to your WLANPi over the IP and port you’ve specified, then you’ll see a timeout error like the one below. (In this example I deliberately entered the wrong IP to force this error.)
If Wireshark cannot connect to your WLANPi because you entered the wrong SSH credentials, you’ll get an Authentication error like the one below.
Note: Wireshark is not perfect. It actually crashed for me while taking the screenshots for this post. But it’s better than nothing in a pinch or in a home lab.
A massive thanks to Nigel, Adrian of Intuibits fame, and all the WLANPi team who made this possible. I believe Adrian wrote the adapter that Wireshark now includes in their tool, which is an amazing achievement but also a massive contribution.
Andrew – I got this working; however, within Windows Wireshark I do not seem to be able to see the raw EAPOL frames – is there something special I have to do to decode that data? I do see the frames, but they are wrapped in LLC and/or 802.11, and thus I can’t see the 4-way handshake exchange, or details about the auth in an 802.1X exchange. I did figure out how to capture multiple adapters – maybe after a year, you have as well. It’s a matter of creating multiple copies of that “Wi-Fi remote capture” interface within the Windows directory structure where they are saved – just call them each something unique.
Thanks Patty! That is great info about getting the multi-channel captures to work.
Regarding your question, the 4 key messages in the handshake are encrypted by the PTK, so all you get to see in Wireshark is the encrypted WPA Key Data. If you’ve captured a WPA2-PSK (re)association (and you know the passphrase), then you can use Wireshark to decrypt the key messages. I won’t put the instructions here because they’re not short; just Google how to decrypt 802.11 in Wireshark. That’ll allow you to see the key message contents. This won’t work for Dot1X or WPA3-SAE though.