Results 1 to 9 of 9

Thread: Monitor mode captures on OSX

Threaded View

Previous Post Previous Post   Next Post Next Post
  1. #1

    Default Monitor mode captures on OSX

    I'm trying to determine the difference between capturing 802.11 frames in the following ways on OSX (10.8.5). It's a bit esoteric, but I commonly use this method to capture frames for importing into Eye PA, but perhaps I'm missing something.

    Option 1: use "airportd":
    $sudo /usr/libexec/airportd en0 sniff <channel>

    Option 2: use "airport" followed by tcpdump:
    sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=<channel>
    sudo tcpdump -I -P -i en0 -w /tmp/capture.pcap (or alternatvely eliminate the -w and watch packets real-time).

    From what I can tell:
    Both commands, according to the wifi icon on OSX, put the interface into 'monitor' mode.
    Both commands output a pcap file that is readable in both wireshark & Eye PA.
    Both commands appear to capture management, control and data frames.

    The rub:
    Option 1 disconnects you from the network. This is expected, when putting an interface into 'monitor' mode.

    Option 2 does NOT disconnect you, provided you've set the channel to the same channel your currently connected to. This has a distinct advantage of keeping your connection up while capturing in monitor mode.

    My question: Option 2 does not seem like it should work, or more specifically, it does not seem like I should be able to remain connected while also capturing frames in monitor mode. Has anyone else encountered or looked into the validity of capturing frames w/ Option 2?

    My workflow for Eye PA:
    capture frames in OSX, launch VM of windows 7 (parralells, virtualbox etc.), and open the .pcap file in Eye PA via guest-to-host drive sharing. That enables me to use Eye PA when I forget to bring the AirPCap card along.

    EDIT: I corrected the sytanx for the "airport" way (Option 2) to include the actual path of the binary.
    Last edited by mike909; 10-25-2013 at 03:12 AM.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts