Capturing is 80% of the work for Wi-Fi PCAPs.
Here’s a 5-step checklist for usable Wi-Fi packet captures.
- Verify the capture NIC was in monitor mode
-802.11 traffic should be visible.
-You shouldn’t only see layer 3 and above
- Ensure there’s two way traffic
-Transmit and receive traffic for devices in the area
- Check that frames are reasonably in order.
-Example: 4-way handshake messages show 1,2,3,4
-Frames may genuinely be out of order in poor RF conditions
-In that case, try multiple cards. Make sure it’s not isolated to one card
- Don’t pre-filter captures when possible
-tcpdump and other tools allow filtering while capturing
-Refrain from doing this if the filesize is still manageable
-You don’t always know what frames are of interest beforehand
- Check the capture locations match the problem
-Roaming? Get target/origin AP captures concurrently.
-Specific client problem? Get captures near the client.
Sometimes wireless captures are genuinely messy:
-Malformed frames
-Mass re-transmits
-Clients constantly getting the boot
These tips are to ensure pcaps have the minimum viable qualities to make troubleshooting conclusions from.
You may discover after verifying these that the environment still has terrible RF quality.
A single frame can change your whole troubleshooting journey.
Bonus: Not every NIC and driver captures at the same quality. Try multiple NICs if you suspect any quality issues.
Have bad quality wireless captures impacted your ability to troubleshoot?
