WiFi Troubleshooting Using Wireshark - Network Computing PDF


01/10/2018 WiFi Troubleshooting Using Wireshark | Network Computing


WIRELESS INFRASTRUCTURE

07/19/2016
7:00 AM

Rowell Dionicio (/author/36200943)



WiFi Troubleshooting Using Wireshark


Learn how to use the popular network analyzer to track down WiFi problems.

When it comes to open-source tools for network engineers, a top choice is Wireshark, created in 1997 by Gerald
Combs, who needed a tool to track network problems. Originally named Ethereal, the network analyzer is
supported by a community that has added additional dissectors, features, and bug fixes.

Wireshark isn't just for wired networks; wireless network engineers can utilize the tool to help them troubleshoot
and diagnose various WiFi issues. Before getting into the details of using Wireshark to capture WiFi traffic, let's go
over the particular requirements.

In a Windows operating system, you need a network card capable of capturing wireless frames. The built-in
network card is not capable of this because drivers may not allow a user to manually select a channel, or to
place the wireless network in monitor mode.
On macOS, an engineer can natively collect wireless frames through the built-in wireless card. I highly
recommend a free application called Airtool (https://www.adriangranados.com/apps/airtool), which
simplifies the capture of wireless frames in macOS by allowing easy channel selection and parameter
modification. For example, you may want to capture frames on a 40 MHz channel. It’s also possible to simply
select an individual channel on either the 2.4 GHz or 5 GHz spectrum.

A counter displays the number of frames collected, and when you stop the capture, it's saved as a .pcap file
to a location of your choice and automatically opened in Wireshark.

Reading wireless frames

When opening Wireshark, you'll see a number of columns displaying various types of information. The application
is broken out into three sections: frame capture list, frame information, and frame bytes.

With all this information in hand, a wireless network engineer can dive into detailed analysis by observing the
source and destination MAC addresses, the type of frame by looking at the Frame Control Field, and more.

For example, you can view an SSID’s capabilities by examining a beacon frame from the access point. Within the
beacon frame, the Frame Control Field will indicate that the beacon frame is a management frame with a subtype
value of 1000.

The tagged parameters of the wireless management frame show what the service set supports, such as the
basic data rates, security, high-throughput capabilities, and vendor-specific capabilities. Digging into this
information can help an engineer troubleshoot issues regarding client connectivity to an access point.

In addition to troubleshooting client connectivity, you can view client frame exchanges through Wireshark. An
example is device authentication and authorization with an access point.


Encrypted frames

When capturing frames from a wireless network with WEP or WPA/WPA2 security, the details of the frame are
encrypted, preventing you from seeing them. If you know the password, you can decrypt the contents. Within
Wireshark’s Preferences, under IEEE 802.11, enable decryption and insert the wireless network’s password to
create the decryption key.
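What "create the decryption key" means for WPA/WPA2-Personal, as an added example that is not part of the original article: the 256-bit pre-shared key is derived from the password with the SSID as salt, so the SSID must be known too. The function names are hypothetical; `wpa-pwd` and `wpa-psk` are the two key types Wireshark accepts in its 802.11 decryption key list.

```python
import hashlib

def wpa_psk(passphrase: str, ssid: str) -> str:
    """WPA/WPA2-Personal PSK as 64 hex digits.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    pw, salt = passphrase.encode("utf-8"), ssid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()

def _escape(text: str) -> str:
    # Wireshark's wpa-pwd entries use URI-style percent escapes, so a literal
    # '%' or ':' inside the passphrase or SSID has to be escaped.
    return text.replace("%", "%25").replace(":", "%3a")

def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Two equivalent entries for Wireshark's 802.11 decryption key list."""
    return {
        "wpa-pwd": f"{_escape(passphrase)}:{_escape(ssid)}",  # Wireshark derives the PSK
        "wpa-psk": wpa_psk(passphrase, ssid),                 # PSK derived here
    }

if __name__ == "__main__":
    # Constructed lab values, not taken from the article.
    for key_type, value in wireshark_key_entries("password", "IEEE").items():
        print(f"{key_type:8} {value}")
```

The PSK alone is not enough: Wireshark also needs the client's four-way EAPOL handshake in the capture to derive the per-session keys, so start capturing before the client associates.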


Visualizing wireless captures

With the thousands of packets captured by Wireshark, it is possible to look at the data in a different way
using graphs. One example is viewing how many retry frames were detected out of the total number captured.


To get a sense of how many retries occurred during your capture, navigate to Statistics > I/O Graph. In the graph
window, click on the plus icon to add a new data point and rename it “retries.” Add a display filter of “wlan.fc.retry
== 1” and change the color of this filter to red. Modify the Y Axis to display Packets/s, and enable “All packets.”

Now there is a graphical representation of the number of retries from your Wireshark capture.

Adding WiFi columns

By default, Wireshark doesn’t display any WiFi-related columns. But it’s actually quite easy to add columns once
you are aware of what kind of display filters you can work with.

Let’s say you want a column displaying the Duration of a frame. This would help you determine how much air time
devices are using to communicate on the wireless medium.

To add a column, right click on any existing column and select Column Preferences. Any column with a checkbox
indicates it is displayed in the Wireshark Frame List. Click the plus icon to add a new column. Give the column the
name of “Duration,” a type of “Custom,” and a field name of "wlan.duration." Then click OK to close the column
preferences window.

When viewing the list of frames, you can now see the Duration value, which is taken from the Duration field of the
802.11 wireless header.


Other columns that may be useful include:

Channel (wlan_radio.channel) - This can be used if you have an aggregated list of frames captured from
different channels.
Data rate (wlan_radio.data_rate) - To view what data rate the frame was sent at by the transmitter.
MCS Index (wlan_radio.11n.mcs_index or wlan_radio.11ac.mcs) – To identify what MCS index was used by
a transmitter of a frame. This is useful for 802.11n and 802.11ac.

Display filters

Sifting through hundreds or even thousands of wireless frames in Wireshark can feel like looking for a needle in a
haystack. Fortunately, it is possible to narrow down a search through the use of display filters.

Display filters are used to identify specific types of frames or packets. There are many different fields and
information elements to search on. Display filters are very specific so it can be frustrating at times when trying to
find out which display filter to begin with. Here are some common filters:

Filter for all frames with a specific MAC address:
    wlan.addr == mac_address
Filter for all Management frames:
    wlan.fc.type == 0
Filter for all Control frames:
    wlan.fc.type == 1
Filter for all Data frames:
    wlan.fc.type == 2

For a list of more display filters, this blog (http://www.semfionetworks.com/blog/wireshark-most-common-80211-filters)
includes a helpful PDF you can download for free.
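The fields behind the filters above (wlan.fc.type, wlan.fc.retry) and the beacon subtype 1000 and Duration column discussed earlier all sit in the first four bytes of the 802.11 MAC header. This added example, which is not from the original article, decodes them from constructed sample headers; it assumes the radiotap header that a real capture prepends has already been stripped, and the function names are hypothetical.

```python
import struct

# Frame Control is the first 16 bits of the MAC header, little-endian:
# bits 0-1 version, 2-3 type, 4-7 subtype, 8 ToDS, 9 FromDS, 10 MoreFrag,
# 11 Retry, 12 PwrMgmt, 13 MoreData, 14 Protected, 15 Order.
TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {  # a few common (type, subtype) pairs, not the full table
    (0, 0b0100): "Probe Request", (0, 0b1000): "Beacon",
    (0, 0b1011): "Authentication", (1, 0b1101): "ACK",
    (2, 0b0000): "Data", (2, 0b1000): "QoS Data",
}

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and Duration/ID from an 802.11 MAC header."""
    if len(frame) < 4:
        raise ValueError("need at least 4 bytes: Frame Control + Duration/ID")
    fc, duration = struct.unpack_from("<HH", frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    fallback = f"{TYPES.get(ftype, 'Reserved/Extension')} subtype {subtype:04b}"
    return {
        "type": ftype,                    # wlan.fc.type
        "subtype": subtype,               # 8 == binary 1000 for a beacon
        "name": SUBTYPES.get((ftype, subtype), fallback),
        "retry": bool(fc & 0x0800),       # wlan.fc.retry
        "protected": bool(fc & 0x4000),   # frame body is encrypted
        "duration": duration,             # raw Duration/ID field value
    }

def select(frames, **want):
    """Rough equivalent of a display filter, e.g. select(frames, type=2)."""
    parsed = map(parse_header, frames)
    return [h for h in parsed if all(h[k] == v for k, v in want.items())]

def retry_percent(frames) -> float:
    """Share of frames with the Retry bit set, as a percentage."""
    return 100.0 * len(select(frames, retry=True)) / len(frames) if frames else 0.0

# Constructed sample headers (Frame Control + Duration only):
# beacon, QoS data, QoS data retry, ACK, QoS data retry.
SAMPLE = [bytes.fromhex(h) for h in
          ("80000000", "88412c00", "88492c00", "d4000000", "88493000")]

if __name__ == "__main__":
    for raw in SAMPLE:
        h = parse_header(raw)
        print(f"{raw.hex()}  {h['name']:<10} retry={h['retry']} duration={h['duration']}")
    print(f"data frames: {len(select(SAMPLE, type=2))}, retries: {retry_percent(SAMPLE):.0f}%")
```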

Wireshark is an indispensable tool for network troubleshooting. Knowing the ins and outs of Wireshark will help
turn a wireless network engineer into a network analysis expert.