AirPcap Frequently Asked Questions
- What is AirPcap?
- What are the differences between each of your AirPcap versions?
- How is AirPcap different from other WLAN packet capture tools?
- Which AirPcap versions provide support for multi-channel monitoring and aggregation?
- I have a primary requirement to attach an external antenna for my WLAN analysis. Do you have any options?
- Do you provide support for 802.11a?
- Does AirPcap offer on-board timestamping in microseconds?
- Is there a way to see the keys derived from the various EAPOL handshakes as long as the pass phrases and full exchange are present?
- I’m using a laptop with a built-in adapter. Do you have a version of AirPcap that will support built-in adapters?
- When I plug my AirPcap Nx adapter into my Vista system and launch Wireshark or the AirPcap Control Panel, the application freezes until I remove the adapter.
- Do you have a version of AirPcap that runs on Linux, OS X, FreeBSD, VMS, or OS/2?
- I see that you provide packet-transmission and 11a support in AirPcap Ex. Does the packet transmission include custom crafted packets, or is it just playing back .cap streams?
- Can AirPcap sniff multiple channels at one time and debug WPA/WPA2 data?
- I am using Wireshark to do Ethernet packet analysis and would like to do wireless packet capture as well. Do I just need to buy AirPcap from your company and install it and Wireshark will be enabled to deliver wireless data automatically?
- Is the signal strength of the AirPcap Tx adapter adjustable?
- Can AirPcap Tx be set in totally passive mode?
- Does AirPcap Tx run under BartPE?
- Why do AirPcap Nx cards have two antennas? I understand that 802.11n offers MIMO capabilities. Is this related to that? Can you explain how the RF reception of these two antennas is aggregated or filtered on baseband?
- I'm interested in AirPcap but the PCs in my test lab do not have USB 2.0 ports. Is 2.0 a hard or soft requirement?
What is AirPcap?
AirPcap is an adapter that captures all or a filtered set of WLAN frames and delivers the data to the Wireshark platform. Once AirPcap is installed, Wireshark displays a special toolbar that provides direct control of the AirPcap adapter during wireless data capture.
The Wireshark UI is then employed to perform network and data analysis on the packets derived from an AirPcap capture session.
AirPcap is also the name of a family of products that includes AirPcap Classic, AirPcap Tx, AirPcap Ex and AirPcap Nx. This product family represents the first open, affordable, and easy-to-deploy 802.11 WLAN packet capture solutions for the Windows platform. The various members of the AirPcap family + Wireshark provide information about wireless protocols and radio signals, enabling you to capture and analyze low-level 802.11a/b/g/n wireless traffic, including control frames, management frames, and power information.
What are the differences between each of your AirPcap versions?
In addition to all of the packet capture features and functionality of AirPcap Classic, AirPcap Tx, AirPcap Ex, and AirPcap Nx support packet injection. This ability to transmit raw 802.11 frames is an invaluable aid in assessing the security of your wireless network. Several security tools, including Cain & Abel and Aircrack-ng, can use the AirPcap Tx adapter transmit features for advanced penetration testing.
AirPcap Nx is a new AirPcap family member that includes a USB-based 802.11 a/b/g/n adapter with two external antenna connectors. AirPcap Nx provides packet transmission capabilities, multi-channel monitoring and aggregation, on-board microsecond timestamping precision, and more.
AirPcap Nx is the first solution to capture, decode, and visualize 802.11n protocol traffic from any laptop or desktop PC.
How is AirPcap different from other WLAN packet capture tools?
Most WLAN packet analyzers provide proprietary drivers that are based on driver source code provided by Broadcom, Atheros, and other wireless chip manufacturers. AirPcap provides its own promiscuous driver that operates independently from on-board NICs and their drivers, allowing AirPcap to work with the broadest range of laptops and desktop PCs possible.
No other products provide 802.11 capture and transmission in a small package that can be easily moved between workstations.
In addition, AirPcap is the only solution on the market that easily enables capturing packets from multiple 802.11 channels by simply plugging more than one USB adapter into a laptop or desktop PC.
Which AirPcap versions provide support for multi-channel monitoring and aggregation?
AirPcap Classic, AirPcap Tx, AirPcap Ex, and AirPcap Nx all support multi-channel monitoring and aggregation.
I have a primary requirement to attach an external antenna for my WLAN analysis. Do you have any options?
AirPcap Ex (802.11a/b/g) is a wireless USB adapter with an external antenna connector, and comes with a cable and antenna. AirPcap Nx (802.11a/b/g/n) is a wireless USB adapter with two external antenna connectors, and comes with two pigtails and two antennas. Since both adapters have internal printed antennas, they will operate without external antennas.
Do you provide support for 802.11a?
Both AirPcap Ex and AirPcap Nx provide support for 802.11a packet capture and analysis.
Does AirPcap offer on-board timestamping in microseconds?
AirPcap Ex and AirPcap Nx provide support for hardware timestamping with microsecond precision.
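Is there a way to see the keys derived from the various EAPOL handshakes as long as the pass phrases and full exchange are present?
WPA temporal keys (PTK and GTK) are not displayed by Wireshark. Pairwise keys are derived but not displayed, and group keys are not, as yet, derived.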
I’m using a laptop with a built-in adapter. Do you have a version of AirPcap that will support built-in adapters?
No, and most people like it that way. Really! AirPcap Classic, Tx, Ex, and Nx are USB adapters, which leaves you free to use your built-in adapter for normal network operations while simultaneously using your AirPcap adapter for analysis. This is much more convenient and flexible than trying to use a single adapter for everything.
When I plug my AirPcap Nx adapter into my Vista system and launch Wireshark or the AirPcap Control Panel, the application freezes until I remove the adapter.
There is a known bug in the USB stack of Vista SP2 that causes the AirPcap Nx adapter to lock up. While Microsoft is aware of the situation, they have not yet provided a solution for Vista. We can supply a registry patch to fix the problem if you can first provide a registry dump of your Vista machine.
The commands below will generate a file called 'dump.reg' in the root directory of the C: drive:
- Open a command prompt: Start > search box > cmd
- Type: regedit /e c:\dump.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI
- Click [Yes] to the prompt (if any) from User Account Control window.
Please email this partial registry dump file to firstname.lastname@example.org. Once we have this file we will create and return a custom patch file for your computer.
Do you have a version of AirPcap that runs on Linux, OS X, FreeBSD, VMS, or OS/2?
AirPcap runs on the following platforms:
Windows XP (service pack 2, 32 or 64 bit)
Windows 2003 (32 or 64 bit)
Windows Vista (32 or 64 bit)
Windows 7 (32 or 64 bit)
There are no plans to port AirPcap to other platforms at this time.
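I see that you provide packet-transmission and 11a support in AirPcap Ex. Does the packet transmission include custom crafted packets, or is it just playing back .cap streams?
For the moment, our solution allows you to create custom packets that can then be sent over the air. We don't have replay capabilities yet. The packets are sent one at a time, but the API gives you the flexibility to send pretty much any way you like.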
Can AirPcap sniff multiple channels at one time and debug WPA/WPA2 data?
Our AirPcap Classic 3-Pack, AirPcap Ex 3-pack, and AirPcap Nx 3-pack can capture traffic from 3 channels at the same time, and aggregate it in a single capture. WPA and WPA2 can be decrypted and analyzed using the Wireshark network analyzer, included with the AirPcap product CD.
I am using Wireshark to do Ethernet packet analysis and would like to do wireless packet capture as well. Do I just need to buy AirPcap from your company and install it and Wireshark will be enabled to deliver wireless data automatically?
That’s right. After installing our driver and plugging our adapter into the USB port, Wireshark will start capturing wireless traffic.
Is the signal strength of the AirPcap Tx adapter adjustable?
It's not. The Tx frequency and strength are very strictly regulated by the FCC. The signal strength is set to the maximum allowed by the ship-to country.
Can AirPcap Tx be set in totally passive mode?
AirPcap Tx is totally passive unless you use a program that explicitly injects packets.
Does AirPcap Tx run under BartPE?
We've never tested it under BartPE, but our understanding is that BartPE is just a stripped down version of Windows that runs from a CD. In that case, we can't see any reason why AirPcap shouldn't work with it. You probably want to include the AirPcap driver when you build the BartPE image to avoid installing it every time.
Why do AirPcap Nx cards have two antennas? I understand that 802.11n offers MIMO capabilities. Is this related to that? Can you explain how the RF reception of these two antennas is aggregated or filtered on baseband?
The use of two antennas is due to both MIMO and two other RF techniques used by 802.11n to offer higher rates and better reception. Different techniques to merge the signals are used, depending on the specific modulation used (HT-OFDM with 20 or 40 MHz channels, or DL-OFDM). In some cases, the packet is transmitted on both antennas, and each antenna transmits a part of the packet using a slightly different modulation. In other cases, the packet is "duplicated" on the two antennas and on reception the RF section combines the two "copies" of the packet (a sort of redundancy). When receiving packets with an 802.11b/g modulation (OFDM), the two antennas are used for "antenna diversity", i.e., they use the fact that separate antennas receive a slightly different RF signal. In this case, the RF section combines the two signals for better reception.
A complete explanation of all these techniques can be found in the IEEE 802.11n specification.