Skip to content

Capturing wireless traffic using airport

On my MacBook, I use airport for capturing the wireless traffic for various purposes like discovering weak passwords on access points.

You can make a symlink to airport or you can make an alias in your ‘~/.bash_profile’.

I use an alias:

aelius@macbook:~$ sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/

Quick test (performing a wireless scan):

aelius@macbook:~$ airport -s
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                     Telekom_FON d4:21:22:2c:50:3c -77  11      Y  DE NONE
                     WLAN-058496 d4:21:22:2c:50:3b -79  11      Y  DE WPA2(PSK/AES/AES) 
                    Siloff300860 38:10:d5:84:df:de -62  6       Y  DE WPA2(PSK/AES/AES) 
                          Angase 64:66:b3:99:e5:94 -77  5,+1    Y  -- WPA(PSK/AES/AES) WPA2(PSK/AES/AES) 
                      ALLIS_HOME 1c:3a:de:cb:cb:e5 -46  2       Y  DE WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP) 
                             tex 1c:3a:de:cb:cb:e6 -46  132,+1  Y  -- WPA2(PSK/AES/AES) 

Let’s give a try on channel 6. I need root access and I will use sudo:

aelius@macbook:~$ sudo airport en0 sniff 6
Password:
Capturing 802.11 frames on en0.
Session saved to /tmp/airportSniffMqWYcS.cap.

On another terminal tab I run a command to verify the size of the capture (every two sec.)
I know, I can install watch using Homebrew or MacPorts.

while :; do clear; du -csh /tmp/airport*; sleep 2; done

Looks like the capture file size is about 8MB:

8.1M	/tmp/airportSniffMqWYcS.cap

You can see that the capture file have a standard format:

aelius@macbook:~$ file /tmp/airportSniffMqWYcS.cap 
/tmp/airportSniffMqWYcS.cap: tcpdump capture file (little-endian) - version 2.4 (802.11 with radiotap header, capture length 524288)

You can read it in a friendly format using tcpdump:

aelius@macbook:~$ tcpdump -ttttnnr /tmp/airportSniffMqWYcS.cap 
reading from file /tmp/airportSniffMqWYcS.cap, link-type IEEE802_11_RADIO (802.11 plus radiotap header)
2018-07-05 23:30:48.113498 3354791525us tsft 1.0 Mb/s 2437 MHz 11g -73dBm signal -95dBm noise antenna 0 Beacon (Angase) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 5, PRIVACY
2018-07-05 23:30:48.182106 3354859643us tsft 1.0 Mb/s 2437 MHz 11g -63dBm signal -95dBm noise antenna 0 Beacon (ALLIS_HOME) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 2, PRIVACY
2018-07-05 23:30:48.191303 3354870997us tsft short preamble 6.0 Mb/s 2437 MHz 11g -59dBm signal -95dBm noise antenna 0 Beacon (Siloff300860) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 6, PRIVACY
2018-07-05 23:30:48.214633 3354894655us tsft wep fragmented bad-fcs -66dBm signal -95dBm noise antenna 0 2437 MHz 11n ht/20 72.2 Mb/s MCS 7 20 MHz short GI mixed BCC FEC Data IV:40a9dd Pad d KeyID 1
2018-07-05 23:30:48.214788 3354894873us tsft wep bad-fcs -66dBm signal -95dBm noise antenna 0 2437 MHz 11n ht/20 72.2 Mb/s MCS 7 20 MHz short GI mixed BCC FEC Authentication IV:147e78 Pad a KeyID 2
2018-07-05 23:30:48.214965 3354895045us tsft short preamble 24.0 Mb/s 2437 MHz 11g -59dBm signal -95dBm noise antenna 0 Request-To-Send TA:38:10:d5:84:df:de 
2018-07-05 23:30:48.240418 3354920466us tsft short preamble 24.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 Clear-To-Send RA:f0:24:75:49:51:c9 
2018-07-05 23:30:48.240498 3354920577us tsft short preamble 24.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 BA RA:f0:24:75:49:51:c9 
2018-07-05 23:30:48.284455 3354962040us tsft 1.0 Mb/s 2437 MHz 11g -65dBm signal -95dBm noise antenna 0 Beacon (ALLIS_HOME) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 2, PRIVACY
2018-07-05 23:30:48.293695 3354973399us tsft short preamble 6.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 Beacon (Siloff300860) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 6, PRIVACY
2018-07-05 23:30:48.318038 3354996070us tsft 1.0 Mb/s 2437 MHz 11g -72dBm signal -95dBm noise antenna 0 Beacon (Angase) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 5, PRIVACY
2018-07-05 23:30:48.387100 3355064440us tsft 1.0 Mb/s 2437 MHz 11g -68dBm signal -95dBm noise antenna 0 Beacon (ALLIS_HOME) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 2, PRIVACY
2018-07-05 23:30:48.389689 3355069024us tsft short preamble 6.0 Mb/s 2437 MHz 11g -89dBm signal -95dBm noise antenna 0 Beacon (DIRECT-51-HP OfficeJet Pro 8720) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] ESS CH: 6, PRIVACY
2018-07-05 23:30:48.396269 3355075798us tsft short preamble 6.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 Beacon (Siloff300860) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 6, PRIVACY
............ // some lines removed // ............
2018-07-05 23:31:00.164883 3366844648us tsft fragmented bad-fcs -66dBm signal -86dBm noise antenna 0 2437 MHz 11n ht/20 72.2 Mb/s MCS 7 20 MHz short GI mixed BCC FEC 18:23:d3:47:42:7e RS511 > 5e:cf:4d:82:f7:4e IP Information, send seq 104, rcv seq 71, Flags [Response], length 1474
	0x0000:  074f d08e 1db5 d59d 73f6 b2fe f9ce f22c  .O......s......,
	0x0010:  1b99 9b9e a698 0b5b e7f2 d558 5171 c460  .......[...XQq.`
	0x0020:  8741 7035 7c8c 361d 68c3 e5f5 528c 2523  .Ap5|.6.h...R.%#
	0x0030:  c66e b2f0 e18c c7f0 5130 9a2d a858 cfaa  .n......Q0.-.X..
	0x0040:  81d6 bca9 44c8 6629 5d56 e522 f0b6 ab33  ....D.f)]V."...3
	0x0050:  5bba a447 512c a5ed f340 2daa 952c 580d  [..GQ,...@-..,X.
	0x0060:  4669 efa3 2ced 9184 6f89 7975 0a14 3792  Fi..,...o.yu..7.
	0x0070:  f2c0 042f 8156 b0e8 a2c4 dea0 fe2a ffee  .../.V.......*..
	0x0080:  aa2b b380 3a8f 1cd8 074c f8f9 2571 515f  .+..:....L..%qQ_
	0x0090:  e74d 0d4d 842f f005 7f5b 9bd0 cd52 0b01  .M.M./...[...R..
	0x00a0:  c8e2 150c f11c 9b73 bd59 6d7c 2deb d600  .......s.Ym|-...
	0x00b0:  fb32 3274 42d5 c5f7 4408 9f46 b458 c9ea  .22tB...D..F.X..
	0x00c0:  27e2 c37d d9ae d4c4 0d48 0928 02cc 09db  '..}.....H.(....
	0x00d0:  2cba 103d 08f4 b8c7 b54f bebd 2b21 320f  ,..=.....O..+!2.
	0x00e0:  2973 58df 4e14 90fb cc17 f82a ad3e bc54  )sX.N......*.>.T
	0x00f0:  a4e2 1c4b 0d0c 9422 d445 c353 372c db6e  ...K...".E.S7,.n
	0x0100:  1cc5 7bca dafe 554f a26e 6fe8 7d44 aa1f  ..{...UO.no.}D..
	0x0110:  5939 29a2 cd82 e08b 52a5 abd1 d2f5 cf2d  Y9).....R......-
	0x0120:  7b51 055d b469 f1db 14f8 f8cc c3e0 7ea9  {Q.].i........~.

You can use aircrack-ng also:

aelius@macbook:~$ aircrack-ng -w Work/worldlist.txt -b 38:10:d5:84:df:de /tmp/airportSniffMqWYcS.cap 
Opening /tmp/airportSniffMqWYcS.cap
...........
Published inMacOS