Analyze WiFi packet traffic via command line
Many Mac OS X users lament the lack of sophisticated network analysis tools of the kind that are commonplace on Linux. What many don't know is that Mac OS X ships with a command-line tool called airport that can do all sorts of nifty things with Wi-Fi networks, from packet capture (traffic sniffing) to listing nearby networks together with their signal strength (RSSI), channel and security settings.

Unfortunately, it's so squirreled away that most people don't seem to know about it. The utility is part of the Apple80211 private framework that powers your Mac's AirPort menubar icon.

Invoking the utility without arguments prints a useful (if incomplete) usage message. At a Terminal command prompt, type:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
The tool lets you do a number of interesting things, so it's worth playing around with. While you're playing, you may as well create a symlink (a shortcut) to the utility so you don't have to type that long path name all the time:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/bin/airport
(On OS X 10.11 and later, System Integrity Protection makes /usr/bin read-only; put the link in /usr/local/bin instead.)
Among the easiest things you can do is print a list of the Wi-Fi networks within range of your computer, but unlike the Airport menubar item, this report shows you a bunch of extra, precise data, such as which encryption protocol (if any) is being used on the network:
$ airport en1 scan
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                       moscohome 00:22:6b:8b:86:51 -61  10      N  -- WPA2(PSK/AES/AES) 
                     PUBLIC-455H 00:15:6d:60:95:d1 -82  1       N  -- NONE
                    Alex Network 00:1e:e5:24:c4:4f -86  1       Y  TW WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP) 
                   linksysELNIDO 00:21:29:a3:fd:99 -90  6       N  -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP) 
                        2WIRE024 00:18:3f:02:2f:49 -88  6       N  US WEP
                        2WIRE940 00:12:88:d9:85:41 -93  6       N  US WEP
If I wanted to see which of my neighbors still haven't upgraded from WEP, I could just filter using grep:

airport en1 scan | grep WEP

More awesome, perhaps, is the tool's ability to actually perform traffic sniffing and capture packets. Tell airport to sniff, and optionally provide a channel (which you now know thanks to your ability to scan). You need to be an administrator (i.e., you need sudo privileges) to do this:

sudo airport en1 sniff 6

This creates a file called airportSniffXXXXXX.cap in the /tmp directory, where XXXXXX is a string for uniqueness. You can then feed this file into your favorite network analyzer such as Wireshark to examine the traffic offline. A few things to keep in mind: the card is switched into monitor mode for the duration, so your own Wi-Fi connection drops until you stop the capture with Control-C; the file contains raw 802.11 frames from every network on that channel, not just the one you are joined to; and data frames on WPA/WPA2 networks are still encrypted in the capture, so unless you know the network's key (Wireshark can decrypt WPA-PSK traffic if you give it the passphrase and the capture includes a client's four-way handshake) you will see management frames such as beacons and probe requests but not the payloads. Traffic on open networks is readable as captured, and WEP's encryption has been broken for years, which is why both stand out in the scan above.
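The grep above answers one question (who still runs WEP?); the script below, added here as an example and not part of the original hint, answers the broader one and ties the two halves of the hint together: it parses a scan listing, rates each network as OK, TKIP, WEP or OPEN, and prints the channels you would hand to airport ... sniff. The listing it runs on is constructed sample output in the same column layout the tool prints (the 02:00:00:aa:... BSSIDs are locally administered placeholders, not real hardware); the function and rating names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original hint): triage an `airport en1 scan`
# listing for weak security and pick channels worth sniffing.
# SCAN_SAMPLE is constructed sample output in the tool's column layout;
# the BSSIDs are locally administered (02:...) placeholders, not real devices.

SCAN_SAMPLE='                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                        homenet-5 02:00:00:aa:00:01 -61  10      N  -- WPA2(PSK/AES/AES)
                       Free Wifi 02:00:00:aa:00:02 -82  1       N  -- NONE
                    Guest Network 02:00:00:aa:00:03 -86  1       Y  -- WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP)
                        oldrouter 02:00:00:aa:00:04 -88  6       N  US WEP'

# classify_scan: read scan output on stdin, print one line per network:
#   <rating> ch=<channel> <bssid> <ssid>
# SSIDs may contain spaces, so each line is split at the BSSID (the first
# field that looks like a MAC address) rather than by column position.
classify_scan() {
  awk '
    {
      mac = 0
      for (i = 1; i <= NF; i++)
        if (length($i) == 17 && $i ~ /^[0-9a-fA-F][0-9a-fA-F](:[0-9a-fA-F][0-9a-fA-F])+$/) { mac = i; break }
      if (!mac) next                        # header line or junk: no BSSID
      ssid = $1
      for (i = 2; i < mac; i++) ssid = ssid " " $i
      sec = ""                              # everything after CC is the SECURITY column
      for (i = mac + 5; i <= NF; i++) sec = sec (sec == "" ? "" : " ") $i
      rating = "OK"                         # WPA/WPA2 with AES (CCMP) only
      if (sec == "NONE")      rating = "OPEN"   # no encryption at all
      else if (sec ~ /WEP/)   rating = "WEP"    # broken for years
      else if (sec ~ /TKIP/)  rating = "TKIP"   # WPA/WPA2 still permitting TKIP
      printf "%-5s ch=%-3s %s %s\n", rating, $(mac + 2), $mac, ssid
    }'
}

# weak_channels: distinct channels carrying at least one non-OK network,
# i.e. the values you would pass to `sudo airport en1 sniff <channel>`.
weak_channels() {
  classify_scan | awk '$1 != "OK" { sub(/^ch=/, "", $2); print $2 }' | sort -n | uniq
}

# Stand-alone demo on the constructed sample. For a live listing use:
#   airport en1 scan | classify_scan
printf '%s\n' "$SCAN_SAMPLE" | classify_scan
echo "channels to sniff:" $(printf '%s\n' "$SCAN_SAMPLE" | weak_channels)
```

Pipe the output of airport en1 scan (or airport -s, the older spelling mentioned in the comments) into classify_scan on a real machine; splitting on the BSSID rather than on whitespace position is what keeps SSIDs like "Guest Network" intact.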

[crarko adds: I tested this, and it works as described. Things like this and Wireshark are powerful tools in the hands of a network administrator. I trust I don't need to remind you to use your powers for good, and not for evil.]

10 comments

Authored by: scottkitts on Dec 09, '10 06:54:50PM

Is this OS version specific? Couldn't get it to do anything in 10.4.11.

10.4 has an older, less capable version...
Authored by: airdrummer on Dec 11, '10 04:14:24PM

v.429.6, which doesn't do sniffing...use a -h to get the minimal help

Authored by: RobK on Dec 13, '10 06:58:18AM

It does work in Tiger but airport uses different command line options.

To see the options, enter:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -h

Authored by: afb on Dec 09, '10 09:10:34PM

Does anyone know what HT stands for in the scan read out?

Authored by: command_tab on Dec 09, '10 10:23:57PM

A device that uses 802.11n high throughput (HT) mode -- also known as Greenfield mode -- assumes that there are no 802.11a/b/g stations using the same channel. 802.11a/b/g devices cannot communicate with a Greenfield AP. Instead, their transmissions are likely to collide, causing errors and retransmissions for both parties. Normally, 802.11 devices share channels by sensing when another device is transmitting, using a back-off timer to wait until the channel is free. However, because an 802.11a/b/g device cannot tell that a Greenfield device is transmitting, it will go right ahead and transmit. To avoid this, the 802.11n standard also defines an HT mixed mode.

A device using HT mixed mode prepares to transmit in both the old 802.11a/b/g fashion and the new 802.11n fashion. Specifically, HT mixed mode devices transmit a legacy format preamble, followed by an HT format preamble. An HT mixed mode device must also send legacy format CTS-to-Self or RTS/CTS (Request to Send/Clear to Send) frames before transmitting. These "protection mechanisms" let nearby 802.11a/b/g devices -- including those not connected to the HT mixed AP -- sense when the channel is busy.

Of course, these protection mechanisms significantly reduce an 802.11n WLAN's throughput. But they are a price that must be paid to coexist peacefully with 802.11a/b/g neighbors.

Authored by: negritude on Dec 09, '10 11:13:43PM

Not sure if this works the same under Leopard or earlier.

Edited on Dec 09, '10 11:15:24PM by negritude

Authored by: Ptitboul on Dec 10, '10 04:55:49AM
This is Snow Leopard only. Older versions had this software, but with only the "legacy" options. You could do /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s but not /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport scan (which gives the same result). The new /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 sniff capability can be replaced by using /usr/sbin/tcpdump -nei en1 -s 0 -w /tmp/XXXX.pcap

Authored by: Cantus on Dec 15, '10 11:25:03AM
I would delete those MAC addresses if I were you, because you've just unintentionally revealed where you live. More info here.

Authored by: sean.peters on Dec 29, '10 09:02:06AM

Per your link: it appears that Verizon has fixed the XSS security issue here - when I try this, my Verizon router flags it as an XSS security problem and blocks it.

Authored by: tobylane on Dec 26, '10 03:34:00PM

Is this related to how a few network cards can be used to crack security by capturing other wifi network data? I hope there is a sufficiently legit possible reason for there to be more information on this, what's the next step, etc.
