Airtool 2 is a packet capture utility that allows you to capture Wi-Fi traffic using your Mac’s built-in Wi-Fi adapter. It integrates with Wireshark very nicely and lets you upload captures to cloud services such as CloudShark and Packets.
Airtool 2 also allows you to do Wi-Fi packet captures using a remote sensor. A remote sensor is just a Linux box configured to allow Airtool 2 to execute a script via SSH. This custom script performs the packet capture using a compatible Wi-Fi adapter and sends the packets back to Airtool 2. You can build a remote sensor or use a WLAN Pi. The WLAN Pi comes pre-configured with everything you need to be used as a sensor with Airtool 2 and WiFi Explorer Pro 3.
To learn more about setting up and using remote sensors, see: Capture using a remote sensor.
What’s a multi-channel capture?
Wi-Fi networks transmit packets using different radio frequencies, also called channels. A multi-channel capture consists of doing a packet capture on two or more channels simultaneously.
There’s already an option in Airtool 2 to capture packets on multiple channels using the built-in Wi-Fi adapter. However, because a Wi-Fi adapter can’t tune in to various channels simultaneously, Airtool 2 works around it by doing channel hopping: Airtool 2 captures packets on a channel for a given amount of time, then it hops to the next channel, and so on. Channel hopping works fine for specific scenarios, but you cannot use it if you need to capture data from all channels simultaneously.
Different menu options for multi-channel captures using the Mac’s Wi-Fi adapter.
To perform an actual multi-channel capture, you need multiple Wi-Fi adapters, one adapter for each channel you want to capture on. There aren’t any compatible external adapters that we can use for packet capturing with a Mac, so we need an alternative solution: multi-source captures in Airtool 2. You can do actual multi-channel captures in Airtool 2 using multiple remote sensors and Wi-Fi adapters by choosing the Multi-Source Capture option.
Multi-source capture menu option.
Doing a multi-source capture
To do a multi-source capture, you need at least two capture sources. A capture source is a sensor/interface combination, which means you need at least two remote sensors with one Wi-Fi adapter or a single remote sensor with two Wi-Fi adapters. Airtool 2 automatically discovers remote sensors deployed in your local network. For other sensors, if you haven’t used them before, you must add them manually by going to Preferences > Sensors.
Multi-source capture configuration.
You also must specify the channel and channel width to be used for each capture source you define as part of the multi-source capture. Note, too, that even though it is possible to configure multiple capture sources to use the same channel, Airtool 2 will prevent you from using two capture sources that refer to the same sensor/interface combination.
Invalid multi-source capture configuration.
Optionally, you can also limit the frame size to a maximum number of bytes (especially if you’re not interested in user data payloads) to reduce the amount of data transferred back to Airtool 2. In general, a limit of 500 bytes should allow you to capture complete beacon and probe response frames while truncating larger data packets.
And that’s all. When you click “Start Capture,” Airtool 2 connects to each sensor, sets each sensor’s interface in monitor mode, configures the channel and channel width, and starts a packet capture on all capture sources simultaneously. As Airtool 2 receives packets from each “source,” it merges them on the fly based on their timestamp to generate a single capture file.
Remote sensors must synchronize their clocks using NTP (if you’re using a WLAN Pi, it’s already configured to synchronize its clock) for the merge operation to work correctly.
As with any other capture, you can choose to have Airtool 2 save multi-source captures to a file or launch Wireshark and pass the packets to it so that you can see the capture live. You can also use advanced features, such as file rotation, automatic packet slicing, or automatic upload of the captures to CloudShark or Arista Packets.
Working with multi-source captures
Airtool 2 uses the PCAP Next Generation (pcapng) capture file format. This file format allows applications to include metadata information in the file that describes different capture properties, such as the name of the interface used to capture each packet.
Airtool 2 uses this feature to append a friendly name of the capture source to each packet that it saves in the capture file. For example, if you have a sensor named “wlanpi” and the interface name is “wlan0”, the capture source name saved with the packet would be “wlanpi:wlan0.”
You can display this information in Wireshark by adding a custom column and configuring it to show the field “frame.interface_name”.
Adding a custom column in Wireshark to display interface metadata.
Similarly, you can filter by this field if you want to show or export packets from a specific capture source.
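To show what the on-the-fly merge and the per-packet source metadata described above look like at the file level, here is an added example (not Airtool 2’s own code): it writes one pcapng Interface Description Block per capture source with the if_name option set to “sensor:interface”, interleaves packets from several sources by timestamp, applies the 500-byte frame-size limit as packet slicing, and parses the file back to resolve each packet’s interface name (the value Wireshark shows as frame.interface_name). The link type and the sample frames are assumptions, not taken from Airtool 2.

```python
import struct

def _block(btype, body):
    # Generic pcapng block: type, total length, body padded to 32 bits, total length again
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

def interface_block(name, snaplen):
    # IDB, one per capture source: option 2 (if_name) carries "sensor:interface", option 0 ends the list
    nm = name.encode()
    opts = struct.pack("<HH", 2, len(nm)) + nm + b"\x00" * (-len(nm) % 4) + struct.pack("<HH", 0, 0)
    return _block(1, struct.pack("<HHI", 127, 0, snaplen) + opts)  # link type 127 = 802.11 + radiotap (assumed)

def enhanced_packet_block(iface_id, ts_us, data, snaplen):
    # EPB: interface id, 64-bit timestamp (microseconds by default), captured and original length
    captured = data[:snaplen]  # packet slicing, like the frame-size limit described in the post
    hdr = struct.pack("<IIIII", iface_id, ts_us >> 32, ts_us & 0xFFFFFFFF, len(captured), len(data))
    return _block(6, hdr + captured)

def merge_sources(sources, snaplen=500):
    """sources: {"sensor:iface": [(timestamp_us, frame_bytes), ...]} -> one pcapng byte string."""
    names = sorted(sources)
    out = _block(0x0A000000, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # SHB: magic, v1.0, unknown length
    out += b"".join(interface_block(n, snaplen) for n in names)  # one IDB per capture source
    for ts, idx, pkt in sorted((ts, names.index(n), pkt) for n in names for ts, pkt in sources[n]):
        out += enhanced_packet_block(idx, ts, pkt, snaplen)  # interleave packets by timestamp
    return out

def read_packets(blob):
    """Parse a pcapng back into [(interface_name, timestamp_us, captured_len), ...]."""
    names, rows, pos = [], [], 0
    while pos < len(blob):
        btype, total = struct.unpack_from("<II", blob, pos)
        body = blob[pos + 8:pos + total - 4]
        if btype == 1:  # IDB: walk the options until if_name (2) or end-of-options (0)
            opts, name = body[8:], ""
            while len(opts) >= 4 and not name:
                code, length = struct.unpack_from("<HH", opts, 0)
                name = opts[4:4 + length].decode() if code == 2 else ""
                opts = opts[4 + length + (-length % 4):] if code else b""
            names.append(name)
        elif btype == 6:  # EPB: resolve the interface id to its friendly name
            iface, hi, lo, caplen, _ = struct.unpack_from("<IIIII", body, 0)
            rows.append((names[iface], (hi << 32) | lo, caplen))
        pos += total
    return rows

# Constructed sample: two adapters on one sensor; the 600-byte data frame exceeds the 500-byte limit
SAMPLE = {"wlanpi:wlan0": [(2000, b"\x80" + b"\x00" * 19), (500, b"\x08" + b"\x00" * 599)],
          "wlanpi:wlan1": [(1000, b"\x40" + b"\x00" * 29)]}
```

Writing `merge_sources(SAMPLE)` to a .pcapng file and opening it in Wireshark shows the “wlanpi:wlan0” and “wlanpi:wlan1” names in the frame.interface_name column.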
Use case example
There are several use cases where multi-channel captures are useful. One of them is when you need to validate or troubleshoot roaming. In the following basic scenario, we have two dual-band access points that are part of a mesh network: access point A with BSSID 98:ed:7e:18:9c:e7 and access point B with BSSID 98:ed:7e:18:9c:e8, both of them running on channels 1 and 157. A mobile client (iPhone) is initially connected to access point A on channel 1.
A basic Wi-Fi roaming scenario.
To validate or troubleshoot the roaming event, we want to capture the packets when the client moves and roams from access point A to B. To do that, we set up two remote sensors, “NanoPi NEO3,” placed next to access point A, and “wlanpi-silver,” placed next to access point B, each with two Wi-Fi adapters.
The multi-source capture consists of four capture sources:
Multi-source capture configuration using two sensors with two Wi-Fi adapters each.
We start the multi-source capture, and then the client begins to move towards access point B. After filtering out irrelevant packets and other transmitters, we can see in Wireshark that the client performs an active scan to choose a better access point (28-second mark) and finally roams from access point A, on channel 1, to access point B, on channel 157 (31-second mark). You can also see the different packets annotated with the source’s friendly name (remote sensor and interface name).
Multi-channel capture showing a roaming event.
This use case is a basic example of how multi-source captures work, but you can definitely use it as a basis for constructing more complex and sophisticated scenarios.
Troubleshooting multi-channel captures
Keeping track of remote sensors can be challenging. If the multi-source capture fails for any reason, Airtool 2 provides a “diagnostics” feature that allows you to check a remote sensor. Airtool 2 will check that the remote sensor is reachable, the required packages are installed, and that the connected Wi-Fi adapter(s) can be used to do packet captures.
To run diagnostics on a remote sensor, go to Preferences > Sensors. Then, select the sensor that you want to check, click the “Action” button, and choose “Run Diagnostics.”
Running diagnostics on a remote sensor.
Airtool 2 makes it possible to perform affordable, multi-channel captures using multiple remote sensors and Wi-Fi adapters. A remote sensor is a Linux box set up to allow Airtool 2 to run a custom packet capture script via SSH. As each source (a sensor/interface combination) sends captured packets back, Airtool 2 automatically merges them to generate a single capture file or an aggregated live capture in Wireshark.