In August 2018, we wrote a blog describing several issues we found in Apple’s CoreWLAN framework and the airport command-line utility affecting Wi-Fi scanning and monitoring in the 2018 MacBook Pro and other similar models. We also submitted the corresponding bug reports to Apple and waited for a resolution. With the release of macOS Catalina in October 2019, Apple fixed two of these issues: incorrect beacon interval and missing information elements in CoreWLAN’s Wi-Fi scan results.  

Three years later, we give you Part 2, describing two different issues now affecting packet capturing in the new M1 Macs. 

Capturing Wi-Fi traffic is an essential task of protocol analysis. Wi-Fi professionals use packet captures to validate and troubleshoot wireless networks, including connectivity, device compatibility, roaming, configuration problems, and more. And for years, doing Wi-Fi packet captures in the Mac has always worked reliably out of the box, and it is one of the main reasons many Wi-Fi professionals love their Macs to do their jobs.

Unfortunately, packet capturing is now broken in the new M1 Mac. Same as with older Intel Macs, the new M1 Mac comes with a Broadcom Wi-Fi chipset, but it’s the first Mac compatible with 802.11ax. We don’t know if it is because of the new chipset, the new ARM architecture, or macOS Big Sur, but something is wrong and breaks packet capturing in the M1 Mac.

We have already reported these issues to Apple, but we’d also like to share some details to help you understand how these issues affect WiFi Explorer Pro and Airtool.

1. Packet captures don’t use the correct channel

Update (11/08/2021): The latest version of macOS Big Sur appears to have fixed this issue. However, capturing on multiple channels by doing channel hopping remains broken on the M1 MacBook Pro (2020) as macOS doesn’t switch channels across bands correctly. The 14″ and 16″ M1 MacBook Pro (2021) do not appear to be affected.

To do a packet capture in Airtool, for example, Airtool first disconnects from the wireless network and then sets the channel we want to capture on. Airtool disconnects the interface and sets the channel using Apple’s CoreWLAN framework. However, selecting the channel doesn’t work reliably in the new M1 Mac, especially when choosing a channel from a different band. In many cases, the channel remains unchanged. For example, if the interface is previously set to a channel in the 2.4 GHz band, selecting a channel in the 5 GHz band will likely fail. The opposite is also true.

In Airtool, the capture will work, and Airtool will show that it’s capturing on the selected channel, but the packet capture will be done using a different channel. The same is true for Apple’s Wireless Diagnostics. When you do a Wi-Fi packet capture using Apple’s Sniffer utility, selecting a channel and starting the capture will work, but the packet capture will be done using the incorrect channel.

On the other hand, passive scanning in WiFi Explorer Pro doesn’t work as expected. WiFi Explorer Pro iterates over the list of 2.4 and 5 GHz channels to listen for beacons from nearby access points, but because it cannot correctly switch channels between bands, it will only show networks found in either the 2.4 GHz or 5 GHz band, but not both. Also, it some cases while iterating within the same band, setting the next channel will fail, and WiFi Explorer Pro will show less results than expected.

Passive scan only shows a few networks in the 5 GHz band.

2. Packet captures include many corrupt or garbage frames

Update (11/08/2021): The latest version of macOS Big Monterey appears to have fixed this issue.

When you do a packet capture, it is expected to find a fraction of malformed frames because of how Wi-Fi works. However, packet captures in the new M1 Mac show a large percentage of corrupt or garbage frames. For example, under high traffic conditions (such as a speed test), packet captures show many control and management frames with an incorrect size or data rate. Also, many of these frames are not even expected to be found in the capture, such as Association Request frames.

Packet capture made in the M1 shows corrupt and garbage frames.

Beacon frames appear to be correct, and therefore, passive scanning in WiFi Explorer Pro seems to show the right information; however, as it is, we can’t trust packet captures made on the M1.

Airtool uses the libpcap library shipped with macOS for capturing packets, but the problem occurs regardless of the application used for packet capturing. For example, Wi-Fi traffic captures made with the Sniffer utility from Apple’s Wireless Diagnostics also show many corrupt and garbage frames.

Conclusion

In this Part 2 of the “What’s going on, Apple?” series, we share details of new issues affecting Wi-Fi packet capturing in the new M1 Mac and how they affect apps such as WiFi Explorer Pro 3 and Airtool 2. We’ve also reported the issues to Apple and hope they will resolve them soon. In the meantime, if you find a new problem, please let us know.