Wireshark

From Noah.org
Revision as of 03:02, 24 July 2011 by Root


Packet Sniffing WiFi

First, you need a WiFi adapter that supports monitor mode. Usually you can tell whether monitor mode is supported just by running the first step below; if it fails, you need to find another WiFi adapter.

Step one: Put the adapter into monitor mode

# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# ifconfig wlan0 up
# ifconfig wlan0
# iwconfig wlan0
wlan0     IEEE 802.11abg  ESSID:"NOAH-OFFICE"  
          Mode:Monitor  Frequency:2.412 GHz  Access Point: 00:26:F2:BB:79:F6   
          Bit Rate=1 Mb/s   Tx-Power=15 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-25 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Step two: Start Wireshark and select the wireless adapter you want to monitor. In the filter you may want to look at just the IP communication between two devices. In this case, I was trying to figure out how my iPod Touch was talking to a digital multimeter that transmits its meter data over WiFi; in the filter below, 00:06:66:13:d4:a9 is the MAC address of the DMM device and 40:d3:2d:e8:7d:45 is the MAC address of my iPod Touch. Note that if you start capturing without a filter and then attempt to use Wireshark's "prepare as filter" or "apply as filter" feature, it always fails. It creates the initial filter as eth.src == 00:06:66:13:d4:a9, which doesn't match a WiFi frame. I found that matching wlan.bssid against the MAC address works.

(wlan.bssid == 00:06:66:13:d4:a9  || wlan.bssid == 40:d3:2d:e8:7d:45 ) && ip
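The same filter logic applied directly to raw 802.11 frames, as an added example that is not part of the original page: it shows why a BSSID match works where eth.src does not, since the BSSID sits in a different address slot depending on the ToDS/FromDS bits, and why "ip" only matches unencrypted data frames, which are the only ones exposing the LLC/SNAP header. The MAC addresses are the ones quoted above; the frames are constructed test input, not captured traffic.

```python
import struct

# Constructed sample addresses, taken from the MACs quoted on this page.
DMM_MAC = "00:06:66:13:d4:a9"
IPOD_MAC = "40:d3:2d:e8:7d:45"
# Which address slot (1-3) carries the BSSID, keyed by (ToDS, FromDS); WDS frames (1, 1) have none.
BSSID_SLOT = {(0, 0): 3, (0, 1): 2, (1, 0): 1}
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header announcing EtherType 0x0800

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def parse_80211(frame):
    """Decode the MAC header of a raw 802.11 frame (radiotap header already stripped)."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4      # type: 0 mgmt, 1 ctrl, 2 data
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    protected = bool(fc1 & 0x40)
    addrs = {i: frame[4 + 6 * (i - 1):10 + 6 * (i - 1)] for i in (1, 2, 3)}
    slot = BSSID_SLOT.get((to_ds, from_ds))
    bssid = mac_str(addrs[slot]) if slot else None
    # Header is 24 bytes, +6 with a 4th address, +2 for QoS data subtypes (bit 3 of subtype).
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if ftype == 2 and subtype & 0x8 else 0)
    body = frame[hdr_len:]
    # Only an unencrypted data frame exposes LLC/SNAP, so only there can 'ip' match.
    is_ip = ftype == 2 and not protected and body.startswith(SNAP_IPV4)
    return {"type": ftype, "bssid": bssid, "protected": protected, "is_ip": is_ip}

def matches_filter(frame, macs):
    """Equivalent of the display filter '(wlan.bssid == A || wlan.bssid == B) && ip'."""
    info = parse_80211(frame)
    return info["bssid"] in {m.lower() for m in macs} and info["is_ip"]

def build_frame(fc0, fc1, a1, a2, a3, body):
    """Assemble a minimal 3-address 802.11 frame (constructed test input, not a capture)."""
    return struct.pack("<BBH", fc0, fc1, 0) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00" + body

# Constructed frames: an IPv4 data frame from the DMM's BSS to the iPod (FromDS=1, BSSID in addr2),
# a beacon from the same BSSID (no IP payload), and an IPv4 data frame from an unrelated BSS.
DATA_FROM_DMM = build_frame(0x08, 0x02, IPOD_MAC, DMM_MAC, DMM_MAC, SNAP_IPV4 + b"\x45" + b"\x00" * 19)
BEACON_FROM_DMM = build_frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", DMM_MAC, DMM_MAC, b"\x00" * 12)
DATA_OTHER_BSS = build_frame(0x08, 0x02, IPOD_MAC, "02:00:00:00:00:01", "02:00:00:00:00:01", SNAP_IPV4 + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, frame in [("data from DMM", DATA_FROM_DMM), ("beacon", BEACON_FROM_DMM), ("other BSS", DATA_OTHER_BSS)]:
        print(name, parse_80211(frame), matches_filter(frame, [DMM_MAC, IPOD_MAC]))
```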