As introduced in a previous post, I have been using a $199 Netgear R7800 consumer router/AP (running DD-WRT) for performing packet wireless packet captures. Here is a little more detail on the process:
Step 1: Determine the frequency and width of the desired channels. In this example, I am capturing 80 MHz wide 802.11ac in the U-NII-3 band, channel 155 (5775 MHz center, 5735 – 5815 MHz range). This is also known as the four 20 MHz channels 149 (5745 MHz center, 5735 – 5755 MHz range), 153, 157, and 161.
Step 2: SSH to the R7800. Use the iw command to determine which radio has 5 GHz support. First, use “iw phy” to list the details of all physical interfaces. Then, use “iw dev” to list the device to physical interface mappings. On my R7800, phy#0 has 5 GHz support and is represented by device ath0.
Step 3: Put the desired device into monitor mode and set the channel. In this example, I am using ath0 and channel 155 (5745 MHz center of the first channel 149, 80 MHz wide, and 5775 MHz center of the entire 80 MHz channel).
root@DD-WRT:~# ip link set ath0 down
root@DD-WRT:~# iw dev ath0 set type monitor
root@DD-WRT:~# ip link set ath0 up
root@DD-WRT:~# iw dev ath0 set freq 5745 80 5775
Step 4: Begin the capture. Here, I am saving the capture file to the ramdisk at /tmp. This particular device has only about 400 MB available, so I’m going to only capture for less than 10 seconds. After issuing the command below, press CTRL-Z to stop the capture.
root@DD-WRT:~# tcpdump -i ath0 -n -w /tmp/capture1.pcap
Step 5: Move the capture to a PC for analysis. I could use a flash drive and copy the file that way, but I already have tftp64 running on my PC for some Cisco firmware updates, so I will use tftp. 192.168.44.9 is the IP of my PC.
root@DD-WRT:~# tftp -l /tmp/capture1.pcap -p 192.168.44.9
Note: High data rate captures can become large in a hurry. This 6.3 second capture is about 237 MB in size. A quick look in Wireshark shows most of the frames were transmitted at VHT MCS 7 with 2 spatial streams, 585 Mbps rate.