Wireless Network Sniffing

Wireless network sniffing, or packet sniffing, can be done with a tool called airodump-ng, which is part of Aircrack-ng and comes preinstalled in Kali Linux. Airodump-ng is a packet sniffer used to capture all the packets within range of the wireless adapter.


  • Kali Linux installed as a host or as a virtual machine. We generally use Kali Linux as a virtual machine. Check this link for how to Install Kali Linux in Virtual Machine.
  • A wireless adapter that supports Monitor Mode. We are using an ALFA AWUS036NHA, which has an Atheros AR9271 chipset.
  • Your wireless adapter should be in Monitor Mode. Check this link for how to Enable Monitor Mode for Wireless Adapter.
  • It’s good practice to change your MAC address before scanning. Check this link for how to Change MAC Address in Kali Linux.

How to scan nearby wireless networks:

  • In Terminal, type:
    • Syntax: airodump-ng <network_adapter>
    • Example: airodump-ng wlan0
  • This starts scanning all nearby wireless access points and displays the details of each one.
  • Description of every field:
    • BSSID: MAC address of the access point.
    • PWR: Signal level reported by the card. Its meaning depends on the driver, but as the signal gets higher you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn’t support signal level reporting. If the PWR is -1 for a limited number of stations, then this is for a packet that came from the AP to the client but the client transmissions are out of range for your card, meaning you are hearing only half of the communication. If all clients have PWR as -1, then the driver doesn’t support signal level reporting.
    • RXQ: Receive quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds.
    • Beacons: Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.
    • # Data: The number of captured data packets (if WEP, unique IV count), including data broadcast packets.
    • #/s: Number of data packets per second, measured over the last 10 seconds.
    • CH: Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference or overlapping channels.
    • MB: Maximum speed supported by the AP. If MB = 11, it’s 802.11b; if MB = 22, it’s 802.11b+; and up to 54 is 802.11g. Anything higher is 802.11n or 802.11ac. The dot (after 54 above) indicates short preamble is supported. Displays “e” following the MB speed value if the network has QoS enabled.
    • ENC: Encryption algorithm in use. OPN = no encryption, “WEP?” = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA, WPA2 or WPA3 if TKIP or CCMP is present (WPA3 with TKIP allows WPA or WPA2 association, pure WPA3 only allows CCMP). OWE is for Opportunistic Wireless Encryption, aka Enhanced Open.
    • CIPHER: The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA, and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than 0. The standard states that the index can be 0-3 for 40-bit and should be 0 for 104-bit.
    • AUTH: The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
    • ESSID: Shows the wireless network name, the so-called “SSID”, which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests. See this section for more information concerning hidden ESSIDs.
    • STATION: MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of “(not associated)”.
    • Rate: Station’s receive rate, followed by the transmit rate. Displays “e” following each rate if the network has QoS enabled.
    • Lost: The number of data packets lost over the last 10 seconds, based on the sequence number. See the note below for a more detailed explanation.
    • Packets: The number of data packets sent by the client.
    • Notes: Additional information about the client, such as captured EAPOL or PMKID.
    • Probes: The ESSIDs probed by the client. These are the networks the client is trying to connect to if it is not currently connected.

How to scan a specific network:

  • In terminal, type:
    • Syntax: airodump-ng --bssid <mac> --channel <ch_number> <network_adapter>
    • Example: airodump-ng --bssid e2:33:44:55:66:77 --channel 2 wlan0
  • This starts scanning one particular network. To get the MAC address and channel number of that network, use the method defined above to scan all the networks and note its MAC and CH.
  • Additionally, if you want to write the scan data to a file, add one option:
    • Syntax: airodump-ng --bssid <mac> --channel <ch_number> --write <file_name> <network_adapter>
    • Example: airodump-ng --bssid e2:33:44:55:66:77 --channel 2 --write test wlan0
  • This writes all the data to a file in your current directory, which can later be used to extract passwords and important data.
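
Alongside the capture file, the write option also produces a CSV summary (airodump-ng names it <file_name>-01.csv). The following Python script is an added example, not part of the original tutorial: it parses that CSV and flags access points whose ENC and CIPHER columns show open, WEP or WPA/TKIP settings, the check you would run when auditing your own network. The sample rows are constructed and the function names are hypothetical.

```python
import csv
import io

# Constructed sample in the layout of airodump-ng's CSV output (not real capture data).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
E2:33:44:55:66:77, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 2, 54, WPA2, CCMP, PSK, -40, 120, 30, 0.0.0.0, 6, office,
02:00:00:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WEP, WEP, , -60, 80, 12, 0.0.0.0, 5, lobby,
02:00:00:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, OPN, , , -70, 50, 0, 0.0.0.0, 5, guest,
02:00:00:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, WPA2 WPA, CCMP TKIP, PSK, -55, 90, 4, 0.0.0.0, 6, legacy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:AA, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50, 42, E2:33:44:55:66:77, office,home
"""

def parse_airodump_csv(text):
    """Split the file into access-point rows and station rows, keyed by column name."""
    aps, stations, header, target = [], [], None, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not any(row):
            continue                          # blank line between the two sections
        if row[0] == "BSSID":
            header, target = row, aps
        elif row[0] == "Station MAC":
            header, target = row, stations
        elif header is not None:
            if target is stations:            # probed ESSIDs are comma-separated: rejoin the tail
                row = row[:len(header) - 1] + [",".join(row[len(header) - 1:])]
            target.append(dict(zip(header, row)))
    return aps, stations

def weak_findings(aps):
    """Return (BSSID, ESSID, reason) for APs whose ENC/CIPHER values indicate weak settings."""
    findings = []
    for ap in aps:
        enc, ciphers = ap.get("Privacy", "").split(), ap.get("Cipher", "").split()
        if "OPN" in enc:
            reason = "open, no encryption"
        elif any(e.startswith("WEP") for e in enc):
            reason = "WEP"
        elif "WPA" in enc or "TKIP" in ciphers:
            reason = "WPA/TKIP accepted"
        else:
            continue
        findings.append((ap["BSSID"], ap.get("ESSID", ""), reason))
    return findings

if __name__ == "__main__":
    for finding in weak_findings(parse_airodump_csv(SAMPLE_CSV)[0]):
        print(*finding, sep="  ")
```

To run it on a real scan of your own network, read the CSV file from disk and pass its text to parse_airodump_csv in place of SAMPLE_CSV.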