Revision history

initial version

There are two types of sniffing that can be done on Wi-Fi with a personal computer:

  1. capturing traffic sent from or to a particular interface on the computer;
  2. "monitor mode" sniffing for all traffic on a given Wi-Fi channel.

For the first type of sniffing - which would require that you run a capture program, such as Wireshark, on one of the machines involved with the data transfer - you capture on some interface, with "monitor mode" turned off. That will show you all the Data frames that are received by the interface and provided to the host running the capture program, as well as all Data frames that the host running the capture program attempts to transmit on that interface.

I know of no operating systems on which this will provide any Control or Management frames.

The Wi-Fi Direct specification, version 1.9, indicates that at least some of the setup involves Management frames such as Probe Request frames, so you can't see that part.

If it's transferring data, rather than setting up or managing the connection, that should involve Data frames, and thus should show up.

Note, however, that the spec also says that

A P2P Device can operate concurrently with a WLAN (infrastructure network). Such a device is considered a P2P Concurrent Device. The concurrent operation requires a device to support multiple MAC entities. ... The dual MAC functionality can be provided via two separate physical MAC entities each associated with its own PHY entity, two virtual MAC entities over one PHY entity, or any other approach. Implementation of multiple MAC functionality is out of scope of this specification.

and, on at least some operating systems, that might manifest itself as two separate network interface devices for the two MAC entities, even if they're both implemented on one physical Wi-Fi interface ("two virtual MAC entities over one PHY entity"). So, if the machine is associated with a Wi-Fi network and making a Wi-Fi Direct data transfer, you would have to find out how that works on the operating system on which you're doing the transfer and running Wireshark, and you might have to use the appropriate network interface as the capture device.

For the second type of sniffing - which could be done with a machine separate from the two machines doing the transfer, and might be able to be done on one of the machines doing the transfer - you would have to be running on an operating system on which monitor mode is supported, and have a Wi-Fi adapter that supports monitor mode. For information on setting up monitor mode, see the CaptureSetup/WLAN page from the Wireshark Wiki.

In monitor mode, all frames captured by the adapter and provided to the host should be visible (including frames that get an FCS error or other errors), including Control and Management frames.

Unlike non-monitor-mode sniffing, if the network is "protected" - meaning the Data frames, and possibly some Management frames, are encrypted - the frames will be handed to the sniffer program in encrypted form, and you will need to know the network password and provide it to Wireshark in order for it to decrypt the packets. See the "How To Decrypt 802.11" page from the Wireshark Wiki for more information on 802.11 decryption.

As for the packets involved, a quick scan of the Wi-Fi Direct specification seems to indicate that standard 802.11 frames are used, but with Vendor Specific Information Elements used in some Management frames; Wireshark might not dissect those, but it shouldn't have problems dissecting the Data frames if they can be captured.
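As an added example (not code from the original answer), here is a small Python script that checks a set of raw 802.11 frames for the three things the answer discusses: whether Control and Management frames are present (so the capture was most likely taken in monitor mode), whether Data frames have the Protected Frame bit set (so decryption keys would be needed), and whether Management frames carry Vendor Specific IEs, using the Wi-Fi Alliance P2P element (OUI 50:6F:9A, OUI type 9) as the case of interest. It assumes frames are raw 802.11 with no radiotap header, and the sample frames are constructed by hand.

```python
# Classify raw 802.11 frames: frame type, Protected Frame bit, Vendor Specific IEs.
# Assumes raw 802.11 frames without a radiotap header (Wireshark link type IEEE802_11).
from collections import Counter

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
VENDOR_SPECIFIC_TAG = 0xDD          # Element ID 221
P2P_OUI = bytes.fromhex("506f9a")   # Wi-Fi Alliance OUI
P2P_OUI_TYPE = 0x09                 # OUI type of the P2P information element
FIXED_12 = {0x05, 0x08}             # Probe Response, Beacon: 12 bytes of fixed fields before IEs

def frame_type(frame):
    """Return (type, subtype) from the first byte of the Frame Control field."""
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF

def is_protected(frame):
    """Protected Frame bit (bit 6 of the Frame Control flags byte)."""
    return bool(frame[1] & 0x40)

def vendor_ies(frame):
    """Yield (oui, oui_type) for each Vendor Specific IE in a Management frame."""
    ftype, subtype = frame_type(frame)
    if ftype != 0:
        return
    body = frame[24:]                   # 24-byte Management frame header
    if subtype in FIXED_12:
        body = body[12:]
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if tag == VENDOR_SPECIFIC_TAG and len(data) >= 4:
            yield bytes(data[:3]), data[3]
        i += 2 + length

def summarize(frames):
    counts = Counter(TYPE_NAMES.get(frame_type(f)[0], "Reserved") for f in frames)
    return {
        "counts": dict(counts),
        "monitor_mode_likely": counts["Control"] + counts["Management"] > 0,
        "protected_data": sum(1 for f in frames if frame_type(f)[0] == 2 and is_protected(f)),
        "p2p_frames": sum(1 for f in frames if (P2P_OUI, P2P_OUI_TYPE) in vendor_ies(f)),
    }

# Constructed sample frames: duration, addresses and sequence control are all zero.
HDR = bytes(22)
PROBE_REQ = bytes([0x40, 0x00]) + HDR + bytes.fromhex("0000" "dd04506f9a09")  # wildcard SSID + P2P IE
PROT_DATA = bytes([0x08, 0x41]) + HDR + bytes(16)                               # ToDS + Protected
ACK = bytes([0xD4, 0x00]) + bytes(8)                                            # Control frame, 10 bytes
SAMPLE = [PROBE_REQ, PROT_DATA, ACK]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against frames exported from a real capture, a result with no Control or Management frames means the capture was taken without monitor mode, and a non-zero protected count means Wireshark needs the network credentials to show the payloads.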