Home > Analysis, Claim Charting, Software > Wireless packet capture and analysis

Wireless packet capture and analysis

July 3, 2013

Update (Sep 14, 2017): As of Windows 10, you no longer need to use the relatively complex VirtualWiFi solution described in the original post below. Instead, the “Mobile hotspot” solution provides a much more straightforward technique to set up a connection through your computer for Wireshark packet capture of IP traffic traversing through the computer.

Update (Sep 21, 2017): Additionally, see this later post about capturing Wi-Fi data frames in a passive over-the-air manner.


 

Fairly often when performing patent analysis, particularly when creating claim charts mapping one or more patented claims against a target product or service, I find it helpful to capture and analyze packets sent from a wireless device. Internet Protocol (IP) packet capture when using a personal computer, such as a Windows or Mac computer, is relatively straightforward using a packet capture tool. I have been using Wireshark (formerly Ethereal) for years as my preferred packet capture tool, although there are certainly other available options from which to choose, both paid and free.

Packet capture for packets sent to and from other wireless devices such as smartphones and tablets is not so straightforward, therefore I provide below details of a solution that I leverage so that you can take advantage of this approach as well during your patent analysis. The high-level summary of this solution is to set up a Windows OS computer to use Wireshark to capture packets on a virtual Wi-Fi adapter — see this Microsoft explanation of the solution, termed VirtualWiFi, which I can confirm works for me with Windows 7. Credit goes to Eric Geier for documenting how to set up virtual W-Fi adapters here.

Steps:

1. In a command prompt (“cmd”), enter the following to set up your hosted network connection: netsh wlan set hostednetwork mode=allow ssid=YourVirtualNetworkName key=YourNetworkPassword  — You can set up your SSID (YourVirtualNetworkName) and password (YourNetworkPassword) as you wish, though of course you’ll need to know these when you try to connect from your wireless device that you’re testing.

Packet capture - step 1

2. Before enabling the virtual hosted network, configure the physical network adapter to share its Internet access using the Internet Connection Sharing (ICS) feature of Windows. To enable ICS, open the Network Connections window, then right-click the network adapter that is actually connected to the Internet and select Properties. Then select the Sharing tab, check the “Allow other network users to connect through this computer’s Internet connection” checkbox, choose the hosted network connection (that you enabled in step #1) from the drop-down listbox, and click OK.

Packet capture - step 2a Packet capture - step 2b

3. In the command prompt, enter the following to start your hosted network connection: netsh wlan start hostednetwork

Packet capture - step 3

4. Open Wireshark and select Capture->Interfaces, and select the adapter for your physical network connection and click Start. You can confirm that you have the correct adapter through comparison of MAC addresses, though the easiest solution is probably just to watch the packet count of adapters when using the target wireless device — the adapter with corresponding increases in packet count is the one to use.

Packet capture - step 4

5. Connect to the new hosted Wi-Fi network with the target wireless device and execute the desired application, website, service, etc. on the target device being tested and step through whatever sequence for which you wish to analyze the corresponding packets.

6. Once done with testing and recording, select Capture->Interfaces->Stop in Wireshark to stop packet capture.

7. You will then have a set of packets to analyze, and you’ll need to determine the IP address of the wireless device being tested. There are many different considerations here as far as best approaches to walk through the packet data, such as filtering, stream following, searching, exporting, etc., so I suggest that you reference the documentation that Wireshark provides here.

8. Disable the hosted network through entering the following command in the command prompt: netsh wlan stop hostednetwork

If at any time during the steps above you wish to see the current status of the hosted network, such as the MAC addresses of connected devices, enter the following command in the command prompt: netsh wlan show hostednetwork

Packet capture - show network

Once you have performed steps 1-2 above, on system reset the hosted network will not automatically start up, so you would need to execute this command again: netsh wlan start hostednetwork. In fact, once steps 1-2 have been performed once, from then on you should not have to perform them again for subsequent testing — you can start at step 3.

I hope you enjoy your wireless packet capturing and analysis!

%d bloggers like this: