The WiFi settings page contains the configuration for the WiFi monitoring feature and the WiFi decryption feature.

WiFi interfaces

Here the connected WiFi monitoring devices can be configured.

Above the table there is a Country dropdown menu where the correct country of operation can be set. This has a regulatory purpose and affects which channels are available for monitoring.

In the table below, each attached WiFi monitoring device is listed along with its configuration:

  • Device: the name with which the device identifies itself. This is not unique but multiple devices with the same name keep a stable order in the list.
  • Maximum receive speed: This shows the current USB speed used for the WiFi device. Usually it is either 480 Mbit/s or 5000 Mbit/s. For low to medium traffic, USB2 speed is usually enough, but for higher throughput the correct (blue) USB3 port must be used to get full speed.
  • Enable WiFi monitoring: controls if the device should be used to monitor WiFi traffic.
  • Channel: selects the frequency on which the device should monitor.
  • Mode: selects the WiFi channel mode to be used for monitoring. This depends on the configuration of the WiFi that should be monitored. As a rule of thumb for modern WiFi networks the settings HT40+ and HT40- are the most likely for channels in the 2.4GHz range and 80MHz is the most common for channels in the 5GHz range.
  • Scan: this button starts a scan for WiFi networks on the respective device. The result of the scan is shown at the bottom of the page after a few seconds. WiFi monitoring will be interrupted on the device for a few seconds and will automatically resume when the scan is done.

WiFi scan results

When a WiFi scan has been performed the scan results will be shown in a table at the bottom of the page. The table shows the SSID (if available), the BSS, channel and frequency information and signal strength for each WiFi network. A link to the raw scan output for each network is also provided. This contains a lot of additional information about the settings of the WiFi network.

WiFi decryption

In this tab the SSIDs and their associated WPA2 passwords are configured for WiFi decryption. For WiFi networks that use WPA2-PSK, the traffic of a client can be decrypted if the WPA2 password is known at handshake time.

This works for live WiFi monitoring and PCAP analysis of WiFi traffic.

If traffic can be decrypted the packets are converted into Ethernet packets with the appropriate source and destination MAC addresses. These Ethernet packets are then analyzed and potentially captured by the system just like regular Ethernet packets from a wired network interface.

Tips for improved capturing performance

  1. On some devices such as the Allegro 500 the WiFi device does not come up in USB3 mode if the device is already connected when powering the device up. Connect the device after the system is completely booted to get full USB3 speed.
  2. The achievable WiFi decryption speed depends on the Allegro model. More powerful models achieve higher decryption speeds, but the Allegro 200 has no hardware decryption available and is therefore limited in the amount of traffic it can decrypt.
  3. Reception is highly influenced by the location of the antenna. Especially when advanced WiFi techniques like beamforming are used, it may happen that only part (or even none) of the traffic is seen at the capture device. For better results, try to place the antenna as near as possible to the receiver or sender, or in between two devices of interest.
    You can check the TCP stats about missed data to see if there is significant traffic not seen by the Allegro device.

List of supported WiFi capture devices

The following USB WiFi devices are supported for capturing WiFi traffic:

Vendor | Product     | Notes
Alfa   | AWUS036AXML | Supports WiFi 6E (2.4 GHz, 5 GHz, 6 GHz)