One Minute Mac Tip: Sniffing Wi-Fi traffic and capturing packets with the built-in airport utility

Many Mac OS X users lament the lack of sophisticated network analysis tools, often prevalent and seemingly prolific on Linux systems. What many don’t know is that Mac OS X comes with a built-in command-line tool to do all sorts of nifty things with Wi-Fi networks, from packet capture (traffic sniffing) to scanning nearby networks’ signal to noise ratios.

Mac OS X ships with a command-line tool called airport that can do all sorts of nifty things with Wi-Fi networks. Unfortunately, it’s so squirreled away that most people don’t seem to know about it. The utility is part of the Apple80211 Private Framework used to power your Mac’s Airport menubar icon.

Invoking the utility without arguments prints a useful (if incomplete) usage message. At a Terminal command prompt, type:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

The tool let’s you do a number of interesting things, so it’s worth playing around with. While you’re playing, you may as well create a symlink (a shortcut) to the utility so you don’t have to type that long path name all the time:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/bin/airport

Among the easiest things you can do is print a list of the Wi-Fi networks within range of your computer, but unlike the Airport menubar item, this report shows you a bunch of extra, precise data, such as which encryption protocol (if any) is being used on the network:

$ airport en1 scan
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                       moscohome 00:22:6b:8b:86:51 -61  10      N  -- WPA2(PSK/AES/AES) 
                     PUBLIC-455H 00:15:6d:60:95:d1 -82  1       N  -- NONE
                    Alex Network 00:1e:e5:24:c4:4f -86  1       Y  TW WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP) 
                   linksysELNIDO 00:21:29:a3:fd:99 -90  6       N  -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP) 
                        2WIRE024 00:18:3f:02:2f:49 -88  6       N  US WEP
                        2WIRE940 00:12:88:d9:85:41 -93  6       N  US WEP

If I wanted to see which of my neighbors still haven’t upgraded from WEP, I could just filter using grep:

airport en1 scan | grep WEP

More awesome, perhaps, is the tool’s ability to actually perform traffic sniffing and capture packets. Tell airport to sniff, and optionally provide a channel (which you now know thanks to your ability to scan). You need to be an administrator (i.e., you need sudo privileges) to do this:

sudo airport en1 sniff 6

This creates a file called airportSniffXXXXXX.cap in the /tmp directory, where XXXXXX is a string for uniqueness. You can then feed this file into your favorite network analyzer such as Wireshark to examine the traffic offline.

5 replies on “One Minute Mac Tip: Sniffing Wi-Fi traffic and capturing packets with the built-in airport utility”

  1. Hey nice site. I love the kinky sites too, damn! HOT!!
    Anyway, about this, it didnt work for me, all it says when I hit the return key, in Terminal, is File Exists. That’s it, at one point, I seemed to be getting somewhere and i was asked for my password but my greasy fingers messed up and then anything else i did was useless.

    Im running an old old ibookG4 and will try your rsync to move stuff onto my new mac mini. Any help or suggestions would be appreciated.

  2. Hi there.
    very useful post but weirdly when I type airport en1 (or en0 or whatever) scan, nothing happen.

    I can sniff but I don’t know what to do of the .cap file. I don’t know how to make sense of what’s inside. grep doesn’t work either or if it does I don’t no how to check it it did what it is supposed to do!

  3. Hi,
    I tested it on a macbook air from 2014.
    it worked.
    just had to take out the en1 as mine was en0.

    the capture itself I could read within wireshark ..

    very nice tool to have.

    thnx
    marty

Comments are closed.