Capturing management frames using Windows Network Monitor
I am trying to capture network traffic - specifically management frames (and from these, particularly beacon frames) in Windows.
My wireless NIC is Intel Wifi AX201 160MHz, which seems to support monitor mode.
Having spent hours browsing through many articles, I found this gem - which seems to wrap it all up.
As explained by the article - wireless interfaces, by default, do not allow capturing of EVERYTHING that is exchanged in the network - usually the only type of network frame the capturing utilities will catch are data frames. As I mentioned at the top, I am after beacon frames, which consist of a specific sub-type of management frames.
Running netmon and starting a capture on your wireless NIC will indeed show frames with types 10 (2) (apply the following filter: frame.WiFi.FrameControl.Type == 2), but no management (frame.WiFi.FrameControl.Type == 0).
To my disappointment (and to all the other novices trying to do the same, I guess) - Wireshark, which was my first option up to several days ago - does a poorer job (the article says it's not Wireshark's fault, but Windows'. Whatever) - because it shows the 802.11 frames as regular Ethernet ones - so one cannot even find frame controls in the captured traffic, making it way more difficult for novices to start grasping what they are looking at (I have started from scratch with Wikipedia articles).
Back to the article and to my problem - with netmon things seem to start making sense, but to my exacerbating frustration - when it finally comes to instructing how to configure netmon to capture all frames including management ones - it says one needs to apply some settings in the scanning option button.
Now, the article mentions one must be running netmon with Administrator privileges. And so am I, at least following this assumption on how do I know whether my process is running with administrator privileges.
In short, when configuring the properties of my wireless NIC in Windows Network Manager I need to see a screen like
but am only seeing one like
I tried investigating if there is a way to set the interface to monitor mode (which is what this scanning option button is used for, ultimately) via netmon's command line counterpart - nmcap - to no avail.
Would anyone inject hope here?
Update:
I was able to display 802.11 frames in Wireshark for the first time - capturing with netsh trace start capture=yes and converting the trace file to pcapng format with etl2pcapng. It may be possible to do the same exporting the capture via Windows Network Monitor (.cap file) and opening in Wireshark. Did not try. It still feels more comfortable seeing the data in WNM.
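The Type values in the filters quoted in the question (0 for management, 2 for data) come from the 802.11 Frame Control field, and a beacon is management subtype 8. The following is an added example, not part of the original post: it decodes that field and pulls the SSID out of a beacon's tagged parameters. It assumes raw 802.11 frame bytes with no radiotap or other capture header in front; the function names and the sample frames are constructed for illustration.

```python
import struct

# Type lives in bits 2-3 of Frame Control; the question's filters use 0 and 2.
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
BEACON_SUBTYPE = 8      # management subtype used by beacons
MAC_HEADER_LEN = 24     # frame control, duration, 3 addresses, sequence control
BEACON_FIXED_LEN = 12   # timestamp (8) + beacon interval (2) + capabilities (2)

def frame_control(frame: bytes):
    """Return (version, type, subtype) from the first two bytes of a frame."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    (fc,) = struct.unpack_from("<H", frame, 0)   # field is little-endian
    return fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF

def frame_type(frame: bytes) -> str:
    return FRAME_TYPES[frame_control(frame)[1]]

def is_beacon(frame: bytes) -> bool:
    _, ftype, subtype = frame_control(frame)
    return ftype == 0 and subtype == BEACON_SUBTYPE

def beacon_ssid(frame: bytes):
    """Return the SSID of a beacon, or None if it is absent or truncated."""
    if not is_beacon(frame):
        raise ValueError("not a beacon frame")
    pos = MAC_HEADER_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:   # truncated element: stop rather than misread
            return None
        if tag == 0:              # element ID 0 carries the SSID
            return value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

# Constructed sample frames (not taken from a real capture).
SAMPLE_BEACON = (
    bytes.fromhex("80000000")               # frame control = beacon, duration
    + bytes.fromhex("ffffffffffff")         # destination: broadcast
    + bytes.fromhex("020000000001") * 2     # source and BSSID (constructed)
    + bytes.fromhex("0000")                 # sequence control
    + bytes(8) + bytes.fromhex("64000104")  # timestamp, interval, capabilities
    + bytes([0, 7]) + b"labwifi"            # SSID element
    + bytes([1, 1, 0x82])                   # supported rates element
)
SAMPLE_DATA = bytes.fromhex("0801") + bytes(22)   # type 2 (data), subtype 0
```
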
Every Wi-Fi adapter "supports monitor mode" on hardware level. On OS level it depends entirely on the driver. If your adapter is listed in kernel.org, the Linux kernel driver supports setting monitor mode for it. This says nothing of the capability under Windows.
This Techwiser article advises how to use Microsoft Network Monitor (netmon) to verify if the Windows driver supports monitor mode. The fact that you don't see Scanning Options in the Network Manager suggests it does not.
What you can do is install a Linux VM. Unfortunately you most likely will need to get an extra USB Wi-Fi adapter, as, at least for VirtualBox, Windows doesn't allow passthrough of the on-board Wi-Fi adapter. For certain things other platforms are more flexible than Windows.