Using macOS

Airtool is an inexpensive packet capture tool for macOS.

It is available with a 3-day free trial.

Airtool can perform 'local' and remote Wi-Fi packet captures using a capable Linux box with a compatible Wi-Fi adapter, such as the WLAN Pi. Airtool 2 makes it possible to perform affordable, multi-channel captures using multiple remote sensors and Wi-Fi adapters.

Download and install Airtool 2

Launch Airtool

  1. Verify Airtool is running in your menu bar (Wi-Fi icon with a wrench/spanner)

  2. Configure Airtool 2 Preferences

Airtool dropdown > Preferences

Capture using a remote sensor

Remote captures are achieved using SSH to connect to the remote device. When Airtool 2 connects to the device using SSH, it remotely executes a series of commands to capture Wi-Fi traffic. These commands put the device's Wi-Fi adapter (e.g., wlan0) into monitor mode, set the desired channel and channel width, and then run tcpdump to capture the Wi-Fi frames and send them back to Airtool 2 over the SSH connection.

Because Airtool 2 will use the remote device's main Wi-Fi adapter for capturing, Airtool 2 needs to connect to the device using a wired connection or a secondary Wi-Fi adapter.

If you use a secondary Wi-Fi adapter for device access, ensure the channel you capture on is not the same as the channel that adapter is using.

All Airtool 2 features (automatic frame slicing, capture size limits, file rotation, live captures, etc.) are available when capturing using a remote sensor in the same way as when capturing using the built-in Wi-Fi adapter.
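The sequence described above (monitor mode, channel and width, then tcpdump streamed back over SSH), sketched as an added example; it is not Airtool 2's actual command set, which the page does not list. The `ip`/`iw`/`tcpdump` invocation, the use of `sudo`, the helper names and the sample address and account are assumptions.

```python
import re
import shlex

# Assumed mapping from a width choice to an iw(8) channel-type argument.
WIDTHS = {"20": "HT20", "40+": "HT40+", "40-": "HT40-", "80": "80MHz"}
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")       # Linux names are at most 15 chars
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.:-]*")  # never starts with '-'
USER_RE = re.compile(r"[a-z_][a-z0-9_-]*")

def remote_capture_script(iface, channel, width="20", snaplen=0):
    """Build the command line run on the sensor; every field is validated
    because it ends up inside a remote shell."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"bad interface name: {iface!r}")
    if not isinstance(channel, int) or not 1 <= channel <= 233:
        raise ValueError(f"bad channel: {channel!r}")
    if width not in WIDTHS:
        raise ValueError(f"bad channel width: {width!r}")
    if not isinstance(snaplen, int) or not 0 <= snaplen <= 262144:
        raise ValueError(f"bad frame size limit: {snaplen!r}")
    q = shlex.quote(iface)
    return " && ".join([
        f"sudo ip link set {q} down",
        f"sudo iw dev {q} set type monitor",
        f"sudo ip link set {q} up",
        f"sudo iw dev {q} set channel {channel} {WIDTHS[width]}",
        # -U flushes per packet, -s limits bytes per frame (0 = tcpdump default),
        # -w - writes pcap to stdout, which SSH carries back to the Mac.
        f"sudo tcpdump -i {q} -U -s {snaplen} -w -",
    ])

def ssh_argv(host, user, script, port=22):
    """Return the argv for ssh; a host or user starting with '-' would be
    read by ssh as an option, so both are checked first."""
    if not HOST_RE.fullmatch(host) or not USER_RE.fullmatch(user):
        raise ValueError("bad host or user")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("bad port")
    return ["ssh", "-p", str(port), f"{user}@{host}", script]

if __name__ == "__main__":
    # Constructed sensor address and account name.
    cmd = remote_capture_script("wlan0", 36, "40+", snaplen=256)
    print(ssh_argv("192.0.2.10", "capture", cmd))
```

Passing the returned list to `subprocess.run` with stdout redirected to a file yields a pcap stream of the monitored channel.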

Using a sensor

To use a remote sensor, go to Preferences > Sensors and add a new sensor. You will need the hostname or IP address of the sensor. If the sensor is not configured to use the standard SSH port (TCP port 22), then you need to specify the correct port number in the Port field. Then, choose the sensor from the Airtool 2 menu to start the remote capture.

Airtool 2 discovers WLAN Pi-based remote sensors deployed in your local area network automatically.

Before the capture starts, you will be prompted to enter the name of the wireless interface you wish to capture on remotely (e.g., wlan0) and to select the channel and the channel width.

The remote wireless interface may not support some channels and channel widths. If the selected channel and channel width combination is not supported, the capture will fail, and you may choose to change the capture options and try again.

The first time you capture from the remote sensor, you will be prompted to authenticate using the remote device's SSH username and password. You can choose to have Airtool 2 remember the credentials, so you don't have to enter them every time you do a capture. Airtool 2 will store the credentials securely in your Mac's keychain.

Managing sensors

To manage the sensors, go to Preferences > Sensors. You can add, edit or delete existing sensors, mark sensors as favourite, and change the sensors' order by dragging the entries in the list.

If you mark the sensor as favourite, Airtool 2 will list the sensor in the main menu for quicker access.

More details: https://www.intuitibits.com/help/airtool2/#/topic-capture-remote_capture

Capture on multiple channels and remote sensors

You can also use Airtool 2 to capture Wi-Fi traffic on multiple channels simultaneously by using multiple remote sensors or a single remote sensor with multiple Wi-Fi modules. Airtool 2 generates a single capture file by merging the frames captured on each sensor based on their timestamps.

To ensure the correct merging of Wi-Fi frames from each sensor, Airtool 2 requires all sensors to synchronize their time using NTP.

Airtool 2 uses the PCAP Next Generation (pcapng) Capture File Format. This format allows Airtool 2 to annotate each frame with the sensor and interface name used to capture the frame. You can use this information to filter frames by sensor and interface name in Wireshark.
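An added example (not Airtool 2's own code) that reads a merged pcapng file, counts frames per capture interface, and counts frames whose timestamp is earlier than the preceding frame's, a quick check that the sensors' clocks were in sync. It assumes the sensor and interface label is stored in each interface's `if_name` option and that all interfaces use the same timestamp resolution; the sample bytes and names are constructed.

```python
import struct

SHB, IDB, EPB, IF_NAME = 0x0A0D0D0A, 1, 6, 2  # block types; if_name option code

def blocks(data):  # yield (type, body) for each block, little-endian sections only
    off = 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"corrupt block at offset {off}")
        yield btype, data[off + 8:off + total - 4]
        off += total

def options(buf):  # yield (code, value) pairs until opt_endofopt (code 0)
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        if code == 0:
            break
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + ((length + 3) & ~3)  # option values are padded to 32 bits

def audit(data):
    """Return ({interface name: frame count}, frames older than the one before)."""
    names, counts, last, disorder = [], {}, None, 0
    for btype, body in blocks(data):
        if btype == SHB:
            if body[:4] != struct.pack("<I", 0x1A2B3C4D):
                raise ValueError("not a little-endian pcapng section")
            names = []  # interface IDs restart with every section
        elif btype == IDB:
            name = dict(options(body[8:])).get(IF_NAME, b"?")
            names.append(name.decode("utf-8", "replace"))
        elif btype == EPB:
            iface, hi, lo = struct.unpack_from("<III", body)
            ts = (hi << 32) | lo  # assumes the same if_tsresol on all interfaces
            counts[names[iface]] = counts.get(names[iface], 0) + 1
            disorder += int(last is not None and ts < last)
            last = ts
    return counts, disorder

# Constructed sample: two interfaces, three frames, the last one out of order.
def _blk(t, body):
    return struct.pack("<II", t, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
def _idb(name):  # linktype 127 = 802.11 with radiotap header
    opt = struct.pack("<HH", IF_NAME, len(name)) + name + b"\0" * (-len(name) % 4)
    return _blk(IDB, struct.pack("<HHI", 127, 0, 0) + opt + b"\0" * 4)
def _epb(i, ts):
    return _blk(EPB, struct.pack("<IIIII", i, ts >> 32, ts & 0xFFFFFFFF, 0, 0))
SAMPLE = (_blk(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) + _idb(b"sensor-a:wlan0")
          + _idb(b"sensor-b:wlan0") + _epb(0, 1000) + _epb(1, 1005) + _epb(0, 1002))
```

A non-zero second value from `audit()` on a real merged capture points to clock drift between sensors, which is why the NTP requirement matters.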

You can also capture Wi-Fi traffic on multiple channels simultaneously using the same remote sensor if the remote sensor supports more than one Wi-Fi adapter. For example, if you have three remote sensors, and each sensor supports two Wi-Fi adapters, you can capture Wi-Fi traffic on six different channels simultaneously.

Advanced Airtool 2 features, such as automatic frame slicing and live captures using Wireshark, are also available for multi-source captures.

Prepare for a multi-source capture

You must first go to Preferences > Sensors and add any remote sensors you would like to use for multi-source captures. You only need to add a remote sensor the first time you use it. After that, the remote sensor will always be available for multi-source captures.

Airtool 2 discovers WLAN Pi-based remote sensors deployed in your local area network automatically.

Also, make sure you plug in at least one compatible Wi-Fi adapter per remote sensor and know the interface name assigned to it (e.g., wlan0) as you will need it when configuring the remote sensor for capturing.

Start a multi-source capture

  1. Choose Multi-Source Capture from the Airtool 2 menu.

  2. Click the "+" button to add an entry for each remote sensor you want to use for capturing.

  3. For each entry, configure which sensor, interface name, channel, and channel width you want to use.

  4. Click "Start Capture."

Airtool 2 won't allow you to start the capture if it detects an invalid configuration. For example, you cannot use the same sensor and interface name combination twice.

To reduce the amount of data sent back from a remote sensor, you can choose to limit each captured frame's size by enabling the "Limit each frame to" option and entering the desired frame size in bytes.
