WLAN Pi PCAP Capture

1 Understand the Hardware

Different WLAN Pi models have different radio capabilities. Confirm your model before starting.

2 What You Need

• WLAN Pi (any supported model) with WLAN Pi OS 3.x flashed and booted
• USB-C cable (Pi to Mac) OR Ethernet cable (Pi to LAN)
• macOS with Wireshark - brew install --cask wireshark
• Terminal (default macOS Terminal or iTerm2)
• Optional: Airtool 2 (macOS, $30) - multi-channel captures, one-click Wireshark
• Optional: Airtool Pi (iOS, free) - capture directly from iPhone via WLAN Pi Go

3 Connect to the WLAN Pi

3.1 USB-C (recommended for desk work)

Plug the Pi into your Mac. Pi IP over USB-C: 198.18.42.1

3.2 Ethernet

Connect Pi to your LAN. Find IP via LCD (Menu → Network → Ethernet), DHCP lease table, or arp -a on Mac.

3.3 SSH

ssh wlanpi@198.18.42.1

Default password: wlanpi (or Wlanpi! on newer images).

4 Verify the Capture Interface

iw dev

Look for wlanpi0 with type monitor. That is your capture interface - stays in monitor mode permanently. Leave wlan0 (managed) alone.

5 Set the Channel and Width

Always verify: iw dev wlanpi0 info - confirm channel, width, type monitor.

6 Run the Capture

mkdir -p ~/captures
sudo tcpdump -i wlanpi0 -nn -s 0 \
  -w ~/captures/test_ch36_$(date +%Y%m%d_%H%M%S).pcap

IEEE802_11_RADIO in output = radiotap confirmed (RSSI, MCS, PHY info included). Stop with Ctrl+C. Zero dropped packets is ideal.

Management-only (disk-saving)

sudo tcpdump -i wlanpi0 -nn -s 0 \
  -w ~/captures/mgmt_$(date +%Y%m%d_%H%M%S).pcap \
  type mgt or type ctl

Excludes data frames. Reduces file size 80–95% on busy channels.

Long unattended captures

sudo tcpdump -i wlanpi0 -nn -s 0 -C 100 -W 20 \
    -w ~/captures/longrun_$(date +%Y%m%d_%H%M%S).pcap

-C 100 = rotate every 100 MB. -W 20 = keep 20 files (2 GB ring buffer).

7 Verify the Capture

ls -lh ~/captures/
capinfos ~/captures/test_ch36_*.pcap

Confirm: encapsulation = IEEE 802.11 + radiotap, packet count > 0, duration matches runtime, strict time order = True.

Frame-type sanity check

tshark -r ~/captures/test_ch36_*.pcap -q -z io,phs | head -30

8 Transfer the PCAP to Your Mac

# On Pi
exit

# On Mac
mkdir -p ~/Documents/PCAPs
scp wlanpi@198.18.42.1:/home/wlanpi/captures/*.pcap ~/Documents/PCAPs/

9 Wireshark Filters

10 Cleanup (Optional)

Only if you manually flipped wlan0 into monitor mode:

sudo ip link set wlan0 down
sudo iw dev wlan0 set type managed
sudo ip link set wlan0 up
sudo systemctl restart NetworkManager

If you only used wlanpi0 no cleanup needed.

11 Common Gotchas

12 Quick Reference Card

# Mac
ssh wlanpi@198.18.42.1

# Pi
sudo iw dev wlanpi0 set channel 36 HT20
iw dev wlanpi0 info                            # verify
mkdir -p ~/captures
sudo tcpdump -i wlanpi0 -nn -s 0 \
    -w ~/captures/label_$(date +%Y%m%d_%H%M%S).pcap
# Ctrl+C to stop
capinfos ~/captures/label_*.pcap
exit

# Mac
scp wlanpi@198.18.42.1:/home/wlanpi/captures/label_*.pcap ~/Documents/PCAPs/
open -a Wireshark ~/Documents/PCAPs/label_*.pcap

13 Beyond Basic Capture

13.1 Wireshark Live Remote (sshdump)

Wireshark → SSH remote capture: sshdump → Server 198.18.42.1, port 22, user wlanpi. Remote command:

sudo iw dev wlanpi0 set channel 36; sudo tcpdump -i wlanpi0 -U -w -

13.2 Airtool 2 (macOS)

$30 macOS menu-bar app. Auto-discovers WLAN Pi sensors, multi-source capture across multiple Pis into one merged pcapng. Works with R4 and Go.

13.3 Airtool Pi (iOS) - WLAN Pi Go

Free iOS app from Intuitibits. Connect WLAN Pi Go to iPhone via USB-C → auto-discover → select channel / width (up to 320 MHz) → Start. PCAP saved to iPhone, share via AirDrop. No Mac or laptop needed. Supports multi-channel capture (up to 4 adapters) and channel hopping. Output format: pcapng.

13.4 WiFi Explorer Pi (iOS Scanning)

iOS companion app for WLAN Pi Go. Real-time Wi-Fi scanning - AP inventory, RSSI, channel utilization, security mode. No laptop needed.

13.5 WLAN Pi Profiler

sudo profiler -c 36               # 5 GHz active
sudo profiler --listen-only -c 36 # passive mode
sudo profiler --pcap capture.pcap # analyze existing

14 Multi-Band Capture

14.1 Sequential Captures

sudo iw dev wlanpi0 set channel 6 HT20
sudo tcpdump -i wlanpi0 -nn -s 0 -w ~/captures/24ghz_$(date +%H%M%S).pcap
# Ctrl+C after 60s

sudo iw dev wlanpi0 set channel 36 80MHz
sudo tcpdump -i wlanpi0 -nn -s 0 -w ~/captures/5ghz_$(date +%H%M%S).pcap

sudo iw dev wlanpi0 set channel 149 80MHz
sudo tcpdump -i wlanpi0 -nn -s 0 -w ~/captures/5ghz_hi_$(date +%H%M%S).pcap

14.2 Scripted Multi-Band Capture

#!/bin/bash
# Capture each band sequentially -- 60 seconds per channel
mkdir -p ~/captures

sudo iw dev wlanpi0 set channel 6 HT20
sudo timeout 60 tcpdump -i wlanpi0 -nn -s 0 \
  -w ~/captures/multiband_ch6.pcap

sudo iw dev wlanpi0 set channel 36 HT20
sudo timeout 60 tcpdump -i wlanpi0 -nn -s 0 \
  -w ~/captures/multiband_ch36.pcap

sudo iw dev wlanpi0 set channel 149 HT20
sudo timeout 60 tcpdump -i wlanpi0 -nn -s 0 \
  -w ~/captures/multiband_ch149.pcap

echo "Done -- see ~/captures/multiband_ch*.pcap"

14.3 Merge Files (Mac)

mergecap -w combined.pcapng 5ghz_ch149.pcap 6ghz_ch37.pcap

14.4 Kismet

sudo kismet -c wlanpi0

Browse http://198.18.42.1:2501/ - good for discovery, misses ~90% of traffic per channel.

15 Wi-Fi 7 (802.11be) Capture

15.1 WLAN Pi R4 + Netgear A9000 (MT7925U)

$89 USB 3.0 Wi-Fi 7 adapter. Adds a second independent Wi-Fi 7 radio to your R4.

Prerequisites: wlanpi-kernel

cd /usr/src
sudo git clone https://github.com/WLAN-Pi/wlanpi-kernel.git
cd wlanpi-kernel
sudo ./build-kernel.sh
sudo dpkg -i output/wlanpi-kernel-bookworm-v8_*.deb
sudo reboot

Verify + Set Monitor Mode

lsusb | grep 0846:9072
modinfo mt7925u
iw dev

sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up
iw dev wlan1 info

Capture 802.11be on 6 GHz

sudo iw dev wlan1 set channel 37 80MHz
sudo tcpdump -i wlan1 -nn -s 0 \
  -w ~/captures/wifi7_6ghz_$(date +%Y%m%d_%H%M%S).pcap

Verify in Wireshark: wlan_radio.phy == 12 (PHY type 12 = EHT / 802.11be).

15.2 WLAN Pi Go - Intel BE200 (Native Wi-Fi 7)

sudo iw dev wlanpi0 set channel 37 80MHz
iw dev wlanpi0 info
sudo tcpdump -i wlanpi0 -nn -s 0 \
  -w ~/captures/go_6ghz_$(date +%Y%m%d_%H%M%S).pcap

15.3 Dual-Radio Setup - R4 + A9000

R4 built-in MT7612U on 5 GHz + A9000 on 6 GHz simultaneously. Lowest-cost parallel dual-band.

# Terminal 1 -- 5 GHz (wlanpi0)
sudo iw dev wlanpi0 set channel 149 80MHz
sudo tcpdump -i wlanpi0 -nn -s 0 \
  -w ~/captures/dual_5g_$(date +%Y%m%d_%H%M%S).pcap

# Terminal 2 -- 6 GHz (wlan1)
sudo iw dev wlan1 set channel 37 80MHz
sudo tcpdump -i wlan1 -nn -s 0 \
  -w ~/captures/dual_6g_$(date +%Y%m%d_%H%M%S).pcap

# Mac -- merge
mergecap -w combined_dual.pcapng dual_5g_*.pcap dual_6g_*.pcap

16 Working Notes

16.1 Capture Density

On a busy 5 GHz channel (149 with active mesh + AWDL), expect 3,000–5,000 packets/sec. A 45-second capture can exceed 100,000 frames and 70 MB.

16.2 Channel Width vs. Fidelity

For protocol analysis (RSN IEs, EAPOL, beacon parsing), 20 MHz gives the cleanest captures. Use 80/160 MHz only when you need PHY-level detail across the bonded channel.

16.3 Capture Before Associating

For decrypted data frames, capture the 4-way handshake. Start before the client associates. Add PSK in Wireshark: Edit → Preferences → Protocols → IEEE 802.11 → Decryption keys.

16.4 pcapng vs. pcap

Use dumpcap instead of tcpdump for pcapng output (per-packet metadata, multi-interface annotation). Airtool Pi automatically uses pcapng.

16.5 Wi-Fi 7 Key Filters

• EHT: wlan_radio.phy == 12
• MLO IE: wlan.tag.number == 255 && wlan.ext_tag.number == 107
• TWT: wlan.fixed.action_code == 26
• BSS Color: wlan.ext_tag.he_bss_color
• 320 MHz: BE200 (WLAN Pi Go) only - MT7925U max is 160 MHz

16.6 Tool Stack by Workflow