Capturing wifi traffic of one station from another

This is more of an embarrassing tale than a real how-to document. But I found this interesting enough that I don’t mind sharing it.

A couple of weeks ago I was tasked to capture wifi traffic from a device which didn’t have any capture software built in and I wondered how one would do it.

I have used sniffing tools on my Mac to passively sniff activity on access points around me. Because I’ve always tested such tools in places with dozens of access points and multiple saturated channels, I always assumed that all wifi stations (laptops) frequently switch channels. I also assumed that APs (access points) which are set up to select channels automatically are designed to switch channels at any time if they find a better (less noisy) frequency to provide service on.

And because of those incorrect assumptions, I concluded that sniffing another wifi station would be a difficult task, because it would be impossible to dynamically change the channel of a second wifi station to follow the first one and correctly sniff all the packets.

After a short discussion with a colleague, I found out that most wifi stations don’t really switch APs unless the noise to signal ratio gets too bad, and most APs never change channels once they are fully initialized.

In the end, to sniff one device, all I had to do was keep the second device close to the first one and make sure that the second one joins the same channel as the first one. For my tests I used open wifi APs, which were easier to capture/decode. At this point, if your hardware is capable of promiscuous mode and you have the right software for capture, you should be able to put in a filter with the MAC address of the device you want to capture to initiate the process.
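The "filter with the MAC address" step above hides one detail worth seeing in code: in a raw 802.11 capture the station's MAC is not always in the same address field. Depending on the To-DS/From-DS bits in the frame control field, the source is address 2 or address 3 (or address 4 for WDS frames), and the destination is address 1 or address 3, so a filter that only checks one field silently drops half of the device's traffic. The following is an added example, not part of the original post; it builds a few constructed radiotap + 802.11 data frames (all MAC addresses, the BSSID and the channel numbers are made up) and filters them the way a monitor-mode capture filter would, also confirming that each frame was heard on the expected channel.

```python
"""Offline 802.11 frame filtering by station MAC, using constructed sample frames.

Assumptions (this is illustrative code, not from the original post):
  - frames carry a radiotap header whose 'present' word uses only bits 0..3
    (TSFT, Flags, Rate, Channel); no extended present bitmaps
  - frames are unencrypted data frames, as on the open APs the post used
"""
import struct

# Constructed addresses for the example
TARGET = "aa:bb:cc:00:00:01"   # the station we want to capture
PEER = "de:ad:be:ef:00:02"     # another station on the same AP
BSSID = "02:00:00:00:00:aa"    # the open AP
OTHER = "de:ad:be:ef:00:03"    # a third, unrelated station


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def radiotap_header(freq_mhz):
    # version=0, pad=0, length=12, present=bit 3 (channel); channel field = freq(u16) + flags(u16)
    return struct.pack("<BBHI", 0, 0, 12, 1 << 3) + struct.pack("<HH", freq_mhz, 0)


def data_frame(to_ds, from_ds, a1, a2, a3, addr4=None, payload=b"constructed"):
    fc0 = 0x08                                            # type 2 (data), subtype 0
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    hdr = struct.pack("<BBH", fc0, fc1, 0) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
    hdr += struct.pack("<H", 0)                           # sequence control
    if addr4:                                             # WDS (To-DS and From-DS both set)
        hdr += mac_bytes(addr4)
    return hdr + payload


def freq_to_channel(freq_mhz):
    """Map a centre frequency to the 802.11 channel number (2.4 GHz and 5 GHz bands)."""
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if freq_mhz == 2484:
        return 14
    if 5000 < freq_mhz < 6000:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"unsupported frequency {freq_mhz} MHz")


# (size, alignment) of radiotap fields for present bits 0..3: TSFT, Flags, Rate, Channel
_RT_FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2)]


def parse_radiotap(buf):
    """Return (header length, channel frequency in MHz or None)."""
    _version, _pad, rt_len, present = struct.unpack_from("<BBHI", buf, 0)
    off, freq = 8, None
    for bit, (size, align) in enumerate(_RT_FIELDS):
        if present & (1 << bit):
            off = (off + align - 1) // align * align     # radiotap fields are naturally aligned
            if bit == 3:
                freq = struct.unpack_from("<H", buf, off)[0]
            off += size
    return rt_len, freq


def parse_frame(buf):
    """Decode enough of a radiotap + 802.11 frame to know its channel, source and destination."""
    rt_len, freq = parse_radiotap(buf)
    mac = buf[rt_len:]
    fc0, fc1 = mac[0], mac[1]
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    a1, a2, a3 = mac_str(mac[4:10]), mac_str(mac[10:16]), mac_str(mac[16:22])
    # Address meaning depends on the DS bits (IEEE 802.11 address field table)
    if not to_ds and not from_ds:
        sa, da = a2, a1            # ad-hoc / management: DA, SA, BSSID
    elif to_ds and not from_ds:
        sa, da = a2, a3            # station -> AP: BSSID, SA, DA
    elif from_ds and not to_ds:
        sa, da = a3, a1            # AP -> station: DA, BSSID, SA
    else:
        sa, da = mac_str(mac[24:30]), a3   # WDS: RA, TA, DA, SA
    return {
        "channel": freq_to_channel(freq) if freq else None,
        "type": (fc0 >> 2) & 0x3,
        "to_ds": to_ds, "from_ds": from_ds,
        "sa": sa, "da": da,
    }


def frames_for_station(captures, station, channel=None):
    """Keep frames sent by or addressed to `station`, optionally only those heard on `channel`."""
    out = []
    for buf in captures:
        f = parse_frame(buf)
        if channel is not None and f["channel"] != channel:
            continue
        if station in (f["sa"], f["da"]):
            out.append(f)
    return out


# Constructed capture: the AP sits on channel 6 (2437 MHz); one stray frame from channel 11.
SAMPLE_CAPTURE = [
    radiotap_header(2437) + data_frame(True, False, BSSID, TARGET, PEER),   # TARGET -> AP -> PEER
    radiotap_header(2437) + data_frame(False, True, TARGET, BSSID, PEER),   # PEER -> AP -> TARGET
    radiotap_header(2437) + data_frame(True, False, BSSID, PEER, OTHER),    # unrelated traffic
    radiotap_header(2462) + data_frame(False, True, TARGET, BSSID, OTHER),  # heard on channel 11
]

if __name__ == "__main__":
    for f in frames_for_station(SAMPLE_CAPTURE, TARGET, channel=6):
        print(f"ch{f['channel']} {f['sa']} -> {f['da']}")
```

Note the second sample frame: the target's MAC is in address 1 and the source is address 3, so a filter that only compared "address 2 == target" would have kept one of the two frames for this station. The channel argument is the programmatic counterpart of parking the second laptop on the same channel as the first one.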