Npcap/WiFi adapters

From SecWiki
Jump to: navigation, search

One of Npcap's advanced features is support for capturing raw 802.11 WiFi frames from adapters in monitor mode. Unfortunately, not all adapters support this mode, and several which do support it have limitations in their drivers. This page will attempt to document adapters that have been tested, and the degree of support they provide.

Feature Support

Note: A common reason for an adapter to not show "Monitor Mode" in Wireshark is if you have WinPcap installed. Wireshark will not use Npcap if WinPcap is present.

Note: These features are part of the "Native 802.11 WLAN" interface, which is deprecated in Windows 10. It is possible that a device listed here under Windows 10 may perform better in Windows 8 or 8.1.

Adapter name Firmware/Driver version Windows version Monitor mode Capture works FCS Channel/frequency RSSI Npcap version tested Notes
Netgear A6210 1.0.0.36/5.1.29.0 10 Yes Yes No No No 0.96 Issue #1036
Netgear A6200 1.0.0.35/6.32.145.8 10 Yes Yes No No No 0.96 Issue #1036
Alfa AC1200 (Realtek 8812AU) 10 1030.23.502.2017 No N/A N/A N/A N/A 0.96 Windows 10 Microsoft-provided driver
Alfa AC1200 (Realtek 8812AU) 10 1030.17.1101.2016 Yes No N/A N/A N/A 0.96 Driver downloaded from realtek.com.tw
Alfa AWUS036NHA (Atheros AR9271) 10 2.0.0.32 N/A N/A N/A N/A N/A 0.96 BSoD crash in athurx.sys on Windows 10. Windows 7 may work (untested).
Alfa AWUS036NHA (Atheros AR9271) 10 10.0.0.20 Yes Yes Yes No Yes 0.96 Using Windows 8 driver from https://wikidevi.com/wiki/Talk:Atheros_AR9271
Intel AC 3160 NGW 10 18.33.0.2 Yes Yes  ? No Yes 0.96 Extra 8 bytes at the end of each frame
Alfa AWUS036H (Realtek RTL8187) 10 6.1316.1209.2009 Yes Yes Yes No Yes 0.96 Issue #1001

Key

Monitor mode 
Adapter allows setting monitor mode.
Capture works 
Npcap can be used to capture raw 802.11 frames.
FCS 
The 802.11 Frame Check Sequence is correctly set and reflected in the Radiotap header.
Channel/frequency 
The channel info and frequency are correctly returned in the Radiotap header.
RSSI 
The Received Signal Strength Indication field is correctly set in the Radiotap header.

How to help

If you would like to help us collect this information, you need a few things:

Install Npcap and Wireshark. Be sure that WinPcap is not installed. Wireshark will not use Npcap if WinPcap is installed, so raw 802.11 WiFi capture will not be available. Gather the model and version information from your WiFi card by opening Device Manager, expanding Network adapters, right-clicking your WiFi adapter, and choosing Properties. The Driver tab will show the driver version.

Here are the steps to record the info needed:

  1. Monitor mode - Open Wireshark. Open Capture options. If there is a checkbox in the Monitor Mode column for your adapter, enter {{yes}}.
  2. Capture works - Click the checkbox to enable monitor mode and start capture. If any frames show up, enter {{yes}}.
  3. FCS - If there are no Malformed Packet errors, enter {{yes}}.
  4. Channel/frequency - Expand the 802.11 radio information tree. If any packets show channel or frequency information, enter {{yes}}.
  5. RSSI - Under 802.11 radio information, if Signal strength (dBm) is not 0 and not constant, enter {{yes}}. Expected values are between -10 and -100 dBm, but other values may be reported.
  6. Notes - Enter any helpful information, especially differences between observed and expected behavior.