WiFi Hawk- Wireless Capture Expert System - Wireless Troubleshooting Tools

WiFi Hawk- Wireless Capture Expert System Tool for wireless sniffer traces analysis. Supported file types, Wireshark, dot11 native, radio tap, prism.

WiFi Hawk File Types supported

Wireshak supports different file formats around "802.11" wireless captures (over the air). Some of them have significant feature variations, that may prevent some WiFi Hawk features to work In general, the tool will try to bridge differences, and translate data between formats when applicable or possible

802.11 Native

This is what is typically obtained by doing sniffer trace with Wireshark over a device that supports native 802.11 captures On Mac OS, it is possible to do this format, using Wireless diagnostic tool

This format normally does not have FCS included, so it is less reliable (some drivers may drop bad FCS frames preventing problems)
This does not include wireless physical information, so it is not possible to determine rates, signal level or channels

Radio Tap

Used by different Linux implementations, and recently by some Meraki AP models

FCS information is optional, some drivers may provide this. When present, it will be used to increase reliability on problem detection (bad FCS frames are ignored)
It includes rate, signal level, SNR and frequency. This will be displayed on diffrent graphs on the per device flow data

PeekRemote

It is a variation of older AiroPeek application. Used normally by Cisco or Aruba APs in sniffer mode

it includes FCS information, so better reliability on problem detection
It includes rate, signal level, SNR and frequency. This will be displayed on diffrent graphs on the per device flow data
Important: Detection of this file format may fail, if the first 5 frames of the file are not Peekremote encapsulated frames. If the device receiving the capture is sending other IP traffic over the same interface, it is possible that detection of this format may fail. In that scenario, export the original file, filtering out non PeekRemote frames, and try again
Some file captures may show invalid SNR for MCS rate frames
MCS rates supported from WiFi Hawk v0.12

Omnipeek (Peektagged/Savious)

Used by Omnipeek application. It has physical information, plus dot11 frames. File name ends in ".pkt"

it includes FCS information, so better reliability on problem detection
It includes rate, signal level, SNR and frequency. This will be displayed on diffrent graphs on the per device flow data

Prism

Older 802.11 encapsulated format, used by legacy cards in Linux, and older Meraki APs in sniffer mode

it includes FCS information, so better reliability on problem detection
Although it includes SNR information, it may not be reliable

File formats currently not supported

Non 802.11 captures

Ethernet and other L2 encapsulations are not supported, and the file will be rejected

CAPWAP Encapsulated

Support for AP sniffer mode captured at WLC or AP port (Peekremote over CAPWAP) in v0.12
Client EPC support is in roadmap