On my MacBook, I use airport for capturing the wireless traffic for various purposes like discovering weak passwords on access points.
You can make a symlink to airport or you can make an alias in your ‘~/.bash_profile’.
I use an alias:
aelius@macbook:~$ sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/
Quick test (performing a wireless scan):
aelius@macbook:~$ airport -s
SSID BSSID RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
Telekom_FON d4:21:22:2c:50:3c -77 11 Y DE NONE
WLAN-058496 d4:21:22:2c:50:3b -79 11 Y DE WPA2(PSK/AES/AES)
Siloff300860 38:10:d5:84:df:de -62 6 Y DE WPA2(PSK/AES/AES)
Angase 64:66:b3:99:e5:94 -77 5,+1 Y -- WPA(PSK/AES/AES) WPA2(PSK/AES/AES)
ALLIS_HOME 1c:3a:de:cb:cb:e5 -46 2 Y DE WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP)
tex 1c:3a:de:cb:cb:e6 -46 132,+1 Y -- WPA2(PSK/AES/AES)
Let’s give a try on channel 6. I need root access and I will use sudo:
aelius@macbook:~$ sudo airport en0 sniff 6 Password: Capturing 802.11 frames on en0. Session saved to /tmp/airportSniffMqWYcS.cap.
On another terminal tab I run a command to verify the size of the capture (every two sec.)
I know, I can install watch using Homebrew or MacPorts.
while :; do clear; du -csh /tmp/airport*; sleep 2; done
Looks like the capture file size is about 8MB:
8.1M /tmp/airportSniffMqWYcS.cap
You can see that the capture file have a standard format:
aelius@macbook:~$ file /tmp/airportSniffMqWYcS.cap /tmp/airportSniffMqWYcS.cap: tcpdump capture file (little-endian) - version 2.4 (802.11 with radiotap header, capture length 524288)
You can read it in a friendly format using tcpdump:
aelius@macbook:~$ tcpdump -ttttnnr /tmp/airportSniffMqWYcS.cap
reading from file /tmp/airportSniffMqWYcS.cap, link-type IEEE802_11_RADIO (802.11 plus radiotap header)
2018-07-05 23:30:48.113498 3354791525us tsft 1.0 Mb/s 2437 MHz 11g -73dBm signal -95dBm noise antenna 0 Beacon (Angase) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 5, PRIVACY
2018-07-05 23:30:48.182106 3354859643us tsft 1.0 Mb/s 2437 MHz 11g -63dBm signal -95dBm noise antenna 0 Beacon (ALLIS_HOME) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 2, PRIVACY
2018-07-05 23:30:48.191303 3354870997us tsft short preamble 6.0 Mb/s 2437 MHz 11g -59dBm signal -95dBm noise antenna 0 Beacon (Siloff300860) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 6, PRIVACY
2018-07-05 23:30:48.214633 3354894655us tsft wep fragmented bad-fcs -66dBm signal -95dBm noise antenna 0 2437 MHz 11n ht/20 72.2 Mb/s MCS 7 20 MHz short GI mixed BCC FEC Data IV:40a9dd Pad d KeyID 1
2018-07-05 23:30:48.214788 3354894873us tsft wep bad-fcs -66dBm signal -95dBm noise antenna 0 2437 MHz 11n ht/20 72.2 Mb/s MCS 7 20 MHz short GI mixed BCC FEC Authentication IV:147e78 Pad a KeyID 2
2018-07-05 23:30:48.214965 3354895045us tsft short preamble 24.0 Mb/s 2437 MHz 11g -59dBm signal -95dBm noise antenna 0 Request-To-Send TA:38:10:d5:84:df:de
2018-07-05 23:30:48.240418 3354920466us tsft short preamble 24.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 Clear-To-Send RA:f0:24:75:49:51:c9
2018-07-05 23:30:48.240498 3354920577us tsft short preamble 24.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 BA RA:f0:24:75:49:51:c9
2018-07-05 23:30:48.284455 3354962040us tsft 1.0 Mb/s 2437 MHz 11g -65dBm signal -95dBm noise antenna 0 Beacon (ALLIS_HOME) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 2, PRIVACY
2018-07-05 23:30:48.293695 3354973399us tsft short preamble 6.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 Beacon (Siloff300860) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 6, PRIVACY
2018-07-05 23:30:48.318038 3354996070us tsft 1.0 Mb/s 2437 MHz 11g -72dBm signal -95dBm noise antenna 0 Beacon (Angase) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 5, PRIVACY
2018-07-05 23:30:48.387100 3355064440us tsft 1.0 Mb/s 2437 MHz 11g -68dBm signal -95dBm noise antenna 0 Beacon (ALLIS_HOME) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 2, PRIVACY
2018-07-05 23:30:48.389689 3355069024us tsft short preamble 6.0 Mb/s 2437 MHz 11g -89dBm signal -95dBm noise antenna 0 Beacon (DIRECT-51-HP OfficeJet Pro 8720) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] ESS CH: 6, PRIVACY
2018-07-05 23:30:48.396269 3355075798us tsft short preamble 6.0 Mb/s 2437 MHz 11g -60dBm signal -95dBm noise antenna 0 Beacon (Siloff300860) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 6, PRIVACY
............ // some lines removed // ............
2018-07-05 23:31:00.164883 3366844648us tsft fragmented bad-fcs -66dBm signal -86dBm noise antenna 0 2437 MHz 11n ht/20 72.2 Mb/s MCS 7 20 MHz short GI mixed BCC FEC 18:23:d3:47:42:7e RS511 > 5e:cf:4d:82:f7:4e IP Information, send seq 104, rcv seq 71, Flags [Response], length 1474
0x0000: 074f d08e 1db5 d59d 73f6 b2fe f9ce f22c .O......s......,
0x0010: 1b99 9b9e a698 0b5b e7f2 d558 5171 c460 .......[...XQq.`
0x0020: 8741 7035 7c8c 361d 68c3 e5f5 528c 2523 .Ap5|.6.h...R.%#
0x0030: c66e b2f0 e18c c7f0 5130 9a2d a858 cfaa .n......Q0.-.X..
0x0040: 81d6 bca9 44c8 6629 5d56 e522 f0b6 ab33 ....D.f)]V."...3
0x0050: 5bba a447 512c a5ed f340 2daa 952c 580d [..GQ,...@-..,X.
0x0060: 4669 efa3 2ced 9184 6f89 7975 0a14 3792 Fi..,...o.yu..7.
0x0070: f2c0 042f 8156 b0e8 a2c4 dea0 fe2a ffee .../.V.......*..
0x0080: aa2b b380 3a8f 1cd8 074c f8f9 2571 515f .+..:....L..%qQ_
0x0090: e74d 0d4d 842f f005 7f5b 9bd0 cd52 0b01 .M.M./...[...R..
0x00a0: c8e2 150c f11c 9b73 bd59 6d7c 2deb d600 .......s.Ym|-...
0x00b0: fb32 3274 42d5 c5f7 4408 9f46 b458 c9ea .22tB...D..F.X..
0x00c0: 27e2 c37d d9ae d4c4 0d48 0928 02cc 09db '..}.....H.(....
0x00d0: 2cba 103d 08f4 b8c7 b54f bebd 2b21 320f ,..=.....O..+!2.
0x00e0: 2973 58df 4e14 90fb cc17 f82a ad3e bc54 )sX.N......*.>.T
0x00f0: a4e2 1c4b 0d0c 9422 d445 c353 372c db6e ...K...".E.S7,.n
0x0100: 1cc5 7bca dafe 554f a26e 6fe8 7d44 aa1f ..{...UO.no.}D..
0x0110: 5939 29a2 cd82 e08b 52a5 abd1 d2f5 cf2d Y9).....R......-
0x0120: 7b51 055d b469 f1db 14f8 f8cc c3e0 7ea9 {Q.].i........~.
You can use aircrack-ng also:
aelius@macbook:~$ aircrack-ng -w Work/worldlist.txt -b 38:10:d5:84:df:de /tmp/airportSniffMqWYcS.cap Opening /tmp/airportSniffMqWYcS.cap ...........