Capture WiFi / WLAN / 802.11 Probe Request with tcpdump

  • Posted on: 4 March 2016
  • By: robin
A Probe Request is a special type of WLAN frame sent from a terminal device (for example your smartphone) to ask all APs nearby to announce their presence. This allows you to find out whether smartphones or other WiFi-enabled devices are close to you. Since many users want to use the Probe Request to identify devices, one caveat up front:
The Probe Request can include the MAC address of the target router as well as the MAC address of the device itself. BUT for a few years now Apple has been sending random MAC addresses on the iPhone. This makes unique identification impossible on an iPhone that is not associated with a WLAN network. On Android it is also possible to randomize the MAC address.
However, here is how to capture 802.11 Probe Requests with tcpdump:
1. Download and install tcpdump (on macOS it is usually preinstalled):

sudo apt-get install tcpdump

2. Set your WiFi controller to monitor mode. (I'm not 100% sure if this is necessary, but I also enabled promiscuous mode.)

sudo ifconfig wlan0 promisc

iwconfig wlan0 mode monitor

(You can also use airmon-ng, or work around it with dumpcap's -I option:)

sudo dumpcap -I -i wlan0

Wait a moment and then press Ctrl + C ;-)
3. Start tcpdump:

tcpdump -i wlan0 -e -s 256 type mgt subtype probe-resp or subtype probe-req

or with a filter that excludes frames carrying certain MAC addresses, saving to a .pcap file (you can analyse the pcap later with Wireshark):

sudo tcpdump -i wlan0 -w cap-all-xmeter-barriers.pcap -e -s 0 type mgt subtype probe-req and not \(ether host 08:08:08:08:11:22 and ether host 10:23:08:08:22:ac\)

[Figure: number of probe requests over time on a Nexus 4]
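To analyse such a capture offline, here is an added Python example (my own illustration, not code from the original post) that reads a classic libpcap file like the one `tcpdump -w` writes on a monitor-mode interface, keeps only the probe requests, and summarises per source MAC how many were seen, which SSIDs were asked for, and whether the locally-administered bit is set (the bit that randomized MACs, such as the ones the iPhone sends, carry). The capture bytes are constructed inline so it runs without a WLAN adapter; it assumes link type 127 (radiotap) and frames without a trailing FCS (if your driver delivers the FCS, strip the last 4 bytes of each frame before parsing the tagged elements).

```python
import struct
from collections import defaultdict

LINKTYPE_RADIOTAP = 127          # link type tcpdump -w writes for monitor-mode captures (assumed here)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def is_locally_administered(mac):
    # Bit 0x02 of the first octet is the U/L bit; randomized MACs set it.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def iter_pcap(data):
    """Yield (timestamp, frame_bytes) from a classic libpcap file held in memory."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_RADIOTAP:
        raise ValueError(f"unexpected link type {linktype}, expected radiotap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_probe_request(frame):
    """Return {src, ssid, randomized} for a probe request, or None for any other frame."""
    if len(frame) < 8:
        return None
    rt_ver, _pad, rt_len = struct.unpack_from("<BBH", frame, 0)   # radiotap: version, pad, length
    dot11 = frame[rt_len:]
    if rt_ver != 0 or len(dot11) < 24:
        return None
    fc0 = dot11[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != 4:      # management frame (0), subtype probe-req (4)
        return None
    src = mac_str(dot11[10:16])         # Addr2 = transmitter of the probe
    body, ssid, i = dot11[24:], None, 0  # a probe request body is tagged elements only
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:         # truncated element: stop rather than misparse
            break
        if tag == 0:                    # SSID element; empty string = wildcard probe
            ssid = value.decode("utf-8", "replace")
        i += 2 + length
    return {"src": src, "ssid": ssid, "randomized": is_locally_administered(src)}

def summarize(data):
    """Per source MAC: probe count, SSIDs asked for, and whether the MAC looks randomized."""
    by_src = defaultdict(lambda: {"count": 0, "ssids": set(), "randomized": False})
    for _ts, frame in iter_pcap(data):
        pr = parse_probe_request(frame)
        if pr is None:
            continue
        entry = by_src[pr["src"]]
        entry["count"] += 1
        entry["randomized"] = pr["randomized"]
        if pr["ssid"]:
            entry["ssids"].add(pr["ssid"])
    return dict(by_src)

# --- constructed sample capture (made-up MACs and SSIDs, not real traffic) ----
def build_mgmt_frame(subtype, src, body):
    fc = bytes([subtype << 4, 0x00])                        # type 0 = management, no flags
    hdr = (fc + b"\x00\x00" + mac_bytes(BROADCAST) + mac_bytes(src)
           + mac_bytes(BROADCAST) + b"\x00\x00")            # duration, DA, SA, BSSID, seq ctrl
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)             # minimal 8-byte radiotap header
    return radiotap + hdr + body

def probe_req(src, ssid):
    s = ssid.encode()
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # Supported Rates element
    return build_mgmt_frame(4, src, bytes([0, len(s)]) + s + rates)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1457000000 + n, 0, len(f), len(f)) + f
    return out

BEACON = build_mgmt_frame(8, "00:aa:bb:cc:dd:ee", b"\x00" * 12 + bytes([0, 6]) + b"CafeAP")
SAMPLE_PCAP = build_pcap([
    probe_req("02:11:22:33:44:55", "HomeWifi"),   # U/L bit set: randomized-looking address
    probe_req("02:11:22:33:44:55", ""),
    probe_req("00:11:22:33:44:55", ""),           # globally unique (vendor-assigned) address
    probe_req("00:11:22:33:44:55", "CafeAP"),
    probe_req("00:11:22:33:44:55", "CafeAP"),
    BEACON,                                        # not a probe request, must be skipped
])

if __name__ == "__main__":
    for mac, e in summarize(SAMPLE_PCAP).items():
        print(f"{mac}  probes={e['count']}  randomized={e['randomized']}  ssids={sorted(e['ssids'])}")
```

To use it on a real capture, replace `SAMPLE_PCAP` with `open("cap-all-xmeter-barriers.pcap", "rb").read()`; the SSID list is often the more telling identifier once the MAC itself is randomized, which is why it is collected per device.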
For my experiments I'm using an Alfa AWUS036NH WLAN adapter. I can totally recommend it.
When you get this error:
tcpdump: 802.11 link-layer types supported only on 802.11
you need to set the link type explicitly:

tcpdump -i wlan0 --linktype=IEEE802_11 -e -s 256 type mgt subtype probe-resp or subtype probe-req



wifi, wlan, probe, hack, sniff, wireless