Packet sniffing isn’t always about listening to everything in the air. Sometimes, you want to focus on a specific Wi-Fi network — maybe for a security assessment, maybe for debugging. That’s where targeted sniffing comes into play.
Let’s walk through how to do this effectively using airodump-ng, and how to dig into the results using tools like Wireshark.
Why Target a Specific Network?
Imagine you’re in a location with dozens of Wi-Fi networks around. You're only interested in one — let’s call it MyTargetNetwork.
If you sniff everything, you'll end up with a lot of noise. Targeted sniffing lets you capture only the traffic that matters, making analysis easier and more insightful.
Step 1: Identify BSSID and Channel
Start by putting your wireless adapter into monitor mode and scanning the area:
airodump-ng mon0
You’ll see output like this:
BSSID PWR Beacons #Data, CH MB ENC CIPHER AUTH ESSID
AA:BB:CC:DD:EE:FF -43 45 120 6 54e WPA2 CCMP PSK MyTargetNetwork
From this, extract:
- BSSID: AA:BB:CC:DD:EE:FF
- Channel: 6
Step 2: Start Targeted Capture
Now focus only on the network you're interested in:
airodump-ng --bssid AA:BB:CC:DD:EE:FF --channel 6 --write test mon0
This locks in on one channel and one access point. Example output:
BSSID STATION PWR Rate Lost Frames Probe
AA:BB:CC:DD:EE:FF 11:22:33:44:55:66 -61 54e 0 108
AA:BB:CC:DD:EE:FF 22:33:44:55:66:77 -72 36e 12 204
Field Descriptions:
- STATION: MAC address of a device connected to the network
- PWR: Signal strength
- Rate: Communication speed (in Mbps)
- Lost: Packets lost during transmission
- Frames: Number of frames captured
Step 3: Output Files
When writing is enabled using --write, airodump-ng creates several files:
test.cap ← Full packet capture
test.csv ← Summary data (APs and clients)
test.kismet.csv ← For use with Kismet tools
test.kismet.netxml ← XML-formatted metadata
Of these, test.cap is the most useful for deep analysis — it contains the raw 802.11 packets.
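The summary CSV is the quickest place to confirm what a targeted capture actually saw. The following added example (not from the original post) parses that file and reports the target AP's encryption setting and its associated clients; the column names are assumed to match what current airodump-ng releases write, and the sample data is constructed.

```python
import csv
import io

# Constructed sample. Assumed layout: blank line, AP table, blank line, station table.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -43,       45,      120,   0.  0.  0.  0,  15, MyTargetNetwork,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:00:10, 2024-01-01 10:05:00, -61,      108, AA:BB:CC:DD:EE:FF,
22:33:44:55:66:77, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -72,      204, AA:BB:CC:DD:EE:FF,
33:44:55:66:77:88, 2024-01-01 10:02:00, 2024-01-01 10:04:00, -80,        3, (not associated) ,HomeWifi
"""

WEAK_PRIVACY = {"OPN", "WEP"}  # no encryption, or encryption known to be broken

def parse_sections(text):
    """Split the summary into its AP and station tables (lists of dicts)."""
    tables, header = {}, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        cells = [c.strip() for c in row]
        if not any(cells):
            header = None                # a blank line ends the current table
        elif header is None:
            header = cells               # first row of a table is its header
            tables[header[0]] = []
        else:                            # extra trailing cells are dropped by zip
            tables[header[0]].append(dict(zip(header, cells)))
    return tables.get("BSSID", []), tables.get("Station MAC", [])

def summarize(text, bssid):
    """Return the target AP's settings and the clients associated with it."""
    aps, stations = parse_sections(text)
    ap = next((a for a in aps if a["BSSID"].upper() == bssid.upper()), None)
    if ap is None:
        raise ValueError(f"{bssid} not present in capture summary")
    clients = sorted(
        (s["Station MAC"], int(s["Power"]), int(s["# packets"]))
        for s in stations if s["BSSID"].upper() == bssid.upper()
    )
    return {
        "essid": ap["ESSID"], "channel": int(ap["channel"]),
        "privacy": ap["Privacy"],
        "weak": bool(WEAK_PRIVACY & set(ap["Privacy"].split())),
        "clients": clients,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_CSV, "AA:BB:CC:DD:EE:FF"))
```

Stations that are probing but not associated with the target are excluded, so the client list matches what the targeted capture view shows.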
Step 4: Analyzing in Wireshark
Open the .cap file in Wireshark:
wireshark test.cap
What you’ll see:
- Beacon frames, probe requests/responses, authentication requests, and more
- If any WPA/WPA2 handshakes were captured, they’ll appear as well
- You can filter by MAC address (e.g., wlan.addr == 11:22:33:44:55:66)
Sample Wireshark output:
No. Time Source Destination Protocol Info
25 2.135660 11:22:33:44:55:66 AA:BB:CC:DD:EE:FF 802.11 QoS Data
26 2.138994 AA:BB:CC:DD:EE:FF 11:22:33:44:55:66 802.11 ACK
27 2.145321 11:22:33:44:55:66 Broadcast ARP Who has 192.168.1.1?
You can inspect each packet, view the raw bytes, protocol layers, and more.
Important Note on Encryption
If the network is open (no password), you’d be able to read DNS requests, websites visited, even plaintext data. However, most modern networks use WPA2 encryption, which means:
- You can capture encrypted packets
- But without the password or handshake + cracking, you can’t decrypt the contents
This is why, even with the .cap file, the payload data appears as gibberish.
Wrapping Up
Targeted packet sniffing is a practical way to zero in on a single Wi-Fi network. Whether you're an ethical hacker, network engineer, or curious learner, this technique helps reduce clutter and gives you rich, focused insight.
Just remember: always have permission before sniffing a network. Unauthorized access is illegal and unethical.