Npcap/WiFi adapters
One of Npcap's advanced features is support for capturing raw 802.11 WiFi frames from adapters in monitor mode. Unfortunately, not all adapters support this mode, and several which do support it have limitations in their drivers. This page will attempt to document adapters that have been tested, and the degree of support they provide.
Feature Support
Note: A common reason for an adapter to not show "Monitor Mode" in Wireshark is if you have WinPcap installed. Wireshark will not use Npcap if WinPcap is present.
Note: These features are part of the "Native 802.11 WLAN" interface, which is deprecated in Windows 10. It is possible that a device listed here under Windows 10 may perform better in Windows 8 or 8.1.
| Adapter name | Firmware/Driver version | Windows version | Monitor mode | Capture works | FCS | Channel/frequency | RSSI | Npcap version tested | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Netgear A6210 | 1.0.0.36/5.1.29.0 | 10 | Yes | Yes | No | No | No | 0.96 | Issue #1036 |
| Netgear A6200 | 1.0.0.35/6.32.145.8 | 10 | Yes | Yes | No | No | No | 0.96 | Issue #1036 |
| Alfa AC1200 (Realtek 8812AU) | 1030.23.502.2017 | 10 | No | N/A | N/A | N/A | N/A | 0.96 | Windows 10 Microsoft-provided driver |
| Alfa AC1200 (Realtek 8812AU) | 1030.17.1101.2016 | 10 | Yes | No | N/A | N/A | N/A | 0.96 | Driver downloaded from realtek.com.tw |
| Alfa AWUS036NHA (Atheros AR9271) | 2.0.0.32 | 10 | N/A | N/A | N/A | N/A | N/A | 0.96 | BSoD crash in athurx.sys on Windows 10. Windows 7 may work (untested). |
| Alfa AWUS036NHA (Atheros AR9271) | 10.0.0.20 | 10 | Yes | Yes | Yes | No | Yes | 0.96 | Using Windows 8 driver from https://wikidevi.com/wiki/Talk:Atheros_AR9271 |
| Intel AC 3160 NGW | 18.33.0.2 | 10 | Yes | Yes | ? | No | Yes | 0.96 | Extra 8 bytes at the end of each frame |
| Alfa AWUS036H (Realtek RTL8187) | 6.1316.1209.2009 | 10 | Yes | Yes | Yes | No | Yes | 0.96 | Issue #1001 |
| Killer Wireless-n/a/ac 1535 (Qualcomm Atheros QCNFA364AH) | 12.0.0.448 | 10.0.16299 | No | N/A | N/A | N/A | N/A | 0.99-r7 | Issue #1382 |
| Atheros AR9285 Wireless Network Adapter | Windows 7 v6.1.7601 | Yes | Yes | No | No | Yes | 0.99-r9 | Issue #1466 | |
| Intel Dual Band Wireless-AC 7265 | 19.51.14.1 | Windows 10 Pro (version 1803 OS build 17134.523) | No | N/A | N/A | N/A | N/A | 0.99-r9 | Issue #1382 |
| Intel Dual Band Wireless-AC 8260 | 20.70.1.1 | Windows 10 | No | N/A | N/A | N/A | N/A | 0.99-r9 | wlanhelper (interface) mode monitor leads to: "Error: SetInterface error, error code = 50" |
| Intel Dual Band Wireless-AC 8265 | 20.50.1.1 | Windows 10 Pro (version 1803 OS build 17134.523) | No | N/A | N/A | N/A | N/A | 0.99-r9 | Issue #1382 |
| ORiNOCO 802.11n USB (Proxim 802.11a/b/g/n Dual Band 8494-WD) | 3.5.0.14 | Windows 10 / Windows 11 Pro (23H2) | Yes | Yes | Yes | No | Yes | 1.79 | These adapters used to be shipped with Netscout AirMagnet |
Key
- Monitor mode
- Adapter allows setting monitor mode.
- Capture works
- Npcap can be used to capture raw 802.11 frames.
- FCS
- The 802.11 Frame Check Sequence is correctly set and reflected in the Radiotap header.
- Channel/frequency
- The channel info and frequency are correctly returned in the Radiotap header.
- RSSI
- The Received Signal Strength Indication field is correctly set in the Radiotap header.
How to help
If you would like to help us collect this information, you need a few things:
- The latest Npcap from Npcap.org
- Wireshark from Wireshark.org
- A WiFi network card
- A SecWiki account
Install Npcap and Wireshark. Be sure that WinPcap is not installed. Wireshark will not use Npcap if WinPcap is installed, so raw 802.11 WiFi capture will not be available. Gather the model and version information from your WiFi card by opening Device Manager, expanding Network adapters, right-clicking your WiFi adapter, and choosing Properties. The Driver tab will show the driver version.
Here are the steps to record the info needed:
- Monitor mode - Open Wireshark. Open Capture options. If there is a checkbox in the Monitor Mode column for your adapter, enter {{yes}}.
- Capture works - Click the checkbox to enable monitor mode and start capture. If any frames show up, enter {{yes}}.
- FCS - If there are no Malformed Packet errors, enter {{yes}}.
- Channel/frequency - Expand the 802.11 radio information tree. If any packets show channel or frequency information, enter {{yes}}.
- RSSI - Under 802.11 radio information, if Signal strength (dBm) is not 0 and not constant, enter {{yes}}. Expected values are between -10 and -100 dBm, but other values may be reported.
- Notes - Enter any helpful information, especially differences between observed and expected behavior.
You can fetch adapter information on the command line using the Win32_PnPSignedDriver WMI class. For example, running the following inside the Command Prompt will show each device name, manufacturer, and driver version:
> wmic path Win32_PnPSignedDriver where "DeviceClass = 'NET'" get DeviceName,Manufacturer,DriverVersion
You can do the same within PowerShell using the following command:
PS> Get-WmiObject Win32_PnPSignedDriver | where {$_.DeviceClass -eq "NET" } | select DeviceName, Manufacturer, DriverVersion