If you try to capture wireless traffic by selecting the wireless interface in Wireshark, it will not accurately capture the wireless packets over the air. Normally you need a separate wireless adapter for this sort of work, but there is a free tool you can use on the Windows operating system.
Microsoft has developed a capture tool called “Microsoft Network Monitor” which can be used to capture wireless traffic over the air. You can download this tool freely from Microsoft (http://www.microsoft.com/en-us/download/details.aspx?id=4865). The operating system requirements are as below.
Supported operating systems: Windows 7, Windows Server 2003 Service Pack 2, Windows Server 2003 Service Pack 2 x64 Edition, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 for Itanium-based Systems, Windows Vista 64-bit Editions Service Pack 1, Windows Vista Service Pack 1, Windows XP 64-bit, Windows XP Service Pack 3
I have installed this on my Windows 7 machine, and here are the instructions to get wireless sniffing done using this tool. Once you open the application, select the wireless interface card under the select network section as highlighted below.
Then click “New Capture” & click “Capture Settings”.
If you click on the highlighted wireless network connection, you will see a screen like the one below. Click the Scanning option.
You need to know which channel's wireless traffic you want to capture. In my example my Cisco 7921 phone is operating in the 802.11a band on CH149.
(WLC1) >show client summary
Number of Clients................................ 2

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:1b:d4:58:e6:1a HQ-AP01           Associated    2              Yes  802.11a          1    No
a0:88:b4:35:c2:f0 HQ-AP01           Associated    2              Yes  802.11n(5 GHz)   1    No

(WLC1) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. N/A
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... HQ-AP01
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
BSSID............................................ a0:cf:5b:9e:e8:2e
Connected For ................................... 3145 secs
Channel.......................................... 149
IP Address....................................... 10.10.15.53
Association Id................................... 3
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 4
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
To capture the traffic, tick the “Switch to Monitor mode” check box & select the channel you want to sniff (in my case 802.11a CH149). Then click the “Apply” button. Do not click “Close & Return to Local Mode”. You will notice that your normal wireless connection is disconnected once you select “Monitor mode”.
Then click the “Start” button next to “Capture Settings”, as shown in the 2nd screenshot in this post. Stop the capture once you have enough packets captured. In my example I made a call from the 7921 phone while the capture was running. Save this file on your computer & open it using Wireshark. You will see 802.11 packets in your capture.
Here is my capture output. You will see different types of wireless frames (Beacon, ACK, Data Frame, etc.) on channel 149 in 802.11a. If you click on a frame you will see all the information in that wireless packet. Below is the RTP data frame going from the wireless phone to a soft phone on the wired media.
You will notice that the IP header of this RTP traffic is marked DSCP EF by the C7921 phone. When it is released to the wireless media it carries QoS value 6 (keep in mind this is the WMM UP value & different to Cisco's 802.1p values in the AVVID model). Centre frequency 5745 is CH149 (UNII-3 band) in 802.11a. If you look at the signaling traffic going from the phone to CME, it looks like this. Notice that even though the inner DSCP value is zero, WMM categorizes this as WMM UP 4 (Controlled Load). I thought the inner DSCP would be CS3 in this instance.
If you look at the Beacon frame sent by the access point, you will see the information the AP sends to its clients. I have highlighted a few QoS-related parameters (QBSS load, AIFS values, U-APSD) set by the AP. I found the following discussions in the Cisco Support forum on this topic useful as well. Feel free to read those.
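To show where the two values compared above actually live in a frame, here is an added example (not code from the original post): it pulls the WMM UP out of the 802.11 QoS Control field and the DSCP out of the inner IPv4 header of an unencrypted QoS Data frame, maps the UP to its access category, and converts the channel number to the centre frequency. The BSSID and phone MAC come from the WLC output above; the wired destination MAC and the frame contents are constructed for the demo.

```python
import struct

# Default WMM/802.11e mapping from 802.1D user priority (UP) to access category.
UP_TO_AC = {0: "AC_BE", 3: "AC_BE", 1: "AC_BK", 2: "AC_BK",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}
LLC_SNAP_IPV4 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"

# BSSID and phone MAC from the WLC output above; the wired DA is a constructed placeholder.
BSSID = bytes.fromhex("a0cf5b9ee82e")
PHONE = bytes.fromhex("001bd458e61a")
WIRED_DA = bytes.fromhex("020000000001")


def channel_to_freq_mhz(channel):
    """5 GHz channel number to centre frequency; CH149 gives 5745 MHz."""
    return 5000 + 5 * channel


def parse_qos_data(frame):
    """Extract UP, access category and inner IPv4 DSCP from an unencrypted QoS Data frame."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not (fc0 >> 4) & 0x8:
        raise ValueError("not an 802.11 QoS Data frame")
    if fc1 & 0x40:
        raise ValueError("Protected Frame bit set; decrypt before reading DSCP")
    hdr = 24 + (6 if fc1 & 0x3 == 0x3 else 0)     # Address 4 only when To DS and From DS
    tid = struct.unpack_from("<H", frame, hdr)[0] & 0xF
    hdr += 2                                       # QoS Control field
    if fc1 & 0x80:                                 # Order bit: HT Control field present
        hdr += 4
    if frame[hdr:hdr + 8] != LLC_SNAP_IPV4:
        raise ValueError("payload is not LLC/SNAP-encapsulated IPv4")
    ip = hdr + 8
    dscp = frame[ip + 1] >> 2                      # top 6 bits of the TOS byte
    return {"up": tid, "ac": UP_TO_AC.get(tid, "TSID"), "dscp": dscp}


def build_qos_data(up, dscp):
    """Construct a minimal client-to-AP (To DS) QoS Data frame for the demo."""
    header = bytes([0x88, 0x01]) + b"\x00\x00" + BSSID + PHONE + WIRED_DA + b"\x10\x00"
    header += struct.pack("<H", up)                # QoS Control with TID = UP
    ipv4 = bytes([0x45, dscp << 2, 0x00, 0x14]) + b"\x00" * 16
    return header + LLC_SNAP_IPV4 + ipv4


if __name__ == "__main__":
    rtp = parse_qos_data(build_qos_data(up=6, dscp=46))   # RTP: DSCP EF, WMM UP 6
    sig = parse_qos_data(build_qos_data(up=4, dscp=0))    # signalling: DSCP 0, UP 4
    print(rtp, sig, channel_to_freq_mhz(149))
```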
Hello, thanks for the wonderful tip. Now in my testing I am supposed to capture HT related information in ICMP packets and verify the same. I am using Fedora and capturing it using Wireshark over the air. But I could see in the radiotap header the MCS related information is missing quite often. Are there any known issues or is it just a problem in decoding and presentation? I am using a Freescale chipset. Can you please throw some light on it? Better still, can you suggest a way where I can verify the UL and DL are using 802.11n HT indeed.
Hi Prashant,
If this AP is managed by WLC, then try to capture traffic at the WLC connected switchport. You may be able to see some of those details in that way as well.
Refer to this post; I have taken a capture in that way.
https://mrncciew.com/2014/10/20/cwap-ht-control-field/
HTH
Rasika
Hello. I’m using a Sony Vaio VPCEH notebook with Windows 8 installed, and the program does not find my network adapter even with it working and connected to an access point. Do I need any more drivers?
Have you used an admin-privileged account? If not, try that.
Rasika
Thank you Mr Nayarasi. It worked here now. I only needed to reboot the notebook.
Thank you again .
Is there anyway to find the wifi connection MCS index on Windows?
Is it possible to sniff 80 MHz channels under 802.11ac using this tool? I have an ac-compliant adapter, but the options only list up to n.
I do not think so.
Here is a very good blog post about WiFi sniffing
http://wirelessonthego.postach.io/post/wireless-sniffer-capture-how-to
HTH
Rasika
Thanks for your post. It worked for Windows 7. Is there any similar tool for Windows 10? Please share the details if you have any.
Thanks & Regards
Vishnu Beema
Hi Vishnu,
I haven’t spent time researching what’s available on Windows 10. If I do & find info, I will share it with you.
Rasika
Thanks for this great post. Would you please share some sample capture files for Transmit Beamforming analysis? I have read from your previous blog that beamforming requires action frames. I am configuring the same in my access point also but failed in achieving that. Once again, thanks.
I haven’t got any for that Gaurav. I will let you know if I get any of them in near future.
Rasika
I have lost the CD content that I received with CWSP. Is there any way to get those contents back? I just want to do the exercises suggested in the book to understand better using the frame capture files.
Got it !!! I only searched and got the same !! Here it is..
https://www.wiley.com/WileyCDA/WileyTitle/productCd-1119211085,miniSiteCd-SYBEX.html#instructor
Thanks for sharing Raja
Hello,
Thanks for this useful post:
Is this adapted to capture in Windows 7 with any access point equipment other than Cisco?
For this “Switch to Monitor mode”, on which side do we need to apply monitor mode please? If it is related to the OS... how to do it in WIN7?
Thanks in advance!
Hi Mohamed,
Here is a detailed post from Cisco about wireless packet capture. Hope this clarifies your doubts.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html
HTH
Rasika
Thanks Nayarsi,
My problem is I cannot find “monitor Mode” in Scanning properties? Any help to come out of this!
Another question on which I need your reflection please 🙂
In my case I have only data (internet) to use, thus I see no interest in having complicated QoS management over WMM since there is no video or voice over WiFi (CTRL/MGMT should be there all the time I guess).
In your opinion:
the shared timers (especially AIFS, back-off time, CWmin/Max ....) per AC (VOICE, VIDEO, ...) will not impact internet usage in BE_AC, which, since they are considered in the WMM setup, always need to be calculated even if there is no VOICE or VIDEO through these queues? If so, what is your recommendation?
Thank you so much