MY80211.com

I leeched this from the CSC forum. This was posted by Aaron Leonard. Aaron goes through the steps of turning your WIN7 into a sniffer. 

With Microsoft Network Monitor (Netmon) 3.4, you can now perform some decent 802.11a/b/g (and maybe 11n) wireless sniffing in Windows 7, using your standard wireless adapter.  The file saved from Netmon can be read by latest bleeding edge (1.5.0) Wireshark, though not in OmniPeek.  Note that, even though Netmon 3.4 is supported with XP SP3, it supports wireless sniffing only if running Win7 (and presumably Vista.)

I've tested with the following adapters/drivers:

• An Intel 6300 running drivers 13.2.1.5 and 13.5.0.6.  This adapter works well with 11a/g but does not support 11n. 
• A Linksys WUSB600Nv1 with Ralink driver 3.0.10.0.  This driver says that it supports 11n (which function I didn't test).  It seemed to report all packets as having an RSSI of -50, and as being of data rate "3.5 Mbps".
• An Atheros AR9285 with driver 8.0.0.258.  Driver reports 11n support (not tested.)  RSSI values and data rates look sound.
• A Cisco CB21AG with Atheros driver 1.0.0.120 - this also reported weird data rates (1Mbps showed up as "116 Mbps" and 11 Mbps as "124     Mbps".)

Install Netmon 3.4

Download Netmon 3.4 from Microsoft.  If running Win7 64bit, get and install NM34_x64.exe.  You'll have to log off and back on again after installing.

Sniff wireless packets from a channel

Note: if using PROSet for Win7, set it to "Use Windows to Manage WiFi".  Otherwise, PROSet is apt to take control of the adapter out from under Netmon.

Launch Netmon.  Check the wireless adapter of interest, and uncheck the others.

Click the New Capture button, then the Capture Settings button.  This pops up the Capture Settings window.  Highlight the adapter of interest and click Properties which pops up the Network Interface Configuration window.

In the Network Interface Configuration window, click [Scanning Options].  This pops up the WiFi Scanning Options window.  Check Switch to Monitor Mode.  Select the Select a layer and channel button.  Select the band and channel of interest.  Click [Apply].  Important: do not click [Close and Return to Local Mode], but keep the WiFi Scanning Options window up all the time you're capturing the sniff.

Now (keeping the WiFi Scanning Options window open), go back to the Network Interface Configuration window and click [OK] to get rid of it.  [Close] the Capture Settings window.  Back in the main Network Monitor window, click Start.

This should now cause NetMon to capture all wireless frames.  Sometimes  though it will just sit there and not capture any frames.  When this  happens, try restarting NetMon, disabling/reenabling the adapter, etc.

When done, click [Stop] and use File -> Save as to save the .CAP file.

Analyze with Wireshark

Wireshark up through 1.4.x cannot grok a Netmon 2 format file.  However, latest development Wireshark (1.5.0 and above) can.  I'm using Wireshark 1.5.1.

Problems

• NetMon recently just stopped being able to see my wireless adapter - it simply was not present in the Netmon start page, even though it was up and working fine.  Rebooting did not help.  Uninstalling Netmon Parsers, then Netmon, then reinstalling NetMon 3.4, then logging off, then logging back on, did work.