Raspberry Pi • Alfa Wi-Fi • PCAPs • Private lab

Raspberry Pi + Alfa Wi-Fi Sniffer

This project turns a Raspberry Pi and an Alfa Wi-Fi adapter into a portable packet-capture sensor for my private lab. The Pi handles the capture, the Alfa adapter listens to Wi-Fi traffic, and Wireshark on my desktop lets me analyze the saved PCAP files afterward.

The goal is to understand wireless networking at the packet level: beacons, probe requests, channels, MAC addresses, access points, DNS, ARP, DHCP, TCP, and the difference between visible metadata and encrypted payloads.

Private lab only: this project is for my own devices, my own access point, and my own lab network. It is not for spying on neighbors, capturing random traffic, or collecting private data.

  • Alfa Wi-Fi adapter: External adapter for wireless capture in the lab.
  • Raspberry Pi: Small Linux capture box running tcpdump and tshark.
  • PCAP files: Saved packet captures for later analysis.
  • Wireshark desktop: Analyze packets, filters, streams, and timelines.

The Pi becomes a small capture sensor. Wireshark becomes the analysis workstation.

What I built

This is a small portable lab tool. I can place the Raspberry Pi near my test access point, capture wireless traffic from my own lab, save the capture as a PCAP file, and analyze it later on my main computer.

Hardware

Pi capture box

The Raspberry Pi runs Linux, handles the Alfa adapter, and records packet captures without needing my main desktop to sit in the same spot.

Networking

Wireless visibility

The Alfa adapter lets me study Wi-Fi management frames, channels, beacons, probe requests, and other lab traffic that normal web tools do not show.

Analysis

PCAP workflow

Instead of trying to understand everything live, I save a capture and then open it in Wireshark where I can filter, inspect, and document it carefully.

Why this matters

Wi-Fi feels invisible until I capture it. This project gives me a safe way to see what my own wireless lab is doing.

01. Learn Wi-Fi behavior

See how access points advertise, how devices search, and how channels affect captures.

02. Practice Linux capture

Use real tools like iw, tcpdump, tshark, and SSH.

03. Build useful PCAPs

Create small, controlled captures that are easier to analyze than huge noisy files.

04. Analyze safely

Open the capture in Wireshark and write down what the packets prove.

Hardware used

The exact adapter model matters less than having a Linux-supported Wi-Fi adapter that can work with monitor mode. Alfa adapters are popular for wireless labs because many models are well supported.

| Part | What I use it for | Why it matters |
| --- | --- | --- |
| Raspberry Pi | Small Linux capture machine. | Portable, low-power, easy to SSH into, and good for lab sensors. |
| Alfa Wi-Fi adapter | External Wi-Fi interface for captures. | Better lab adapter than relying only on the Pi's built-in Wi-Fi. |
| microSD card | Stores Raspberry Pi OS and capture files. | Packet captures can grow, so free space matters. |
| Power supply | Powers the Pi and USB adapter. | Weak power can cause unstable adapters and failed captures. |
| Main desktop/laptop | Runs Wireshark for analysis. | Bigger screen, better storage, and easier packet review. |

Note: I would keep this project on a dedicated lab Pi or lab SD card so I can experiment without risking my normal setup.

Private lab safety rules

The safety rules are part of the project. Packet capture is powerful, and the public version of this project should be clear about what it is and is not for.

Allowed lab targets

What I capture

  • My own access point
  • My own test devices
  • My own Raspberry Pi traffic
  • My own home lab network
  • CTF or training PCAP files

Not part of this project

What I avoid

  • Cracking Wi-Fi passwords
  • Deauthentication attacks
  • Evil twin access points
  • Capturing neighbors' traffic
  • Collecting credentials or private data

Rule: if I would not be comfortable explaining the capture target in a lab report, I should not capture it.

Install the capture tools

Here is the magic of apt install again: most of the tools I need are FREE Linux utilities. I install Wireshark support, command-line capture tools, wireless tools, and USB inspection tools.

sudo apt update
sudo apt install tcpdump tshark wireshark-common iw rfkill usbutils -y

Tool roles: tcpdump captures packets, tshark analyzes captures from the terminal, iw manages Wi-Fi interfaces, and usbutils helps confirm the Alfa adapter is detected.

Identify the Alfa adapter

Before changing anything, I check that Linux can see the USB adapter and I find the interface name. It may be wlan1, wlan2, or another name depending on the Pi.

# Show USB devices
lsusb

# Show network interfaces
ip link

# Show wireless interfaces
iw dev

# Check if anything is blocked
rfkill list

What I am looking for: the Alfa adapter should appear in lsusb, and a wireless interface should appear in iw dev.

Create a capture folder

I like keeping captures organized by project or date. PCAP files can get messy quickly.

mkdir -p ~/captures
cd ~/captures

Capture normal traffic first

Before using monitor mode, I start with a normal capture from an interface. This is easier and confirms that my tools work.

# Replace wlan0 with the interface that is actually carrying traffic
sudo tcpdump -i wlan0 -w ~/captures/normal-network-test.pcap

Stop the capture: press Ctrl+C when I have enough traffic. Short captures are easier to understand than giant captures.

Enable monitor mode in the lab

Monitor mode lets the adapter listen to wireless frames on a channel. I use this only inside my private lab and only to understand my own wireless environment.

# Replace wlan1 with the Alfa interface shown by iw dev
sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up

# Confirm the interface type
iw dev

Adapter note: not every Wi-Fi adapter or driver supports monitor mode well. If this fails, I would first confirm the exact adapter chipset and Linux driver support.

Lock to one lab channel

Wi-Fi channels matter. If my lab access point is on channel 6, I set the adapter to channel 6 so the capture stays focused.

# Example: set the monitor interface to channel 6
sudo iw dev wlan1 set channel 6

# Confirm current channel details
iw dev wlan1 info

Practical tip: focused channel captures are easier to analyze than hopping around and collecting everything.

Capture wireless packets to a PCAP file

Once the adapter is in monitor mode and locked to my lab channel, I capture packets to a file.

mkdir -p ~/captures

sudo tcpdump -i wlan1 -w ~/captures/lab-wifi-channel-6.pcap

Capture plan: I keep the capture short, generate one lab activity, stop the capture, and then analyze it. One clean test is better than ten minutes of noise.

Generate safe lab traffic

I want traffic that is easy to recognize and belongs to my own devices. Good first tests are DNS lookups, pings, and normal browsing from a test device on my lab network.

1. DNS lookup

From a test device, generate a simple DNS lookup.

dig example.com

2. Ping test

Generate ICMP traffic that is easy to find later.

ping 1.1.1.1

3. HTTP test

Use a plain HTTP test site only for learning request structure.

curl http://example.com

4. HTTPS comparison

Compare visible metadata with encrypted payloads.

curl https://example.com

Move the PCAP to my desktop

The Pi is good for capturing, but my desktop is better for analysis. I move the PCAP file with scp.

# From my desktop or laptop
scp pi@raspberrypi.local:~/captures/lab-wifi-channel-6.pcap .

# Open it locally
wireshark lab-wifi-channel-6.pcap

Alternative: if hostname resolution does not work, I can use the Pi's IP address instead of raspberrypi.local.

Analyze the capture in Wireshark

Once the PCAP is open, I use filters and statistics to understand what I captured.

Look at protocols

Start with protocol hierarchy to see what kinds of traffic exist.

Statistics → Protocol Hierarchy

Look at endpoints

See which devices or addresses appear.

Statistics → Endpoints

Filter DNS

Find name lookups from my test traffic.

dns

Filter a device

Focus on one lab device by IP address.

ip.addr == 192.168.1.50

Look for Wi-Fi management frames

Useful for seeing beacons, probes, and wireless metadata in a monitor-mode capture.

wlan.fc.type == 0

Look for beacon frames

Beacon frames advertise access points.

wlan.fc.type_subtype == 8

Look for probe requests

Probe requests show devices searching for networks.

wlan.fc.type_subtype == 4

Look for probe responses

Probe responses are replies from access points.

wlan.fc.type_subtype == 5

Use tshark for quick summaries on the Pi

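I can also inspect the capture directly on the Raspberry Pi before moving it. On a WPA2 or WPA3 lab network the data frames in a monitor-mode capture are still encrypted, so the conversation and DNS commands below show results only for unencrypted frames; they work on normal-network-test.pcap with the file name swapped.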

# Basic read
tshark -r ~/captures/lab-wifi-channel-6.pcap

# Protocol summary
tshark -r ~/captures/lab-wifi-channel-6.pcap -q -z io,phs

# Conversation summary
tshark -r ~/captures/lab-wifi-channel-6.pcap -q -z conv,ip

# Show only DNS packets
tshark -r ~/captures/lab-wifi-channel-6.pcap -Y dns

Return the adapter to managed mode

After the capture, I put the adapter back to normal managed mode if I want to use it like a regular Wi-Fi client again.

sudo ip link set wlan1 down
sudo iw dev wlan1 set type managed
sudo ip link set wlan1 up

iw dev
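
The monitor-mode, channel-lock, capture and managed-mode steps from this page combined into one bounded session script, with date-and-channel file names as listed under Next steps. This is an added example, not the project's own code: the function names and the IFACE, OUT_DIR and DRY_RUN variables are assumptions, and the BSSID filter is an extra step that keeps the capture scoped to the lab's own access point.

```bash
#!/usr/bin/env bash
# Added example, not the project's own script. IFACE, OUT_DIR, DRY_RUN and the
# function names are assumptions made for this sketch.
IFACE="${IFACE:-wlan1}"               # Alfa interface shown by `iw dev`
OUT_DIR="${OUT_DIR:-$HOME/captures}"

# Run a privileged command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else sudo "$@"; fi; }

# Channel numbers used on 2.4/5 GHz; iw still rejects what the adapter cannot tune.
valid_channel() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 177 ]
}
valid_bssid() { printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# File name carries channel and start time: lab-wifi-ch6-YYYYmmdd-HHMMSS.pcap
capture_name() { printf '%s/lab-wifi-ch%s-%s.pcap\n' "$OUT_DIR" "$1" "$(date +%Y%m%d-%H%M%S)"; }

# pcap filter: keep only frames with the lab AP's BSSID in an address field.
bssid_filter() { printf 'wlan addr1 %s or wlan addr2 %s or wlan addr3 %s\n' "$1" "$1" "$1"; }

set_mode() {  # set_mode monitor|managed
  run ip link set "$IFACE" down &&
  run iw dev "$IFACE" set type "$1" &&
  run ip link set "$IFACE" up
}

capture_session() {  # capture_session CHANNEL BSSID [SECONDS]
  cs_ch="$1"; cs_bssid="$2"; cs_secs="${3:-60}"
  valid_channel "$cs_ch"  || { echo "bad channel: $cs_ch" >&2; return 2; }
  valid_bssid "$cs_bssid" || { echo "bad BSSID: $cs_bssid" >&2; return 2; }
  cs_out="$(capture_name "$cs_ch")"
  mkdir -p "$OUT_DIR"
  if set_mode monitor && run iw dev "$IFACE" set channel "$cs_ch"; then
    trap : INT                       # Ctrl+C ends tcpdump, not this script
    # -G SECONDS with -W 1: tcpdump exits after writing one timed file.
    run tcpdump -i "$IFACE" -G "$cs_secs" -W 1 -w "$cs_out" "$(bssid_filter "$cs_bssid")"
    cs_rc=$?
    trap - INT
  else
    cs_rc=3                          # monitor mode or channel change failed
  fi
  set_mode managed                   # always hand the adapter back
  return "$cs_rc"
}

# Real run: ./capture.sh 6 <lab-AP-BSSID> 30
if [ "$#" -ge 2 ]; then capture_session "$@"; fi
```

With DRY_RUN=1 the script only prints the commands it would run, which makes it easy to review a session before touching the adapter.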

What I learned

This project connects hardware, Linux, wireless networking, packet capture, and analysis.

Linux

Interfaces matter

I need to know which adapter is which, what mode it is in, what channel it is on, and whether Linux can see it correctly.

Wi-Fi

Wireless is chatty

Even before application data, Wi-Fi has management frames, beacons, probes, channels, signal behavior, and metadata worth understanding.

Cybersecurity

Evidence beats guessing

A PCAP gives me packet-level evidence. Instead of saying “the network is broken,” I can show where the conversation failed or what traffic appeared.

Next steps

Once the basic capture workflow works, I can improve the project without making it unsafe.

Good upgrades

Make the project cleaner

  • Create a capture script with filenames based on date and channel.
  • Add a cron job for short scheduled captures in the lab.
  • Write a README explaining the hardware and workflow.
  • Add a systemd service for controlled capture sessions.
  • Store captures in a dedicated folder with cleanup rules.

Analysis upgrades

Make the results easier to read

  • Use tshark to summarize protocols automatically.
  • Export endpoint and conversation summaries.
  • Compare captures from different channels.
  • Document what normal lab traffic looks like.
  • Build a small packet-analysis checklist.

Related guide: use the Advanced Wireshark Guide to analyze the captures from this project.

Project cheat sheet

This is the short version of the build and capture workflow.

# Install tools
sudo apt update
sudo apt install tcpdump tshark wireshark-common iw rfkill usbutils -y

# Identify adapter
lsusb
ip link
iw dev
rfkill list

# Create capture folder
mkdir -p ~/captures

# Normal capture test
sudo tcpdump -i wlan0 -w ~/captures/normal-network-test.pcap

# Enable monitor mode on Alfa adapter
sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up
iw dev

# Lock to lab channel
sudo iw dev wlan1 set channel 6
iw dev wlan1 info

# Capture wireless packets
sudo tcpdump -i wlan1 -w ~/captures/lab-wifi-channel-6.pcap

# Quick summaries
tshark -r ~/captures/lab-wifi-channel-6.pcap -q -z io,phs
tshark -r ~/captures/lab-wifi-channel-6.pcap -q -z conv,ip

# Copy to desktop
scp pi@raspberrypi.local:~/captures/lab-wifi-channel-6.pcap .

# Open in Wireshark
wireshark lab-wifi-channel-6.pcap

# Return adapter to managed mode
sudo ip link set wlan1 down
sudo iw dev wlan1 set type managed
sudo ip link set wlan1 up

Final idea

This project turns Wi-Fi from something invisible into something I can study. The Raspberry Pi captures, the Alfa adapter listens in my private lab, and Wireshark lets me analyze the evidence afterward. It is a practical bridge between Linux, wireless networking, packet analysis, and safe cybersecurity learning.