FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX, and the demand for plug and play deployment.
Article Id 257789
Description This article describes how to use a Mac system to sniff wireless (802.11) packets over the air on a specific channel for troubleshooting client connection issues.
Scope Any supported version of FortiAP.

This article will use a MacBook running 10.14.6 Mojave, but the feature has been available on Intel and Apple Silicon based MacBooks for nearly a decade.




To perform the capture, follow these steps:


1) Open Wireless Diagnostics on the Mac by opening the Finder (the magnifying glass icon) and typing in 'Wireless Diagnostics'.



2) Once the Application is open, select Window -> Sniffer on the taskbar to open the following screen:



3) After choosing Sniffer from the drop-down, options will be provided to choose the channel and channel width, depending on the age and capabilities of the MacBook's WiFi card. This particular system has the options for 20, 40, and 80 MHz channels.







4) After picking the channel and channel width, select Start. If prompted, enter the system administrator password.




5) After completing authentication, the sniffer will start. A swirling icon at the bottom of the screen will indicate that the sniff is currently taking place. This is an ideal time to reproduce the network issue discovered earlier so that the MacBook can capture the relevant traffic.


Keep in mind: During the sniff, the MacBook is only listening and recording packets over the air. As it is not a wireless client, it only "eavesdrops" on packets over the air on the selected channel and channel width.


6) After capturing the issue, select Stop on the sniffing process to minimize the amount of irrelevant logs.


7) As indicated in the previous image, wireless capture files will be created and saved in the /var/tmp directory and will need to be accessed or viewed with an application such as Wireshark, which is a free packet analyzer.


8) Navigate to the /var/tmp directory: using Finder, select Go > Go To Folder... and enter /var/tmp.




9) Once in the directory, a .pcap file with a recent timestamp should be visible. An example is shown below.


The image in this article shows multiple .pcap files, but the relevant one is highlighted.




The .pcap file can be freely reviewed to help troubleshoot any network issue.
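
As a starting point for that review, the following added example (not part of the original article or any Fortinet tooling) pulls the authentication, association, deauthentication and disassociation frames out of a capture, optionally for one client MAC. It assumes the sniffer wrote a classic pcap file with link type 127 (radiotap) or 105 (raw 802.11); the function names and the sample frames with made-up MAC addresses are constructed for illustration.

```python
import struct, sys

# Management subtypes that matter when a client fails to connect or drops off.
MGMT = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
        10: "disassoc", 11: "auth", 12: "deauth"}
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def connection_events(pcap, client=None):
    """List (subtype, source, destination) for auth/assoc/deauth/disassoc frames."""
    end = MAGIC.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype not in (105, 127):  # raw 802.11, or 802.11 behind a radiotap header
        raise ValueError(f"unsupported link type {linktype}")
    events, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == 127 and len(frame) >= 4:
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]  # skip radiotap
        if len(frame) < 24:  # truncated or control frame: no full management header
            continue
        ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
        if ftype != 0 or subtype not in MGMT:
            continue
        dst, src = mac(frame[4:10]), mac(frame[10:16])
        if client is None or client.lower() in (src, dst):
            events.append((MGMT[subtype], src, dst))
    return events

def build_sample():
    """Constructed capture (made-up MACs): beacon, auth, assoc-req, deauth."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for fc, dst, src in [(0x80, b"\xff" * 6, ap), (0xB0, ap, sta),
                         (0x00, ap, sta), (0xC0, sta, ap)]:
        pkt = radiotap + struct.pack("<BBH", fc, 0, 0) + dst + src + ap + b"\0\0"
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for event in connection_events(data, sys.argv[2] if len(sys.argv) > 2 else None):
        print(*event)
```

Run it with the path of the .pcap file from /var/tmp as the first argument and, optionally, the client's MAC address as the second; with no arguments it runs on the constructed sample.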