AirSnare sniffs wireless traffic listening for WPA handshakes and dumping only those frames suitable to be decrypted (one beacon + EAPOL frames + data). In order to speed up the process, AirSnare sends IEEE 802.11 DeAuth frames to the stations whose handshake is needed, properly handling retransmissions and reassociations and trying to limit the number of DeAuth frames sent to each station.
The original zizzania project has been effectively unmaintained for years—no releases, no bug fixes, and several rough edges when used on current Linux/macOS systems. AirSnare keeps the proven capture core but modernizes everything around it:
- Safer runtime: asserts replaced with error handling, killer-pipe race fixes, pooled allocations for clients/BSS/targets.
- Better ergonomics: layered config files, refactored option parsing, richer terminal output, log levels, macOS-specific notes.
- Performance/UX improvements: dissect/handshake refactors, Bloom-filtered hash tables, memory pools, passive/live guard rails.
- PMKID capture: extracts PMKID from EAPOL Message 1 and logs it in hashcat 22000 format — offline cracking without a full handshake.
AirSnare also works hand-in-hand with AirJack: AirJack handles CoreWLAN scanning, channel setting, RFMON toggles, capture orchestration, and optional cracking, while AirSnare delivers a lean libpcap backend for fast/accurate handshake capture. Together you get a single workflow (./airjack) that discovers networks, sets the correct channel, launches AirSnare with the right filters, and feeds the resulting capture straight into hcxpcapngtool/hashcat.
macOS: replace
wlan0withen0in all examples. The-c <channel>flag sets the channel vianetworksetupautomatically — running as root (sudo) is required. See macOS Support for details and manual alternatives.
Put the network interface in RFMON mode on channel 6 and save the traffic gathered from the stations associated to a specific access point excluding those whose MAC address starts with 00:11:22:
airsnare -i wlan0 -c 6 -b AA:BB:CC:DD:EE:FF -x 00:11:22:33:44:55/ff:ff:ff:00:00:00 -w out.pcap
Passively analyze the traffic generated by any station on the current channel assuming that the network interface is already RFMON mode:
airsnare -i wlan0 -n
Strip unnecessary frames from a pcap file (excluding altogether the traffic generated by one particular station) considering an handshake complete after just the first two messages (which should be enough for unicast traffic decryption):
airsnare -r in.pcap -x 00:11:22:33:44:55 -w out.pcap
The easiest way to install on macOS:
brew tap rtulke/airsnare
brew install airsnare
To upgrade to a new release:
brew update && brew upgrade airsnare
For Linux or development builds, continue with the sections below.
For Debian-based systems:
sudo apt-get install libpcap-dev
For macOS systems (Homebrew):
brew install libpcap wget
make # builds the optimized release binary (default target)
make debug # builds with -ggdb3/-Werror for development
make config # refresh vendored Makefile + uthash stub if needed
The installation process is not mandatory, AirSnare can be run from the src directory. Just in case:
make install INSTALL_PATH=/usr/local/bin # copies src/airsnare there
make uninstall INSTALL_PATH=/usr/local/bin
Set DESTDIR=/path/to/staging when packaging, and use sudo if your chosen INSTALL_PATH requires it.
AirSnare reads configuration files before parsing CLI arguments, with later sources overriding earlier ones:
/etc/airsnare.conf(system-wide, optional)~/.airsnarerc(per-user, optional)- Any file passed via
--config <path>(can be repeated) - Command-line arguments (highest priority)
Files use a minimal key = value syntax (#/; comments, optional '/" quotes). Sample values live in airsnare.conf.example. ~ expands to $HOME.
Supported keys
| Key | Type | Description / CLI equivalent |
|---|---|---|
interface, input |
string | Live interface (-i) |
pcap, input_file, read_file |
string | Input pcap (-r) |
output, write_file |
string | Output file (-w) |
channel |
int | Wi-Fi channel (-c) |
no_rfmon |
bool | Skip RFMON setup (-M) |
passive |
bool | Passive mode (-n) |
deauth_count |
int | Frames per burst (-d) |
deauth_attempts |
int | Max attempts (-a) |
deauth_interval |
int | Seconds between bursts (-t) |
dump_group_traffic |
bool | Keep broadcast/multicast (-g) |
early_quit |
bool | Stop after first handshake (-q) |
max_handshake |
int 2-4 | Required handshake messages (-2 / -3) |
bssid_include / bssid_exclude |
csv | MAC/mask filters (-b/-B) |
station_include / station_exclude |
csv | Station filters (-s/-S) |
bssid_exclude_first / station_exclude_first |
bool | Filter order (-x b / -x s) |
log_level |
string/int | error…trace or 0-4 (-v) |
CSV values accept comma-separated entries like AA:BB:.../ff:ff:.... Boolean parsing understands true/false, yes/no, on/off, 0/1. Invalid entries report filename + line number and abort that file.
Quick start
cp airsnare.conf.example ~/.airsnarerc
$EDITOR ~/.airsnarerc
./src/airsnare --config ~/.airsnarerc -n
This keeps reusable profiles while still allowing ad-hoc CLI overrides (e.g., -n, -v).
On macOS the Wi-Fi interface is typically en0. Verify with:
networksetup -listallhardwareports
All examples that reference wlan0 should use en0 on macOS.
AirSnare calls pcap_set_rfmon() automatically unless -M is passed. This requires root and
may fail depending on the adapter and System Integrity Protection (SIP) configuration. If
pcap_activate returns an error, ensure your adapter supports monitor mode and that SIP is
not blocking raw 802.11 access.
On macOS, -c <channel> sets the channel before monitor mode is activated (required because
pcap_activate takes over the interface once RFMON is enabled). Running as root is required:
sudo airsnare -i en0 -c 6 -n
Two methods are tried in order:
/usr/sbin/networksetup -setairportchannel— works on macOS Monterey and earlier- The
airportutility — automatic fallback for macOS Ventura+ (wherenetworksetupdropped the-setairportchannelsubcommand)
If both fail, AirSnare exits with a descriptive error. To set the channel manually and skip
AirSnare's auto-switching, pass -M:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport \
--channel=<channel>
sudo airsnare -i en0 -M -n
Packet injection via pcap_inject() is not supported on the built-in Wi-Fi adapter of
Apple Silicon Macs (M1/M2/M3) and most Intel Macs running macOS Monterey or later. AirSnare
will exit with an error when injection fails.
Workaround: use an external USB adapter with a macOS-compatible monitor-mode driver
(e.g. Alfa AWUS036ACH, AWUS036ACS). For capture-only workflows use passive mode (-n),
which never injects frames:
sudo airsnare -i en0 -n -w out.pcap
src/
|-- airsnare.c # Main entry point - program orchestration and lifecycle
|
|-- handler.c/h # Handler lifecycle - pcap setup, BPF filtering, packet loop
|-- dissector.c/h # Packet dissection - parses 802.11 frames, applies filters
|-- handshake.c/h # WPA handshake state machine - tracks 4-way handshake progress
|-- killer.c/h # Deauthentication subsystem - manages and injects deauth frames
|-- dispatcher.c/h # Signal handling - SIGINT/SIGTERM/SIGUSR1 via kqueue (macOS) or sigwait (Linux); periodic killer invocation
|
|-- clients.c/h # Client tracking - per-station handshake state and replay counters
|-- bsss.c/h # Access point tracking - BSS descriptors with SSID and statistics
|-- members.c/h # MAC address sets - whitelist/blacklist with subnet mask support
|
|-- ieee802.c/h # IEEE 802.11 protocol - frame structures, EAPOL, MAC utilities
|-- config.c/h # Configuration loader - layered file parsing and defaults
|-- options.c/h # Command-line parsing - argument validation and configuration
|-- terminal.c/h # Terminal output - ANSI colors, logging, statistics display
|-- util.c/h # Privilege management - setuid/setgid for dropping root
|-- iface.c/h # Interface configuration - platform-specific channel setting
|
|-- params.h # Runtime parameters - timeout constants and grace periods
|-- release.h # Version metadata - version number and author information
`-- endian.h # Endianness macros - byte order conversion for Linux/macOS