This tutorial is specially supported by the "Five-Color Stone Project" of Purple Mountain Laboratories.
Before starting, make sure your hardware meets the 802.11ax capture requirements; otherwise you will not be able to capture HE-format frames at all.
- Sniffer adapter:
  - Standard Wi-Fi adapters (such as the TL-WN722N or other 802.11n/ac cards) cannot capture 802.11ax frames.
  - You must use an adapter that supports 802.11ax, paired with a Linux driver that supports monitor mode (and ideally an 80 MHz monitor channel, which is what the experiment below uses).
- Experimental equipment:
  - AP (beamformer): a router supporting Wi-Fi 6 (802.11ax) (e.g., TP-LINK BE7200).
  - STA (beamformee): a mobile phone (Android is highly recommended; avoid Apple if possible) or a laptop supporting Wi-Fi 6.
  - Control terminal: a computer with Kali Linux installed (used to run the sniffer tool and the iperf3 server).
To maximize the induction of beamforming, we need to establish a high-throughput downlink traffic stream from the AP to the STA: only when the AP has a large amount of data queued for the STA does it have a reason to initiate channel sounding to optimize the downlink.
- Configure the AP:
  - Log into the router's admin backend (TP-LINK's admin URL is usually tplogin.cn).
  - Disable "Smart Connect" (dual-band integration) and turn off the 2.4 GHz band, so the STA cannot fall back to 802.11n.
  - Fix the channel: choose a 5 GHz channel with little interference, such as 36, 44, 149 or 153. Do not leave it on "Auto", otherwise the sniffer will lose the AP when it hops. Setting everything to 153 is recommended.
  - Fix the bandwidth: set it to 80 MHz (the most common experimental setting and the easiest to analyze).
  - Make sure the "MU-MIMO" and "OFDMA" options are enabled.
- Connect the STA:
  - Connect the Wi-Fi 6 phone/laptop to the AP's 5 GHz band.
  - Confirm in the management interface that the device is connected in Wi-Fi 6 mode, and record the STA's MAC address (you will need it to pick the STA's frames out of the capture).
- Connect the sniffer (Kali):
  - Plug the USB Wi-Fi adapter into the computer and pass it through to the Kali virtual machine.
  - Make sure Kali is also connected to the same LAN via a wired connection or another adapter (to run the iperf3 server); the sniffer adapter itself will be in monitor mode and cannot carry traffic.
In Wi-Fi 6 (802.11ax), beamforming feedback is an on-demand mechanism. Only when the router (AP) needs to send a large amount of data to the target device (STA), and judges that the channel is worth optimizing, does it initiate channel sounding for the downlink (an NDPA announcement, then an NDP, then the STA's compressed beamforming report).
Therefore, we need to artificially create extreme downlink pressure to trigger the generation of BFM matrices.
iperf3 can generate saturating data streams and is the best tool for triggering BFM at high frequency. To cover both the single-user (SU-MIMO) and multi-user (MU-MIMO) experiments, follow these steps:
On the PC or Kali VM connected to the same LAN via Ethernet, open a terminal and start the iperf3 server, listening on port 5201:

```bash
iperf3 -s -p 5201
```

(Note: an iperf3 server runs only one client test at a time, so for the two-device test below start two independent server instances on different ports, e.g., open another terminal and run `iperf3 -s -p 5202`.)

On your Wi-Fi 6 receiver device (e.g., a phone running Termux or Magic iPerf, or a laptop terminal), execute the following "unlimited downlink flooding" command:

```bash
iperf3 -c <Target_Host_IP> -p 5201 -u -t 0 -b 0 -R
```

Core parameters:
- `-c <Target_Host_IP>`: run in client mode and connect to the server you just started.
- `-p 5201`: use port 5201.
- `-u`: use UDP. UDP has no congestion control, so the sender pushes the link to its absolute limit, which is ideal for triggering beamforming.
- `-t 0`: run indefinitely until stopped with Ctrl+C.
- `-b 0`: remove the bandwidth limit (iperf3's UDP default is only 1 Mbit/s), forcing the AP to transmit at maximum capacity.
- `-R`: reverse mode. This is crucial: it turns the default uplink test into downlink traffic (server sends to client), so the AP has to beamform towards the STA and therefore keeps soliciting BFM reports from it.
If you need to collect overlapping MU-MIMO BFM data in a more complex environment, you need two Wi-Fi 6 devices requesting heavy traffic from the AP simultaneously.
- The server runs two ports at the same time, in two terminals: `iperf3 -s -p 5201` and `iperf3 -s -p 5202`.
- Device A (STA 1) connects to port 5201:

```bash
iperf3 -c <Target_Host_IP> -p 5201 -u -t 0 -b 0 -R
```

- Device B (STA 2) simultaneously connects to port 5202:

```bash
iperf3 -c <Target_Host_IP> -p 5202 -u -t 0 -b 0 -R
```

With both devices demanding high downlink bandwidth at once, the AP will run MU-MIMO channel sounding at high frequency (one NDPA listing both STAs, each replying with its own report), and you will capture a large volume of concurrent BFM data on the sniffer side. Check the Feedback Type subfield of the HE MIMO Control field to tell MU reports from SU reports; enabling MU-MIMO on the router does not guarantee that every sounding round is MU.
A lighter way to confirm that the wireless link is alive before (or between) iperf3 runs is a continuous ping from another LAN host.
Operation steps:
- Get the target IP:
  - Log into the router's admin backend (e.g., TP-LINK's default is tplogin.cn).
  - Go to "Device Management" or "DHCP Client List".
  - Find your experimental target device (the Wi-Fi 6 phone or laptop) and record its currently assigned LAN IP address (e.g., 192.168.1.105).
- Execute a continuous ping test:
  - On another Windows computer within the LAN, press Win + X to open Windows PowerShell (or CMD).
  - Enter the following command to send packets to the target host continuously (the `-t` parameter means keep sending until Ctrl+C is pressed):

```powershell
ping <Target_Host_IP> -t
# Example: ping 192.168.1.105 -t
```

- Observe the results: as long as the terminal keeps returning `Reply from 192.168.1.xxx: bytes=32 time=...`, the wireless link is up. Ping alone is far too little traffic to trigger sounding, so switch back to iperf3 whenever you want to start the formal high-frequency induction sniffing.
Now let's configure the sniffing environment.
- Open a terminal and check the adapter:

```bash
sudo ifconfig    # assume the adapter name is wlan0
# on systems without net-tools: ip link show, or iw dev
```

- Set monitor mode and channel (note: use the `iw` command, as `iwconfig` has poor support for 802.11ax):

```bash
# 1. Bring the interface down
sudo ip link set dev wlan0 down
# 2. Set to monitor mode
sudo iw wlan0 set type monitor
# 3. Bring the interface up
sudo ip link set dev wlan0 up
# 4. Set channel and bandwidth (crucial step)
# Syntax: sudo iw dev <device> set channel <channel> <bandwidth_type>
sudo iw dev wlan0 set channel 153 80MHz
```

- Verify the settings: type `iw dev` and check that the interface shows `type monitor` and `channel 153 (5765 MHz), width: 80 MHz, center1: 5775 MHz`. The control channel and the 80 MHz block must match the AP's settings exactly; an adapter parked on the wrong block decodes nothing useful.
Start capturing before the iperf3 traffic begins.
Command optimization: to keep the capture file from becoming too large, we usually only care about the frames that carry the BFM report and the NDPA that announces it. Note that the report is carried in an Action No Ack management frame (type/subtype 0x0e) and the NDPA is a control frame (0x15), so do not restrict the capture to plain Action frames (0x0d) or you will drop exactly the frames you want. The commands below capture everything on the channel and leave the filtering to Wireshark:

```bash
# Capture and save to file
sudo tshark -i wlan0 -w /root/he_bfm_capture.pcap
# -l only line-buffers tshark's text output; with -w alone it changes nothing,
# so add it only if you also print packets to the terminal while writing the file
sudo tshark -l -i wlan0 -w /root/he_bfm_capture.pcap
```

- The phone is ready to run the `iperf3 ... -R` traffic command.
- Kali runs the tshark command.
- The phone starts generating traffic.
- After about 60 seconds, press Ctrl+C in the Kali terminal to stop capturing.
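The monitor-mode and capture steps above, collected into one script as an added example (this is not the tutorial's own code). It computes the centre of the 80 MHz block for the chosen control channel and passes it to `iw` explicitly, so a wrong block is caught before you waste a capture, and it uses a libpcap capture filter that keeps only management and control frames (NDPA plus the Action No Ack report) so the pcap is not bloated by iperf3 data frames. Assumptions: Linux with `iw`, `ip` and `tshark` installed and run as root (or via `sudo python3 ...`); the interface name, channel, duration and output path are supplied on the command line; the function names are the example's own.

```python
"""Added example: configure an 80 MHz monitor interface and capture BFM traffic.

Assumes Linux with iw, ip and tshark on PATH, run with root privileges.
"""
import subprocess
import sys


def he80_center(ch):
    """Centre channel of the 80 MHz block that contains 5 GHz control channel ch
    (36-48 -> 42, 52-64 -> 58, 100-112 -> 106, ..., 149-161 -> 155, 165-177 -> 171)."""
    if 36 <= ch <= 144 and (ch - 36) % 4 == 0:
        return (ch - 36) // 16 * 16 + 42
    if 149 <= ch <= 177 and (ch - 149) % 4 == 0:
        return (ch - 149) // 16 * 16 + 155
    raise ValueError(f"channel {ch} is not a valid 5 GHz 80 MHz control channel")


def chan_freq(ch):
    """5 GHz channel number -> frequency in MHz."""
    return 5000 + 5 * ch


def monitor_commands(iface, ch):
    """argv lists that bring iface up as an 80 MHz monitor on control channel ch.
    The last command is the explicit form of 'iw dev <if> set channel <ch> 80MHz':
    iw dev <if> set freq <control MHz> 80 <center1 MHz>."""
    ctrl, center = chan_freq(ch), chan_freq(he80_center(ch))
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["iw", "dev", iface, "set", "type", "monitor"],
        ["ip", "link", "set", "dev", iface, "up"],
        ["iw", "dev", iface, "set", "freq", str(ctrl), "80", str(center)],
    ]


def capture_command(iface, seconds, pcap):
    """Capture only management + control frames for a fixed duration.
    'type mgt or type ctl' keeps the NDPA (control) and the HE report
    (Action No Ack, management) and drops the iperf3 data frames."""
    return ["tshark", "-i", iface, "-f", "type mgt or type ctl",
            "-a", f"duration:{seconds}", "-w", pcap]


def count_frames(pcap, display_filter):
    """Number of frames in pcap matching a Wireshark display filter."""
    out = subprocess.run(["tshark", "-r", pcap, "-Y", display_filter],
                         capture_output=True, text=True, check=True).stdout
    return len(out.splitlines())


def main(argv):
    iface, ch, secs, pcap = argv[1], int(argv[2]), int(argv[3]), argv[4]
    for cmd in monitor_commands(iface, ch):
        subprocess.run(cmd, check=True)
    subprocess.run(["iw", "dev", iface, "info"], check=True)   # eyeball the result
    subprocess.run(capture_command(iface, secs, pcap), check=True)
    print("HE BFM reports:", count_frames(pcap, "wlan.he.action.he_mimo_control"))
    print("NDPA frames:   ", count_frames(pcap, "wlan.fc.type_subtype == 0x15"))


if __name__ == "__main__":
    # usage: sudo python3 he_sniff.py wlan0 153 60 /root/he_bfm_capture.pcap
    main(sys.argv)
```

If the report count stays at zero while NDPAs are present, the adapter is hearing the AP but not the STA; move it closer to the phone. If both are zero, the channel or 80 MHz block does not match the AP.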
This is the most critical step: extracting the Wi-Fi 6 beamforming reports from the mass of captured data.
- Open the file:

```bash
wireshark /root/he_bfm_capture.pcap
```

- Apply a display filter:
  - Core filter (for HE MIMO BFM): `wlan.he.action.he_mimo_control`
  - Combined filter (to see the complete interaction, including the NDPA announcement): `(wlan.fc.type_subtype == 21) || (wlan.he.action.he_mimo_control)` (21 is 0x15, the NDP Announcement control frame)
- Identify the correct BFM frame: in the filtered results, look for frames sent by the STA (phone) to the AP (router), i.e. whose source address is the STA MAC you recorded:
  - Protocol column: usually displays `802.11` or `HE Action`.
  - Info column: shows `Action frame, Category: HE` (the report is sent as an Action No Ack frame, so the Info text may start with `Action No Ack` instead).
  - Expand the frame structure:
    - Expand `IEEE 802.11 Wireless Management`.
    - Look for `HE Action code: HE Compressed Beamforming And CQI (0)`.
    - Expand the `HE MIMO Control` field.
    - Expand `Feedback Matrices`, which holds the targeted BFM matrix information.
- Interpret the HE MIMO Control data:
  - Nc Index / Nr Index: the antenna stream configuration. Nc is the number of columns (space-time streams) and Nr the number of rows (beamformer antennas) of the feedback matrix; both are encoded as the value plus one, so `Nr Index 3, Nc Index 1` means a 4x2 matrix.
  - Channel Width: 0 = 20, 1 = 40, 2 = 80, 3 = 160/80+80 MHz.
  - Codebook Size: feedback precision of the angles, i.e. bits per phi/psi pair: 4/2 or 6/4 bits for SU feedback, 7/5 or 9/7 bits for MU feedback.
  - Feedback Type: SU, MU or CQI. This is how you tell the MU-MIMO reports of the two-device experiment from ordinary SU reports.
  - Beamforming Report: the long string of hexadecimal data following the control field is the report body: one Average SNR octet per stream, then the compressed $\phi$ and $\psi$ angle matrices, one set of angles per reported subcarrier.
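The "Identify the correct BFM frame" and "Interpret the HE MIMO Control data" steps above, as an added worked example (this is not code from the tutorial). It parses the same fields Wireshark shows under `HE MIMO Control` from raw frame bytes and derives what the report body must contain: the number of angles per subcarrier for an Nr x Nc matrix and the bits each angle occupies. Assumptions: the frame starts at the 802.11 MAC header (radiotap header and FCS already stripped, as Wireshark presents the `IEEE 802.11 Wireless Management` tree); the MAC addresses and the whole sample frame are constructed, not captured; the subfield layout is the 40-bit HE MIMO Control field of 802.11ax with B0 as the LSB of the first octet; the Average SNR encoding (0.25 dB steps, -128 = -10 dB) is assumed to match VHT. The function names are the example's own.

```python
"""Added example: decode the header of an HE Compressed Beamforming/CQI report."""
import struct

HE_CATEGORY = 30            # Action category "HE" (not a robust category, sent in clear)
HE_ACTION_BFM_CQI = 0       # HE Action code: HE Compressed Beamforming And CQI
ACTION, ACTION_NO_ACK = 13, 14

# HE MIMO Control subfields in transmission order: (name, width in bits), 40 bits total
HE_MIMO_CONTROL_FIELDS = [
    ("nc_index", 3), ("nr_index", 3), ("bw", 2), ("grouping", 1),
    ("codebook_info", 1), ("feedback_type", 2), ("remaining_segments", 3),
    ("first_segment", 1), ("ru_start", 7), ("ru_end", 7),
    ("dialog_token", 6), ("disallowed_bitmap_present", 1), ("reserved", 3),
]
BW_MHZ = {0: 20, 1: 40, 2: 80, 3: 160}
FEEDBACK_NAME = {0: "SU", 1: "MU", 2: "CQI"}
# (feedback_type, codebook_info) -> bits per (phi, psi) angle
ANGLE_BITS = {(0, 0): (4, 2), (0, 1): (6, 4), (1, 0): (7, 5), (1, 1): (9, 7)}


def pack_he_mimo_control(**fields):
    """Build the 5-octet HE MIMO Control field; unspecified subfields are 0."""
    value, shift = 0, 0
    for name, width in HE_MIMO_CONTROL_FIELDS:
        v = fields.get(name, 0)
        if v >> width:
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value |= v << shift
        shift += width
    return value.to_bytes(5, "little")


def unpack_he_mimo_control(raw):
    """Split the 5-octet field into its subfields (little-endian bit order)."""
    if len(raw) != 5:
        raise ValueError("HE MIMO Control is 5 octets")
    value, shift, out = int.from_bytes(raw, "little"), 0, {}
    for name, width in HE_MIMO_CONTROL_FIELDS:
        out[name] = (value >> shift) & ((1 << width) - 1)
        shift += width
    return out


def angle_count(nr, nc):
    """Number of phi angles (equal to the number of psi angles) per subcarrier
    for an Nr x Nc compressed feedback matrix: 2x1 -> 1, 4x2 -> 5, 4x4 -> 6."""
    return nc * nr - nc * (nc + 1) // 2


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_he_bfm_frame(frame):
    """Parse the MAC header and HE action header of a beamforming report."""
    fc, _dur, a1, a2, _a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (ACTION, ACTION_NO_ACK):
        raise ValueError("not an Action / Action No Ack management frame")
    body = frame[24:]
    if body[0] != HE_CATEGORY or body[1] != HE_ACTION_BFM_CQI:
        raise ValueError("not an HE Compressed Beamforming/CQI report")
    ctrl = unpack_he_mimo_control(body[2:7])
    nc, nr = ctrl["nc_index"] + 1, ctrl["nr_index"] + 1
    phi_bits, psi_bits = ANGLE_BITS.get(
        (ctrl["feedback_type"], ctrl["codebook_info"]), (0, 0))
    n = angle_count(nr, nc)
    # Report body starts with one Average SNR octet per space-time stream:
    # two's complement in 0.25 dB steps, -128 = -10 dB (assumed as in VHT).
    avg_snr_db = [((x - 256) if x > 127 else x) / 4 + 22 for x in body[7:7 + nc]]
    return {
        "action_no_ack": subtype == ACTION_NO_ACK,
        "beamformee": mac(a2), "beamformer": mac(a1),      # STA -> AP
        "nc": nc, "nr": nr, "bw_mhz": BW_MHZ[ctrl["bw"]],
        "ng": 16 if ctrl["grouping"] else 4,               # subcarrier grouping
        "feedback": FEEDBACK_NAME.get(ctrl["feedback_type"], "reserved"),
        "phi_bits": phi_bits, "psi_bits": psi_bits,
        "angles_per_subcarrier": 2 * n,
        "bits_per_subcarrier": n * (phi_bits + psi_bits),
        "avg_snr_db": avg_snr_db,
        "dialog_token": ctrl["dialog_token"],              # matches the NDPA's token
        "ru_range": (ctrl["ru_start"], ctrl["ru_end"]),
    }


# Constructed sample (not a capture): Action No Ack, STA -> AP, 4x2 SU report, 80 MHz.
AP_MAC = bytes.fromhex("02ac000000aa")     # placeholder beamformer address
STA_MAC = bytes.fromhex("02ac000000bb")    # placeholder beamformee address
SAMPLE_CONTROL = pack_he_mimo_control(
    nc_index=1, nr_index=3, bw=2, first_segment=1, ru_end=36, dialog_token=5)
SAMPLE_FRAME = (
    struct.pack("<HH6s6s6sH", 0x00E0, 0, AP_MAC, STA_MAC, AP_MAC, 0x0010)
    + bytes([HE_CATEGORY, HE_ACTION_BFM_CQI]) + SAMPLE_CONTROL
    + bytes([0x28, 0x1C])    # Average SNR: 40 -> 32.0 dB, 28 -> 29.0 dB
    + b"\x00" * 16)          # truncated angle payload (filler, not real angles)

if __name__ == "__main__":
    print("HE MIMO Control bytes:", SAMPLE_CONTROL.hex())
    for k, v in parse_he_bfm_frame(SAMPLE_FRAME).items():
        print(f"{k:>22}: {v}")
```

Compare the decoded `nc`, `nr`, `bw_mhz` and `feedback` values with what Wireshark's `HE MIMO Control` subtree shows for a real report, and use `dialog_token` to pair each report with the NDPA that solicited it; if you ever need to parse the angle matrices themselves, `bits_per_subcarrier` is the stride to walk the payload with.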
Common problems:
- Cannot capture packets / all packets are gibberish (FCS error):
  - Distance issue: the position of the sniffer is critical. The AP's signal is strong and easy to catch, but the BFM is sent by the STA; if your adapter is too far from the phone, you will not receive the feedback frames intact.
  - Suggestion: place the sniffing adapter close to the phone (within 1 meter). Also confirm with `iw dev` that the adapter is on the same control channel and 80 MHz block as the AP; frames from a different block decode as garbage or not at all.
- Cannot see HE Action / BFM payload:
  - Encryption: beamforming reports belong to the HE action category, which is not a robust (protected) category, so they are normally readable even on WPA2/WPA3 networks with PMF; what is encrypted is the iperf3 data, which you do not need. If you still see nothing, rule encryption out entirely:
    - Method 1 (recommended): set the router to OWE (Enhanced Open) or a completely open (no password) network for the experiment.
    - Method 2: if you must use WPA, enter the Wi-Fi password in Wireshark's IEEE 802.11 protocol preferences (decryption keys) and capture the complete 4-way handshake when the phone connects; without the handshake Wireshark cannot derive the session key.
- tshark reports "Operation not supported":
  - This usually means your adapter driver does not support monitor mode, or does not support the 80 MHz bandwidth setting. Verify your adapter chipset model; an adapter that accepts `set channel 153 HT20` but rejects `set channel 153 80MHz` has the second problem and will not see 80 MHz HE frames correctly.
| Step | Key command / action |
|---|---|
| Set adapter | `sudo iw dev wlan0 set channel 153 80MHz` (must match the AP's channel and 80 MHz block) |
| Trigger traffic | `iperf3 -c <Server_IP> -p 5201 -u -t 0 -b 0 -R` (downlink, i.e. `-R`, is the key) |
| VHT filter | `wlan.vht.mimo_control` (for Wi-Fi 5) |
| HE filter | `wlan.he.action.he_mimo_control` (for Wi-Fi 6) |
| Complete interaction | `(wlan.fc.type_subtype == 21) \|\| (wlan.he.action.he_mimo_control)` (NDPA plus report) |