Sniff - 802.11 ((free))

These are the most informative for a passive observer. They control network operations. Beacons, broadcast by APs every 100 ms or so, advertise the network’s SSID (name), supported data rates, capabilities, and the BSSID (AP’s MAC address). Probe requests, sent by clients searching for known networks, leak a device’s preferred SSID list (a privacy risk). Association and authentication frames reveal when and how devices join a network.

Pure passive sniffing—listening without transmitting—is stealthy and difficult to detect. However, it is slow for attackers. More common are hybrid approaches where sniffing is combined with active techniques: sniff 802.11

These carry the actual payload—the IP packets, TCP segments, and application data. In an open (unencrypted) network, data frames are completely visible. In a WEP, WPA, or WPA2 network, the payload is encrypted, but the frame’s MAC headers remain in cleartext, revealing source and destination addresses. These are the most informative for a passive observer