npcap

This version Npcap already supports monitor mode setting using Wireshark GUI or command line.

1. For GUI, if you check the Capture packets in monitor mode option in Edit Interface Settings, your wireless adapter will turn into monitor mode immediately.
2. For CLI, run dumpcap command with -I option, your wireless adapter will turn into monitor mode right before capturing.

The WlanHelper.exe tool automatically installed to your system path after installing Npcap.

Usage:

Default options for Npcap installer GUI can be changed. An example is:
npcap-nmap-0.06-r16.exe /admin_only=no /loopback_support=yes /dlt_null=no /vlan_support=no /winpcap_mode=no

or even simpler:

npcap-nmap-0.06-r16.exe /winpcap_mode=no

As the default option of /winpcap_mode is yes. Running the installer directly without options will see Install Npcap in WinPcap API-compatible Mode CHECKED by default in the Installation Options page.

However, the above two commands will launch the installer GUI, and in the Installation Options page, the Install Npcap in WinPcap API-compatible Mode option will be UNCHECKED by default.

Notice:

The current installation options by default are (for both GUI and silent mode):
/admin_only=no /loopback_support=yes /dlt_null=no /vlan_support=no /winpcap_mode=yes

Warning:

This -wifi version Npcap is especially for the people who want to capture packets with 802.11 headers instead of Ethernet headers on their wireless adapters.

Other users who do NOT care about this feature should use a normal version Npcap. The latest normal version Npcap is 0.06 r14 at:
https://github.com/nmap/npcap/releases/download/v0.06-r14/npcap-nmap-0.06-r14.exe

Usage:

1. Install npcap-nmap-0.06-r15-wifi2.exe.
2. Run WlanHelper.exe with Administrator privilege. Type in the index of your wireless adapter (usually 0) and press Enter. Then type in 1 and press Enter to to switch on the Monitor Mode.
3. Launch Wireshark and capture on the wireless adapter, you will see all 802.11 packets (data + control + management).
4. If you need to return to Managed Mode, run WlanHelper.exe again and input the index of the adapter, then type in 0 and press Enter to to switch off the Monitor Mode.

Notice:

You need to use WlanHelper.exe tool to switch on the Monitor Mode in order to see 802.11 control and management packets in Wireshark (also encrypted 802.11 data packets, you need to specify the decipher key in Wireshark in order to decrypt those packets), otherwise you will only see 802.11 data packets.

Switching on the Monitor Mode will disconnect your wireless network from the AP, you can switch back to Managed Mode using the same WlanHelper.exe tool.

The source code of WlanHelper.exe tool is published at:
https://github.com/hsluoyz/WlanHelper

Terminology:

Managed Mode (for Linux) = Extensible Station Mode (aka ExtSTA, for Windows)
Monitor Mode (for Linux) = Network Monitor Mode (aka NetMon, for Windows)

npcap-nmap-0.06-r14.exe: Fixed the captured incorrect packet length (usually 2048) bug on VirtualBox VMs. Thanks Komosa for reporting this bug!

npcap-nmap-0.06-r14-wifi3.exe: This special -wifi version Npcap will supply Native 802.11 headers with radiotap information instead of fake Ethernet headers for wireless adapters.

WlanHelper.exe: Run this tool to switch your wireless adapter into Monitor Mode. -wifi version Npcap will do better with Monitor Mode (can see more types of packets, like QoS Null function, CF-Poll, etc). You can only see QoS Data and Data types of packets in Extensible Station Mode.

NOTICE:

If you have installed a -wifi version Npcap before, install a normal version again will still give you 802.11 packets instead of fake Ethernet packets. The cause is Windows cached some driver configurations about the old version Npcap (like the -wifi version).

The solution is:

1. Download the DriverStore Explorer [RAPR] tool from Microsoft: http://driverstoreexplorer.codeplex.com/ and run Rapr.exe (you may need to install the correct .Net framework to run this program).
2. Click on Enumerate, select all the drivers the Pkg Provider of which are Nmap Project and click on Delete Package. (Nmap doesn't have another Windows driver except Npcap, so you can feel safe to clear all Nmap driver's cache)
3. Reinstall the normal version Npcap, this time Npcap will behave correctly for wireless adapters by providing fake Ethernet headers.