Sniff AirTraffic using Macbook is easy and you just have to follow the steps below:
1.)Quit all open applications.
2.)Try to join the Wi-Fi network that you are having issues with if you are not already connected.
3.)Open Wireless Diagnostics. Tip: You can hold down the Option key and then click the Wi-Fi menu extra.
4.)Enter your admin name and password when prompted.
5.)In Wireless Diagnostics, choose Window > Sniffer,
5.)Choose appropriate channel and channel width as per your Wireless AP Radio configuration
Start the capture , click stop when you are done , A capture file will be placed on the desktop.
I also found a Video done my benmiller regarding the same:
>Apple has designed the ios devices in such a way that whenever you connect your iphone to a captive portal designed wifi network they bring it to your notice by popping up a tiny browser that you have to authenticate to get on internet.
>How does this work on the background?
155.726863 192.168.242.85 -> 192.168.242.15 DNS Standard query A captive.apple.com
155.901921 192.168.242.15 -> 192.168.242.85 DNS Standard query response CNAME captive.apple.com.edgekey.net CNAME e7279.dsce9.akamaiedge.net A 18.104.22.168
155.929087 192.168.242.85 -> 22.214.171.124 TCP 65431 > http [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1416 WS=5 TSV=760100837 TSER=0 SACK_PERM=1
155.930144 126.96.36.199 -> 192.168.242.85 TCP http > 65431 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSV=8650997 TSER=760100837 WS=0
>Once the devices gets a IP address the iphone tries to send traffic to captive.apple.com and if gets any reply the device knows that the user have already authenticated.
>If the device not able to reach the captive.apple.com then it understands that there is a captive portal to authenticate further.
>In this sample capture the device gets a response from 188.8.131.52 , he know that it does has internet access and CNA is not required.