When analyzing a Wi-Fi network, it's important to go through the IEEE standard 802.11 as the source of truth as this is one of the most interesting protocols to gain a expertise on.
Wireless networks are different from a wired LAN: here the addressable unit is a station (STA), and the STA is the message destination not the fixed location when the packet is transferred to the STA.
Within the scope of the book, we are dealing with packets captured between the WNIC controller and the access point. The access point (AP) contains one station (STA) and provides access to the distribution. In this book, we will see the how Wireshark has provided display filters for analyzing Wi-Fi frames:
In Layer 2, datagrams are called frames; they show all channel traffic and a count of all the frames received at the measuring STA. There are four types of frame, which are defined in the following table:
|
Frame type |
Value |
Wireshark display filter |
|---|---|---|
|
Management |
0x00 |
|
|
Control |
0x01 |
|
|
Data |
0x02 |
|
|
Extension |
0x03 |
|
Let's take a detailed look at these frames one by one.
Wireshark uses the wlan_mgt display filter to show all the management frames. In line with the IEEE 802.11 standard, the following management frames are defined and their corresponding values, with appropriate Wireshark display filters, are shown in the following table:
|
Name |
Value |
Wireshark display filter |
|---|---|---|
|
association request |
0x00 |
|
|
association response |
0x01 |
|
|
reassociation request |
0x02 |
|
|
reassociation response |
0x03 |
|
|
probe request |
0x04 |
|
|
probe response |
0x05 |
|
|
measurement pilot |
0x06 |
|
|
beacon frame |
0x08 |
|
|
atim |
0x09 |
|
|
disassociation |
0x0a |
|
|
authentication |
0x0b |
|
|
deauthentication |
0x0c |
|
|
action |
0x0d |
|
|
action no ack |
0x0e |
|
For example, by setting wlan.fc.type_subtype == 0x08, in the 802.11.pcap file, the entire beacon frame will be displayed in Wireshark.
A beacon is a small broadcast data packet that shows the characteristics of the wireless network, and provide information such as data rate (max data rate), capabilities (encryption on or off), Access Point MAC address, SSID (wireless network name), RSN information, vendor specific information, Wi-Fi protected setup, and so on, where:
- SSID is the name of the AP, for example:
ANish - BSSID is the MAC address of the AP, for example is
94:FB:B3:B8:DF:DD
In another example, the
wlan_mgt.ssid == "ANish" display filter will display all management frames whose SSID matches with ANish.
Data frames carry the packets that can contain the payload (such as files, screenshots, and so on). Type values for data frames used in 802.11 and their corresponding Wireshark display filters are shown in the following table:
|
Name |
Value |
Wireshark display filter |
|---|---|---|
|
data |
0x20 |
|
|
data + cf-ack |
0x21 |
|
|
data + cf-poll |
0x22 |
|
|
data + cf-ack + cf-poll |
0x23 |
|
|
null function |
0x24 |
|
|
no data cf-ack |
0x25 |
|
|
no data cf-poll |
0x26 |
|
|
no data cf-ack + cf-poll |
0x27 |
|
|
qos data |
0x28 |
|
|
qos data + cf-ack |
0x29 |
|
|
qos data + cf-poll |
0x2a |
|
|
qos data + cf-ack + cf-poll |
0x2b |
|
|
qos null |
0x2c |
|
|
no data qos cf-poll |
0x2e |
|
|
qos cf-ack + cf-poll |
0x2f |
|
For example, wlan.fc.type_subtype == 0x2A will display all the packets that contain QoS Data + CF-Poll in the packet capture file 802.11.pcap, as shown in the following screenshot:
Control frames exchange data frames between stations. Control frame ranges are 0x160 - 0x16A for control frame extensions where type = 1 and subtype = 6. Values for control frames and the corresponding Wireshark display filters are shown in the following table:
|
Name |
Value |
Wireshark display filter |
|---|---|---|
|
vht ndp announcement |
0x15 |
|
|
poll |
0x162 |
|
|
service period request |
0x163 |
|
|
grant |
0x164 |
|
|
dmg clear to send |
0x165 |
|
|
dmg denial to send |
0x166 |
|
|
grant acknowledgment |
0x167 |
|
|
sector sweep |
0x168 |
|
|
sector sweep feedback |
0x169 |
|
|
sector sweep acknowledgment |
0x16a |
|
|
control wrapper |
0x17 |
|
|
block ack request |
0x18 |
|
|
block ack |
0x19 |
|
|
power-save poll |
0x1a |
|
|
request to send |
0x1b |
|
|
clear to send |
0x1c |
|
|
acknowledgement |
0x1d |
|
|
0x1e |
| |
|
0x1f |
|
The AP advertises its capabilities in a Beacon frame; the client (STA) broadcasts itself, using its own probe request frame, on every channel—typically (channel 11). By doing this, it determines which access points are within range.
Probe response frames contain capability information, supported data rates and so on, of the AP after it receives a probe request frame.
The STA sends an authentication frame containing its identity to the AP. With open system authentication (the default), the access point responds with an authentication frame as a response, indicating acceptance (or rejection).
Shared key authentication requires WEP (64-bit or 128-bit) keys, and the same WEP keys on the client and AP should be used. The STA requests a shared key authentication, which returns unencrypted challenge text (128 bytes of randomly generated text) from the AP. The STA encrypts the text and returns the data to AP, the AP response indicating acceptance (or rejection).
The STA sends an association request frame to the AP containing the necessary information and then that the AP will send an Association response frame that includes acceptance (or rejection). If this is accepted, the STA can utilize AP to access other networks:
IEEE802.1x is based on Extensible Authentication Protocol (EAP), which is an extension of PPP (Point-to-Point Protocol), also known as "EAP over LAN" or EAPOL.
The IEEE 802.11 Working Group passed the 802.1x standard in 2001 to improve upon the security specified in the original 802.11 standard (IEEE, 2001).
Open the 802.11-AUTH-enabled.pcap file in Wireshark and use the display filter eapol to display all the
eapol messages only, as shown in the following screenshot. In the eapol packets, the session key of the device and the AP are handled.
As shown in the screenshot, all eapol packets are captured as 1 of 4, 2 of 4, 3 of 4, and 4 of 4.
The eapol packets are needed if you are trying to decrypt 802.11 traffic. The Wireshark wiki link https://wiki.wireshark.org/HowToDecrypt802.11 is an excellent source of information on how to decrypt traffic with the help of Wireshark.
The 802.11 standard specifies a common medium access control (MAC) layer (the data link layer) that supports the operation of 802.11-based wireless LANs. The 802.11 MAC layer uses an 802.11 Physical (PHY) layer, such as 802.11a/b, to perform the tasks of carrier sensing, transmission, and receiving 802.11 frames.
Open the packet capture file 802.11-AUTH-Disabled.pcap in Wireshark and set the display filter to wlan.da==e8:de:27:59:72:06 to view how the data is carried using 802.11 as the transport medium.
The 802.11 QoS data frames shows that the LLC header follows IEEE 802.11; this is what is expected in the monitor mode.
The captured 802.11 looks like an Ethernet packet as the 802.11 adapter will often try to transform data packets into fake Ethernet packets and then supply them to the host.
