Wireless Packets Analysis

Microchip TCP/IP Stack

Microchip TCP/IP Stack Help
Wireless Packets Analysis

This section is applicable to any wireless 802.11 products and describes the client device in an infrastructure network type. The approach remains similar when analyzing other network types.

Hardware

Wireless sniffer hardware, such as AirPcap USB adaptor by Riverbed Technology, is needed to capture the wireless packets. Here it is assumed the user has knowledge of setting up the wireless sniffer hardware for packets capture.

Software

Software such as Wireshark is needed to analyse the wireless packets captured. 

 

Even if you do not have the hardware and only have the wireshark capture file (with file extension *.pcapng), this software is still needed to view and analyze the wireless packets capture file. 

To capture 802.11 wireless packets, a sniffer hardware such as the AirPcap is required. Certain configurations will not allow you to capture 802.11 wireless packets. 

• A laptop/PC that has wireless network capabilities or wireless adaptor with an AP connected to this laptop/PC via wired Ethernet cable is not sufficient as this environment is likely to be in non-promiscuous mode. . This means that many packets will be filtered and not shown on the wireshark trace. If using wired ethernet or the built-in PC NIC, generally only packets meant for the PC are displayed. The AirPcap allows selecting a promiscuous NIC that will display all traffic in the air. 

• A laptop/PC that has wireless network capabilities or wireless adaptor and only plugged into wired Ethernet. This will only allow monitoring of Ethernet traffic and specifically traffic that is targeted to the PC, even though this laptop/PC is 802.11 wireless connected to some wireless devices. Also this method will prevent seeing packets that are attempting to make it to the PC or anywhere else but are not getting through due to any misconfigurations. 

Below figure shows the recommended configuration for wireless packets capture. 

 

802.11 Protocols

Below figure shows the 802.11 exchange protocol for a client device in an infrastructure network. 

Authentication and association frame types are unidirectional. For example, the client device will be the one transmitting the association request frame and likewise the AP/router will be the one to respond back with the association response frame. 

 

Display Filter

Use the Wireshark display filter to filter down to the traces of interest. Refer to Wireshark website for more information on display filter settings. 

 

As an example, enter into the display filter 

(wlan.bssid == Cisco-Li_27:5a:a0 && wlan.da == Broadcast) || wlan.addr == Microchi_02:75:7e 

In our example, Cisco-Li_27:5a:a0 represents the AP/router and Microchi_02:75:7e represents the wireless client. 

 

• More examples of display filter 

Wlan.fc.type == 0 Management frames 

Wlan.fc.type == 1 Control frames 

Wlan.fc.type == 2 Data frames 

Wlan.fc.type_subtype == 0 Association request 

Wlan.fc.type_subtype == 1 Association response 

Wlan.fc.type_subtype == 2 Reassociation request 

Wlan.fc.type_subtype == 3 Reassociation response 

Wlan.fc.type_subtype == 4 Probe request 

Wlan.fc.type_subtype == 5 Probe response 

Wlan.fc.type_subtype == 8 Beacon 

Wlan.fc.type_subtype == 10 Disassociation 

Wlan.fc.type_subtype == 11 Authentication 

Wlan.fc.type_subtype == 12 Deauthentication 

 

Information you are likely to need for the display filter 

• BSSID of AP/router 

BSSID is unique and identifies a specific AP/router eg Cisco-Li_27:5a:a0 

If you can unable to determine the BSSID, an alternative is to review the list of beacons in the wireless packets capture and use this list to narrow down the BSSID. 

This will translate to “wlan.bssid == Cisco-Li_27:5a:a0” in the display filter. 

• MAC Address of client device eg MRF24W 

This will identify the client device’s hardware address. 

As an example, the console terminal when using the MRF24W will display a MAC address field. 

See below figure where the MAC address is 00:1e:c0:02:75:7e. 

 

“00:1e:c0:02:75:7e” is translated to “Microchi_02:75:7e”. 

Enter “wlan.addr == Microchi_02:75:7e” in the display filter. 

• Source Address or Destination address 

This could be the following; BSSID field, address field or “Broadcast” or “Multicast”. 

Beacons are broadcast frames and the destination address is set as “Broadcast”. 

As an example, to display beacons transmitted by a particular AP/router, this will translate to “(wlan.bssid == Cisco-Li_27:5a:a0 && wlan.da == Broadcast) “ in the display filter. 

 

Procedures To Analyze 802.11 wireless packets traces

Step 1 : Open the wireless packets capture traces / file. 

Step 2: Use the display filter to filter down to the traces of interest. 

Step 3 : Active or Passive Scanning 

Before wireless connection is established, a client device needs to locate the specific AP/router that it wishes to join by either passive or active scanning. 

 

Passive Scanning 

Every “unhidden” AP/router will be transmitting beacons almost every beacon interval (BI). The client device is likely to receive multiple beacons from different AP/routers. A scan list result will be generated showing wireless devices or AP/routers that is present in the wireless network. 

 

Each beacon frame will contain information about the infrastructure network such as 

o Transmission rate of beacon (Based on 802.11-2007 specifications, transmitted at 1-2Mbps) 

o BSSID, source address, destination address 

Destination address is often of Broadcast type. 

o SSID of infrastructure network 

o AP/Router supported rates 

 

 

Active Scanning 

This involves transmission of broadcast probe request frames by the wireless client device and the AP/routers responding back with a directed (unicast) probe response frames (destination is the same client device that transmits the probe request frames). Likewise, a scan list result will be generated from the probe response frames received. 

 

“Hidden” AP/router 

In the case of a “hidden” AP/router, only active scan is used and the wireless client knows the SSID of the wireless network it desires to connect to. The wireless client will transmit a directed probe request frame to this “hidden” AP/router and the “hidden” AP/router will respond back with the corresponding probe response frames. 

 

Refer to the figure below. 

 

Once the wireless client knows the particular infrastructure network it wishes to join, the authentication and association process will be initiated. 

 

 

Step 4 : Authentication 

To initiate wirelss connection to the AP/router, authentication process will have to first take place. 

The wireless client device will transmit a directed authentication frame to the desired AP/router. The AP/Router will respond by transmitting a directed authentication to the same wireless client device to indicate the authentication status. 

Within the authentication frame from the AP/router, it will contain 

o BSSID, source address, destination address 

Destination address will be the wireless device which has transmitted the authentication (directed). 

o Authentication Algorithm 

This contained the authentication algorithm used, such as Open System. 

o Status Code 

Status Code will indicate whether authentication is a success or failure. 

 

 

Step 5 : Association 

When the authentication process is completed, this will be followed by the association process. 

The wireless client device will transmit a directed association request frame to the desired AP/router. The AP/Router will respond by transmitting a directed association response frame to the same wireless device to indicate the association status. 

Within the association response frame from the AP/router, it will contain 

o BSSID, source address, destination address 

Destination address will be the wireless device which has transmitted the association request (directed). 

o Status Code and Association ID (AID) 

Status Code will indicate whether association is a success or failure. If association is successful, an unique AID will be assigned. 

 

 

Integration of WPS into 802.11 joining operation 

Below lists the overall sequences 

• Scanning, Authentication, Association 

• WPS Frame Exchanges (EAP protocol) 

• Deauthentication or Disassociation 

o Some APs are found to transmit disassociation instead of deauthentication frame. 

Provision needs to be made to handle receipt of disassociation frame. 

Authentication, Association 

• EAPOL 4-way handshake or 802.1X-authentication 

 

Disconnection from a wireless network 

If the device is disconnected according to the 802.11 specifications, either of the following procedures will take place. 

• Disassociation 

• Deauthentication 

Or 

• Deauthentication 

When an AP sends a deauthentication notice to an associated STA, the association shall also be terminated 

 

Module
Microchip TCP/IP Stack 5.42.08 - June 15, 2013
Copyright © 2012 Microchip Technology, Inc.  All rights reserved.