Wireless Frame Analysis Practical Examples

Figure 8-15 shows an example of a probe request frame, viewed using Wireshark (ex-Ethereal), a packet analyzer and sniffer. You can see that the frame belongs to the management family and that the wireless station broadcasting this frame is looking for any AP bearing the SSID Mitzmarall and saying that the station supports a basic speed set of up to 11 Mbps (i.e., 802.11b-capable).

In response to this probe request, an AP bearing the same SSID as that sought by the station (STA) replies as shown in Figure 8-16. Here, you see the AP say, in essence, "Yes, I hear you. Now if you want to connect to me, I don't use any form of frame-payload-

No. • J T ¡me

1 Source 1 Destination

I 'rotocol I Info

O 0.010432

Z Com 13:b1:09 Intel 59^9:04

Prci» riej Probe nesponse.Gfl-547.rM-0.tH-10<

Ï. OUID: "HitxmereH"

[;■ Fran* 7 (42 btft«

on wire. 42 bytes capti**d)

" IEEC 002.11

Typ« ■ Prob* (4) V Own* Control: 0x1040 Cllormatt

VuBtyp* 4 7 Fligi QilO

Bs status Not leaving US or netuwlr is operating in W-Wt

mode (ro Lib V t-rom i/S- U> (UkUI)

QJ ■ Jtetry lr*m* is not being retransmitted > . • ou.fi MOT STfc will go to sleep .0. . - Hot* Data: Jfc data buffo-ad (I. . . .. a Protected flag- Data is not protected 0 . . . - Or dar flag: Hot strictly ordered Duration O

rintariatian KkVvM. fVi>ak-n1

fcowree Mt'tsi IntelJV>- +'J(H <uaUc;+-T:W +y:(W)

hregnvant riumbar: u f<m<t m rurfn Ttt.7


" Tagged pir »meters OS bytes)

" OCID parameter set: "Hitxmaral 1"

Tag lUnbar 0 (SSID parameter tat ) Tag length: 10

Tag interpret atiwi Hitimaral 1 V Gworted Hates 1.0(0) 2.040} 5 5C0) 11.0ID> rag Hbimbar : 1 \ ¡Supported Kates) Tag langth 4

rag interpretation Supported rates: 1 U(B) i!.U(tl>

i.üiü) [n>iv**c]

Figure 8-15 Wireless packet capture showing probe request from client to any AP configured with the SSID Mitzmara11

encryption (e.g., WEP or WPA). I am on Channel 3 (2422 MHz) and I support 802.11g rates. By the way, my transmit power is 20 dBm and I support the additional channels allowed by the European Union, Asia, and Japan of 12 and 13."

The STA then responds as shown in Figure 8-17: "I hear you and would like to authenticate with you using Open System authentication." Note that Authentication Seq: 0x0001 denotes from the station to the AP. The corresponding reply from the AP with Authentication Seq 0x0 0 02, which denotes from the AP to the STA, is shown in Figure 8-18.

Now that the STA has been successfully authenticated by the AP, the STA sends an association request, as shown in Figure 8-19. As you can see, the AP didn't get the first association request frame that the STA sent out, so this particular frame is a retransmitted frame. You can also see that the client is only 802.11b-capable and will not be able to run at 802.11g speeds, even though the AP does support 802.11g.

The AP then responds with the association response shown in Figure 8-20. Since all authentication requests and other fields (SSID, capability, encryption setting, etc.) correspond with and are within the limits of the AP's configuration and capabilities, it allows the association and the STA can start sending data.

No. -

I Tim«


I Dubliruliun

I 'rotocul J Info

7 Û.01WÎ3

lnt»l_M « oa

Proba Bec Probe Beq

|U*rtr5Ha207, FM

0, SSI0 "Mitunirill"

Type/Cubtyp*: Proie IVrporiï* {5! ■w Frime Cootrol 0*00» (Hcrmat) Version : 0

IK Statu«: Mot leavirtg LTà or rwtuwrH is operating in AU-HUL mode (lo LK U M'ont I»: U> {UxUO>

. 0. - Hore Fragments Thix n the I est f r*jment . . . . O.. ■ Retry Frimt ¡i not being retrarnmitted .0 . - PU»! HGT: OTA uiill stay up 0 ■ CW* rut* IVl (UtA t-irfferart

.0 - ItOKcttd +laij [Ut* is not protected n - n>[U> flmj. rfail »Irictly iriWnl

Duration: 411

Destination «Unii: Intel S9 PS: 04 Oc: f1 59 041 Socrce ad(Tui I-tom.tî bl M (M M H 'î bl M) 005 ld: Z-Cwn,1ï=bl:09 <00:60 t>3:15 bt:09>

x»d parameter* (12 but«) Times tamp: O*OOOOOOOOCA4OC015 BtKon interval 0.102400 [Seconds] ' Capability Information. 0x0021

O. - Itftï status: rrawmitter belw-oi to a UtiH 00 - rFP fMÉr 1 îi'ipjl n»1 i-^uliililin. Nu point Imilirialir at AP {OiOUR) U . - Privacy: «VïiA cannot support UU1

a PGCC PBCC modulation not allowed ■ Charnel Agility Chtrml agi I ity not in us*

« Spectrun Mmaçement dotllSpectrisnHinegementRociuired FALSE - Short Glot Time Short slot time not in um

- Auliaiialii- Pi Hilar 1m™ fWlivarg. afrad ml inçi lavtiari I «S

- rWImjml Rfn-4< Ai I: iloi mjm\ lilnrli —H< m( inqilaritad a Irrmediate Bloch Ack immedi ate block Kk not implanted toged parameters (42 bytes) ' S5I0 pirametar set" *Mit2mare1l"

Tag Number: 0 {CCI0 parameter set) Tay lailglh 10

rag interpretation: Witznwrall ■ Rat«. I H(R) f 0{B) 3 3(R> 11 ü{6)

Tag Hunbar' 1 <Supported Rate«) Tag length: 4

Ta? interpretation Supported rate« t 0(B) £.0(9) 3-3(6) 11.0(B) [Mbit/se«] ' OG Parameter set : Current Charnel : S

Fag length : 1

' fcW Information no tvon-tH1 blAs, do not use protection, rang preanttiles Tag Humber: 42 '.DIP' Information} Tag length 1

Tag interpretation: DIP info: 0x0 (no Hon DIP GTAi do not use protection, long prearrblesl ' Fa 1 araiaii Çk^aalacl FUI» A M (I 1? 11 It II H II VI D U II M II rag ttsnber: BO (Lxtended Supported Hates? Tag langlh. ft

Tag interpretation : Supported rat**: Ml 'JO lü.U ltf U im.u ».U IV U W. 0 [rait/sec] ' Country Information: Country Code: X. ftvj Cmwonment Tag Humber' 7 (Country Information) Tag length: 6

Tag interprétation: Tmsitry Code: C1F. Any Fnviri Charnel : 1, Lhanitelsi 1«, na» I* F

Figure 8-16 Probe response to the client from an AP with the SSID Mitzmarall

No. - ^^^ Source | Destination 'fotocol Into


m/ s avH/gy ¿-çon^iûfci:iw irvt«i_sy:«f-0,i Authantic Autharitication,af-Mü,»-H-o


hr*r.c W» {40 but« Ort mir», £<J but« capt^rad)

T tFFF flfl? 1t

AvVwitluttm (11) 7 Fi Mi, m fantrnl. fliOnfiO (hkrnul) Wjiw 0

Typ* Hansgamarvt fram* {01

05 rtrtuf Hot I«tving OS or natuorfc n epwrting in MHHût mod* (To OS- 0 From DS 0) <0*00>

O = Httfy Frama i« i»t being ratrwwmittad . 0 - PUJn MGTi STA util «ta« up

0 = Ordar flag' not strictly ordarad Du*at4on: 314

Dwtination ledrin Z-tom_13 b1 OQ <M'M M 1î &1») Source addrau: tntal 59:f«:04 (00:0c: ft:M: ffltCW] BSS Id' Z-C«n_15C> 00 <(J0 00 bî 1ï b1 09) Fraqmant njntov^ 0

» ruiriar . ?HL

V ittt UUi.11 LL'ireloss LiVf managamant «rama

Authentication Araorithm : Upen Kw*tun <l>) Authentication SFQ. O.flrtll status coda tuccass+ui (UWUWH)

Figure 8-17 Authentication request from station to AP

Figure 8-18 Authentication response from AP to station
Figure 8-19 Association request from station to AP

Using the filter function in Wireshark allows you to identify and isolate those frames that are "interesting." Simply click the Expression button and you can create a filter for every protocol and associated field recognized by libpcap. For 802.11-specific fields, you would be using the IEEE802.11 entry in the filter list predominantly. The best way to go about practicing 802.11 frame analysis is to download, compile, and install a copy of Wireshark from http://www.wireshark.org/download.html and open up the packet dumps obtained from a Kismet or Airodump-ng sniffing session. With a little help from the oracle (read: Google) whenever you run into a field you don't understand, you should be proficient at frame analysis in short order.

Figure 8-20 Association response from AP to station

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment