
CTS 102: Capturing Wireless Frames

François and Rowell discuss their experiences capturing wireless frames for analysis and what tools they used to do it.

This episode is sponsored by Metageek


Capturing Wireless Frames

It’s one of my favorite things to do: capture wireless frames anywhere there’s a wireless network present. I know. I’m a boring guy. But I can’t help taking a look. In this episode on capturing wireless frames, we go over our favorite tools and apps, which help us solve real-world problems.

Why should you capture frames? If you want to learn how wireless works, then you need to start diving into frames. That’s how you’ll learn exactly what you need to know by seeing how it works. It’s perfect for learning any of the CWNP certifications and especially for the CWAP. By looking at wireless frames, you’ll begin seeing how wireless devices and access points talk to each other and acquire the shared medium.

A beacon frame displayed from Wireshark.


Another reason for capturing wireless frames is to perform analysis. There may be an issue that’s hard to solve and requires wireless frame analysis. This could be as simple as finding out a device does not negotiate the same parameters as the BSS. Or maybe you’re trying to find out what could be slowing down wireless for every other device.

It’s the old saying, packets never lie. But in this case, frames never lie!

Screenshot from Metageek Eye P.A.


You can capture wireless frames on any platform, such as macOS, Windows, and Linux. When it comes to the platform of choice, we prefer macOS. By default, you can place the macOS wireless adapter in promiscuous mode. This mode is used to capture all frames, even those not destined to the host. By using an app such as Airtool, it’s possible to fine-tune a frame capture down to parameters such as the channel, channel width, payload or no payload, etc.

Then with Wireshark, the analysis can be performed.


A section of Mojo Packets analysis.

In the episode, François and I speak about our experiences in using frame analysis. I bring up a situation where Skype calls kept dropping but the issue was really a consumer level device trying to take up most of the airtime. There are other examples also described in the episode.

Here are some screenshots of different applications of frame capture and analysis.

Links and Resources

CTS 081: Wi-Fi Apps for Windows

We couldn’t do our work without the valuable apps used in the Windows operating system. That’s what we’ll discuss in this episode. Wi-Fi apps for Windows.

This episode is brought to you by Metageek

Here are the Wi-Fi apps for Windows that Rowell and I use regularly when we are working at client sites or for any other Wi-Fi project. We certainly have our favorite apps and there are some we use on special cases but take a look at the list below and let us know what you think in the comments.

Metageek Chanalyzer

  • Spectrum Analysis software (For more, listen to CTS066, CTS039, CTS073)
    • Requires a piece of hardware to feed spectrum information to the software
      • Wi-Spy dBx
      • Cisco CleanAir AP (much better resolution)
  • Simple and user friendly interface
    • Different views
      • Waterfall view
      • Current spectrum view
  • Ability to record spectrum analysis
  • Can scan both 2.4GHz and 5GHz bands at the same time (if proper adapter is used)
  • Built-in Wi-Fi network scanner
  • Presents channel utilization
  • Link to Chanalyzer

Screenshot from Metageek Chanalyzer

Metageek Eye P.A.

  • A different way to analyze a Wi-Fi network
    • Very visual
  • Ability to capture packets (if the proper Wi-Fi adapter is used – AirPcap Nx) and display different valuable statistics
    • How much airtime is used, and by whom? You will see how much your neighbours affect you!
    • Compare the size of packets with the amount of data transferred. Helps to visualize that Wi-Fi generates tons of management traffic
  • Ability to import packet captures taken from other programs (Wireshark, AirTool, CommView…)
  • Ability to see the packets
    • With filter capabilities
  • Great to visualize issues and present to customers
  • Great to gather statistics on how a Wi-Fi network is performing
  • Side note: Great tool to use to learn more about Wi-Fi
  • Link to Metageek Eye P.A.

Screenshot from Metageek Eye P.A.

Ekahau Site Survey

  • Swiss Army knife of Wi-Fi (for more listen to CTS069, CTS009)
    • Site Survey tool (Design, validation, troubleshooting)
    • Wi-Fi scanner
    • Spectrum Analyzer
    • Complete solution meeting the needs of Wi-Fi Engineers
    • Updated on a regular basis
    • Take advantage of the Wi-Fi community to improve the tool (#ESSRequest)
    • The reference Wi-Fi design and site survey tool today
  • Looks way way way better than AirMagnet
  • Complete set of features
    • 3D Wi-Fi design
    • Reporting and Reporting customization
    • Spectrum Analyzer
    • macOS version (beta)
  • Link to Ekahau Site Survey

Viewing channel overlap in Ekahau Site Survey

Metageek InSSIDer Office

  • Wireless network scanner
  • See what channels are used by other networks
  • RSSI
  • Data rates
  • Protocol
  • Plug in a Wi-Spy dBx for Chanalyzer Lite
  • Link To Metageek InSSIDer Office

Screenshot of Metageek InSSIDer

Savvius Omnipeek

  • Heavy-duty network analyzer
    • Used to troubleshoot Wi-Fi networks
  • Captures packets and provides insight on the quality of the network (more than just Wi-Fi)
  • Ability to drill down into the packets
  • Ability to use multiple adapters to capture on multiple channels to analyze things like roaming behaviour
  • Can be overwhelming at first but very powerful
  • Link to website
  • Video from WLPC2016

Screenshot of Omnipeek

Netsh Tool

Screenshot of Netsh

Some other programs worth talking about

What apps are you using in Windows? Did we miss any?

CTS 047: Troubleshooting WiFi With Wireshark

It’s that time, a new episode about WiFi! Our main topic is Troubleshooting WiFi with Wireshark.

I saw this get shared on Twitter, which is an article from The Guardian. Apparently, AirBnb WiFi is a security threat for travelers. This shouldn’t be a surprise to anyone, but it is possible that the owner could be spying on your traffic, collecting information on you or even stealing your passwords. The best thing to do is not use the WiFi. I know, hard to do. From another perspective, a malicious hacker could break into your access point and install a backdoor and have his/her way with your WiFi. Now that’s a scarier thought.

I noticed Keith Parsons shared an interesting photo on social media. He displayed what he carries every day as part of his WLAN Professional toolkit. My toolkit is a lot lighter than that only because I hate carrying a lot of gear. Here’s a look into my toolkit:

For software I use:

What’s in your toolkit? Leave a comment below. I’m very curious what other professionals carry.

A WiFi Question from Lee Badman caught my attention, #WIFIQ 8/10/16 Have you ever had to deal with someone spoofing/copying your residential or business SSID? Circumstances, course of action?

On campus I know I’d find that rogue access point and shut it down after finding it.

But if it’s a neighboring tenant, what options do you have? The only thing I can think of is to simply ask them to change their SSID.

Troubleshooting WiFi with Wireshark

Download this sample pcap file to follow along.

My primary computer is a Macbook Pro. You can perform the same troubleshooting steps on a PC.

First step is to download the application at wireshark.org.

Before capturing wireless frames, there are a few things to take note of. If you’re using a Macbook Pro/Air, then you should be okay capturing frames using your built-in wireless adapter. I highly recommend using Airtool to assist in capturing frames on specific channels and channel widths. Airtool will conveniently save that capture for you on your desktop and open it right up in Wireshark.

If you’re using a PC, capturing wireless frames may not be that easy. Normally, the wireless adapter in Windows doesn’t allow you to capture frames in promiscuous mode. You’ll want to capture all the wireless frame details: not just the data frames, but also the frames used for management and control of the wireless medium.

On a Windows PC I have used the AirPcap adapter from Riverbed.

Once you’ve captured enough wireless frames, go ahead and stop the capture. Now we should be looking at Wireshark. The window is divided into three sections:

  • Top pane: the list of captured frames
  • Middle pane: the details of the frame selected in the top pane
  • Bottom pane: the raw bytes of the selected frame

Wireshark Window

We can see details such as the source MAC address, destination MAC address, and the details of the frame.

On the Info column, you can see what kind of frame is captured. For example, the first frame is a probe request from a device. What’s awesome about diving into wireless frames is being able to see so many details. Expand the Radiotap Header and we can see what data rate this frame was sent out on, which frequency, the signal, etc.

Expand IEEE 802.11 Probe Request and we can identify what kind of frame this is. It’s a Management frame with a subtype of 4, which is a Probe Request.

Now the meat of this specific frame is where you will expand IEEE 802.11 wireless LAN management frame. Here we will find the details of this probe request from the client device. It is probing for a specific SSID called test and has included all of the client’s capabilities.

Details within a frame.

We’re already seeing how powerful it is to analyze wireless frames when troubleshooting client devices.

So that’s looking at wireless frames. Let’s add more functionality to Wireshark. We can add columns to the frame list pane in order to see more details.

A few columns I like to have visible are:

  • Duration
  • Channel
  • Data rate
  • MCS Index

To add a column, right click on an existing column and select Column Preferences. Click on the Plus icon to add a new column. So, for example, to add a Duration column, give the column the title Duration, change the type to Custom, and in the Fields box use what’s called a filter. For duration it is wlan.duration.

Column Preferences in Wireshark.

Display filters are your best friend. Display filters are used to find specific types of frames or packets. For example, if I wanted to see frames from a specific source MAC address, I would type in wlan.addr == mac_address in the display filter bar.

It is possible to filter from almost any type of frame.

Typically when capturing wireless frames, I capture everything without any filters. In Wireshark, it is possible to apply a capture filter. I don’t like this approach because you may miss a frame that may be required for troubleshooting. Instead, I capture everything and filter down from that capture. Sure it takes up a lot of hard disk space but that’s the life of a protocol analyzer. I know, I need a hobby.

But if you really want to conserve on space, Airtool has an option to not save layer 3-7 payloads. A neat little feature.

Download a PDF of display filters to use here.

So how is this useful? Let’s say a client is unable to join the wireless network and all you are able to do is perform wireless captures. If it were me and this was my only option, I’d go to where the client is having issues. Assuming the client drivers are good, the SSID can be seen by the client, and the only issue is that it never connects to the SSID, we need to find out what channel to start capturing on.

We could use another useful tool such as WiFi Explorer, by the same author as Airtool, to find out which channel has the strongest signal. That’s where I would start capturing wireless frames; then, while capturing frames, have the client try to connect. After the process fails, I would stop the capture.

Assuming we captured on the correct channel, we should be able to see the probe request coming from the MAC address of the client which you can obtain from the computer itself. After looking at the capture we should be able to see the 802.11 State Machine. If we don’t see successful authentication and association then that’s when we need to look closely at the capture. Maybe it’s because the client doesn’t support the requirements of the BSS such as a mandatory rate the client doesn’t support.

If you’re more of a visual person, Wireshark does have the capability to display the capture in a graph. What if we wanted to see how many retransmissions are occurring? In Wireshark, navigate to the Statistics menu and select I/O Graph. In the graph window, we will add a new data point by clicking on the plus icon. Rename it to Retries. The display filter to show retries is “wlan.fc.retry == 1”. Since this is bad, we will color it red. Next we modify the Y Axis to display Packets per second and also display All Packets so we can compare retries to all packets captured. That graph shows you the amount of retry frames compared to all frames captured.
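The fields the filters above rely on (the frame type/subtype that marks a Probe Request, wlan.fc.retry, wlan.duration and wlan.addr) all live in the first few bytes of the 802.11 MAC header. The Python script below is an added example, not code from the episode or from Wireshark, that decodes those bytes from raw frames and reproduces the retry-versus-all-frames ratio the I/O Graph plots, optionally limited to one station the way a wlan.addr filter would. The MAC addresses and the five-frame "capture" are constructed for the example.

```python
import struct

# The Frame Control (FC) field is the first 2 bytes of every 802.11 MAC header,
# little-endian: bits 2-3 type, bits 4-7 subtype, bit 11 the Retry flag.
# Wireshark exposes these as wlan.fc.type, wlan.fc.subtype and wlan.fc.retry.
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {0: "Association Request", 4: "Probe Request",
                 5: "Probe Response", 8: "Beacon", 11: "Authentication"}

def parse_header(frame: bytes) -> dict:
    """Decode FC, Duration and the first three addresses of a raw 802.11 frame."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    addr = lambda off: ":".join(f"{b:02x}" for b in frame[off:off + 6])
    return {
        "type": TYPE_NAMES.get(ftype, "Reserved"),
        "subtype": subtype,
        "name": MGMT_SUBTYPES.get(subtype, "?") if ftype == 0 else "",
        "retry": bool(fc & 0x0800),   # wlan.fc.retry == 1
        "duration": duration,         # the wlan.duration column
        "addr1": addr(4), "addr2": addr(10), "addr3": addr(16),
    }

def build_frame(ftype, subtype, retry, duration, a1, a2, a3) -> bytes:
    """Construct a header-only frame for the sample capture below."""
    fc = (ftype << 2) | (subtype << 4) | (0x0800 if retry else 0)
    return struct.pack("<HH", fc, duration) + bytes.fromhex(a1 + a2 + a3)

# Constructed (locally administered) addresses, not real devices.
CLIENT, AP, BCAST = "02aabbccdd01", "02aabbccdd02", "ffffffffffff"
# Constructed sample capture: a probe request, a beacon and three data
# frames from the client, two of which are retransmissions.
SAMPLE = [
    build_frame(0, 4, False, 0, BCAST, CLIENT, BCAST),
    build_frame(0, 8, False, 0, BCAST, AP, AP),
    build_frame(2, 0, False, 44, AP, CLIENT, AP),
    build_frame(2, 0, True, 44, AP, CLIENT, AP),
    build_frame(2, 0, True, 44, AP, CLIENT, AP),
]

def retry_stats(frames, addr=None) -> dict:
    """Retries vs all frames, optionally only frames matching wlan.addr == addr."""
    hdrs = [parse_header(f) for f in frames]
    if addr:
        hdrs = [h for h in hdrs if addr in (h["addr1"], h["addr2"], h["addr3"])]
    retries = sum(h["retry"] for h in hdrs)
    return {"all": len(hdrs), "retries": retries,
            "ratio": retries / len(hdrs) if hdrs else 0.0}
```

Feeding real frames in only needs the 802.11 header bytes; on a capture with a Radiotap header you would skip its length field first, which this example does not handle.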

There we have some basic Wireshark troubleshooting. That should be enough to get you going, and it will take some practice. We went over installing Wireshark and how to capture wireless frames. Then we went over the different panes within Wireshark and how to add additional columns for easier viewing of frames. Next I went over how I use Wireshark to capture frames and troubleshoot an example issue. I also provided two tools that will assist you in capturing frames, Airtool and WiFi Explorer.

In the news we talked about how insecure it is to use WiFi at an AirBnb. I know I wouldn’t. We also looked at the list of tools Keith Parsons has in his bag, which is quite impressive (what’s in your bag?), and discussed how to deal with someone spoofing your SSID.