wireshark

CTS 121: Capturing Wireless Frames with a Mac

Capturing wireless frames is a must-know skill for any Wi-Fi network engineer.

Capturing Wireless Frames with a Mac

The MacBook Pro is an excellent tool for capturing wireless frames. The built-in wireless adapter can be used to sniff wireless frames in the air. As I like to say, the best troubleshooting tool you can have is the one that’s with you. Since I have my Mac with me all the time, I tend to capture frames wherever I go.

There are many pros to capturing frames. It’s a great way to learn how Wi-Fi works. This is how I got started. Understanding how Wi-Fi communication works through frame captures gives you the upper hand. One example is learning about the 802.11 State Machine.

When it comes to troubleshooting complicated issues, frames don’t lie. Not too long ago, my laptop had a difficult time connecting to public Wi-Fi. It frustrated me so much I decided to capture some frames. Within minutes I found out why. Just take a look at the screenshot below.

Frame capture of an association response

Tools

How To Capture Frames

  1. Install Wireshark
  2. Install the Metageek Profile
    1. Unzip the file
    2. Copy directory to /Users/user/.config/wireshark/profiles/
    3. Enable the profile in Wireshark by clicking on the bottom right of the open application. See screenshot below.
  3. Install Airtool
  4. Select channel & channel width to capture on
    1. Capturing frames with Airtool
  5. Start the capture and stop after a short time
  6. Analyze with Wireshark or Mojo Packets

Links and Resources

CTS 102: Capturing Wireless Frames

François and Rowell discuss their experiences capturing wireless frames for analysis and what tools they used to do it.

This episode is sponsored by Metageek


Capturing Wireless Frames

It’s one of my favorite things to do. Capture wireless frames anywhere there’s a wireless network present. I know. I’m a boring guy. But I can’t help taking a look. In this episode on capturing wireless frames, we go over our favorite tools and apps which help us solve real-world problems.

Why should you capture frames? If you want to learn how wireless works, then you need to start diving into frames. That’s how you’ll learn exactly what you need to know by seeing how it works. It’s perfect for learning any of the CWNP certifications and especially for the CWAP. By looking at wireless frames, you’ll begin seeing how wireless devices and access points talk to each other and acquire the shared medium.

A beacon frame displayed from Wireshark.

A sample beacon frame from Wireshark

Another reason for capturing wireless frames is to perform analysis. There may be an issue that’s hard to solve and requires wireless frame analysis. This could be as simple as finding out a device does not negotiate the same parameters as the BSS. Or maybe you’re trying to find out what could be slowing down wireless for every other device.

It’s the old saying, packets never lie. But in this case, frames never lie!

Screenshot from Metageek Eye P.A.

An example of using Metageek Eye P.A.

You can capture wireless frames on any platform, such as macOS, Windows, and Linux. When it comes to the platform of choice, we prefer to use macOS. By default, you can place the macOS wireless adapter in promiscuous mode. This mode is used to capture all frames, even those not destined for the host. By utilizing an app such as Airtool, it’s possible to fine-tune a frame capture down to parameters such as the channel, channel width, payload or no payload, etc.

Then with Wireshark, the analysis can be performed.

Mojo Packets Analysis

A section of Mojo Packets analysis.

In the episode, François and I speak about our experiences in using frame analysis. I bring up a situation where Skype calls kept dropping but the issue was really a consumer level device trying to take up most of the airtime. There are other examples also described in the episode.

Here are some screenshots of different applications of frame capture and analysis.

Links and Resources

CTS 090: Don’t Contain Me, Bro!

Containment of a WLAN is the act of shutting it down! We discuss how you can find out if you’re being contained.

This episode is sponsored by Metageek


WLAN containment is not a situation you want to deal with. The symptom you’ll see is devices dropping from your WLAN. When they are disconnected, they often stay disconnected. Sometimes those devices won’t be able to connect at all to your WLAN.

What is happening? Another network is containing your WLAN. This happens by sending deauthentication frames to devices connected to your WLAN or by sending broadcast deauthentication frames.

You can troubleshoot this issue using the following tools:

Troubleshooting WLAN Containment

How do you know if containment is happening? Using Airtool, capture frames on your operating channels. After 5 minutes of capturing, open up the pcap in Wireshark.

Use this filter to show all deauthentication frames:

wlan.fc.type_subtype == 0x000c

Take note of the source BSSID. You may get lucky and find out who is containing your WLAN. Copy the BSSID and paste it into WiFi Explorer. If that same BSSID is broadcasting beacons for its own WLAN you will see it.

That’s how I used Airtool, Wireshark, and WiFi Explorer to find the source of containment. By looking at the RSSI within the frames in Wireshark, you can get close to the source AP of the offending frames.

Another option is to plug the BSSID into the AirCheck G2 and use the Locate feature to find the AP.
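The same check as the Wireshark filter above, run offline over a capture file in Python, as an added example that is not part of the original post. It assumes a classic little-endian pcap with radiotap link type 127; the function names are hypothetical, and the sample capture and its MAC addresses are constructed.

```python
import struct
from collections import defaultdict

DEAUTH = 0x0C            # (type << 4) | subtype, the value the Wireshark filter matches
BROADCAST = b"\xff" * 6

def deauth_by_bssid(pcap):
    """Summarise deauthentication frames per BSSID in a radiotap pcap (bytes)."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 127:
        raise ValueError("need little-endian pcap, link type 127 (radiotap)")
    out = defaultdict(lambda: {"total": 0, "broadcast": 0, "reasons": set()})
    off = 24                                    # first record follows global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(pkt) < 4:
            continue
        dot11 = pkt[struct.unpack_from("<H", pkt, 2)[0]:]  # skip radiotap header
        if len(dot11) < 26:          # 24-byte MAC header + 2-byte reason code
            continue
        type_subtype = (((dot11[0] >> 2) & 3) << 4) | (dot11[0] >> 4)
        if type_subtype != DEAUTH:
            continue
        entry = out[dot11[16:22].hex(":")]                 # addr3 = BSSID
        entry["total"] += 1
        entry["broadcast"] += dot11[4:10] == BROADCAST     # addr1 = receiver
        entry["reasons"].add(struct.unpack_from("<H", dot11, 24)[0])
    return dict(out)

def frame(fc0, dst, src, bssid, body=b""):
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)            # minimal 8-byte radiotap
    return radiotap + bytes([fc0, 0, 0, 0]) + dst + src + bssid + b"\x00\x00" + body

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture; the MAC addresses are made up.
AP, STA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
SAMPLE = build_pcap([
    frame(0x80, BROADCAST, AP, AP, b"\x00" * 12),          # beacon, ignored
    frame(0xC0, STA, AP, AP, struct.pack("<H", 7)),        # unicast deauth, reason 7
    frame(0xC0, BROADCAST, AP, AP, struct.pack("<H", 7)),  # broadcast deauth
    frame(0xC0, BROADCAST, AP, AP, struct.pack("<H", 1)),  # broadcast deauth, reason 1
])

if __name__ == "__main__":
    print(deauth_by_bssid(SAMPLE))
```

A BSSID with a high total, mostly broadcast receivers, and a repeating reason code over a short capture is the one to look up in a Wi-Fi scanner next.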

Here are some screenshots from my lab performing containment on one of my APs. Remember your regulatory laws regarding containment!

Rogue security policies

Cisco WLC Wireless Protection Policies for Rogues

Containing a BSSID

Containing an SSID

A status page of the BSSID contained

Rogue AP Detail

A list of deauthentication frames captured using Airtool and Wireshark

Deauthentication Capture

This Week In Wireless

CTS 081: Wi-Fi Apps for Windows

We couldn’t do our work without the valuable apps used in the Windows operating system. That’s what we’ll discuss in this episode. Wi-Fi apps for Windows.

This episode is brought to you by

Sponsored by Metageek

Here are the Wi-Fi apps for Windows that Rowell and I use regularly when we are working at client sites or for any other Wi-Fi project. We certainly have our favorite apps, and there are some we use in special cases, but take a look at the list below and let us know what you think in the comments.

Metageek Chanalyzer

  • Spectrum Analysis software (For more, listen to CTS066, CTS039, CTS073)
    • Requires a piece of hardware to feed spectrum information to the software
      • Wi-Fi Spy dBx
      • Cisco CleanAir AP (much better resolution)
  • Simple and user friendly interface
    • Different views
      • Waterfall view
      • Current spectrum view
  • Ability to record spectrum analysis
  • Can scan both 2.4GHz and 5GHz bands at the same time (if proper adapter is used)
  • Built-in Wi-Fi network scanner
  • Present channel utilization
  • Link to Chanalyzer

Screenshot from Metageek Chanalyzer

Metageek Eye P.A.

  • A different way to analyze a Wi-Fi network
    • Very visual
  • Ability to capture packets (if proper Wi-Fi adapter is used – Airpcap Nx) and display different valuable statistics
    • How much airtime is used? By whom? You will see how much your neighbours affect you!
    • Compare size of packets with amount of data transferred. Helps to visualize that Wi-Fi generates tons of management traffic
  • Ability to import packet capture taken from other programs (Wireshark, AirTool, CommView…)
  • Ability to see the packets
    • With filter capabilities
  • Great to visualize issues and present them to customers
  • Great to gather statistics on how a Wi-Fi network is performing
  • Side note: Great tool to use to learn more about Wi-Fi
  • Link to Metageek Eye P.A.

Screenshot from Metageek Eye P.A.

Ekahau Site Survey

  • Swiss Army knife of Wi-Fi (for more listen to CTS069, CTS009)
    • Site Survey tool (Design, validation, troubleshooting)
    • Wi-Fi scanner
    • Spectrum Analyzer
    • Complete solution meeting the needs of Wi-Fi Engineers
    • Updated on a regular basis
    • Take advantage of the Wi-Fi community to improve the tool (#ESSRequest)
    • Reference in terms of Wi-Fi design and site survey tool today
  • Looks way way way better than AirMagnet
  • Complete set of features
    • 3D Wi-Fi design
    • Reporting and Reporting customization
    • Spectrum Analyzer
    • macOS version (beta)
  • Link to Ekahau Site Survey

Viewing channel overlap in Ekahau Site Survey

Metageek InSSIDer Office

  • Wireless network scanner
  • See what channels are used by other networks
  • RSSI
  • Data rates
  • Protocol
  • Plug in WiSpy dBx for Chanalyzer lite
  • Link To Metageek InSSIDer Office

Screenshot of Metageek InSSIDer

Savvius Omnipeek

  • Heavy Duty Network Analyzer
    • Use to troubleshoot Wi-Fi networks
  • Capture packets and provide insight on the quality of the network (more than just Wi-Fi)
  • Ability to drill down into the packets
  • Ability to use multiple adapters to capture on multiple channels to analyze things like roaming behaviours
  • Can be overwhelming at first but very powerful
  • Link to website
  • Video from WLPC2016

Screenshot of Omnipeek

Netsh Tool

Screenshot of Netsh

Some other programs worth talking about

What apps are you using in Windows? Did we miss any?

CTS 070: Wi-Fi Troubleshooting with Debookee

We welcome Thomas Baudelet from France. Together, we talk about network and Wi-Fi troubleshooting in general, and we go over the macOS application Thomas created, Debookee, which can be used to troubleshoot a Wi-Fi network.

Thomas Baudelet works as an independent Network Engineer and specializes in troubleshooting. He has been involved in the Wireshark community and he created a network analyzer application for MacOS called Debookee. Feel free to follow him on Twitter @debookee.

Content

  • Presentation of the Debookee tool, Thomas gave us a little bit of history on how he decided to create the tool
  • Presentation of the different modules (including the Wi-Fi Monitoring module)
  • Presentation of what is coming next (New SSL decrypt module)
  • Thomas explains how he studied Wi-Fi in order to be able to create a tool that would be used by WLAN professionals
  • Troubleshoot methodologies
  • What tools Thomas uses in the field

Screenshots of Debookee

Displaying channel statistics

A look at channel statistics

Devices using Wi-Fi

Scanning devices using Wi-Fi

Resources

Here are some useful links related to this week’s episode:

Upcoming Episode on Wi-Fi Issue

Want to participate in a future episode? Here is the link to the Wi-Fi issues submission form for one of our upcoming episodes:

Wi-Fi Issue Submission

This Week in Wireless

  • WikiLeaks says it has obtained trove of CIA hacking tools
    • WikiLeaks has gained access to CIA hacking arsenal.
    • The document shows that the CIA turns devices into collection devices (iPhones, iPad, Smart TV…).
  • Additional unlicensed spectrum needed to deliver future Wi-Fi® connectivity
    • The “Wi-Fi Alliance® commissioned the Wi-Fi Spectrum Needs Study to assess whether available spectrum resources will be sufficient to support Wi-Fi connectivity in the future. The study indicates that by 2020, Wi-Fi networks around the world will need access to significantly more mid-band spectrum than is currently available in the 5 GHz range to satisfy expected growth in Wi-Fi data traffic.”
    • Download the study: http://www.wi-fi.org/file/wi-fi-spectrum-needs-study
  • New CWNEs!!
    • Tom Van Driessche from Belgium is now CWNE #219
    • Aren Gates, who I believe works for Aerohive, is now CWNE #220
  • CWTS Discontinued (Certified Wireless Technology Specialist)
    • CWNP announced this week that the CWTS will retire at the end of the year.
    • This certification is a lifetime certification and you can still write the exam if you would like before the end of the year. CWNP is offering a $50 discount and free access to eLearning and practice test material.
    • Twitter announcement
    • State of the CWNP program
  • PacketPushers
    • We were interviewed by the PacketPushers podcast team about 2 months ago and they released our interview last week in an episode entitled “Wireless networking and where it’s going”. Weekly show episode 331.
  • Carrier Wave
    • As always, the great Carrier Wave from Omar Vazquez to keep in touch with all the amazing Wi-Fi blog articles being published.