CTS 047: Troubleshooting WiFi With Wireshark

It’s that time, a new episode about WiFi! Our main topic is Troubleshooting WiFi with Wireshark.

I saw this get shared on Twitter, an article from The Guardian. Apparently, AirBnb WiFi is a security threat for travelers. This shouldn’t be a surprise to anyone, but it is possible that the owner could be spying on your traffic, collecting information on you or even stealing your passwords. The best thing to do is not use the WiFi. I know, hard to do. From another perspective, a malicious hacker could break into your access point, install a backdoor and have his/her way with your WiFi. Now that’s a scarier thought.

I noticed Keith Parsons shared an interesting photo on social media. He displayed what he carries every day as part of his WLAN Professional toolkit. My toolkit is a lot lighter than that only because I hate carrying a lot of gear. Here’s a look into my toolkit:

For software I use:

What’s in your toolkit? Leave a comment below. I’m very curious what other professionals carry.

A WiFi Question from Lee Badman caught my attention, #WIFIQ 8/10/16 Have you ever had to deal with someone spoofing/copying your residential or business SSID? Circumstances, course of action?

On campus I know I’d find that rogue access point and shut it down after finding it.

But if it’s a neighboring tenant, what options do you have? The only thing I can think of is to simply ask them to change their SSID.

Troubleshooting WiFi with Wireshark

Download this sample pcap file to follow along.

My primary computer is a Macbook Pro. You can perform the same troubleshooting steps on a PC.

First step is to download the application at wireshark.org.

Before capturing wireless frames, there are a few things to take note. If you’re using a Macbook Pro/Air then you should be okay capturing frames using your built-in wireless adapter. I highly recommend using Airtool to assist in capturing frames on specific channels and channel widths. Airtool will conveniently save that capture for you on your desktop and open it right up in Wireshark.

If you’re using a PC, capturing wireless frames may not be that easy. Normally, the wireless adapter in Windows doesn’t allow you to capture frames in promiscuous mode. You’ll want to capture all the wireless frame details: not just the data frames, but also the frames used for management and control of the wireless medium.

On a Windows PC I have used the AirPcap adapter from Riverbed.

Once you’ve captured enough wireless frames, go ahead and stop it. Now we should be looking at Wireshark. The window is divided into three sections:

  • List of frames captured at the top pane
  • Middle pane shows the details of the frame selected at the top pane
  • Bottom pane shows the frame bytes of the selected frame.

Wireshark Window

We can see details such as the source mac address, destination mac address, and the details of the frame.

On the Info column, you can see what kind of frame is captured. For example, the first frame is a probe request from a device. What’s awesome about diving into wireless frames is being able to see so many details. Expand the Radiotap Header and we can see what data rate this frame was sent out on, which frequency, the signal, etc.

Expand IEEE 802.11 Probe Request and we can identify what kind of frame this is. It’s a Management frame with a subtype of 4 which is a Probe Request.

Now the meat of this specific frame is where you will expand IEEE 802.11 wireless LAN management frame. Here we will find the details of this probe request from the client device. It is probing for a specific SSID called test and has included all of the client’s capabilities.

Details within a frame.

We’re already seeing how powerful it is to analyze wireless frames when troubleshooting client devices.

So that’s looking at wireless frames. Let’s add more functionality to Wireshark. We can add columns to the frame list pane in order to see more details.

A few columns I like to have visible are:

  • Duration
  • Channel
  • Data rate
  • MCS Index

To add a column, right click on an existing column and select Column Preferences. Click on the Plus icon to add a new column. For example, to add a Duration column, give the column the title Duration, change the type to Custom, and in the Field Name enter what’s called a filter. For duration it is wlan.duration.

Column Preferences in Wireshark.

Display filters are your best friend. Display filters are used to find specific types of frames or packets. For example, if I wanted to see frames from a specific source MAC address, I would type in wlan.addr == mac_address in the display filter bar.

It is possible to filter from almost any type of frame.

Typically when capturing wireless frames, I capture everything without any filters. In Wireshark, it is possible to apply a capture filter. I don’t like this approach because you may miss a frame that may be required for troubleshooting. Instead, I capture everything and filter down from that capture. Sure it takes up a lot of hard disk space but that’s the life of a protocol analyzer. I know, I need a hobby.

But if you really want to conserve on space, Airtool has an option to not save layer 3-7 payloads. A neat little feature.

Download a PDF of display filters to use here.

So how is this useful? Let’s say a client is unable to join the wireless network and all you are able to do is perform wireless captures. If it were me and this was my only option, I’d go to where the client is having issues. Assuming the client drivers are good, the SSID can be seen by the client and the only issue is it never connects to the SSID, we need to find out what channel to start capturing on.

We could use another useful tool such as WiFi Explorer, same author of Airtool, to find out what the strongest signal is on what channel. That’s where I would start capturing wireless frames, then while capturing frames, have the client try to connect. After the process fails, I would stop the capture.

Assuming we captured on the correct channel, we should be able to see the probe request coming from the MAC address of the client which you can obtain from the computer itself. After looking at the capture we should be able to see the 802.11 State Machine. If we don’t see successful authentication and association then that’s when we need to look closely at the capture. Maybe it’s because the client doesn’t support the requirements of the BSS such as a mandatory rate the client doesn’t support.

If you’re more of a visual person, Wireshark does have the capability to display the capture in a graph. What if we wanted to see how many retransmissions are occurring? In Wireshark, navigate to the Statistics menu and select I/O Graph. In the graph window, we will add a new data point by clicking on the plus icon. Rename it to Retries. The display filter to show retries is “wlan.fc.retry == 1”. Since this is bad we will color it red. Next we modify the Y Axis to display Packets per second and also display All Packets so we can compare retries to all packets captured. That graph shows you the number of retry frames compared to all frames captured.
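As an added example (not from the podcast, Airtool or Wireshark), the script below does offline what the two checks above do in the Wireshark GUI: it walks a list of radiotap + 802.11 frames, computes the share of frames with the retry bit set (the wlan.fc.retry == 1 filter) and lists which steps of the join exchange a given client MAC got through (the wlan.addr filter on management frames). The frames are constructed in the script with a minimal radiotap header that carries no fields; a real capture would be read from the pcap instead.

```python
import struct

# Constructed sample MACs; no real capture is embedded in this script.
CLIENT = bytes.fromhex("0203040506a1")
AP = bytes.fromhex("00112233aabb")
BCAST = b"\xff" * 6

# Management subtypes that make up the 802.11 join exchange
MGMT_SUBTYPES = {0: "Assoc Req", 1: "Assoc Resp", 4: "Probe Req",
                 5: "Probe Resp", 11: "Authentication"}

def build_frame(ftype, subtype, src, dst, retry=False):
    """Minimal radiotap header (8 bytes, no fields) + 802.11 MAC header.
    addr3 is always the AP here, a simplification for the example."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)          # ver, pad, len, present
    fc0 = (subtype << 4) | (ftype << 2)                  # frame control byte 0
    fc1 = 0x08 if retry else 0                           # retry flag lives in byte 1
    mac = struct.pack("<BBH", fc0, fc1, 0) + dst + src + AP + struct.pack("<H", 0)
    return radiotap + mac

def parse_frame(buf):
    """Skip the radiotap header and decode type, subtype, retry flag and addresses."""
    rt_len = struct.unpack_from("<H", buf, 2)[0]         # radiotap length field
    fc0, fc1 = buf[rt_len], buf[rt_len + 1]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "retry": bool(fc1 & 0x08),                       # wlan.fc.retry == 1
        "addr1": buf[rt_len + 4: rt_len + 10],           # receiver address
        "addr2": buf[rt_len + 10: rt_len + 16],          # transmitter address
    }

def retry_ratio(frames):
    """Fraction of all captured frames that are retransmissions."""
    parsed = [parse_frame(f) for f in frames]
    return sum(p["retry"] for p in parsed) / len(parsed)

def join_progress(frames, client):
    """Join-exchange steps seen to or from `client`, in capture order."""
    seen = []
    for p in map(parse_frame, frames):
        if p["type"] != 0 or client not in (p["addr1"], p["addr2"]):
            continue                                     # wlan.addr == client, mgmt only
        name = MGMT_SUBTYPES.get(p["subtype"])
        if name and name not in seen:
            seen.append(name)
    return seen

# Constructed capture: client probes, authenticates, sends an association
# request twice (second one is a retry) but never gets an association response.
SAMPLE = [
    build_frame(0, 4, CLIENT, BCAST),
    build_frame(0, 5, AP, CLIENT),
    build_frame(0, 11, CLIENT, AP),
    build_frame(0, 11, AP, CLIENT),
    build_frame(0, 0, CLIENT, AP),
    build_frame(0, 0, CLIENT, AP, retry=True),
    build_frame(2, 0, AP, BCAST),                        # unrelated data frame
    build_frame(2, 0, AP, BCAST, retry=True),
]

if __name__ == "__main__":
    print(f"retry ratio: {retry_ratio(SAMPLE):.2f}")
    print("join steps seen:", join_progress(SAMPLE, CLIENT))
```

The missing "Assoc Resp" in the output is the kind of gap the walkthrough above tells you to look for before digging into why the BSS rejected the client.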

There we have some basic Wireshark troubleshooting. That should be enough to get you going, and it will take some practice. We went over installing Wireshark and how to capture wireless frames. Then we went over the different panes within Wireshark and how to add additional columns for easier viewing of frames. Next I went over how I use Wireshark to capture frames and troubleshoot an example issue. I also covered two tools that will assist you in capturing frames, Airtool and WiFi Explorer.

In the news we talked about how insecure it is to use WiFi at an AirBnb. I know I wouldn’t. We looked at the list of tools Keith Parsons has in his bag, which is quite impressive. What’s in your bag? And we discussed how to deal with someone spoofing your SSID.

CTS 046: CWAP-402 Study Guide Released

Hey what’s up everyone. In today’s episode we talk about TP-Link discovering what it’s like to ignore DFS, Google Fiber going Wireless?, Data frame slicing with Airtool, and CWAP exam gets updated and so does the study guide.

TP-Link Settles $200k with FCC for ignoring DFS and power limits

The FCC reached a settlement of $200k with TP-Link for selling WiFi routers that ignore DFS requirements and power limits. This sounds very careless for a networking company. Is this what we accept now as hardware from these companies? Maybe TP-Link thought they could get away with it, or maybe an engineer wasn’t aware of the FCC regulations. But is this what we expect with inexpensive hardware? I don’t think so. Along with the fine, TP-Link has agreed to work with the open-source community to allow consumers to install third-party firmware on TP-Link routers.

This is a good move in my opinion but unprecedented from the FCC. This is a great way to move our wireless industry into embracing open-source.

Google Plans to Extend Fiber Into Wireless

CFO Ruth Porat said that Google Fiber would be exploring wireless due to the acquisition of Webpass. This was mentioned in Alphabet’s 2nd quarter earnings call. Why in the world would Google Fiber go into wireless? The main obvious reason I can think of is cost. It’s much cheaper to use hardware that costs a fraction of the cost of digging up fiber, not to mention the labor costs of doing the work.

I think this is an interesting turn of events as Google Fiber now becomes fiber over the air. I can see the marketing lingo now….

Latest Airtool Update Gives Us Data Frame Slicing

Airtool is one of my favorite apps on OSX. It allows me to capture wireless frames using my built-in wireless adapter. But in doing so, some of these captures can take up precious hard disk space.

What Adrian Granados has done is add a feature to just grab the beginning of the frame and discard the rest. What you have left is the 802.11 MAC headers.

Check out the latest update.

CWAP-402 Exam Released

The latest update to CWAP from CWNP is CWAP-402. It is 90 minutes and contains 60 questions. It is available now to test and has been available since June 28 2016.

Certified Wireless Analysis Professional

CWAP-402 brings changes to 5 subject areas.

Tom Carpenter has hinted that Troubleshooting is a big part of the exam from the CWAP update webinar.

These are the objectives.

  • 5% – Troubleshooting Processes
  • 25% – 802.11 Communications
  • 15% – WLAN hardware
  • 35% – Protocol and Spectrum Analysis
  • 20% – Troubleshooting Common Problems

Troubleshooting processes is a very small chunk of the exam at 5%.

It focuses on a troubleshooting methodology, with mentions of industry and vendor recommended processes. Not sure how vendor neutral this sounds.
As with any troubleshooting process, the OSI Model is mentioned. Just remember that wireless is at the Data Link and Physical layers.
There may be mention of Wireshark and Omnipeek as well as the tools baked into the OS, such as command line ping and traceroute.

At 25% is 802.11 Communications.

This sounds like the MAC Layer Frame Formats and Technologies AND 802.11 Operation and Frame Exchanges from the previous exam, looking at 802.11 communications from a troubleshooting perspective. Understand the frame exchanges when a device tries to join a BSS, getting as detailed as finding out why a device would fail to join a BSS. Learn the different frame formats – management, control, and data. Learn the PHY header and preamble and why a device would have issues on a BSS because of the header and preamble.

15% is WLAN hardware.

Troubleshooting client devices and their issues connecting to WiFi, which includes dealing with drivers, security settings, and other configuration settings available on different drivers. There’s troubleshooting via protocol analysis using a tool such as Wireshark. Do you know how to set up that application and look at wireless frames? There’s troubleshooting the spectrum using a spectrum analyzer. Do you know how to identify common interference sources? Other troubleshooting aspects include why APs can’t power up, so we’re looking at PoE.

35% for Protocol and Spectrum Analysis.

Beginning with the basics of hardware and software protocol analysis: features of protocol analyzers, how to install and configure them, and how to capture traffic and analyze it. On the spectrum analyzer side, again going over hardware and software spectrum analyzers, terminology that is used amongst different spectrum analyzers, features included in applications such as Spectrum XT and Chanalyzer, creating reports from your findings, and how spectrum analyzers integrate with your WiFi adapter. Of course you should know how to use a spectrum analyzer by finding different forms of interference.

20% reserved for Troubleshooting Common Problems

This one is new for the CWAP. An obvious focus on troubleshooting. It may sound funny on a wireless analysis exam but you will need to know some wired issues with DNS, DHCP, switch configurations and WLAN controller access. These issues relate to services wireless clients use. Other common issues tackled are co-channel and adjacent channel interference, noise, hidden nodes, and more.

Just reading through the objectives, it sounds like this may be an easier exam than the previous version, but we’ll see how people react. The version 2 objectives are a lot shorter than the previous ones.

CWNP Releases New CWAP Material

With the latest revision of the CWAP exam now comes the latest study guide. The author is Tom Carpenter of CWNP. The technical review is Lee Badman who I interviewed on the podcast back on Episode 13.

It’s available on Amazon in print and on Kindle. If you’d like to support the podcast, you can purchase this book on Amazon.

There’s a total of 8 chapters:

  • Troubleshooting Processes
  • 802.11 Communications
  • 802.11 Frames
  • WLAN Hardware
  • Protocol Analysis
  • Spectrum Analysis
  • Wired Issues
  • Common WLAN Issues

It would be beneficial to do a lot of packet captures with Wireshark to help follow along with the book and get hands on. If you can, get ahold of a spectrum analyzer as well.

I use the Metageek Chanalyzer with the dBx dual-band adapter. Another popular spectrum analyzer that can be used alongside this study guide is AirMagnet Spectrum XT.

CTS 045: Wrap Up of Cisco Live 2016

Wow what a conference. Cisco Live 2016 met my expectations and more. With over 28,000 attendees we filled Las Vegas throughout the strip. At the Cisco Live, we collectively used about 40 TB of traffic! Impressive numbers. I have to give props to those who help set up the conference, especially WiFi. There were times it was slow but it worked very well for me for the rest of the conference.

With so many sessions available for us to wrap our heads around, there were a few that stuck out the most. In this episode, I provide some of my notes from the following sessions:

  • BRKEWN-2000 – Design and Deployment of Wireless LANs for Real Time Applications
  • BRKEWN-2017 – Understanding RF Fundamentals and the Radio Design of 802.11n/ac Networks
  • BRKEWN-2019 – 7 Ways To Fail As A Wireless Expert
  • BRKEWN-3000 – Analyzing and Fixing Wi-Fi Issues with Cisco WLC tools and Packet Capture Analysis
  • BRKEWN-3011 – Advanced Troubleshooting of Wireless LANs

One of my favorite sessions was the Meet the Engineer with Matt Swartz and surprisingly, Jim Florwick. To have some of Cisco’s finest WiFi experts was a great honor. The knowledge bombs they dropped were gold. Thank you to both for meeting with me.

And of course, the community. It was great to see my friend Robert Boardman again. Someone give him an alarm clock! It was great meeting Mitch Dickey, Brennan, Scott McDermitt, and Jerry Olla in person.

Till next year!

CTS 044: Cisco Live 2016

Cisco Live 2016 is here and I am attending for the first time. I am excited to meet many of the listeners of the Clear To Send podcast and to also get together with the folks I chat with all the time on social media. And of course I am looking forward to meeting new people.

In this episode, I talk about the sessions I am going to be sitting in on and what they are about. If you are not attending Cisco Live, you can view these presentations after the conference is over. Cisco usually publishes the presentations and the videos which you could see with a free account over at ciscolive.com.

News

I will be taking a 4 week vacation after Cisco Live which means there won’t be any new episodes published. You will get a fresh new episode on August 7th. Don’t miss me too much!

Sessions

  • Design and Deployment of Wireless LANs for real time Applications – BRKEWN-2000
  • Cisco Catalyst 3850 and 3650 Series Switching Architecture – BRKARC-3438
  • 7 Ways to Fail as a Wireless Expert – BRKEWN-2019
  • Understanding RF Fundamentals and the Radio Design for 11ac Wireless Networks – BRKEWN-2017
  • WiFI Considerations for the Open Workspace – PSOEWN-2000
  • Best practices to deploy high-availability in Wireless LAN Architectures – BRKEWN-3014
  • Analyzing and fixing WiFi issues – Cisco WLC tools and packet capture analysis techniques – BRKEWN-3000
  • CCNA Wireless, master the 802.11 protocols! – BRKCRT-1100
  • Wireless Best Practices – BRKEWN-2670
  • Improve enterprise WLAN spectrum quality with Cisco’s advanced RF capacities (RRM, CleanAir, ClientLink, etc) – BRKEWN-3010
  • Advanced Enterprise Campus Design: Converged Access – BRKCRS-2888

CTS 043: Don’t Skip On Planning

This past week I’ve been busy with my colleagues setting up WiFi for a large event on campus. What I learned out of this was planning should always be a requirement. Would you start building a house without any plans?

Little was known about what the requirements were. What we did know was we should build wireless for 1-2 Mbps per person.

What people really needed was much more. Why was this? Because the application usage of users was never provided to us. While some people did not know what that application was, I think we should have pushed for more information.

Additionally, we did not know how the rooms would be laid out on the floor. We were left in the dark about where users would be congregating, but we had less than 3 days to install our access points and antennas. So with directional antennas we decided to cover the areas from the sides and shoot signal through the middle. Later on, we needed to realign those antennas.

Another thing we missed was the number of hotspots on the same spectrum as our access points. We had to mitigate the overlap by not propagating 2.4 GHz in some areas and providing only 5 GHz wireless connectivity. I saw a boost in usage going with this method. But there’s a risk of leaving 2.4 GHz only devices stranded. I took that risk.

With my trusty spectrum analyzer in hand, I was able to identify a persistent interferer on channels 1-6. We decided not to use those channels and only use channel 11 but on a lower transmit power compared to the 5 GHz channels.

Planning is a critical step in wireless deployment. Without it, you’re purely guessing. Sure you could overdo it by installing way more than what’s required but that’s a waste of time and money. We spent a lot of time post-installation optimizing the wireless network as the event changed over time. Lots of time and resources got put into making changes.

Links and Resources

  • Equipment used for the event:
    • Cisco 3702E
    • Cisco AIR-ANT2566D4M-R
    • Metageek Chanalyzer
    • Ekahau Site Survey
    • WiFi Explorer
    • Savvius Omnipeek
    • Wireshark
  • CWAP PW0-270 expires June 27th, 2016. Replaced by CWAP-402.