Follow me:

Don’t Contain Me, Bro!

A list of deauthentication frames captured using Airtool and Wireshark

Containment of a WLAN is the act of shutting it down! We discuss how you can find out if you’re being contained.

This episode is sponsored by Metageek

Sponsored by Metageek

WLAN containment is not a situation you want to deal with. The symptom you’ll see are devices dropping from your WLAN. When they are disconnected, they often stay disconnected. Sometimes those devices won’t be able to connect at all to your WLAN.

What is happening? Another network is containing your WLAN. This happens by sending deauthentication frames to devices connected to your WLAN or by sending broadcasted deauthetication frames.

You can troubleshoot this issue using the following tools:

Troubleshooting WLAN Containment

How do you know if containment is happening? Using Airtool, capture frames on your operating channels. After 5 minutes of capturing, open up the pcap in Wireshark.

Use this filter to show all deauthentication frames:

wlan.fc.type_subtype == 0x000c

Take note of the source BSSID. You may get lucky and find out who is containing your WLAN. Copy the BSSID and paste it into WiFi Explorer. If that same BSSID is broadcasting beacons for its own WLAN you will see it.

That’s how I used Airtool, Wireshark, and WiFi Explorer to find the source of containment. By looking at the RSSI within the frames in Wireshark, you can get close to the source AP of the offending frames.

Another option is to plug the BSSID into the AirCheck G2 and use the Locate feature to find the AP.

Here are some screenshots from my lab performing containment on one of my APs. Remember your regulatory laws regarding containment!

Rogue security policies
Cisco WLC Wireless Protection Policies for Rogues
Containing a BSSID
Containing an SSID
A status page of the BSSID contained
Rogue AP Detail

 

A list of deauthentication frames captured using Airtool and Wireshark
Deauthentication Capture

This Week In Wireless

Hosted by
Rowell

Rowell, CWNE #210, is a network engineer in Higher-Ed. He enjoys working with wireless networking technologies and loves to share and engage with the community. You can connect with him on Twitter, LinkedIn, and Facebook.

Join the discussion

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 comment
  • Hi Rowell / Francois,

    Always a great content, another practical and useful trick to troulbleshoot using wireshark filters. I faced this issue few times, and I was checking the source of the problem, you provided the right steps to check where the issue comes from, using wireshark filters wlan.fc.type_subtype == 0x000c , I was checking the logs/mgmt frames from my Aruba controller to figure out what’s happening, this helps a lot.

    Thanks

More from this show

Episode 90