WLAN traffic capture [1] – General

Published by joe on

There are tons of “HowTos” out there how to capture wireless traffic. I plan to collect some of these methods and write a little how to on my own.

This post focuses on general considerations for wireless capturing, independend of the used tool. The different methods to actually caputure 802.11 frames will be covered in later posts.

First of all. WLAN capturing is not as easy (at least – not yet) as capturing traffic in a wired Ethernet network. First of all, if you capture natively with Windows and WinPcap / Wireshark you will see a normal Ethernet header – not an 802.11 frame. There are ways to capture 802.11 with Windows, but we come to that later.

In general there are always the following guidelines when capturing wireless traffic:

Multiple APsSet the channel
It is very important to set the correct channel before starting the capture. Otherwise your wireless adapter will eventually scan through all the available channels and this needs time. So if you don’t set the channel you will either lose packets or you won’t capture anything at all because you are statically on the wrong channel.

Wireless NICSet your card to monitor / promiscuous mode
Per default your network card only processes frames, which are intended for the current station. So without monitor mode you’ll see

  • Frame from and to your actual workstation
  • Broad- and Multicast frames

For a lot of use cases this is enough – but in most cases you want to see frames from and to other stations. Therefore, you must set your adapter in monitor mode.

Lock Encryption
Wireless networks are typically encrypted with AES. So in a wireless capture you can only decode the layer-2 information in clear text. Everything below the frame (layer-3 to 7) is encrypted. So you won’t even see the IP addresses.

However, in most cases this is enough. Everything below layer-2 is not relevant for analyzing wireless networks. Typically you need management and control frames to understand how a SSID works and troubleshoot most of client connectivity issues.

Sometimes layer-3 information would be helpful for better packet filtering based on IP addresses or for QoS related analysis (ToS / DSCP value).

In general, Wireshark is able to decode encrypted wireless frames for WPA2 PERSONAL (pre-shared key). But the initial 4-way handshake between AP and the client in question must be in the capture file as well.

 

Image of a filterFiltering

Wireless is chatty. The management and control frames can be overwhelming if looking for a tiny piece of information.
So know how you can filter effectively in two ways:

  • Capture filter that only relevant frames are contained in your capture
  • Display filter to find the information you’re searching for.

There will be a separate post on filtering.

 

Have fun with this upcoming series.

 

 

 

 

Categories: Uncategorized
Tags:

1 Comment

Cisco WLC: EDCA timers - NetGab - The daily networking madness · 05/12/2017 at 16:20

[…] you don’t know how to capture wirless frames, please check these posts: WLAN traffic capture [1] – General and WLAN traffic capture [2] – […]

Reply

Leave a Reply

Related Posts

Uncategorized

wesp9: Wireless Endpoint Statistics Ping

My weekend work was to create a successor or the wesp(1) tool. So the original wesp was designed to communicate with an AireOS WLC to get “ping alike” statistics for a single wireless client (via Read more…

Uncategorized

EAP TLS ciphers

In many projects regarding network access control are focussing on probably secure EAP methods, which rely on SSL/TLS. The most common examples are EAP-TLS or PEAP (simply because must supplicants support them). However, it’s not Read more…

Docker logo
Uncategorized

DHCP / DHCPv6 tests using Docker

Hi, today a colleague and myself wanted to test first hop security features in an ACI fabric. To be more precise DHCP policies (a.k.a DHCP snooping) for IPv4 (DHCP) and IPv6 (DHCPv6). Normally we’re testing Read more…