Analyzing Wireless Traffic

Some theory about WLAN traffic

WLAN Frame in Wireshark (Radiotap Header)

When inspecting WLAN packets in Wireshark, we can notice a Radiotap header. This header is not part of the WLAN frame itself: it is added by the capturing adapter and its driver, and it carries additional information about when and how the packet was captured (such as the channel and frequency). For example, in the image below we can observe that this packet was captured on channel 56 in the 5 GHz band.

WLAN Frame (WLAN Header)

The WLAN header is contained in the IEEE 802.11 section of the packet. The header contains interesting information such as the frame type and subtype and four addresses (Receiver, Destination, Transmitter and Source).

Frame types/subtypes

When analyzing Wi-Fi traffic, three types of frames can be captured, and subtypes exist for each type. The frame type and subtype are identified in the header: we can determine the type of a captured packet by expanding the Frame Control field contained in the header.

Management

Management frames (type 00) are meant for advertisement, discovery and connection/disconnection. Subtypes of management frames include (non-exhaustive list):

  • Association/Reassociation/Disassociation requests

  • Probe requests

  • Beacon

  • Deauthentication

  • Association/Reassociation/Probe responses.

Control

Control frames (type 01) do not have a body. Their role is to assist the transmission of Management and Data frames.

Data

Data frames (type 10) carry the information to be transmitted between devices.

Beacon Frames

Beacon frames are an important subtype of management frame. These frames are sent at a specific interval (usually at a high frequency) by the access point (AP) and give other wireless devices in the area information about the presence of the wireless network and its capabilities (supported frequencies and rates, SSID, etc.). This information is found in the beacon body.

The image below distinguishes the Header and Body parts of an 802.11 Beacon frame. We can look more closely at the body part, which gives information about the WLAN network.

Probe Request

Another commonly seen subtype (4) of management frame is the probe request. Probe requests are sent by wireless client devices in search of an already known network to connect to. For example, if yesterday I connected to my network with the SSID "MyNetwork", my device will send probe requests attempting to find and reconnect to this network. We can identify the SSID the wireless device is looking for in the body of the probe frame. A device can probe for a specific network or for any available known network (wildcard SSID).

Probe Response

In response to probe requests, Wi-Fi access points send probe responses to announce their presence to the devices searching for a network to connect to.

Authentication Frames

Authentication Request frames are sent from the client to the AP to establish a connection; conversely, Authentication Response frames are sent from the AP to the client device. These authentication frames do not perform any password validation: they are only an exchange between the devices. After the authentication exchange, data can be transmitted between the client and the AP.

Disassociation/Deauthentication Frames

As the names suggest, Disassociation and Deauthentication packets are exchanged when a device wants to disconnect from the network. Some wireless attacks use deauthentication packets to force users to disconnect from the network.

Filter for different type of packets

wlan.fc.type_subtype == 0x0008     # Beacon frames (type 0 subtype 8; wlan.fc.subtype == 8 alone also matches QoS Data frames)
wlan.fc.type_subtype == 0x0020     # Data frames (type 2, subtype 0)
wlan.fc.type_subtype == 0x0000     # Association Requests
wlan.fc.type_subtype == 0x000c     # Deauthentication packets (type 0, subtype 12)

Filter for Open network

wlan.fixed.capabilities.privacy == 0

Number of packets received and sent by a specific device

wlan.ra # Receiver
wlan.ta # Transmitter

Number of packets received OR sent by the device with MAC address e8:de:27:16:87:18
(wlan.ra == e8:de:27:16:87:18) || (wlan.ta == e8:de:27:16:87:18)

Check for the security scheme

wlan.rsn.akms.type == 1 # Will check for WPA/WPA2-Enterprise

A network whose RSN information advertises AES (CCMP) encryption together with a pre-shared key AKM is using the WPA2-PSK scheme.

Check if WPS is enabled on a wireless network (look for the WFA vendor-specific IE of type 4 in the beacon)

wlan.wfa.ie.type == 0x04

Check for TSF Timestamp of a packet

Check for the country code of a Beacon Frame

Analyzing Association Requests tells us which devices tried to connect to a specific SSID
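To see what these filters match on the wire, here is an added Python example (not part of the original page, and not Wireshark code) that decodes the Frame Control byte into the same value Wireshark shows as wlan.fc.type_subtype and walks a beacon body for the fields checked above: the Privacy capability bit, the RSN AKM type, the WPS vendor IE, the TSF timestamp and the country code. The beacon bytes, SSID and BSSID are constructed sample data.

```python
import struct
# (type, subtype) pairs discussed on this page; type 0 = management, 2 = data
FRAME_NAMES = {(0, 0): "Association Request", (0, 4): "Probe Request", (0, 5): "Probe Response",
               (0, 8): "Beacon", (0, 11): "Authentication", (0, 12): "Deauthentication", (2, 0): "Data"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Decode the 802.11 header (Radiotap already stripped) and, for beacons, the body."""
    fc = frame[0]                                    # first byte of the Frame Control field
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4        # bits 2-3 = type, bits 4-7 = subtype
    info = {"type": ftype, "subtype": subtype,
            "type_subtype": (ftype << 4) | subtype,  # same value as wlan.fc.type_subtype
            "name": FRAME_NAMES.get((ftype, subtype), "other"),
            "ra": mac(frame[4:10]), "ta": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if (ftype, subtype) != (0, 8):
        return info
    # Beacon body: TSF timestamp (8), beacon interval (2), capabilities (2), then tagged IEs
    tsf, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info.update(tsf=tsf, interval_tu=interval, privacy=bool(cap & 0x10),  # privacy bit 0 = open net
                ssid=None, country=None, akm_types=[], wps=False)
    pos = 36
    while pos + 2 <= len(frame):
        tag, ln = frame[pos], frame[pos + 1]
        val = frame[pos + 2:pos + 2 + ln]
        if tag == 0:                                            # SSID
            info["ssid"] = val.decode(errors="replace")
        elif tag == 7:                                          # Country: 2-letter code + environment
            info["country"] = val[:2].decode()
        elif tag == 48:                                         # RSN: version, group, pairwise list, AKM list
            n_pair = struct.unpack_from("<H", val, 6)[0]
            off = 8 + 4 * n_pair                                # offset of the AKM suite count
            n_akm = struct.unpack_from("<H", val, off)[0]
            info["akm_types"] = [val[off + 2 + 4 * i + 3] for i in range(n_akm)]  # 1 = 802.1X, 2 = PSK
        elif tag == 221 and val[:4] == b"\x00\x50\xf2\x04":   # vendor-specific, WFA OUI, type 4 = WPS
            info["wps"] = True
        pos += 2 + ln
    return info

def sample_beacon():
    """Constructed WPA2-PSK beacon advertising WPS (hand-built bytes, not a real capture)."""
    hdr = (bytes([0x80, 0, 0, 0]) + bytes.fromhex("ffffffffffff")       # FC bytes 80 00 = beacon, RA broadcast
           + bytes.fromhex("e8de27168718") * 2 + b"\x00\x00")           # TA and BSSID, sequence control
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)                    # TSF, 100 TU, ESS+Privacy+ShortSlot
    ssid = bytes([0, 9]) + b"MyNetwork"
    country = bytes([7, 6]) + b"US " + bytes([1, 11, 20])               # channels 1-11, max 20 dBm
    rsn = bytes([48, 20]) + bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
    wps = bytes([221, 4]) + bytes.fromhex("0050f204")
    return hdr + fixed + ssid + country + rsn + wps
```

Feeding the same frame to Wireshark would match wlan.fc.type_subtype == 0x0008, wlan.fixed.capabilities.privacy == 1, wlan.wfa.ie.type == 0x04 and an AKM type of 2 (PSK) rather than 1 (Enterprise).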

PDF cheatsheet for Wireshark Most Common 802.11 Filters
