In "A Brief Introduction to Wireshark as a Security Tool" I showed a few features of Wireshark that might be useful for the security administrator. In this next installment we will look at some more Wireshark features.
Wireshark can display wireless management and control frames in addition to the actual data, although not all computers and software support capturing them. Learning Tree loaned me a MacBook Pro for another project, so I thought I'd use that for this post. It does support capturing control information, and I want to make it clear that I'm not focusing strictly on Windows. To capture these frames I had to turn on "Monitor mode" as described in the Wireshark WLAN Capture Setup document.
There are three basic types of frames used in 802.11 (Wi-Fi) networks: Management, Control and Data. The basic functions of these are:
In this post I’d like to talk about just two types of frames: the beacon and the data frame.
First, we’ll look at the beacon –
The beacon is sent by the Wireless Access Point (WAP or sometimes just AP). Note that this frame contains the name of the wireless network the access point is serving, called the SSID or Service Set Identifier. This is where an operating system (e.g. Windows) gets the information about which access points are available.
As you can see in the trace output, it also includes the channel on which the AP is operating (channel 6 here) and the Beacon Interval. The latter is how often the AP sends beacon frames. Here it is every 0.1024 seconds, which roughly corresponds to the capture times in the top pane of the Wireshark window.
This information can be useful in documenting networks, for example.
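As an added example (not from the original post), the following Python code extracts the same fields Wireshark shows for a beacon, namely SSID, channel and beacon interval, from the raw frame bytes, which is handy when documenting networks from a capture. The sample frame is constructed, the function names are illustrative, and the code assumes the radiotap header and trailing FCS have already been stripped.

```python
import struct

def build_sample_beacon(ssid=b"ExampleNet", channel=6, interval_tu=100):
    """Constructed sample frame: 24-byte 802.11 MAC header plus beacon body."""
    header = struct.pack("<HH", 0x0080, 0)        # frame control (mgmt/beacon), duration
    header += b"\xff" * 6                          # destination: broadcast
    header += bytes.fromhex("020000000001") * 2    # source and BSSID (constructed)
    header += struct.pack("<H", 0)                 # sequence control
    fixed = struct.pack("<QHH", 0, interval_tu, 0x0431)  # timestamp, interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid            # tag 0: SSID
    tags += bytes([3, 1, channel])                 # tag 3: DS Parameter Set (channel)
    return header + fixed + tags

def parse_beacon(frame):
    """Return BSSID, SSID, channel and beacon interval from a raw beacon frame."""
    if len(frame) < 36:
        raise ValueError("too short for MAC header plus beacon fixed fields")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError("not a beacon frame")
    _ts, interval_tu, _caps = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": frame[16:22].hex(":"),
        # The interval is carried in time units (TU); 1 TU = 1024 microseconds.
        "interval_s": interval_tu * 1024 / 1_000_000,
        "ssid": None,
        "channel": None,
    }
    pos = 36  # tagged parameters start after the 12 bytes of fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop instead of trusting the length byte
        if tag == 0:
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

if __name__ == "__main__":
    print(parse_beacon(build_sample_beacon()))
```

A beacon interval field of 100 TU is what yields the 0.1024 seconds seen in the trace.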
Now let’s look at the data:
The data are not decoded in Wireshark's usual way. In fact, no data frames are! This is because the data are all encrypted. There are tools to capture that data, but that's for another post.
What more do you want to learn about Wireshark? Let us know in the comments below.
To your safe computing,