Wireshark as a Security Tool – Part 2

In A Brief Introduction to Wireshark as a Security Tool I showed a few features of Wireshark that might be useful for the security administrator. In this next installment we will look at some more Wireshark features.

One of the tools Wireshark has is the ability to look at wireless management and control frames in addition to the actual data frames (although not all computers and software support it). Learning Tree loaned me a MacBook Pro for another project so I thought I’d use that for this post. It does support capturing control information and I want to make it clear that I’m not focusing strictly on Windows. To capture these frames I had to turn on “Monitor mode” as described in the Wireshark WLAN Capture Setup document.

There are three basic types of frames used in 802.11 (Wi-Fi) networks: Management, Control and Data. The basic functions of these are:

  • Data – transmit data
  • Management – connect to and disconnect from access points, send authentication information and announce the presence of the access point (beacon)
  • Control – manage access to the medium, in particular the collision avoidance part of the CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) protocol

In this post I’d like to talk about just two types of frames: the beacon and the data frame.

First, we’ll look at the beacon –

Wireshark 802.11 Beacon Decode

The beacon is sent by the Wireless Access Point (WAP or sometimes just AP). Note that this frame contains the name of the wireless network the access point is serving called the SSID or Service Set Identifier. This is where an operating system (e.g. Windows) gets the information about what access points are available.

Windows Wireless network list

As you can see in the trace output it also includes the channel on which the AP is operating (channel 6 here) and the Beacon Interval. The latter is how often it sends beacon frames. Here it is every 0.1024 seconds, which roughly corresponds to the capture times in the top pane of the Wireshark window.

This information can be useful in documenting networks, for example.

Now let’s look at the data:

Wireshark 802.11 data capture

The data are not decoded in Wireshark’s usual way. In fact, no data frames are! This is because the data are all encrypted. There are tools to capture that data too, but that’s for another post.
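To show what Wireshark is pulling out of the beacon (BSSID, SSID, channel, Beacon Interval) and why the data frame above shows no readable payload, here is an added example that is not part of the original post: a small Python decoder run over a constructed beacon frame and a constructed data frame. The MAC address and SSID in the sample bytes are made up; the field layout is the standard 802.11 one.

```python
import struct

TU_MICROSECONDS = 1024  # one 802.11 Time Unit (TU)

# Constructed sample frames (no radiotap header, no FCS); not from a real capture.
BEACON = bytes.fromhex(
    "8000"          # Frame Control: type 0 (Management), subtype 8 (Beacon)
    "0000"          # Duration
    "ffffffffffff"  # Addr1: destination (broadcast)
    "001122334455"  # Addr2: transmitter (AP, constructed MAC)
    "001122334455"  # Addr3: BSSID
    "1000"          # Sequence control
    "0000000000000000"  # Timestamp
    "6400"          # Beacon Interval: 0x0064 = 100 TU
    "1104"          # Capability Info: ESS + Privacy bits set
    "00074c616257694669"  # Tag 0 (SSID), length 7: "LabWiFi"
    "030106"        # Tag 3 (DS Parameter Set): channel 6
)
DATA = bytes.fromhex("0842") + bytes(22)  # FC: type 2 (Data), Protected Frame bit set

def frame_type(frame):
    """Return (type, subtype, protected) decoded from the Frame Control field."""
    fc, = struct.unpack_from("<H", frame, 0)
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, bool(fc & 0x4000)

def parse_beacon(frame):
    """Extract the fields the post highlights: BSSID, SSID, channel, interval."""
    ftype, subtype, _ = frame_type(frame)
    if (ftype, subtype) != (0, 8):
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    # Fixed parameters follow the 24-byte MAC header: timestamp, interval, capability
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "ssid": None, "channel": None,
            "beacon_interval_s": interval_tu * TU_MICROSECONDS / 1_000_000,
            "privacy": bool(capability & 0x0010)}  # Privacy bit: encryption in use
    pos = 36
    while pos + 2 <= len(frame):  # walk the tagged parameters (tag, length, value)
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tagged parameter")
        if tag == 0:  # SSID; a zero-length SSID means the AP hides its name
            info["ssid"] = value.decode("utf-8", errors="replace") or "<hidden>"
        elif tag == 3 and length == 1:  # DS Parameter Set: current channel
            info["channel"] = value[0]
        pos += 2 + length
    return info
```

A 100 TU interval comes out as 0.1024 seconds, the value seen in the capture, and the data frame's Protected Frame bit is what tells Wireshark the payload is encrypted.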

What more do you want to learn about Wireshark? Let us know in the comments below.

To your safe computing,
John McDermott

PS – If you are new to the world of Cyber Security (or have colleagues who are!), have a look at our new 1-day, online course – Cyber Security: Key Elements to Success
