802.11 Sniffer Capture Analysis - Management Frames and Open Auth
Analyzing or troubleshooting a wireless LAN with an 802.11 packet analyzer requires a thorough understanding of the different 802.11 frame types, because those frames are the pointers that let us localize the problem area in a WLAN. By taking WLAN sniffer traces with tools such as OmniPeek or Wireshark we can monitor the communications between radio network interface cards (NICs) and access points, so we need to understand each frame type that occurs in the operation of a wireless LAN in order to solve network problems. In a WLAN RF environment the radio transmission conditions change so dynamically that coordination becomes a large issue, and management and control frames are dedicated to these coordination functions.
To find the cause of WLAN problems related to the RF environment, it is best to first test the WLAN using open authentication with no security at all. With this approach the RF connectivity issues surface and can be corrected before moving on to stronger encryption and the higher OSI layers, where the extra encryption and key-exchange state would otherwise hide the radio-level problem.
Authentication in the 802.11 specification is based on authenticating a wireless station or device instead of authenticating a user.
As per the 802.11 specification, the client authentication process consists of the transactions mentioned below.
There are three types of frames used in 802.11 MAC (layer 2) communication over the air, and together they manage and control the wireless link.
They are management frames, control frames and data frames. Let's take a peek at what those frames consist of in a little detail, to help us analyze WLAN problems better while working with WLAN sniffer traces.
802.11 management frames enable stations to establish and maintain communications. Management packets are used to support authentication, association, and synchronization.
The following are common 802.11 management frame subtypes:
Authentication frames: wlan.fc.type_subtype == 0x0b
The NIC begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame indicating acceptance (or rejection). There is also an associated authentication ID, which is the name under which the current station authenticated itself on joining the network.
Deauthentication frames: wlan.fc.type_subtype == 0x0c
Association Request frames: wlan.fc.type_subtype == 0x00
Association Response frames: wlan.fc.type_subtype == 0x01
Reassociation Request frames: wlan.fc.type_subtype == 0x02
The filter used to find only the Disassociation packets is "wlan.fc.type_subtype == 0x0a"
The filter used to find only the Beacon packets is "wlan.fc.type_subtype == 0x08"
The filter used to find only the Probe Request packets is "wlan.fc.type_subtype == 0x04"
The filter used to find only the Probe Response packets is "wlan.fc.type_subtype == 0x05"
802.11 control frames assist in the delivery of data frames between stations. The following are common 802.11 control frame subtypes:
Request-to-Send (RTS) frames: wlan.fc.type_subtype == 0x1b
Acknowledgement (ACK) frames: wlan.fc.type_subtype == 0x1d
These are the frames that come later in the game, after basic WLAN communication is already established between the mobile station and the access point. We typically turn to 802.11 data frames to verify, over the air, whether the protocols and data from higher layers carried in the frame body are getting through to the wire. These frames transport packets from higher layers, such as web pages or printer control data, within the body of the frame.
Data frames: wlan.fc.type_subtype == 0x20
On a packet analyzer we then inspect the contents of the frame body within the 802.11 data frames for the traffic in question.
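The filter values listed above for management, control and data frames are all the same quantity: Wireshark's wlan.fc.type_subtype is the frame type (two bits) and subtype (four bits) taken from the Frame Control field of the 802.11 MAC header. The following added example (written for this page, not code from the original article or from Wireshark) decodes that field from raw 802.11 frames, evaluates a type_subtype filter of the form used above, and performs the open-authentication sanity check described in the management-frame section: for each station that sent an Open System authentication request (transaction sequence 1) it reports whether the AP answered with sequence 2 and what status code it returned. The sample capture, the station and AP MAC addresses, and the builder helper are constructed for the example and are not from any real trace.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subtype names keyed by the value Wireshark shows as wlan.fc.type_subtype,
# which is (frame type << 4) | subtype from the Frame Control field.
SUBTYPE_NAMES = {
    0x00: "Association Request", 0x01: "Association Response",
    0x02: "Reassociation Request", 0x03: "Reassociation Response",
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
    0x0a: "Disassociation", 0x0b: "Authentication", 0x0c: "Deauthentication",
    0x1b: "Request-to-Send", 0x1c: "Clear-to-Send", 0x1d: "Acknowledgement",
    0x20: "Data",
}


@dataclass
class Frame:
    type_subtype: int        # the value the Wireshark filter compares against
    name: str
    retry: bool              # Retry flag set: a rough indicator of RF trouble
    protected: bool          # Protected Frame flag set: the body is encrypted
    dst: str                 # Address 1 (receiver)
    src: Optional[str]       # Address 2 (transmitter), absent on most control frames
    auth: Optional[dict]     # decoded Authentication body, if this is one


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode the 802.11 MAC header of one captured frame (no radiotap header)."""
    fc0, fc1 = raw[0], raw[1]
    ftype = (fc0 >> 2) & 0x3          # 0 management, 1 control, 2 data
    subtype = (fc0 >> 4) & 0xF
    ts = (ftype << 4) | subtype
    retry = bool(fc1 & 0x08)
    protected = bool(fc1 & 0x40)
    dst = _mac(raw[4:10])
    src: Optional[str] = None
    auth = None
    if ftype == 1:
        if subtype == 0xB:            # RTS carries a transmitter address; ACK/CTS do not
            src = _mac(raw[10:16])
    else:
        src = _mac(raw[10:16])
        if ts == 0x0B:
            # Authentication body: algorithm number, transaction sequence, status code
            algo, seq, status = struct.unpack_from("<HHH", raw, 24)
            auth = {"open_system": algo == 0, "seq": seq, "status": status}
    return Frame(ts, SUBTYPE_NAMES.get(ts, f"unknown 0x{ts:02x}"),
                 retry, protected, dst, src, auth)


def filter_capture(frames: List[bytes], expr: str) -> List[Frame]:
    """Apply a filter such as 'wlan.fc.type_subtype == 0x0b'; this toy
    evaluator understands only that one field."""
    field, value = (s.strip() for s in expr.split("=="))
    if field != "wlan.fc.type_subtype":
        raise ValueError(f"unsupported field {field!r}")
    wanted = int(value, 16)
    return [f for f in map(parse_frame, frames) if f.type_subtype == wanted]


def check_open_auth(frames: List[bytes]) -> Dict[str, str]:
    """Per station that sent an Open System authentication request (seq 1),
    report whether the AP replied (seq 2) and whether the status was success."""
    result: Dict[str, str] = {}
    for f in filter_capture(frames, "wlan.fc.type_subtype == 0x0b"):
        if f.auth["seq"] == 1 and f.auth["open_system"]:
            result.setdefault(f.src, "no response")
        elif f.auth["seq"] == 2 and f.dst in result:
            status = f.auth["status"]
            result[f.dst] = "success" if status == 0 else f"rejected (status {status})"
    return result


# --- constructed sample capture (made-up, locally administered addresses) ---
STA = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6


def _mgmt(subtype: int, dst: bytes, src: bytes, body: bytes = b"") -> bytes:
    # version 0, type 0 (management), no flags, duration 0, BSSID = AP, seq 0
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + dst + src + AP + b"\x00\x00" + body


SAMPLE_CAPTURE = [
    _mgmt(0x4, BCAST, STA),                               # Probe Request
    _mgmt(0x8, BCAST, AP),                                # Beacon
    _mgmt(0xB, AP, STA, struct.pack("<HHH", 0, 1, 0)),    # Authentication, seq 1
    bytes([0xD4, 0x00, 0x00, 0x00]) + STA,                # ACK (control, subtype 13)
    _mgmt(0xB, STA, AP, struct.pack("<HHH", 0, 2, 0)),    # Authentication, seq 2, success
    _mgmt(0x0, AP, STA),                                  # Association Request
    bytes([0x08, 0x41]) + b"\x00\x00" + AP + STA + BCAST + b"\x00\x00",  # Data, ToDS+Protected
]

if __name__ == "__main__":
    for f in map(parse_frame, SAMPLE_CAPTURE):
        print(f"0x{f.type_subtype:02x} {f.name:22} {f.src} -> {f.dst} retry={f.retry} protected={f.protected}")
    print("open auth:", check_open_auth(SAMPLE_CAPTURE))
```

Run on a real capture, the same loop over parse_frame with the Retry flag counted per station is a quick way to see the RF problems the article says should be fixed first: a station whose authentication request is never answered, or whose frames carry a high share of retries, has a radio-level problem that no change to encryption will cure.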