
How to determine which message in an 802.11 frame is an ICMP packet

Hi Everyone,

 

I have captured a wireless file, and it can be opened in Wireshark. I want to confirm which packets are the ICMP packets, but I can only find QoS Data frames. Could you please help me filter the ICMP packets in the wireless capture?

 

Thanks a lot !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

ammahend
VIP

In a wireless capture, everything above L2 is encrypted if using WPA2 Personal or Enterprise. For WPA2 Personal, you have to capture a 4-way handshake and save the password in the Wireshark IEEE 802.11 protocol settings to even see anything beyond L2.

Considering you have done all that, in the display filter just type icmp and search.

-hope this helps-

Thanks for your response!
I can see "probe packets", "authentication packets" and "association packets", but I didn't find any ICMP packets by typing icmp and searching. In addition, is it normal that I cannot find EAPOL in a WPA2-PSK wireless capture?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

All those messages are L2. What kind of security are you using on your wireless? Are you capturing from a PC or an AP (sniffer mode)? Do you have both monitor and promiscuous mode enabled on the Wireshark adapter you are capturing from, if capturing from a PC or Mac? Are you capturing on the same channel the AP is operating on? These are some basic questions to get the right capture, so let me know the answers to these questions and I will answer based on that.
A typical PSK capture and 4-way key exchange will look something like below.

 

Also, what are you trying to achieve with this capture?

-hope this helps-

The security for wireless is WPA2+AES (PSK). I capture the packets with a sniffer AP. I confirm the channel is the same.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Then the packet content is encrypted and can't be decrypted by the sniffer. So you don't see if it's ICMP or TCP or anything else. You only see the management frames content, which you have realized yourself.

OK, this symptom matches mine.
Thanks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
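
The replies above come down to two checks on a capture: do the data frames carry the Protected bit, and are all four EAPOL messages of the 4-way handshake present. The Python below is an added example, not part of the thread; it assumes raw 802.11 frames with the radiotap header and FCS already removed, and `classify`, `eapol_msg`, `triage` and the constructed `CAPTURE` are names made up for it.

```python
import struct
from collections import Counter

LLC_SNAP = bytes.fromhex("aaaa03000000")

def eapol_msg(eapol):
    """Number a WPA2 4-way handshake message from its Key Information bits."""
    if len(eapol) < 7 or eapol[1] != 3:            # EAPOL type 3 = Key
        return "eapol-other"
    info = struct.unpack(">H", eapol[5:7])[0]
    if info & 0x0080:                              # Key Ack: sent by the AP
        return "eapol-m3" if info & 0x0100 else "eapol-m1"  # Key MIC set on M3
    return "eapol-m4" if info & 0x0200 else "eapol-m2"      # Secure set on M4

def classify(frame):
    """Label one raw 802.11 frame (radiotap header and FCS already stripped)."""
    if len(frame) < 10:
        return "truncated"
    ftype, subtype, flags = (frame[0] >> 2) & 3, frame[0] >> 4, frame[1]
    if ftype != 2:
        return ("management", "control", "data", "extension")[ftype]
    if subtype & 0x4:
        return "null-data"                         # Null/QoS Null: no body
    if flags & 0x40:
        return "protected-data"                    # Protected bit: ciphertext
    hdr = 24 + (6 if (flags & 0x03) == 0x03 else 0)  # Addr4 when ToDS+FromDS
    if subtype & 0x8:
        hdr += 2 + (4 if flags & 0x80 else 0)      # QoS Control, HT Control
    body = frame[hdr:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return "clear-data"
    ethertype = struct.unpack(">H", body[6:8])[0]
    if ethertype == 0x888E:
        return eapol_msg(body[8:])
    if ethertype == 0x0800 and len(body) > 17 and body[17] == 1:
        return "icmp"                              # IPv4 protocol field = 1
    return "clear-data"

def triage(frames):
    """Count frame kinds and say what Wireshark's icmp filter can match."""
    seen = Counter(classify(f) for f in frames)
    if not seen["protected-data"]:
        return seen, "data frames are not encrypted"
    if all(seen[f"eapol-m{i}"] for i in range(1, 5)):
        return seen, "encrypted, handshake captured: PSK needed to decrypt"
    return seen, "encrypted, handshake missing: only L2 is readable"

# Constructed frames (zeroed addresses): probe request, authentication, protected QoS Data.
CAPTURE = [bytes([fc0, fl]) + bytes(30) for fc0, fl in ((0x40, 0), (0xB0, 0), (0x88, 0x41))]
print(triage(CAPTURE)[1])
```

On the constructed capture the result is the situation described in the thread: management frames are readable, the QoS Data frame is ciphertext, and no EAPOL messages were seen.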