Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1288
Views
0
Helpful
6
Replies

How to determine which message in an 802.11 frame is an ICMP packet

Rps-Cheers
VIP
VIP

‎06-25-2019 07:12 AM - edited ‎07-05-2021 10:36 AM

HI Everyone,

 

I have captured a wireless file,it can be opened by wireshark.I want to confirm which packets are the icmp packets.But i just can find out the QoS Data Frame.Could you please help me to filter the ICMP packets in wireless capture packtes.

 

Thanks a lot !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
Labels:
0 Helpful
6 Replies 6

ammahend
VIP
VIP

‎06-25-2019 01:34 PM

In Wireless capture everything above L2 is encrypted if using WPA2 Personal or Enterprise, for WPA2 Personal you have to capture a 4 way handshake and save the Password in Wireshark IEEE802.11 protocol setting to even see anything beyond L2,

Considering you have done all that, in the display filter just type icmp and search.

-hope this helps-
0 Helpful

Rps-Cheers
VIP
VIP
In response to ammahend

‎06-25-2019 05:53 PM

Thanks for your response!
I can see "Probe packets"、“authentication packets” and “association packets”,but i didn't find out icmp packets by typing icmp and search. In addition, whether it's normal that i cannot find out EAPOL in WPA2-PSK wireless capture?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful

ammahend
VIP
VIP
In response to Rps-Cheers

‎06-25-2019 08:23 PM - edited ‎06-25-2019 08:26 PM

All those messages are L2, what kind of security are you using on your wireless ? and from you are capturing from PC or AP (sniffer mode) ? do you have monitor and Promiscuous both mode enabled on the wireshark adapter you are capturing from if capturing from pc or mac ? are you capturing the same channel the AP is operating on ? there are some basic questions to get right capture, so let me know the answer to these question and I will answer based on that.
a typical PSK capture and 4 way key exchange will look something like below.

 

Also what are you trying to achieve with this capture ?

-hope this helps-
Preview file
140 KB
0 Helpful

Rps-Cheers
VIP
VIP
In response to ammahend

‎06-25-2019 11:39 PM

the security for wireless is WPA2+AES(PSK),i capture the packets by sniffer ap.I confirm the channel is same.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Rps-Cheers

‎06-26-2019 06:52 AM

Then the packet content is encrypted and can't be decrypted by the sniffer. So you don't see if it's ICMP or TCP or anything else. You only see the management frames content, which you have realized yourself.
0 Helpful

Rps-Cheers
VIP
VIP
In response to patoberli

‎06-26-2019 10:06 PM

OK,this symptom is match mine
thanks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card