Lab Exercise – 802.11

Objective

To explore the physical layer, link layer, and management functions of 802.11. IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless local area network (WLAN) computer communication in the 900 MHz and 2.4, 3.6, 5, and 60 GHz frequency bands. They are the most widely used wireless computer networking standards, used in most home and office networks to allow laptops, printers, and smartphones to talk to each other and access the Internet without connecting wires. They are created and maintained by the Institute of Electrical and Electronics Engineers (IEEE) LAN/MAN Standards Committee (IEEE 802). The base version of the standard was released in 1997 and has had subsequent amendments. The standard and amendments provide the basis for wireless network products using the Wi-Fi brand. While each amendment is officially revoked when it is incorporated in the latest version of the standard, the corporate world tends to market to the revisions because they concisely denote the capabilities of their products. As a result, in the marketplace, each revision tends to become its own standard.

Background on capturing wireless traffic

Unlike for the other labs, it may be difficult to gather your own trace, for several reasons. The main issue is that Windows lacks driver support to gather 802.11 frames for most wireless NICs. When we captured traffic previously, the operating system made it appear to come via a wired Ethernet (even if it actually came via a wireless network) and discarded any 802.11 frames without a higher-layer data payload (such as Acknowledgements).

On some systems, typically Mac and Linux, it is possible to tell the operating system to gather 802.11 frames directly, without this conversion. This is called “Monitor mode”.
If your system supports it, then the Wireshark capture options for your wireless interface will allow you to select Monitor mode, and to set the format of captured traffic to “802.11 plus radiotap header” rather than Ethernet. An example is shown below. If there is no way to select Monitor mode then your system likely cannot capture 802.11.

A second difficulty is that when an interface captures wireless traffic in monitor mode, it is often not available for regular use. This means that you need at least two computers: one computer to send test traffic and a second monitor computer to capture a trace of wireless activity.

Finally, note that capturing a trace in monitor mode will record all wireless activity in the vicinity. Since 802.11 wireless devices are pervasive, it is likely that your trace will capture unwanted traffic from other nearby computers. This behavior makes it difficult to cleanly observe your own traffic.

Step 1: Inspect a Trace

1. Open the sample trace at: e-80211.pcap. You should see a screen as follows.

Figure 1: 802.11 sample trace

We will look at the format of an 802.11 frame. There are many kinds of 802.11 frames that will be captured in a trace; the Info field describes the type, such as Beacon, Data, and Acknowledgement.

2. Inspect the #16 Data frame, which carries packets across 802.11 networks.

Figure 2: Inspecting an 802.11 Data frame

3. Inspect the protocol layers recorded with the frame for these protocols by looking in the middle panel.

- Frame is a record added by Wireshark with information about the time and length of the frame; it does not capture bits that were sent “over the air”.
- Radiotap is also a record created by Wireshark to capture physical layer parameters, such as the strength of the signal and the modulation. Skip this record for now; we will investigate it later.

- IEEE 802.11 is the bits of the 802.11 Data frame. This is the record we are looking for, and we will go into its details shortly. It is selected and expanded in the next figure so that you can see the internal fields (in the middle panel) and the portion of the frame it occupies (highlighted in the lower panel and identified at the bottom as 28 bytes long).
- Data is a record containing the frame payload data, i.e., one that carries higher-layer protocols such as LLC, IP packets, etc. Alternatively, you may see the higher-layer protocols themselves.

Note that if Wireshark can understand the contents of the Data frame payload, then it will create protocol records for them. However, in many wireless settings (such as the sample trace) the payload contents are encrypted and simply appear as one record. All frames are then listed as protocol 802.11, rather than higher-layer protocols such as TCP. It is possible to tell Wireshark the wireless network key and have it decrypt the payloads. However, we will skip that step since our interest is the 802.11 headers.

4. Expand the IEEE 802.11 record of the Data frame and inspect the details of the various header fields. You can expand this block using the expander icon. The fields in Wireshark are:

- Frame Control. It encodes the frame Type and Subtype, e.g., Data, as well as various flags. We will look at these fields in more detail shortly.
- Duration. This field tells computers how much time is needed on the wireless medium for additional packets that are part of this exchange.
- BSS identifier, source address, and destination address, in an order that depends on the specifics of the Data frame. These address fields identify who transmitted the packet and who should receive it. The BSS identifier is the address of the wireless access point.
- Fragment and sequence number. These fields number the frame for reassembly and retransmission, if needed. The sequence number is incremented with each new transmission.
- Frame check sequence. This is a CRC over the frame. It comes at the end (click it and you will see its position in the frame) but is listed with the other 802.11 header fields for convenience.

There may also be a WEP or WPA2 field with security parameters in the case that the frame payload is encrypted. We are not delving into wireless security here, so you can ignore that field.

5. Expand the Frame Control field and look at it in detail. You will find the following subfields within it. All 802.11 frames begin with a Frame Control field, and the details of the subfields and flags determine the format of the rest of the message; it may be like the Data frame we explored above or very different, such as an Ack frame we will look at later. The subfields are:

- Version, with a value of zero for the current version.
- Type and Subtype specify the type of frame, e.g., Data or Ack.

6. Expand the Flags field and look at it in detail. You will find the following flags within it:

- To DS. This flag is set if the frame is sent from a computer to the wired network via the AP.
- From DS. This flag is set if the frame is sent from the wired network to a computer via the AP.
- More fragments. Set if there are more frames in this message.
- Retry. Set if the frame is a retransmission.
- Power management. Set if the sender will go into power-save sleep after transmission.
- More data. Set if the sender has more frames to send.
- Protected. Set if the frame is encrypted with WEP/WPA2.
- Order. Set if the receiver must keep the frames in order.

Different computers may use these flags differently depending on how they implement 802.11. For example, some computers may make heavy use of power-save or encryption features while others may not. Combined with the fact that there are dozens of different types of frames, this means that you will see all sorts of wireless traffic in most traces. Explore a bit if you are curious.
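As an added example (not code from the lab handout), the Python below decodes the Frame Control subfields and flags listed above from the two raw bytes, and shows how the To DS / From DS flags decide which address field carries the BSS identifier, source, and destination. The address-role table follows the 802.11 field layout and the sample frame bytes are constructed, not taken from the trace.

```python
# Added example (not from the lab handout): decode the 802.11 Frame Control
# field and the DS-dependent address order the lab mentions, then tally
# constructed frames by Type, the split the wlan.fc.type filter relies on.
from collections import Counter

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
# Flag bits of the second Frame Control byte, bit 0 .. bit 7.
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgmt", "more_data", "protected", "order"]

def parse_frame_control(fc):
    """fc: the 2-byte Frame Control field as transmitted (bytes-like)."""
    b0, b1 = fc[0], fc[1]
    info = {
        "version": b0 & 0x03,         # bits 0-1: zero for the current version
        "type": (b0 >> 2) & 0x03,     # bits 2-3: 0 Mgmt, 1 Control, 2 Data
        "subtype": (b0 >> 4) & 0x0F,  # bits 4-7: e.g. 13 = Ack, 8 = Beacon
    }
    info.update({name: bool(b1 & (1 << i)) for i, name in enumerate(FLAG_NAMES)})
    return info

def address_roles(to_ds, from_ds):
    """Meaning of Address 1, 2, 3 (and 4) for the given To DS / From DS flags."""
    if not to_ds and not from_ds:
        return ("DA", "SA", "BSSID")   # within the BSS, no AP relay
    if from_ds and not to_ds:
        return ("DA", "BSSID", "SA")   # wired network -> station via the AP
    if to_ds and not from_ds:
        return ("BSSID", "SA", "DA")   # station -> wired network via the AP
    return ("RA", "TA", "DA", "SA")    # both set: AP-to-AP, four addresses

def tally_by_type(frames):
    """Count and percentage per Type, as the wlan.fc.type filter would show."""
    counts = Counter(TYPE_NAMES[parse_frame_control(f)["type"]] for f in frames)
    total = sum(counts.values())
    return {k: (v, round(100 * v / total)) for k, v in counts.items()}

# Constructed sample: the first two bytes (Frame Control) of four frames.
SAMPLE = [bytes([0x08, 0x42]),   # Data, subtype 0; From DS + Protected set
          bytes([0x88, 0x01]),   # QoS Data, subtype 8; To DS set
          bytes([0xD4, 0x00]),   # Ack: Control (type 1), subtype 13
          bytes([0x80, 0x00])]   # Beacon: Management (type 0), subtype 8

if __name__ == "__main__":
    for fc in SAMPLE:
        info = parse_frame_control(fc)
        print(TYPE_NAMES[info["type"]], info["subtype"],
              address_roles(info["to_ds"], info["from_ds"]))
    print(tally_by_type(SAMPLE))
```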

Step 2: 802.11 Physical Layer

We will take a closer look at different parts of the wireless system, starting with the physical layer. At the lowest layer, sending and receiving messages is all about the frequency band, the modulation, and the signal-to-noise ratio with which the signal is received. We can look at all these factors using information in the Radiotap header. The frequency or channel is the same for all frames in the trace, since the wireless network interface is set to listen on a fixed frequency.

7. Find the frequency by expanding the Radiotap header of any frame and looking for Channel frequency. As you’ll see, the Channel frequency is 2462 MHz, or 2.462 GHz. It is known as “802.11b/g channel 11”.

To look at the modulation we can observe the Data Rate value, and to look at the SNR we can observe the SSI Signal value (combined with the SSI Noise value). The SSI Signal value is more commonly known as the RSSI (Received Signal Strength Indication). These fields will vary with different frames. To see them, first we must add new columns to the main display.

8. Add two new display columns for the TX Rate (or Data Rate) and RSSI (or SSI Signal value) by going to the Preferences panel (under the Edit menu) and selecting Columns (by expanding the User Interface block). Click the add button to add a new column. Change the title to RSSI and, in the dropdown menu in the Type field, choose IEEE 802.11 RSSI. Next, click the button again, and add a new column with the title Rate and the Type IEEE 802.11 TX rate.

The columns in our figure are called Rate, with a field of type IEEE 802.11 TX Rate, and RSSI, with a field type of IEEE 802.11 RSSI. You may reorder the columns so that these columns are to the left of Info for visibility. When you return to the main display you will have Rate and RSSI information for each frame.

Wireless trace showing Rate and RSSI for each frame

You should see a variety of rates. That is, unlike wired Ethernet, for which frames are sent at a fixed rate (after negotiation of the kind of Ethernet), wireless rates vary depending on the conditions and capabilities of the computers. The rates are 1, 6, 12, 18, 24, 38, 48, and 54 Mbps. This is most of the possible 802.11b/g rates.

You should also see a variety of RSSI values, such as “-60 dBm”. RSSI is measured on a log scale in which 0 dBm means 1 milliwatt of power, each +10 dB means a factor of 10 larger, and each -10 dB means a factor of 10 smaller. Thus -60 dBm means one millionth of 1 mW, or 10^-9 Watts, a tiny amount of power.

The SNR is the signal level relative to the noise level, a roughly fixed value given in the Radiotap header to be -90 dBm. These values add or subtract on the logarithmic scale. Thus a signal level of -60 dBm is 30 dB, or a factor of 1000, larger than the noise level of -90 dBm. This means a frame with an RSSI of -60 dBm has an SNR of 30 dB. RSSIs may vary greatly, which means that some frames will have a much weaker or stronger signal than other frames. Variations of 40 dB are common, meaning that one frame may be 10,000 times weaker or stronger than another frame received by the same network interface. Note also how the RSSIs range from -44 dBm (strongest) to -69 dBm (weakest signal). This is a variation of 25 dB, or around a factor of 300 in the SNR.
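The log-scale arithmetic above, carried through as an added Python example (not from the lab handout): the noise floor is the -90 dBm the lab quotes from the Radiotap header, and the RSSI readings are constructed to span the -44 to -69 dBm range observed in the trace.

```python
# Added example (not from the lab handout): the dBm / dB arithmetic the lab
# walks through, applied to a constructed set of RSSI column values.
NOISE_DBM = -90.0  # roughly fixed SSI Noise value reported in the Radiotap header

def dbm_to_watts(dbm):
    """0 dBm is 1 mW; every +10 dB is a factor of 10 more power."""
    return 1e-3 * 10 ** (dbm / 10)

def db_to_linear(db):
    """Convert a difference in dB to a linear power ratio."""
    return 10 ** (db / 10)

def snr_db(rssi_dbm, noise_dbm=NOISE_DBM):
    """SNR is the signal level minus the noise level on the log scale."""
    return rssi_dbm - noise_dbm

def summarize(rssis, noise_dbm=NOISE_DBM):
    """Strongest/weakest frame, their SNRs, and the spread in dB and as a factor."""
    strongest, weakest = max(rssis), min(rssis)
    spread_db = strongest - weakest
    return {
        "strongest_dbm": strongest,
        "weakest_dbm": weakest,
        "snr_strongest_db": snr_db(strongest, noise_dbm),
        "snr_weakest_db": snr_db(weakest, noise_dbm),
        "spread_db": spread_db,
        "spread_factor": round(db_to_linear(spread_db)),
    }

# Constructed RSSI readings covering the -44..-69 dBm range seen in the lab trace.
SAMPLE_RSSI = [-60, -44, -55, -69, -62, -48]

if __name__ == "__main__":
    print(f"-60 dBm = {dbm_to_watts(-60):.1e} W, SNR = {snr_db(-60):.0f} dB "
          f"(x{db_to_linear(snr_db(-60)):.0f} over the noise floor)")
    print(summarize(SAMPLE_RSSI))
```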

Step 3: 802.11 Link Layer

9. Under the Statistics menu, select Conversations. You will see a blank screen as follows.

10. In the bottom right, select the Conversation Types button and select 802.11. This will pull up a window like that of the figure below, which lists each pair of communicating computers. You can sort this list by size by clicking on the Packets or Bytes column headings. This view will help us further explore the trace, starting with a summary of the link layer activity.

Most of the activity is in a relatively small fraction of the conversations. The low-activity conversations are due to background traffic from idle computers, and from a small number of packets that are occasionally captured from adjacent wireless networks.

A BSS ID value identifies an AP. To find the BSS ID used by the most active wireless conversations we can sort on the source or destination address by clicking on the column heading. If you do this, you will find the most active AP has a BSS ID of 00:16:b6:e3:e9:8f.

We can also look to see the amounts we have of different types of traffic. 802.11 frames are either Data, Control, or Management frames. These frames are distinguished by the value in the Type subfield of the Frame Control field. You can inspect different packets to see the values for different types of frames.

To filter to see only Data frames, we can enter the expression wlan.fc.type == 2 into the Filter box above the list of frames in the top panel. Do this by returning to the main window and entering the filter as shown below.

Clicking on the Type subfield tells us in the status display at the bottom that Wireshark knows this field by the name wlan.fc.type. Thus, the expression to filter for Data frames with Type value 2 is wlan.fc.type == "data frame" or wlan.fc.type == 2.

After you apply this filter, the status line at the bottom will tell you how many of the trace packets are displayed. This tells you how many Data frames there are in the trace. There may be several different kinds of Data frames depending on the value of the Subtype sub-field, as indicated in the Info column. You can click on this column heading to sort by frame type to see what kinds are prevalent.

We can now see how many Data frames are in the trace, and what the most common subtype of Data frame is. Now perform the same exercise for Control (Type 1) and Management (Type 0) frames by changing the filter expression to search for a different Type value (i.e., changing the value in wlan.fc.type == "data frame"). This will let you find out how many of these frames are in the trace, and their most prevalent kinds.

Filtering the wireless trace for Data frames

We can see there are 1783 Data frames, or 48% of the total (3731) frames. The most common Data frame is simply called “Data”, with subtype 0. The fraction of Data frames will depend heavily on whether there are active data transfers during the trace; there is a small transfer during this trace.

There are 1391 Control frames, or 37% of the total. The most common Control frame is the Acknowledgement frame, with subtype 13. The fraction of Control frames should be comparable to but likely lower than the fraction of Data frames due to Acknowledgements (as each non