Lab.3 Part.3 – 802.11–Wireshark LabObjectiveTo explore the physical layer, link layer, and management functions of 802.11. It is widely used to wire-less connect mobile devices to the Internet.The trace is here: ementsWireshark: This lab uses the Wireshark software tool to capture and examine a packet trace. A packettrace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits thatpassed across a particular wire. The packet trace records a timestamp for each packet, along with thebits that make up the packet, from the lower-layer headers to the higher-layer contents. Wireshark runson most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows thesequence of packets and the meaning of the bits when interpreted as protocol headers and data. It color-codes packets by their type, and has various ways to filter and analyze packets to let you investigatethe behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can download it from if it is not already installed on your computer. We highly recommendthat you watch the short, 5 minute video “Introduction to Wireshark” that is on the site.Step 1: Fetch a TraceWe provide a trace that you can use by starting Wireshark and selecting Open from the File menu. OnWindows/Mac, you may locate the trace file and open it directly to launch Wireshark with the trace. Youcan now proceed to Step 2; the rest of this section is informational.Unlike for the other labs, it may be difficult to gather your own trace, for several reasons. The main issueis that Windows lacks driver support to gather 802.11 frames for most wireless NICs. When we capturedtraffic previously, the operating system made it appear to come via a wired Ethernet (even if it actuallycame via a wireless network) and discarded any 802.11 frames without a higher layer data payload (suchas Acknowledgements). On some systems, typically Mac and Linux, it is possible to tell the operatingsystem to gather 802.11 frames directly, without this conversion. This is called “Monitor mode”. If yoursystem supports it, then the Wireshark capture options for your wireless interface will allow you to select Monitor mode, and to set the format of captured traffic to “802.11 plus radiotap header” ratherthan Ethernet. An example is shown below. If there is no way to select Monitor mode then your systemlikely cannot capture 802.11.1

Figure 1: Capturing a wireless trace with Monitor mode (Mac)A second difficulty is that when an interface captures wireless traffic in monitor mode, it is often notavailable for regular use. This means that you need at least two computers: one computer to send testtraffic and a second monitor computer to capture a trace of wireless activity.Finally, note that capturing a trace in monitor mode will record all wireless activity in the vicinity. Since802.11 wireless devices are pervasive, it is likely that your trace will capture unwanted traffic from othernearby computers. This behavior makes it difficult to cleanly observe your own traffic.If you can handle these difficulties, you can gather your own wireless trace to do this lab.2

Step 2: Inspect the TraceTo begin, we will take a look at the format of an 802.11 frame. There are many different kinds of 802.11frames that will be captured in a trace; the Info field describes the type, such as Beacon, Data, andAcknowledgement. We will inspect a Data frame, which carries packets across 802.11 networks.Find a Data frame in the trace and select it. Wireshark will let us select a frame (from the top panel) andview its protocol layers, in terms of both header fields (in the middle panel) and the bytes that make upthe frame (in the bottom panel). You can do this simply by scrolling down until you find one, or by clicking on the Info column to sort by that key and then scrolling to the Data portion of the trace. We haveselected a Data frame in the figure below.Figure 2: Inspecting an 802.11 Data frame3

Inspect the protocol layers recorded with the frame for these protocols. Look in the middle panel. Frame is a record added by Wireshark with information about the time and length of the frame;it does not capture bits that were sent “over the air”.Radiotap is also a record created by Wireshark to capture physical layer parameters, such as thestrength of the signal and the modulation. Skip this record for now; we will investigate it later.IEEE 802.11 is the bits of the 802.11 Data frame. This is the record we are looking for, and wewill go into its details shortly. It is selected and expanded in the figure so that you can see the internal fields (in the middle panel) and the portion of the frame it occupies (highlighted in thelower panel, and identified at bottom as 28 bytes long).Data is a record containing the frame payload data, i.e., that has higher-layer protocols such asLLC, IP packets, etc. Alternatively you may see the higher-layer protocols themselves.If Wireshark can understand the contents of the Data frame payload then it will create protocol recordsfor them. However, in many wireless settings (such as the sample trace) the payload contents are encrypted and simply appear as one record. All frames are then listed as protocol 802.11, rather thanhigher layer protocols such as TCP. It is possible to tell Wireshark the wireless network key and have itdecrypt the payloads. However, we will skip that step since our interest is the 802.11 headers.Expand the IEEE 802.11 record of the Data frame and inspect the details of the various header fields. Youcan expand this block using the “ ” expander or icon; it is shown expanded in our figure. To inspect thefields, you may compare them with Fig. 4-29. The fields in Wireshark are: Frame Control . It encodes the frame Type and Subtype, e.g., Data, as well as various flags. Wewill look at these fields in more detail shortly.Duration. This field tells computers how much time is needed on the wireless medium for additional packets that are part of this exchange.BSS identifier, source address, and destination address, in an order that depends on the specificsof the Data frame. These address fields identify who transmitted the packet and who should receive it. The BSS identifier is the address of the wireless access point.Fragment and sequence number. These fields number the frame for reassembly and retransmission, if needed. The sequence number is incremented with each new transmission.Frame check sequence. This is a CRC over the frame. It comes at the end (click it and you will seeits position in the frame) but is listed with the other 802.11 header fields for convenience.There may also be a WEP or WPA2 field with security parameters in the case that the frame payload is encrypted. We are not delving into wireless security here, so you can ignore that field.Finally, expand the Frame Control field and look at it in detail, including the Flags that you find within it.All 802.11 frames begin with a Frame Control field, and the details of the subfields and flags determinethe format of the rest of the message; it may be like the Data frame we explored above or very differentsuch as an Ack frame we will look at later. The subfields are: Version, with a value of zero for the current version.Type and Subtype specify the type of frame, e.g., Data or Ack.To DS. This flag is set if the frame is sent from a computer to the wired network via the AP.From DS. This flag is set if the frame is sent from the wired network to a computer via the AP.4

More fragments. Set if there are more frames in this message.Retry. Set if the frame is a retransmission.Power management. Set if the sender will go into power-save sleep after transmission.More data. Set if the sender has more frames to send.Protected. Set if the frame is encrypted with WEP/WPA2.Order. Set if the receiver must keep the frames in order.Figure3: Expanded view of the Frame Control fields and FlagsDifferent computers may use these flags differently depending on how they implement 802.11. For example, some computers may make heavy use of power-save or encryption features while others maynot. Combined with the fact that there are dozens of different types of frames, this means that you willsee all sorts of wireless traffic in most traces. Explore a bit if you are curious.5

Step 3: 802.11 Physical LayerNow that we have some familiarity with 802.11 Data frames, we will take a closer look at different partsof the wireless system, starting with the physical layer. At the lowest layer, sending and receiving messages is all about the frequency band, modulation, the signal-to-noise ratio with which the signal is received. We can look at all of these factors using information in the Radiotap header!Answer the numbered questions in this step to explore the physical layer aspects, beginning with frequency. The frequency or channel is the same for all frames in the trace, since the wireless network interface is set to listen on a fixed frequency.1. What is the channel frequency? To find the frequency, expand the Radiotap header of any frameand look for the Channel frequency.To look at the modulation we can observe the Data Rate value, and to look at the SNR we can observethe SSI Signal value (combined with the SSI Noise value). The SSI Signal value is more commonly knownas the RSSI (Received Signal Strength Indication). These fields will vary with different frames. To seethem, first we must add new columns to the main display.Figure 2: Adding columns for RSSI and RateAdd two new display columns for the TX Rate (or Data Rate) and RSSI (or SSI Signal value) by going to thePreferences panel (under the Edit menu) and selecting Columns (by expanding the User Interface block).The columns in our figure are called Rate, with a field of type IEEE 802.11 TX Rate, and RSSI, with a field6

type of IEEE 802.11 RSSI. You may reorder the columns so that these columns are to the left of Info forvisibility. When you return to the main display you will have Rate and RSSI information for each frame.Figure 3: Wireless trace showing Rate and RSSI for each frameYou should see a variety of rates. That is, unlike wired Ethernet for which frames are sent at a fixed rate(after negotiation of the kind of Ethernet), wireless rates vary depending on the conditions and capabilities of the computers.2. What rates are used? Give an ordered list of rates from lowest to highest. Hint: you can click theRate column to sort by that value.7

You should also see a variety of RSSI values, such as “-60 dBm”. RSSI is measured on a log scale in which0 dBm means 1 milliWatt of power and each 10 means a factor of 10 larger and each -10 means a factor of 10 smaller. Thus -60 dBm means one million-th of 1 mW, or 10-9 Watts, a tiny amount of power!The SNR is the signal level relative to the noise level, a roughly fixed value given in the Radiotap headerto be -90 dBm. These values add or subtract on the logarithmic scale. Thus a signal level of -60 dBm is 30dB or a factor of 1000 larger than the noise level of -90 dBm. This means a frame with an RSSI of -60dBm has an SNR of 30 dB. RSSIs may vary greatly, which means that some frames will have a muchweaker or stronger signal than other frames. Variations of 40 dB are common, meaning that one framemay be 10,000 times weaker or stronger than another frame received by the same network interface.You should be gaining an appreciation for wireless technology!3. What is the range of RSSI and hence variation in SNRs in the trace? Give this as the strongest andweakest RSSI and the dB difference between them.8

Step 4: 802.11 Link LayerUnder the Statistics menu, select Conversations and WLAN (for wireless LAN, i.e., 802.11). This will pullup a window like that of the figure below which lists each pair of communicating computers. You cansort this list by size by clicking on the Packets or Bytes column headings. This view will help us furtherexplore the trace, starting with a summary of the link layer activity.Figure 4: 802.11 conversations ordered by sizeIn our trace, and likely yours, most of the activity is in a relatively small fraction of the conversations.The low activity conversations are due to background traffic from idle computers, and from a smallnumber of packets that are occasionally captured from adjacent wireless networks.Answer the numbered questions in this step to explore the link layer aspects of 802.11:1. What is the BSS ID used by the most active wireless conversations? A BSS ID value identifies anAP, so this BSS ID identifies the most active AP, presumably the AP we are monitoring. To helpfind it, you can sort on the source or destination address by clicking on the column heading.We can also look to see the amounts we have of different types of traffic. 802.11 frames are either Data,Control, or Management frames. These frames are distinguished by the value in the Type subfield of theFrame Control field. You can inspect different packets to see the values for different types of frames.9

Filter to see only Data frames by entering the expression “wlan.fc.type 2” into the Filter boxabove the list of frames in the top panel. Clicking on the Type subfield tells us in the status display at bottom that Wireshark knows this field by the name wlan.fc.type. Thus, the expression to filter for Dataframes with Type value 2 is “wlan.fc.type ”data frame”” or “wlan.fc.type 2”. Whenyou enter this expression into your Filter box the display should resemble the figure below. After youapply this filter, the status line at bottom will tell you how many of the trace packets are displayed. Thistells you how many Data frames there are in the trace. There may be several different kinds of Dataframes depending on the value of the Subtype sub-field, as indicated in the Info column