Fundamentals of 802.11 Wireless SniffingContentsIntroductionChecklist for a successful captureMac OS X Wireless Sniffing Toolsairportdairport utilitytcpdumpWi-Fi DiagnosticAirtoolWireless Sniffing using Windows 7 with Netmon 3.4 (deprecated method)IntroductionWireless Sniffing using Cisco Lightweight Access Point (LAP) in Sniffer modeIntroductionConfiguration steps1) WLC / AP side2) Sniffer side: Wireshark3) Sniffer side: OmniPeekWireless Sniffing using Cisco Autonomous (IOS) AP802.11 Sniffer Capture Analysis - Physical LayerIntro: physical layer info in wireless packet capturesWireless packet headers – examplesMac OS X 10.7 Wireless Diagnostics (Broadcom adapter?)OmniPeek 6.8 (Ralink USB adapter)Netmon 3.4Applying wireless files as Wireshark columns802.11 Sniffer Capture Analysis -Wireshark filteringIntroductionWireshark Filtering-wlanObjectivePrerequisitesWhy do we need to capture wireless sniffer trace?Why do we need to use wireless sniffer capture filter?When to use DISPLAY FILTERS and CAPTURE FILTERS?How to filter?MENU BARThe Main TOOL BARThe "Filter" toolbarThe "Packet List" paneThe "Packet Details" paneThe "Packet Bytes" paneThe Statusbar

The initial StatusbarUsing Capture filtersDisplay FilterUsing Coloring filter rule802.11 Sniffer Capture Analysis - Management Frames and Open AuthIntroduction802.11 – Frames and open authentication802.11 Client Authentication ProcessManagement FramesControl FramesData FramesReferences802.11 Sniffer Capture Analysis - WPA/WPA2 with PSK or EAPWPA-PSK(TKIP)WPA2-PSK(AES/TKIP)How to decrypt WPA2 AES data on Over the Air Packet Captures with WiresharkRequirements:ProcessWPA/WPA2 EnterpriseWPA(TKIP)/WPA2(AES) with dot1x (EAP-TLS)802.11 Sniffer Capture Analysis – MulticastIntroductionSolutionIGMP Snooping on WLCGuidelines for Using Multicast ModeConfiguring Multicast (Using Multicast-Multicast Mode)On Wireless LAN ControllerMulticast configuration on Wired networkPacket CapturesTopologyMCAST Traffic Generator ToolWired Wireshark packet capture on the MCAST generatorWindows Netmon Capture on the Mcast packet generatorWireshark Captures on the Wireless interface of the Wireless clientNetmon Capture on the Wireless interface of the Wireless Client802.11 Sniffer Capture Analysis – Web AuthenticationIntroductionConfiguration WebauthConfiguration on the WLCHere is the client Debug when the the client tried connectingIntroductionThe process of collecting a good wireless sniffer trace, in order to analyze and troubleshoot802.11 behavior, can be a difficult and time consuming operation. But there are a few things to

bear in mind that will help simplify and speed up this process. With Wireless sniffing it helps tohave an idea of what you are really trying to do - you are trying to capture the raw wireless framesfrom over the air, as seen by the wireless sniffing device itself.Checklist for a successful captureStep 1: Since the sniffing device, client device and AP are all using RF generating radios fortransmission or reception, it helps to have your wireless sniffer close to your target device (theclient machine). This will allow your sniffing device to capture a good approximation of what yourclient device is hearing over the air.Step 2: Use a separate device to act as your wireless sniffer - you cannot take a good wirelesssniffer trace if it is running on the device under test (the client machine you are trying to get awireless trace of).Step 3: Understand exactly what 802.11 Channel and Band your client device is using beforesetting up your capture. Lock your sniffer to the channel of interest - do not use the sniffer's "scanchannels" mode! (With "scan channels", the sniffer will cycle from channel to channel everysecond or so - useful for a site survey or to find "rogues", but not when attempting to capture an802.11 problem.)Also bear in mind that your client device may roam to another AP which is on a different RFchannel or Band, so you need to plan accordingly. Typically in the 802.11b/g (2.4GHz)environment, using a three channel sniffer may be required. This involves using 3 Wirelessadapters on your sniffing device, with each one set to channel 1, 6 and 11. Using USB wirelessadapters works best for this type of setup.Step 4: If you are troubleshooting 5GHz, then the number of channels will dramatically increase.Since you might not have enough cards to capture all channels, it is a good practice for the test, tooperate on not more than 4 channels on your surrounding Access Points.Step 5: If you can reproduce the problem when a client roams from one channel to another, thena 2-channel sniff should suffice. If you have only a single channel sniffer available, then have itsniff the roamed-to channel.Step 6: Always NTP sync your sniffers. The packet capture will need to be collated with debugcaptures, and with other wired and/or wireless captures. Having your timestamps even onesecond off will make the collation much more difficult.Step 7: If you are capturing for a long period of time (hours), then configure your sniffer to cut anew capture file every 30MB or so. In order to avoid filling up your hard drive, you will want to putan upper limit on the number of files written.Note: The Linksys USB600N does not reliably collect 11n packets with short guard interval.Missing 20% to 30% of short guard interval packets. If necessary the WLC configuration can bechanged to only use the slower long guard interval. This should be only a temporary configurationchange. The command is: config 802.11 {a b}11nsupport guard-interval {any long}Sniffer Tools

Wireless Sniffing using a Mac with OS X 10.6 and aboveWireless sniffing on the Mac works well, as Mac OS X has built in tools to capture a wirelesstrace. However, depending on what versions of OS X you are running, the commands may vary.This document covers OS X 10.6 through the latest version. Wi-Fi diagnostics is the preferredmethod in the latest macbooks. It is always good to remember that your macbook sniffer needs tobe at least as capable as the client you are sniffing (sniffing an 802.11ac smartphone with an802.11n macbook is not optimal)Mac OS X Wireless Sniffing Tools airportd (10.6-10.8)airport utility (10.6 - 10.8)tcpdump (10.8)Wi-Fi Diagnostics (10.7- 10.12)Wireshark (10.6 - 10.8)3rd party tool : AirtoolairportdIf you are running OS X 10.6 (Snow Leopard) or above, then you can easily use the command lineutility “airportd”. Use the following steps:Use the “command” “Space bar” key combo to bring up the search diaglog box in the upperright top of the screen and type in the word “terminal”, this will search for the terminalapplication, select this application to run it. A terminal window will appear.Once you have a terminal window open, you can run the follow command to capture aWireless sniffer trace on RF channel 11 (802.11b/g):“sudo /usr/libexec/airportd en1 sniff 11” Some things to note:You will be prompted to enter in your account password for verification.You cannot specify the name of the capture file or where you will place the output.You will lose any wireless connectivity to your network while the capture is occurring.If you are using an Air, the wireless adapter is en0 rather than en1Once you are finished with the trace, hit “Cntl-C” to stop the trace and the utility will display thename and location of the capture file. The file format is your standard wireshark PCAP file thatcan be read on the MAC or Windows via Wireshark. airport utilityThe airport utility is is not a sniffer program; however, it can provide interesting information aboutthe wireless LAN. Also, it has the ability to set the default wireless channel - which is crucial forsniffer programs (tcpdump, Wireshark) that are themselves unable to set the channelNote: because the path to the airport utility is so ugly, it may be a good idea to set a symbolic link

to it from a directory in the path, e.g.# sudo ln /airportset the wireless channel# ramework/Versions/Current/Resources/airport -channel 48dump out info on the SSIDs/BSSIDs seen:# ramework/Versions/Current/Resources/airport -sSSIDBSSIDRSSI CHANNEL HT CC SECURITY (auth/unicast/group)Test 00:24:97:89:cb:41WPA2(PSK/AES/TKIP)-5311Y --WPA(PSK/TKIP/TKIP)Test2 00:24:97:89:cb:40-5311N --WPA(PSK/TKIP/TKIP)-646,-1Y --WPA(PSK/AES,TKIP/TKIP)Guest 00:22:75:e6:73:dfWPA2(PSK/AES,TKIP/TKIP)detailed information on the current association:# ramework/Versions/Current/Resources/airport tNoise:0state:runningop us:0802.11 auth:openlink auth:wpa2-psk

6,1tcpdumpTcpdump is a command line utility shipped with OS X that can perform packet capture. (Thetshark utility bundled with Wireshark is very similar.) To perform a wireless packet capture usingtcpdump:first set the channel using the airport utility as shown abovethen perform a wireless packet capture, saving to a file. When done, type Control/C to exit.Example: bash-3.2# tcpdump -I -P -i en1 -w /tmp/channel-11.pcaptcpdump: WARNING: en1: no IPv4 address assignedtcpdump: listening on en1, link-type IEEE802 11 RADIO (802.11 plus radiotap header), capturesize 65535 bytes C897 packets captured968 packets received by filter0 packets dropped by kernelbash-3.2#Wi-Fi DiagnosticThe easiest capture method is to use the graphical program called Wi-Fi Diagnostics.It can be accessed by holding the ALT key and clicking on the top-right wifi icon (the one whereyou typically select the SSID you want to connect to)

Click on the "Open Wireless diagnostics" option in the list.It will bring a window that will run a default report on troubleshooting. This is typically NOT whatyou are interested in.Keep that window opened and go on the menu bar on top of the screen. click "Window". You willsee a list of other interesting tools (useful for site survey or signal analysis). In the scope of

wireless sniffer capture, we are interested in the "Sniffer" option, click on it.You then simply have to chose the primary channel as well as channel width.The sniffer capture will be saved either on the Desktop or in /var/tmp/ as of Mac Os Sierra.AirtoolSome 3rd party tools also exist that will support many mac os x versions and will enhance theembedded sniffing features with easier options to chose channels. One example is Airtool ss Sniffing using Windows 7 with Netmon 3.4(deprecated method)IntroductionWith Microsoft Network Monitor (Netmon) 3.4, you can now perform some decent 802.11a/b/g

(and maybe 11n) wireless sniffing in Windows 7, using your standard wireless adapter. The filesaved from Netmon can be read by latest (1.5 and above) Wireshark, though not in OmniPeek. Itis important to note that Netmon is not supported by Microsoft anymore and will most often notwork properly on 11n and 11ac adapters (most frames missing).Netmon 3.4 is supported with XP SP3; however, it does not support wireless sniffing when runningXP. As to Vista, experience is mixed; a reliable source reports that wireless sniffing does work in64-bit Vista on a Macbook with BCM43xx 1.0 adapter.We have removed the Netmon detailed section of this document since it is deprecated and will notreliably capture 802.11ac frames.You can still view details at : tmon-3-4/ta-p/3115844Wireless Sniffing using Cisco Lightweight Access Point(LAP) in Sniffer modeIntroductionYou can use the Cisco WLC and LAPs in sniffer mode, in conjunction with a wired sniffer (bestresults with Wireshark. Omnipeek decrypts the protocol differently as of version 10).A single wired sniffer can collect packets from multiple APs, so this method is very useful to runmulti-channel traces. For static scenarios, if it’s possible to move the sniffer AP, this can be usedas an effective alternative to other sniffing options.For roaming scenarios, the sniffer APs are usually installed in the proximity of the APs the clientroams through, and this will report the “point of view” of the static APs rather than the client.In order to see the RF from the point of view of the client while roaming, a multi-channel wirelesstrace should be captured using a laptop with multiple Wireless NICs that will follow the test client.Configuration steps1) WLC / AP sideHere are the steps in order to collect a trace using a sniffer mode LAP Configure the AP in Sniffer mode:

The AP will reboot and it will not be able to serve clients. Once the AP has re-joined the WLC, configure the radio of the AP (802.11b/g/n or802.11a/n):specify the sniffer IP addressselect the channelenable sniffingThe sniffer will receive the 802.11 traffic encapsulated using the airopeek protocol, from theWLC management IP address with source port UDP/5555 and destination UDP/50002) Sniffer side: WiresharkIf using Wireskark to receive the traffic, follow the steps below:Set the capture options to receive only traffic coming from the sniffing AP. If you set the filteronly for port UDP 5000, you will miss IP fragments in the capture if the AP has to fragment thepacket (which will happen if it sniffed a 1500 bytes long frame to which it needs to addPEEKREMOTE encapsulation):This filter is optional but strongly recommended as it excludes all the non-wireless related trafficfrom the capture. Consider that the WLC sends traffic to a UDP port there’s no applicationlistening on the sniffer side; this results in having a ICMP port-unreachable response for eachpacket received from the WLC.

Although this is expected, the filter above helps to exclude also this traffic whic