Wednesday, January 11, 2017

How to use the wireless packet analyzing tool Omnipeek


1.    Starting Packet capture

a.     Configuring filter

1)      Open the filter window by clicking View > Filters


2)      Click the Insert button

3)      Make a filter to capture the traffic from or to your PC




b.     Create new capture

1)      Go to File and click


2)      Choose the channel number of your SSID, or choose scan mode if you want to scan multiple channels.

[ one channel monitoring ]

[multiple channel scan]


3)      Choose the filter you created in a-3 (optional).

You can filter the traffic while you are capturing, or you can capture all the traffic over the air first and filter it later with a basic or customized filter.

4)      Click the OK button.
5)      Click the Start Capture button.
6)      Connect to the SSID you are testing.
7)      Click the Stop button.



2.    802.11 MAC frame format


There are three IEEE 802.11 MAC frame types: management, control, and data frames. Together these frame types provide the means for carrying data between 802.11 stations.

a.     Frame structure.


The 802.11 standard specifies an overall MAC frame (MPDU – MAC Protocol Data Unit) format, as shown in the figure below. This frame structure is found in all frames that stations send, regardless of frame type. Not all parts of the frame are used by all frame types, but the overall frame structure remains the same across all frames.


  1. Frame control field
     The subfields of the frame control field are listed below.
     1. Protocol version
     2. Type
     3. Sub type
     4. To DS
     5. From DS
     6. More fragments
     7. Retry
     8. Power mgmt
     9. More data
     10. Protected frame field
     11. Order field
  2. Duration
     The duration/ID field is 16 bits in length. It alternately contains duration information for updating the NAV or a short ID, called the association identifier (AID), used by a power save station to retrieve frames that are buffered for it at the access point.
  3. Address field
     Address fields contain different types of 48-bit MAC addresses, depending on the type of frame being sent. These address types may include the basic service set identification (BSSID), source address, destination address, transmitting station address, and receiving station address.
  4. Sequence control field
     The sequence control field is a 16-bit field comprising two subfields: a 4-bit fragment number and a 12-bit sequence number. As a whole, this field is used by a receiving station to eliminate duplicate received frames and to reassemble fragments. Figure 5.28 shows the positioning of the Sequence Control field in the MPDU.
  5. Frame body
     This field has a variable length and carries information that pertains to the specific frame being sent. The maximum MSDU length is 2304 bytes when encryption is not in use.
  6. FCS
     The MAC layer at the transmitting station calculates a 32-bit frame check sequence (FCS) using a cyclic redundancy code (CRC) over all the fields of the MAC header and the frame body and places the result in this field.

3.    Authentication & Association Process


a.     Authentication


Authentication is the first of two steps required to connect to an 802.11 network. Both authentication and association must occur, in that order, before an 802.11 client can pass traffic through the access point to another device on the network.

Authentication is a process that is often misunderstood. When many people think of authentication, they think of what is commonly referred to as network authentication: entering a username and password in order to get access to the network. But 802.11 authentication is different from the common concept of network authentication. When an 802.3 device needs to communicate with other devices, the first step is to plug the Ethernet cable into the wall jack. Once the cable is plugged in, the client has a physical link to the wired switch and can start transmitting frames. When an 802.11 device needs to communicate, it must first authenticate with the access point, or with the other stations if it is configured for Ad-Hoc mode. This authentication is not much more of a task than plugging the Ethernet cable into the wall jack: 802.11 authentication merely establishes an initial connection between the client and the access point.


1) In the first step, the client station sends an authentication frame to the access point. (Frame 763)
2) The access point then replies to the client station with an ACK. (Frame 764)
3) The access point then sends an authentication frame to the client station, confirming the authentication. (Frame 765)
4) The client station then replies to the access point with an ACK. (Frame 766)


[Figure 3-1]


b.     Association


After the station has authenticated with the access point, the next step is for it to associate with the access point. When a client station associates, it becomes a member of a basic service set (BSS). Association means that the client station can send data through the access point and on to the distribution system medium. Association occurs after the station and the access point have exchanged four frames, as described in the following list. Figure 3-2 shows a packet capture of the four frames exchanged between the client and the access point:

1) In the first step, the station sends an association request frame to the access point. (Frame 774)
2) The access point then replies to the client station with an ACK. (Frame 775)
3) The access point now sends an association response frame to the station. (Frame 777)
4) The client station then replies to the access point with an ACK. (Frame 778)

[Figure 3-2]


The 802.11 station keeps two variables for tracking the authentication state and the association state. The states that are tracked are as follows:
  • Authentication state, unauthenticated or authenticated
  • Association state, unassociated or associated
    [Figure 3-3]

4.    Management Frame


There is a basic filter you can use to see only management frames, or only a certain type of frame (e.g. Beacon).



a.     Beacon frame


An access point (or mobile station in an Ad Hoc network) periodically sends a beacon frame at a rate based on a Beacon Period parameter in the MIB. The beacon provides synchronization among stations of a BSS, and includes a timestamp that all stations within its BSS use to update what 802.11 defines as a timing synchronization function (TSF) timer.


[Figure callouts: Destination is Broadcast; Supported data rate; SSID]

b.     Association request frame


A station will send an Association Request frame to an access point if it wants to associate with that access point. This frame exchange sequence ends successfully with an acknowledgement. A station becomes associated with an access point after the access point responds with an acceptance.


[Figure callouts: Supported data rate; SSID]

c.      Association response frame


After an access point receives an Association Request frame and acknowledges it, the access point will send an Association Response frame to indicate whether or not it is accepting the association with the requesting station. This second frame exchange sequence ends successfully with an acknowledgment. The Association Response frame provides the status (acceptance or rejection) and an AID (if the association was accepted).


[Figure callout: Supported data rate]




d.     Probe request frame


A station sends a Probe Request frame to obtain information from another station or access point. For example, a station may send a Probe Request frame to determine whether a certain access point is available. Mobile stations use Probe Request frames as part of the active scanning process.


[Figure callout: supported data rate of station]


e.     Probe response frame


If a station or access point receives a Probe Request frame, it will respond to the requesting station with a Probe Response frame containing specific parameters about itself. All access points, and the station which last generated the beacon frame (if operating as an IBSS), can respond to probe requests with Probe Response frames.



[Figure callouts: supported data rate; SSID information; Channel information; rf-domain information]

5.    Control Frame


a.     Request-to-Send (RTS) and Clear-to-Send (CTS) Frame


RTS/CTS is a method of reserving the medium. The transmitting node announces its intent to transmit data by sending an RTS. The receiving station repeats the transmitting station's announcement by sending a CTS. Then the data frame is sent and, hopefully, an ACK reply is returned.


[Figure 5-1]




Figure 5-2 shows the order of the RTS/CTS, Data, and ACK frames. The station that is transmitting the data sends the RTS and Data frames. The station that is receiving the data sends the CTS and the ACK frames. Any station that did not hear the RTS should hear the CTS. When a station hears either the RTS or the CTS, it sets its NAV to the value provided. At this point, all stations in the basic service set should have their NAV set and should wait until the data exchange is complete.


[Figure 5-2]





The RTS frame is a 20-byte frame used to reserve the medium. The Duration field, measured in microseconds, in an RTS frame is the amount of time the medium should be reserved to encompass a Clear-to-Send (CTS) frame, a data frame, an ACK frame, and three short interframe space (SIFS) intervals. In the correct order, this calculation would be SIFS-CTS-SIFS-DATA-SIFS-ACK.


[Figure callout: Duration of RTS = SIFS+CTS+SIFS+DATA+SIFS+ACK]


After receiving an RTS, a station sends a 14-byte CTS frame back to the originating station. The CTS frame's duration field tells the stations in its immediate area to set their NAV to a value equal to SIFS+DATA+SIFS+ACK.



[Figure callout: Duration of CTS = SIFS+DATA+SIFS+ACK]


b.     Ack frame


A station receiving an error-free directed data or directed management frame must send a 14-byte ACK frame to the transmitting station to acknowledge successful reception.






6.    Other Useful Documentation


a.     Omnipeek getting started guide



b.     Omnipeek user guide


