The main purpose of the document is to give an understanding of the 802.11 packet structure and how to analyze wireless packet captures. Wireless packet captures are an important part of troubleshooting complex wireless connectivity issues. This document can be a good tool to reference if you have acquired wireless packet captures and need to analyze them.
Several characteristics of wireless communication make wireless packet captures different from wired ones: the ever-evolving 802.11 wireless protocol, wireless signal interference, and the continuous sniffing of wireless packets in your radio environment. This document discusses the analysis of wireless packets and the challenges in analyzing them, with the help of packet capture examples.
There are different wireless card modes, such as managed, ad-hoc, master, and monitor, for obtaining a packet capture. Monitor mode is the most important mode for our purpose, as it can be used to capture all traffic between a wireless client and an AP. A client running Wireshark in monitor mode listens to all packets it can hear in the air, and the device stops transmitting and receiving its own data.
For more information on how to take monitor mode packet captures, please refer to Capturing Wireless Traffic from a Client Machine.
The main difference between wired and wireless packets is the addition of an 802.11 header. There are three major 802.11 frame types.
This monitor mode packet capture contains a client that has successfully connected to the AP. It can be used as a reference for the subtopics below when analyzing the wireless packets.
Unlike wired packet analysis, the wireless physical layer is more complex. It is important to get an understanding of the physical layer of the capture before diving into the capture to analyze the upper layers. Some important physical layer values you need to be aware of are channel, data rate, and signal strength.
| Signal strength | Expected quality |
| --- | --- |
| -90 dBm | Chances of connecting are very low at this level |
| -80 dBm | Unreliable signal strength |
| -67 dBm | Reliable signal strength, the edge of what Cisco considers to be adequate to support Voice over WLAN |
| -55 dBm | Anything down to this level can be considered excellent signal strength |
| -30 dBm | Maximum signal strength; you are probably standing right next to the access point |
Based on 802.11 specifications, the client authentication process consists of the following:
Here is an example of a complete client authentication process from the above packet capture.
The packet capture is shown here in Wireshark. The display filter used was "wlan.addr == 00:21:6b:f7:3a:d2 and (wlan.fc.type == 0x00 or eapol)"
As mentioned above in the 802.11 packet structure section, there are three types of frames used in 802.11 MAC layer communications over the air to manage and control the wireless link: management, control, and data frames. The sections below investigate those frames with the help of the packet capture given above.
The beacon frame is one of the most information-dense wireless packets. The access point sends a beacon frame as a broadcast to announce its presence to any wireless clients. It relays information about the parameters that must be set on the client side in order to connect to it. Radio NICs continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point has the best signal and availability to associate with.
The Wireshark display filter for beacon packets is "wlan.fc.type_subtype == 0x08"
SSID parameter set: The SSID (network name) broadcasted by the access point
Supported rates: The data transfer rates supported by the access point
DS parameter set: The channel on which the access point is broadcasting
802.11 management frames enable stations to establish and maintain communications. Management packets are used for authentication, association, and synchronization.
The Wireshark display filter for management packets is "wlan.fc.type == 0"
The wireless client begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame as a response indicating acceptance (or rejection). Authentication is handled by a request/response exchange of management packets. The number of packets exchanged depends on the authentication method employed.
The Wireshark display filter for authentication packets is "wlan.fc.type_subtype == 0x0b"
Association frames are also request/response type frames. The association process enables the access point to allocate resources for and synchronize with the wireless client. These frames carry information about the NIC of wireless clients (e.g., supported data rates) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating with the client. If accepted, it reserves memory space, establishes an association ID, and sends an association response back to the client.
The Wireshark display filter for association request frames is "wlan.fc.type_subtype == 0x00" and for association response frames is "wlan.fc.type_subtype == 0x01"
The reassociation request frame is similar to an association request but has a different purpose. It is mainly useful in client roaming situations. If a client roams away from the currently associated access point and finds another access point with a stronger beacon signal, the client will send a reassociation frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be in the buffer of the previous access point, waiting for transmission to the radio NIC. The sender must already be authenticated in order to gain a successful association.
The RTS/CTS function is optional and reduces the frame collisions that occur when hidden stations are associated with the same access point. An ACK is sent from one station to another after it receives a data frame and finds no errors in it. If the sending station does not receive an ACK, it retransmits the frame.
The Wireshark display filter for control frames is "wlan.fc.type == 1"
Data frames come later in the communication process, when the WLAN communication has already been established between client and AP. In the packet capture, observe the contents of the frame body within 802.11 data frames for interesting/relevant traffic.
The Wireshark display filter for data frames is "wlan.fc.type_subtype == 0x20"
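As an added example that is not code from the original article, the following Python decodes the Frame Control field of raw 802.11 MAC headers and reproduces the wlan.fc.type_subtype value and the frame names used by the filters above; the sample frames and the AP address are constructed, and the client address is the one from the display filter earlier in this document.

```python
import struct

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype; names as used in this article.
SUBTYPE_NAMES = {0x00: "Association Request", 0x01: "Association Response",
                 0x02: "Reassociation Request", 0x04: "Probe Request", 0x05: "Probe Response",
                 0x08: "Beacon", 0x0a: "Disassociation", 0x0b: "Authentication",
                 0x0c: "Deauthentication", 0x1b: "RTS", 0x1c: "CTS", 0x1d: "ACK",
                 0x20: "Data", 0x28: "QoS Data"}
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}

def parse_frame_control(frame: bytes) -> dict:
    """Decode the 2-byte little-endian Frame Control field of an 802.11 MAC header."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    type_subtype = (ftype << 4) | subtype
    info = {"type": ftype, "type_name": TYPE_NAMES.get(ftype, "Reserved"),
            "type_subtype": type_subtype, "name": SUBTYPE_NAMES.get(type_subtype, "Other"),
            "retry": bool(fc & 0x0800),        # bit 11: resent because no ACK arrived
            "protected": bool(fc & 0x4000),    # bit 14: frame body is encrypted
            "addrs": []}
    # Management and data frames carry Addr1..Addr3 right after Frame Control + Duration.
    if ftype in (0, 2) and len(frame) >= 22:
        info["addrs"] = [frame[i:i + 6].hex(":") for i in (4, 10, 16)]
    return info

def select(frames, addr=None, ftype=None):
    """Mimic 'wlan.addr == addr and wlan.fc.type == ftype'; return names of matching frames."""
    out = []
    for p in map(parse_frame_control, frames):
        if (addr is None or addr in p["addrs"]) and (ftype is None or p["type"] == ftype):
            out.append(p["name"])
    return out

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def header(fc0: int, a1: str, a2: str, a3: str) -> bytes:
    """Constructed 24-byte header: Frame Control, Duration, Addr1-3, Sequence Control."""
    return bytes([fc0, 0x00, 0x00, 0x00]) + mac(a1) + mac(a2) + mac(a3) + b"\x00\x00"

CLIENT = "00:21:6b:f7:3a:d2"   # client address used in the article's display filter
AP = "02:00:00:00:aa:01"       # constructed BSSID
FRAMES = {                     # constructed sample frames (MAC headers only, no body)
    "beacon": header(0x80, "ff:ff:ff:ff:ff:ff", AP, AP),
    "auth": header(0xb0, AP, CLIENT, AP),
    "deauth": header(0xc0, CLIENT, AP, AP),
    "data": header(0x08, AP, CLIENT, AP),
    "ack": bytes([0xd4, 0x00, 0x00, 0x00]) + mac(CLIENT),   # control frame: only RA follows
}
```

select(list(FRAMES.values()), addr=CLIENT, ftype=0) reproduces the management-frame half of the display filter used for the client authentication capture above; note that plain "wlan.fc.type_subtype == 0x20" does not match QoS data (0x28), so "wlan.fc.type == 2" is the broader data-frame filter.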
Use this link to download an example packet capture file that can be referenced for subtopics like deauthentication, disassociation, and failed WPA Authentication.
A deauthentication frame is an announcement sent by one station to another when it wishes to terminate secure communications. Deauthentication frames can be sent for multiple reasons in order to end a connection. If an AP receives any frame other than an authentication or probe request from a mobile station that is not authenticated, it responds with a deauthentication frame, placing the mobile station into an unauthenticated and unassociated state. Deauthentication frames are also used by Meraki access points as part of the process for containing rogue access points when using the Air Marshal feature.
The Wireshark display filter for deauthentication frames is "wlan.fc.type_subtype == 0x0C"
Disassociation frames are sent to terminate the connection. For example, a wireless client that is shut down normally can send a disassociation frame to alert the access point that the NIC is powering off. The access point can then relinquish memory allocations and remove the radio NIC from the association table. Disassociation is a simple declaration from either an access point or a device.
The Wireshark display filter for disassociation packets is "wlan.fc.type_subtype == 0x0a"
EAPOL stands for Extensible Authentication Protocol (EAP) over LAN; in this context it refers to the 4-way handshake. The 4-way handshake is used on SSIDs configured for PSK (WPA-Personal) or 802.1X (WPA2-Enterprise). It is a process of exchanging four packets between an access point and a wireless client, and it is responsible for generating the encryption keys used to encrypt data over the wireless medium. The key exchange happens after a client is authenticated and associated. After the key exchange completes, the control frames take over.
The Wireshark display filter for 4-way handshakes is "eapol"
The WPA handshake consists of the WPA challenge and response, as shown in the screenshot below. There are two challenge/response pairs, and each challenge can be matched with its response by the Replay Counter field under the 802.1X Authentication header. After the WPA handshake is completed and authentication is successful, data begins transferring between the wireless client and the access point.
In this case, the challenge text the client sends back to the AP is incorrect. As a result, the sequence is repeated. Once the handshake process has been attempted and failed four times, the communication is aborted.
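As an added example that is not part of the original article, the following Python labels EAPOL-Key frames as handshake messages 1 to 4 from their Key Information flags and pairs them by Replay Counter, so that a repeated message 1/2 exchange like the failed handshake above stands out from a completed one; the frames, the RSN IE and the zeroed nonce and MIC fields are constructed, and with a real capture the 802.1X payload of each EAPOL data frame would be fed in instead.

```python
import struct
KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 0x0040, 0x0080, 0x0100, 0x0200  # Key Information bits

def parse_eapol_key(pkt: bytes) -> dict:
    """Parse the fixed fields of an EAPOL-Key frame and label it as handshake message 1..4."""
    if pkt[1] != 3:                               # EAPOL packet type 3 = EAPOL-Key
        raise ValueError("not an EAPOL-Key packet")
    desc, key_info, key_len, replay = struct.unpack_from("!BHHQ", pkt, 4)
    key_data_len, = struct.unpack_from("!H", pkt, 97)
    ack, mic, install = key_info & KEY_ACK, key_info & KEY_MIC, key_info & KEY_INSTALL
    if ack and not mic:
        msg = 1
    elif ack and mic and install:
        msg = 3
    elif mic and (key_info & KEY_SECURE or key_data_len == 0):
        msg = 4                                   # same distinction Wireshark draws for M2 vs M4
    else:
        msg = 2                                   # MIC set and carries the client's RSN IE
    return {"message": msg, "replay_counter": replay, "key_info": key_info,
            "nonce": pkt[17:49], "mic": pkt[81:97]}

def track_handshakes(msgs):
    """Group messages into attempts: M1/M2 share a Replay Counter, M3/M4 use the next one (assumes no M1/M3 retransmits)."""
    attempts, cur = [], None
    for m in msgs:
        n, rc = m["message"], m["replay_counter"]
        if n == 1:                                # every M1 opens a new attempt
            if cur is not None:
                attempts.append(cur)
            cur = {"start": rc, "seen": [1]}
        elif cur is not None and ((n == 2 and rc == cur["start"]) or
                                  (n in (3, 4) and rc == cur["start"] + 1)):
            cur["seen"].append(n)
    if cur is not None:
        attempts.append(cur)
    for a in attempts:
        a["complete"] = a["seen"] == [1, 2, 3, 4]
    return attempts

def build(key_info: int, replay: int, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key frame; nonce, IV, RSC, Key ID and MIC are zero placeholders."""
    body = (struct.pack("!BHHQ", 2, key_info, 16, replay) + bytes(32 + 16 + 8 + 8 + 16)
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 1, 3, len(body)) + body

M1, M2, M3, M4 = 0x008a, 0x010a, 0x13ca, 0x030a       # typical Key Information values
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed RSN IE
SUCCESS = [build(M1, 1), build(M2, 1, RSN_IE), build(M3, 2, RSN_IE), build(M4, 2)]
# Failed WPA authentication as in the capture above: the AP never accepts the client's M2, so
# M1/M2 repeat with a fresh Replay Counter; after the fourth attempt the exchange is abandoned.
FAILED = [f for rc in range(1, 5) for f in (build(M1, rc), build(M2, rc, RSN_IE))]
```

track_handshakes(map(parse_eapol_key, FAILED)) returns four incomplete attempts that each stop at message 2, which is the pattern to look for when the "eapol" filter shows far more than four frames for one client.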
If permitted, it is recommended to troubleshoot WLAN problems in the RF environment using open authentication, in order to reduce potential connection issues. A test SSID can be created for troubleshooting purposes, since this approach surfaces RF connectivity issues, which can then be corrected before moving on to stronger encryption and the higher layers of the OSI model.
NOTE: For more information about decrypting 802.11 traffic in Wireshark, please refer to this link.
Filtering wireless packets is different from using wired filters in Wireshark. Below are some examples of wlan filters.
Probe request
Probe response