THE UNIVERSITY OF THE WEST INDIES ST. AUGUSTINE, TRINIDAD & TOBAGO, WEST INDIES FACULTY OF ENGINEERING Department of Electrical & Computer Engineering BSc. in Electrical & Computer Engineering
ECNG 3002 Data Communication Systems
Wireshark Lab #1- 802.11
813001122 Ronald Ramsaroop
Course Lecturer: Dr. Tricia Ragoobar-Prescod
Date Performed: September 19, 2015 Date Submitted: October 2nd,2015
Wireshark Lab #1 802.11
Wireshark Lab Exercise #1 1.4.2.1 Beacon Frames The two access points issuing the majority of the beacon frames are: 1. 30 Munroe St 2. linksys_ses_24086
1.4.2.2a The beacon intervals for the access points linksys_ses_24086 and 30 Munroe St. are given in the respective beacon frames themselves. Both intervals are 102.4 milliseconds.
1.4.2.3 The source address on the beacon frame from 30 Munroe St. is: 00:16:b6:f7:1d:51
Figure 1: Source MAC address for beacon frame from 30 Munroe St.
1.4.2.4 The destination MAC address on the beacon frame from 30 Munroe St. is: ff: ff: ff: ff: ff: ff
Figure 2: Destination MAC address on beacon frame
2
Wireshark Lab #1 802.11
1.4.2.5 The MAC BSS Id on the beacon frame from 30 Munroe St. is: 00:16:b6:f7:1d:51
Figure 3: MAC BSS id on beacon frame
1.4.2.6 The four data rates supported by the 30 Munroe St. Access point are as follows: 1(B), 2(B), 5.5(B), 11(B). These rates are given in Mbit/sec. The eight additional "extended supported rates" are as follows: 6(B), 9, 12(B), 18, 24(B), 36, 48, 54. These rates are given in Mbit/sec. Both sets of rates are shown in the screenshot below.
Figure 4: Data rates supported by the beacon frame from access point 30 Munroe St.
1.4.3 Data Transfer
1.4.3.7
The 802.11 frame containing a SYN TCP segment for the first TCP session is shown highlighted in blue in the screenshot below. This TCP SYN segment was sent at 24.811093 seconds.
3
Wireshark Lab #1 802.11
Figure 5: TCP SYN segment
This segment is known to be the SYN TCP segment because the SYN flag has been set to 1, as shown in the screenshot below.
Figure 6: SYN flag set to 1 for a SYN TCP segment
1.4.3.7a The three MAC address fields are the BSSid, the source address and the destination address. These are the standard three addresses in an 802.11 frame.
1.4.3.7b The MAC address corresponding to the host is given by the source address (00:13:02:d1:b6:4f)
Figure 7: MAC address for wireless host
1.4.3.7c The MAC address corresponding to the access point is given by the BSSID: (00:16:b6:f7:1d:51)
Figure 8: MAC address for access point
4
Wireshark Lab #1 802.11
1.4.3.7d The MAC address corresponding to the first -hop router is given by the destination address (00:16:b6:f4:eb:a8)
Figure 9: MAC address corresponding to first-hop router
1.4.3.7e IP address of wireless host is as follows: 192.168.1.109.
1.4.3.7f Destination IP address is as follows: 128.199.245.12
1.4.3.7g The destination address corresponds to that of the server gaia.cs.umass.edu. This corresponds to the first-hop router (00:16:b6:f4:eb:a8).
1.4.3.8 The 802.11 frame with the SYNACK segment for this session was received at 24.827751 seconds into the trace. It is highlighted in blue in the screenshot below.
Figure 10: 802.11 frame containing SYNACK segment
1.4.3.8a The three MAC address fields are as follows: BSSid: 00:16:b6:f7:1d:51 Destination address: 91:2a:b0:49:b6:4f Source address: 00:16:b6:f4:eb:a8
5
Wireshark Lab #1 802.11
Figure 11: MAC address fields for the SYN ACK 802.11 frame
1.4.3.8b The MAC address corresponding to the host is given by the destination address: 91:2a:b0:49:b6:4f
1.4.3.8c The MAC address corresponding to the access point is given by the BSS id: 00:16:b6:f7:1d:51
1.4.3.8d The MAC address corresponding to the first-hop router is given by the source address: 00:16:b6:f4:eb:a8
1.4.3.8e No, the sender MAC address for this SYNACK frame is different to that of the SYN frame previously explored. The sender address of the frame is 128.119.245.12 (which was the destination address previously). The destination address is given by 192.168.1.109 (which was the source address previously)
6
Wireshark Lab #1 802.11
1.4.4 Association/Disassociation
1.4.4.9 The two frames sent by the host to end the association with 30 Munroe St. are 1. The DHCP release frame sent to the DHCP serve with address 192.168.1.1 (sent at 49.583615 s)
Figure 12: DHCP release frame
2. The Deauthentication frame sent at 49.609617.
Figure 13: Deauthentication frame
1.4.4.10 A disassociation request was expected to be seen.
1.4.4.11 The host sends three authentication frames to the AP links_ses_24806, starting from 49.638857. The remaining requests are shown in the screenshot below.
Figure 14: Authentication frame requests
1.4.4.12 The host wants that open access be given by the AP linkys_ses_24806.
7
Wireshark Lab #1 802.11
1.4.4.13 The host receives acknowledgement frames from linksys_ses_24806, but is not given authentication at any point in time. No authentication frame is sent from linksys_ses_24806 to the host.
1.4.4.14 The host sends an authentication frame to the AP 30 Munroe St. at 63.168087 seconds. An authentication reply is sent from the AP back to the host at 63.169071 seconds.
1.4.4.15 The associate request from the host to the AP 30 Munroe St. is sent at 63.169910. The corresponding associate reply is sent from the AP back to the host at 63.192101. Both of the aforementioned frames are shown in the screenshot below.
Figure 15: Association request and corresponding association response frame
1.4.4.16 The transmission rates are as follows: 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 32, 48 Mb/second. This set of rates is supported by both the host and the AP.
Figure 16: Transmission rates for both t he host and AP
8
Wireshark Lab #1 802.11
1.4.5 Other frame types
1.4.5.17a An example of a Probe Request/Response frames is shown in t he screenshot below.
Figure 17: Probe request and response frames
The sender, receiver and BSS id MAC addresses are as follows:
For the Probe Request Frame: Source or Sender Address:00:13:02:d1:b6:4f Destination or Receiver Address: ff:ff:ff:ff:ff:ff BSS id:ff:ff:ff:ff:ff:ff
Figure 18: Probe request frame MAC addresses
For the Probe Response Frame: Source or Sender Address:00:16:b6:f7:1d:51 Destination or Receiver Address: 00:13:02:d1:b6:4f BSS id: 00:16:b6:f7:1d:51
Figure 19: Probe response frame MAC addresses
1.4.5.17b
9
Wireshark Lab #1 802.11 Probe request frames are used in scanning an area to discover available networks. In the probe request frame, there are two particularly important pieces of information (SSID and supported rates). The AP receiving these probe requests then decides whether the host sending the probe request can join its network. The rates supported by the host should be compatible with the rates supported by the AP it wishes to connect to. The AP then sends a probe response frame back to the host if both host and AP are compatible. If a probe response is received, the host can then continue the process by sending an authentication request.
1.5 Summary and Conclusion
Summary This lab covered the topic of 802.11 wireless connection. It provided an opportunity for further research into the protocols involved within 802.11. It also aimed to enlighten the student on the different MAC specifications. A Packet Sniffer application (Wireshark) was used to detect the various frames sent and received by the host during activities that were very familiar to any WiFi user. These activities were downloading information from a webpage, disconnecting from a network, attempting to connect to another network (unsuccessfully), and reconnecting to the previous network.
Conclusion This lab exercise assisted me in understanding all the processes involved in using 802.11. The use of Wireshark for viewing the individual frames assisted in breaking up the process, and greatly improved my understanding of how a WiFi connection is accessed. Some initial diffi culty was faced in absorbing all of the information provided on 802.11, but this was overcome by personally browsing WebPages, connecting to networks,
downloading files, and then
inspecting the relevant packets on Wireshark.
10
Wireshark Lab #1 802.11
References
Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer (PHY) Specifications .
1999. Ebook. 1st ed. http://gaia.cs.umass.edu/wireshark-labs/802.11-1999.pdf.
Rfwireless-world.com,. 2015. 'WLAN Probe Request Frame | Probe Response Frame'. http://www.rfwireless-world.com/Terminology/WLAN-probe-request-and-responseframe.html.
Technet.microsoft.com,. 2015. 'What Is DHCP?'. https://technet.microsoft.com/enus/library/dd145320(v=ws.10).aspx.
Wi-fiplanet.com,. 2002. 'Understanding 802.11 Frame Types'. http://www.wifiplanet.com/tutorials/article.php/1447501.
11