Analyzing WLAN

(1)

Analyzing WLAN

In this exercise you will learn to use a frame analyzer in a 802.11b WLAN. We use a Cisco Aironet 350 Access Point and mostly WLAN adapters from Cisco and D-Link. We also use the Airopeek WLAN Analyzer for frame analyses.

Part I - WLAN 802.11b Analyses Examples

Protocol Overview

Physical layer 802.11b MAC-Layer Beacon frame Authentication Association Probe Request Data frames

PROTOCOL OVERVIEW

This is the protocol layer architecture use in 802.11 Wireless LAN.

1) DATA FRAMING

DATA

MAC DATA FCS

PLCP MAC DATA FCS

(2)

The DATA frame from upper layers (Transport Layer and above) is encapsulated in MAC Layer 802.11.

Additional to the MAC framing the Physical Layer adds so named Physical Layer Convergence Protocol information.

2) MAC CONTROL FRAMING

MAC FCS

PLCP MAC FCS

The MAC Layer needs to do a lot of management and control activities. Several frame types with additional information are defined for these actions.

PHYSICAL LAYER

The Physical Layer of the WLAN 802.11b has also a lot of options which are influence and are managed in the MAC layer. We talkt about the Physical Layer Convergence Protocol (PLCP).

TYPE 1: LONG PLCP PREABMLE

3) Permit negotiation of transmission rates for each session 4) PLCP Frame format:

5) SYNC: Gain setting, energy detection, antenna selection, frequency offset compensation, 128 Bits long

6) SFD: Start Frame Delimiter 7) SIGNAL: 0x0A 1 mbps

0x14 2 mbps(Values in 100 kb/s quantities) 0x37 5,5 mbps

0x6E 11 mbps

8) SERVICE: indicated PSDU coding (CCK or PBCC, see next page) MPDU: MAC Protocol Data Unit, this is the rest of the frame

LENGTH: time in µsec it will take to transmit the PSDU

TYPE 2: SHORT PLCP PREAMBLE

(3)

9) SYNC: Gain setting, energy detection, antenna selection, frequency offset compensation, 56 Bits long

SERVICE

CHANNEL AGILITY (OPTIONAL) 10) Allows hopping through a set of channels

11) Two sets of channels are defined, depends on the country where it is used.

MAC FRAME HEADER

FRAME CONTROL

DLC: Frame Control Field #1 = 08

DLC: .... ..00 = 0x0 Protocol Version DLC: .... 10.. = 0x2 Data Frame

DLC: 0000 .... = 0x0 Data (Subtype) DLC: Frame Control Field #2 = 01

DLC: .... ...1 = To Distribution System

DLC: .... ..0. = Not from Distribution System DLC: .... .0.. = Last fragment

DLC: .... 0... = Not retry DLC: ...0 .... = Active Mode

(4)

DLC: ..0. .... = No more data

DLC: .0.. .... = Wired Equivalent Privacy is off DLC: 0... .... = Not ordered

DURATION ID

DLC: Duration = 117 (in microseconds)

ADDRESS 1

DLC: Basic Service Set ID = Station Airont584FEC

ADDRESS 2

DLC: Source Address = Station 0009B7F1171F

ADDRESS 3

DLC: Destination Address = Station Airont584FEC

SEQUENCE CONTROL

DLC: Sequence Control = 0x1E60 DLC: ...Sequence Number = 0x1E6 (486) DLC: ...Fragment Number = 0x0 (0)

(5)

12) The frame type is Data Frame.

13) This is he MAC header of a frame who is sent from the WLAN out to the Network (Distribution System DS). In This case, Address 1 holds the SSID which is the MAC address of the Access point.

14) Each frame that is sent has an unique identifier. It is important for retransmission.

BEACON FRAME

MAC HEADER

DLC: Signal level = 33 % DLC: Channel = 7

DLC: Data rate = 2 ( 1.0 Megabits per sec.) DLC:

DLC: .... ..00 = 0x0 Protocol Version DLC: .... 00.. = 0x0 Management Frame DLC: 1000 .... = 0x8 Beacon (Subtype) DLC: Frame Control Field #2 = 00

DLC: .... ...0 = Not to Distribution System DLC: .... ..0. = Not from Distribution System DLC: .... .0.. = Last fragment

DLC: .... 0... = Not retry DLC: ...0 .... = Active Mode DLC: ..0. .... = No more data

DLC: .0.. .... = Wired Equivalent Privacy is off DLC: 0... .... = Not ordered

DLC: Duration = 0 (in microseconds) DLC: Destination Address = BROADCAST FFFFFFFFFFFF, DLC: Source Address = Station Airont584FEC DLC: Basic Service Set ID = Airont584FEC

DLC: Sequence Control = 0x4CE0

DLC: ...Sequence Number = 0x4CE (1230) DLC: ...Fragment Number = 0x0 (0)

TIMESTAMP

DLC: Timestamp = 1991075533288 (in ms)

BEACON INTERVAL

DLC: Beacon Interval = 100

CAPABILITY INFORMATON

DLC: Capability information field #1 = 21

DLC: .... ...1 = Extended Service Set is on DLC: .... ..0. = Independent Basic Service Set

is off

DLC: .... 00.. = No point coordinator at AP DLC: ...0 .... = No privacy

DLC: ..1. .... = Short Preamble option is allwd DLC: .0.. .... = Packet Binary Convolutional Coding Modulation mode option is not allowed DLC: 0... .... = Channel agility is not in use DLC: Capability information field #2 = 00

DLC: 0000 0000 = Reserved

SSID

DLC: Element ID = 0 (Service Set Identifier) DLC: ...Length = 9 octet(s)

DLC: ...Service Set Identity = "vhbWLAN21"

SUPPORTED RATES

(6)

DLC: Element ID = 1 (Supported Rates) DLC: ...Length = 4 octet(s)

DLC: ...Supported Rates information field = 82

DLC: 1... .... = Basic Service Set Basic

Rate

DLC: .000 0010 = 1.0 Megabits per second DLC: ...Supported Rates information field = 84

Rate

DLC: .000 0100 = 2.0 Megabits per second DLC: ...Supported Rates information field = 8B

Rate

DLC: .001 0110 = 11.0 Megabits per second

DS PARAMETER SET

DLC: Element ID = 3 (Direct Sequence Parameter set DLC: ...Length = 1 octet(s)

DLC: ...dot11CurrentChannelNumber = 7

TIM PARAMETER SET

DLC: Element ID = 5 (Traffic Indication Map) DLC: ...Length = 4 octet(s)

DLC: ...Delivery Traffic Indication Message Count = 1 DLC: ...Delivery Traffic Indication Message Period = 2 DLC: ...Bitmap control field = 00

DLC: .... ...0 = Traffic Indicator bit DLC: 0000 000. = 0 Bitmap offset

DLC: ...Partial Virtual Bitmap = 00

EXTENSION

DLC: Element ID = 133 (Unknown Information Field) DLC: ...Length = 30 octet(s)

DLC: ...[30 byte(s) of Unknown Information Field]

15) The Beacon frame is sent in fixed time intervals, usually 100 ms. It is needed to synchronize the clocks of the participants in the WLAN.

16) It also contains the name of the SSID in clear text.

17) The analyzer adds information about the signal strength and the used channel. It is not part of the MAC header specification.

AUTHENTICATION

There are two authentication systems possible:

• Open System Authentication (no check !!!)

• Shared Key Authentication Authentication Frames:

Authentication Request When a station wants to enter a BSS it sends an Authenticarion Request frame to the Access Point.

Authentication response The Accesss Point sends back an answer to the

authentication request.

(7)

Deauthentication This ends a current authentication in a BSS or IBSS

THE AUTENTICATION REQUEST IN DETAIL

MAC HEADER

DLC: Frame Control Field #1 = B0

DLC: .... ..00 = 0x0 Protocol Version DLC: .... 00.. = 0x0 Management Frame

DLC: 1011 .... = 0xB Authentication (Subtype)

• • •

AUTHENTICATION ALGORITHM NUMBER

DLC: Authentication algorithm number = 0 (Open System)

AUTHENTICATION TRANSACTION SEQUENCE NUMBER

DLC: Authentication transaction sequence number = 1

STATUS CODE

DLC: Status code = 0 (Reserved)

THE AUTENTICATION RESPONSE IN DETAIL

MAC HEADER

DLC: Frame Control Field #1 = B0

DLC: 1011 .... = 0xB Authentication (Subtype)

• • •

AUTHENTICATION ALGORITHM NUMBER

DLC: Authentication algorithm number = 0 (Open System)

AUTHENTICATION TRANSACTION SEQUENCE NUMBER

DLC: Authentication transaction sequence number = 2

STATUS CODE

DLC: Status code = 0 (Successful)

This is a frame used in an open system. No additional authentication information is used to join the WLAN (very insecure).

ASSOCIATION

THE ASSOCIATION REQUEST IN DETAIL

MAC HEADER

DLC: 0000 .... = 0x0 Association request (Subtype)

• • • CAPABILITY INFORMATION

(8)

DLC: .... ...1 = Extended Service Set is on DLC: .... ..0. = Independ Basic Service Set off DLC: .... 00.. = STA is not Cont. Free Pollable DLC: ...0 .... = No privacy

DLC: ..1. .... = Short Preamble option is

implemented

DLC: .0.. .... = Packet Binary Convolutional Coding Modulation mode option is not implemented DLC: 0... .... = Channel agility is not in use DLC: Capability information field #2 = 00

LISTEN INTERVAL

DLC: Listen interval = 200

SSID

DLC: ...Service Set Identity = "room1b611"

SUPPORTED RATES

DLC: 0... .... = Not Basic Service Set

Basic Rate

DLC: 0... .... = Not Basic Service Set

Basic Rate

DLC: 0... .... = Not Basic Service Set Basic Rate

DLC: 0... .... = Not B. S. S. Basic Rate DLC: .001 0110 = 11.0 Megabits per second

THE ASSOCIATION RESPONSE IN DETAIL

MAC HEADER

DLC: 0001 .... = 0x1 Association response (Subtype) DLC: Frame Control Field #2 = 00

• • • CAPABILITY INFORMATION

DLC: .... ...1 = Extended Service Set is on DLC: .... ..0. = Indepen. Basic Service Set off DLC: .... 00.. = No point coordinator at AP DLC: ...0 .... = No privacy

DLC: ..1. .... = Short Preamble option is

allowed

DLC: .0.. .... = Packet Binary Convolutional Coding Modulation mode option is not allowed DLC: 0... .... = Channel agility is not in use

(9)

Status Code

DLC: Status code = 0 (Successful)

AID

DLC: Association ID = 29

SUPPORTED RATES

Rate

18) After a host was authenticated, it can associate into a WLAN (ESS or BSS).

19) When a station is mobile and is leaving the area on one WLAN it can be Re-associated into the next WLAN without loosing data connection on higher protocol layers.

PROBE REQUEST

The Probe Request frame is sent, when a node wants to know immediately which Access Points are in reach. It can ask for any AP or for a specific one, depending on the SSID information. This method is used in Roaming environment.

THE PROBE REQUEST IN DETAIL

MAC HEADER

DLC: 0100 .... = 0x4 Probe request (Subtype)

• • • SSID

DLC: ...Service Set Identity = Broadcast Service Set Identity

SUPPORTED RATES

(10)

THE PROBE RESPONSE IN DETAIL

MAC HEADER

DLC: 0101 .... = 0x5 Probe response (Subtype)

• • • TIMESTAMP

DLC: Timestamp = 3754509374

BEACON INTERVAL

DLC: Beacon Interval = 100

CAPABILITY INFORMATION

DLC: .... ...1 = Extended Service Set is on

DLC: .... ..0. = Independent Basic Service Set is off DLC: .... 00.. = No point coordinator at Access Point

DLC: ...0 .... = No privacy

DLC: ..1. .... = Short Preamble option is allowed DLC: .0.. .... = Packet Binary Convolutional Coding

Modulation mode option is not allowed

DLC: 0... .... = Channel agility is not in use DLC: Capability information field #2 = 00

SSID

DLC: ...Service Set Identity = "rfhpci167"

SUPPORTED RATES

DLC: 1... .... = Basic Service Set Basic Rate DLC: .000 0010 = 1.0 Megabits per second DLC: ...Supported Rates information field = 84

DLC: 1... .... = Basic Service Set Basic Rate DLC: .000 0100 = 2.0 Megabits per second DLC: ...Supported Rates information field = 8B

• • •

The Probe Response is similar to a Beacon Frame.

(11)

DATA FRAME

A Data frame in detail MAC Header

Frame Control: 0x0208 (Normal) Version: 0

Type: Data frame (2) Subtype: 0

Flags: 0x2

DS status: Frame is exiting DS (To DS: 0 From DS: 1) (0x02) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up

..0. .... = More Data: No data buffered .0.. .... = WEP flag: WEP is disabled

0... .... = Order flag: Not strictly ordered Duration: 117

Destination address: 00:0d:88:c0:a6:61 BSS Id: 00:40:96:58:4f:ec

Source address: 00:0d:56:d3:8d:87 Fragment number: 0

Sequence number: 1190

LLC

Logical-Link Control DSAP: SNAP (0xaa) IG Bit: Individual SSAP: SNAP (0xaa) CR Bit: Command

Control field: U, func=UI (0x03)

000. 00.. = Command: Unnumbered Information (0x00) .... ..11 = Frame type: Unnumbered frame (0x03) Organization Code: Encapsulated Ethernet (0x000000) Type: IP (0x0800)

Higher Layers

Internet Protocol, SrcAddr: 192.168.20.100, Dst Addr:

192.168.20.159 Internet Control Message Protocol

Part II - Analyzing Live Frames

Introduction

Starting the Analyzer

Setup the probe to scan all channels Scanning all channels

Capturing specific nodes Printing Frames

Further exercises Questioner

(12)

INTRODUCTION

.

192.168.20.159 Analyzer Interface

Ethernet Interface 192.168.20.100

VHB23 is your exercise computer to which you are connected via the Windows Remote Console Interface.

The WLAN interface of the exercise computer is used for the Analyzer. It can not be used for networking access when the analyzer is started.

The exercise computer also has an Ethernet interface which is connected to the Ethernet interface of the Access Point AP 350. Through this interface, frames can be sent to the vhbWLAN21. The Access Point will forward them to the WLAN.

You have two possible WLAN clients: VHB12 and an Access Point which is connected to the Ethernet within the same IP subnet. VHB12 is another Windows computer with WLAN access.

Do not use the measurement to get unauthorized access to our virtual labor or our entire computer environment. Do not spy other systems and/or users.

STARTING THE ANALYZER

This exercise shows how to analyze frames in an 802.11b Wireless LAN.

vhbWLAN21 192.168.20.0

PC vhb12 PC vhb12

PC vhb23 WLAN

Cisco

AP 350

192.168. 20.20

(13)

20) Double click on the AiroPeek icon on the desktop of the exercise computer to start the analyzer.

21) Open the CAPTURE menu and select START CAPTURE. With the following windows you can setup the probe for measurement.

SETUP THE PROBE TO SCAN ALL CHANNELS

In the first measurement we want to scan all channels and see if there is activity. This mode is

not sinful when specific nodes or specific traffic should be analyzed.

(14)

22) Click on ADAPTER and continue setup.

(15)

23) Select the WIRELESS NETWORK CONNECTION and click on 802.11.

(16)

24) Select SCAN and click on EDIT SCANNING OPTIONS. The following window

will be displayed.

(17)

25) Select all channels (or the channels you want to spy) and click OK.

The selected channels cannot capture in parallel because the WLAN adapter has only one receiver unit. Instead the channels will be captured one after the other, each one for some seconds.

26) Click on FILTERS and check that no filter options are selected.

27) Click OK to leave the Capture Options.

SCANNING ALL CHANNELS

After the Capture Options are closed, the Capture window appears on the screen (see

following picture).

(18)

28) Click on START CAPTURE.

29) In the last line of the window you can open several registers. Each offers different information about the live captured data.

30) Fist click on PACKETS. It shows all single packets the analyzer has captured. When

you click on one of them, a new window comes up showing a detailed frame analysis

of the selected frame (We will do that later).

(19)

31) Open the NODES register. Here you can see a list sorted with WLAN (SSID and ESSID) and hosts associated to that WLAN. You get also the important information at which RF channel the WLAN operates. The Signal information can give you a hint how far the Access Points and Hosts are away from the analyzer.

32) Open the PROTOCOL register. It gives an overview of the used protocols.

(20)

33) Open the SUMMARY register. There is no more to say.

34) Open the CHANNELS register. You can see that each channel is captured for a short

time and then the next channel is selected. That is the reason why you can not follow

up a specific transmission all over the time when you use the scan mode.

(21)

35) Open the SIGNAL register. It shows the signal quality of each captured channel. This Diagram is a good help to decide at which channel a WLAN should operate. If you can find free channels take the one with the most distance to the other ones. If you can not find any free channel, take the one with the lowest signal strength.

36) Open the CONVERSATIONS register. It gives information about conversations that

take place in the WLAN.

(22)

37) Click on STOP CAPTURE and continue with the next exercise.

CAPTURING SPECIFIC NODES

Now we want to capture the traffic of a specific node. First we have to start the capture and make some settings in the Capture Options.

38) Start the capture again. Do not store any data if you are asked.

39) The Adapter is the same like last time.

40) Open the 802.11 register and select channel NUMBER 7. This is the channel, at which vhbWLAN21 is operating.

41) Click on EDIT KEY SETS… The following window is opened where you can

specify the WEP keys.

(23)

42) Click in INSERT. The next dialog box is opened.

(24)

(25)

43) Enter vhbWLAN21 as the name for the key.

44) Select 128-BIT SHARED KEY.

45) Enter the following WEP key. Use copy and paste to insert it because it will not work, when you make any mistyping.

WEP Key: 00491009418332000130900000

46) Click on OK and go back to the 802.11 register

47) Check that the WEP key is set.

48) Open the FILTERS register.

(26)

49) Select AA-VHB23 filter

50) Click OK to close the Capture Options.

51) Click on START CAPTURE.

52) Open the COMMAND PROMPT and enter: PING 192.168.20.159

(27)

53) You will see Ping packets sent from the exercise system (192.168.20.100) to the host vhb12 (192.168.20.159).

54) Click on one frame to view the details.

PRINTING FRAMES

You can store the results of your measurement on a local file at the exercise system and can

get the file to your local computer using copy and paste.

(28)

55) Select the frames that you want to store on a file.

56) Open the FILE menu and select SAVE SELECTED PACKETS.

57) Enter the path and file name to store the packets. Use TXT file format to store them as text.

58) Open an Editor on your local system and also open the stored file on the exercise system with an editor.

59) Select the contents of the file on the exercise system, use copy and paste and store it on a local file on your system.

FURTHER EXERCISES

Please do the following exercises now!

Capture only BEACON frames from any access point. Try to capture also one from vhbWLAN21.

Hint: take a good matching filter from the Capture Options.

Capture HTTP traffic. Open the web browser and enter the URL:

http://192.168.20.159/wlan.

Hint: choose a filter that accepts only traffic from and to AA-VHB23.

Remove the WEP key in the Capture Options and capture the same HTTP traffic again. How much of the frame can you interpret?

Capture only BEACON frames again without any WEP key. Is there any difference

from the first capture?

(29)