
Version: SG-F2016

Harmit Jani 000386013 date: 11/23/2017

Use a protocol analyzer to determine the type of information contained in IEEE 802.11 beacons
Create a complex filter to only show beacons from a specific access point
Modify the Time column to better understand beacon frame behaviour
Analyze a previously created trace file with a protocol analyzer to extract information about a
specific Basic Service Set's configuration

Hardware/Software Requirements:
Access Point/Router (Professor only)
Special WLAN adapter: AirPcap
BeaconsLabTF.pcap trace file from this module on our eLearn page

You'll be working in row-based teams for this lab, so select one team member to fill in this lab
document with your findings and observations
Wireless Router/Access Point
o The Professor will power up at least one Router or Access Point with the following configuration:
Not connected to the distribution system (i.e. no cabled-based connection)
Network Name (SSID): The Professor will write this on the board
Channel Number: The Professor will write this on the board
WLAN MAC Address: The Professor will write this on the board
All other settings will be the default settings which means:
Network Mode: Mixed
Radio Band: Auto
SSID Broadcast: Enabled
Security Mode: Disabled
Beacon Interval: 100 milliseconds
AirPcap adapter
o As a team, pick a workstation in your row and connect the AirPcap adapter to a front-
facing USB port (if possible, as you want to see the LED)
o Unplug that workstation from the LAN
o Start Wireshark on the workstation you have just prepared
o Test capturing and displaying 802.11 frames:
From the View menu, ensure that the Wireless Toolbar option is checked
In the new Wireless Toolbar pick the 802.11 Channel of the Professor's router
Pick the AirPcap adapter from the list in the box in the Capture section
Click the green shark fin Start button to begin capturing frames
Hit the small red square Stop button to stop capturing frames
o The following lab procedures will be done within Wireshark, so ensure that all members
of the team are comfortable with what they're seeing!

Lab Procedure:
1. Select the WLAN adapter and capture frames for about 30 seconds then stop the capture.
Note: There will be a LOT of frames!
2. A large percentage of the frames will be beacon management frames but there will be many
other types of frames. In this step we want to only look at the beacon frames so we will set a
filter so that these are the only frames that will appear in the listing. Create an appropriate filter
following these steps:
1) Click on any one of the beacon frames with our SSID showing in the Info column; it
doesn't matter which one you choose
2) Expand the IEEE 802.11 Beacon Frame, Flags C section
3) Right click on Type/Subtype: Beacon frame (0x08) and select Apply as Filter / Selected
The Filter: box near the top of the screen should show wlan.fc.type_subtype == 0x08 and
now only beacon frames will be listed. NOTE: 0x08 is the hexadecimal identifier for a
beacon frame (1000 in binary). As with every WLAN frame type, each WLAN management
frame type has its own subtype identification number.
It's very likely that beacon frames associated with other SSIDs are visible. We can fix that!
Narrow the filter with the following:
1) Click on any one of the beacon frames with our SSID showing in the Info column; it
doesn't matter which one you choose
2) Expand the IEEE 802.11 Wireless LAN Management frame section
3) Expand the Tagged Parameters subsection
4) Right click on Tag: SSID Parameter set: XXXXX (XXXXX will be the SSID chosen by the
Professor) and select Apply as Filter / ... and Selected (make sure you pick ... and
Selected, not just Selected)
This filter now has two conditions: the first part indicates that only beacons are to be
displayed and the second part (after the &&) indicates that only frames with the
specified SSID are to be displayed!
3. If you look in the Source column you may see several different entries. One of those entries is
for beacons being transmitted by the access point that the Professor has activated. All other
entries in the Source column refer to beacons being transmitted by other access points within
In this step we will filter out all of these other beacons. Look for a Source entry whose last 6
hexadecimal numbers match the last 6 hexadecimal numbers that the Professor wrote on the
board for the access point's WLAN MAC address. If Wireshark knows the OUI (Organizationally
Unique Identifier) of the access point's manufacturer it will substitute an appropriate name in
the first part of the wireless MAC address (e.g. Cisco_Li_ which means Cisco Linksys).

Perform the following procedures to filter out all beacons except those from the access point
the Professor has activated:
1) Select any one of the beacon frames that has the matching MAC address we are looking
for in the Source field
2) If necessary, expand the IEEE 802.11 Beacon Frame, Flags C section
3) Right click on the Source address field (which should show the wireless MAC address
both with and without the OUI format) and select Apply as Filter / ... and Selected.
Now you should only see the beacons from the access point activated by the Professor.
The Filter: box now contains the following entry (the colon-separated parts WILL be different):
((wlan.fc.type_subtype == 0x08) && (frame[56:13] == 00:0b:4d:6f:68:61:77:6b:2d:57:69:46:69))
&& ( == f8:4f:57:85:13:d1)
So, now this filter has three conditions: the first part indicates that only beacons are to
be displayed, the second part specifies our SSID and the third part (after the second pair
of ampersands) indicates that only frames with the specified source address are to be
4. The default format for the Time column shows the number of seconds since the beginning of the
capture. Access points are configured to transmit beacons at very specific time intervals so we
will reconfigure the format of the Time column to show the number of seconds between
beacons. Modify the Time column format following these steps:
1) Select View / Time Display Format / Seconds Since Previous Captured Packet.
If you look at the Time column you should see that the time between listed beacon
frames is almost always around 100 milliseconds or an approximate multiple of this
value (e.g. 200, 300, 400, etc.). Of course, you'll recall that beacons are sent by an
Access Point (or WLAN Router) at a specified interval.
2) Clear the filter (click on the Clear button to the right of the Filter: box) that was created
in the previous step then look for beacons whose Time entry is a multiple of 100 ms
(.1s) and record here why your group thinks the Time interval is sometimes an
approximate multiple of 0.1 s:

ANS: - it is depending on the time taken by the AP's configuration and it is in the
multiple of 100 millisecond.

5. Next, explore the contents of a beacon frame and extract the information specified below.
Select one of our beacon frames (it doesn't matter which specific beacon frame) and explore
its fields to locate the following information:

Data Rate for the Beacon Transmission: 1.0 MB/s

Channel Frequency: 2422 BG 3

Channel Type (802.11a/b/g/n): 802.11b


SSI (Signal Strength dBm): -25 dbm

Antenna #: 0

Frame Type (Management, Control, Data): Management

Destination MAC Address: Broadcast

Source MAC Address (Access Point MAC): 00:1d:7e:ca:f0:6c

Beacon Interval: 0.102400 seconds

SSID: Wireless

Current Channel: 3

Supported Rates: 1(B), 2(B), 5.5(B) ,11(B), 18, 24, 36 ,54
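
The values recorded in step 5 come from the beacon's fixed parameters (timestamp, beacon interval, capabilities) and its tagged parameters (SSID, supported rates, current channel). The Python code below is an added example, not part of the original lab handout: it decodes a constructed beacon body whose SSID tag reuses the bytes shown in the step 3 filter, and the name parse_beacon_body is hypothetical.

```python
import struct

TU_SECONDS = 1024e-6  # one 802.11 Time Unit (TU) is 1024 microseconds

def parse_beacon_body(body: bytes) -> dict:
    """Decode a beacon frame body (the bytes after the 24-byte 802.11 MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body is shorter than its 12 fixed bytes")
    # Fixed parameters: 8-byte timestamp, 2-byte interval in TU, 2-byte capabilities.
    timestamp, interval_tu, capab = struct.unpack_from("<QHH", body, 0)
    info = {
        "timestamp_us": timestamp,
        "beacon_interval_s": round(interval_tu * TU_SECONDS, 6),
        "ess": bool(capab & 0x0001),      # set by an access point (infrastructure BSS)
        "ibss": bool(capab & 0x0002),     # set by a station in an ad hoc network
        "privacy": bool(capab & 0x0010),  # clear when Security Mode is Disabled
        "ssid": None,
        "channel": None,
        "rates": [],
    }
    pos = 12
    while pos + 2 <= len(body):           # tagged parameters: id, length, value
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                         # truncated capture, stop cleanly
        if tag == 0:                      # SSID parameter set
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag in (1, 50):              # supported / extended supported rates
            for r in value:               # units of 500 kb/s, top bit marks a basic rate
                info["rates"].append(f"{(r & 0x7F) / 2:g}" + ("(B)" if r & 0x80 else ""))
        elif tag == 3 and length == 1:    # DS parameter set: current channel
            info["channel"] = value[0]
        pos += 2 + length
    return info

# Constructed sample body. The SSID tag bytes are the ones in the step 3 filter.
SSID_TAG = bytes.fromhex("000b4d6f6861776b2d57694669")
RATES_TAG = bytes.fromhex("010882848b962430486c")
DS_TAG = bytes.fromhex("030103")
SAMPLE_BODY = struct.pack("<QHH", 123456789, 100, 0x0001) + SSID_TAG + RATES_TAG + DS_TAG

if __name__ == "__main__":
    for key, val in parse_beacon_body(SAMPLE_BODY).items():
        print(f"{key}: {val}")
```

A beacon interval field of 100 TU decodes to 0.1024 seconds, which is why Wireshark shows 0.102400 rather than exactly 0.1.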


Working with a pre-captured frame set

Next, we'll use the BeaconsLabTF.pcap file and examine a session your Professor recorded earlier. This
will help us see that the same information is visible regardless of what infrastructure is in use.

Close Wireshark and remove the AirPcap device from your Workstation
Reconnect the Workstation to the classroom LAN
Place the USB connector cap back onto the AirPcap module and return it to your Professor
Open the BeaconsLabTF.pcap file (located on the eLearn homepage) within a new instance of
Wireshark (or simply double-click the file and Wireshark will start and load it automatically)


1. Extract and record the following information from the BeaconsLabTF.pcap trace file.
Note: All of this information can be obtained from any beacon frame.

Data Rate for the Beacon Transmission: 1.0 Mb/s

Channel Frequency & Channel Number: 2462 [BG11]

Channel Type (802.11a/b/g/n): 802.11b

SSI (Signal Strength dBm): -32dbm

Noise Level (dBm): -97dbm

Destination MAC Address: broadcast

Source MAC Address (Access Point MAC): 00:1d:7e:ca:f0:8d

BSS Id: 00:1d:7e:ca:f0:8d

Beacon Interval: 0.153600 seconds

Does the transmitter belong to a BSS or IBSS? YES

SSID: Demo10021

Highest supported rate (Mbit/sec): 54

Frame Type (Management, Control, Data): Management

6. Create a display filter so only beacons from SSID Demo10021 are displayed then record the filter
in the space below:

(wlan_mgt.ssid == "Demo10021") && (wlan.fc.type_subtype == 0x08)

End of lab.
