
Analysis of 802.11 Frames


kali

Presentation Transcript


  1. Analysis of 802.11 Frames Sniffed

  2. 802.11 Frames • In this presentation, 802.11 frames are explained using actual traffic captured • The frames are explained at field level

  3. Management Frame Authentication

  4. Frame AUTHENTICATION No. Time Source Destination Protocol Info 123 20.023071 Cisco-Li_47:91:6a IntelCor_54:9b:07 IEEE 802.11 Authentication, SN=44, FN=0, Flags=........Frame 123 (168 bytes on wire, 168 bytes captured) IEEE 802.11 Authentication, Flags: ........ Type/Subtype: Authentication (0x0b) Frame Control: 0x00B0 (Normal) Version: 0 Type: Management frame (0) Subtype: 11 Flags: 0x0 .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up ..0. .... = More Data: No data buffered .0.. .... = Protected flag: Data is not protected 0... .... = Order flag: Not strictly ordered Duration: 314 Destination address: IntelCor_54:9b:07 (00:21:5c:54:9b:07) Source address: Cisco-Li_47:91:6a (00:16:b6:47:91:6a) BSS Id: Cisco-Li_47:91:6a (00:16:b6:47:91:6a) Fragment number: 0 Sequence number: 44 IEEE 802.11 wireless LAN management frame Fixed parameters (6 bytes) Authentication Algorithm: Shared key (1) Authentication SEQ: 0x0002 Status code: Successful (0x0000) Tagged parameters (138 bytes) Challenge text Tag Number: 16 (Challenge text) Tag length: 128 Tag interpretation: Challenge text: C73FFDB3646E8AA9B62698C212926AAD6BA1F1718D69B0C0... Vendor Specific: Broadcom Tag Number: 221 (Vendor Specific) Tag length: 6 Vendor: Broadcom Tag interpretation: Not interpreted

  5. Frame AUTHENTICATION
     Authentication frames are classified as Management frames since their function is to coordinate the functioning of the access
     IEEE 802.11 Authentication, Flags: ........ Type/Subtype: Authentication (0x0b) Frame Control: 0x00B0 (Normal) Version: 0 Type: Management frame (0) Subtype: 11

  6. Frame AUTHENTICATION
     Flags: 0x0
       .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
       .... .0.. = More Fragments: This is the last fragment
       .... 0... = Retry: Frame is not being retransmitted
       ...0 .... = PWR MGT: STA will stay up
       ..0. .... = More Data: No data buffered
       .0.. .... = Protected flag: Data is not protected
       0... .... = Order flag: Not strictly ordered
     An ad-hoc network is an Independent Basic Service Set (IBSS) made up of just client stations (STAs). This is not the case here, since there is an access point. 802.11 access points act as portal devices to a Distribution System (DS), which is the wired 802.3 Ethernet.

  7. Frame AUTHENTICATION
     Flags: 0x0
       .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
       .... .0.. = More Fragments: This is the last fragment
       .... 0... = Retry: Frame is not being retransmitted
       ...0 .... = PWR MGT: STA will stay up
       ..0. .... = More Data: No data buffered
       .0.. .... = Protected flag: Data is not protected
       0... .... = Order flag: Not strictly ordered
     Fragments of a frame would have the More Fragments flag activated. The last fragment has the flag down. The flag is also down if there is no fragmentation at all. The client station (STA) will not go dormant to save power. There is no data stored or buffered, and none is protected. There is no strict ordering.

  8. Frame AUTHENTICATION
     Duration: 314
     Duration is set to 314 microseconds.
     • Destination address: (a client STA) Intel (00:21:5c:54:9b:07)
     • Source address: (an AP) Cisco (00:16:b6:47:91:6a)
     • BSS ID: (MAC of the AP) Cisco (00:16:b6:47:91:6a)
     This transaction is between a wireless laptop (STA) and an Access Point (AP). The AP is not relaying this frame to any other device. That makes sense, as authentication is between STA and AP.
     Fragment number: 0
     Sequence number: 44
     0 means that there is no frame fragmentation. There is only one frame for this message. The sequence number identifies this frame.

  9. Frame AUTHENTICATION
     The STA should authenticate with a Shared Key with the AP.
     IEEE 802.11 wireless LAN management frame
       Fixed parameters (6 bytes)
         Authentication Algorithm: Shared key (1)
         Authentication SEQ: 0x0002
         Status code: Successful (0x0000)
       Tagged parameters (138 bytes)
         Challenge text
           Tag Number: 16 (Challenge text)
           Tag length: 128
           Tag interpretation: Challenge text: C73FFDB3646E8AA9B62698C212926AAD6BA1F1718D69B0C0...
         Vendor Specific: Broadcom
           Tag Number: 221 (Vendor Specific)
           Tag length: 6
           Vendor: Broadcom
           Tag interpretation: Not interpreted
     The AP challenges the client to resolve the crypto-message. The client would resolve the crypto-challenge if it has the same shared key and the algorithm. Otherwise, it cannot continue with the authentication.
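The header fields walked through on the Authentication slides, and on the Acknowledgement and Data slides later in the deck, can be decoded from raw bytes as shown here. This is an added example, not part of the original presentation: the byte strings are constructed from the field values the slides show, and `parse_frame` and the sample names are hypothetical.

```python
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
FLAG_NAMES = ["To DS", "From DS", "More Fragments", "Retry",
              "PWR MGT", "More Data", "Protected", "Order"]
# Meaning of Address 1..3 in a three-address header, keyed by (To DS, From DS).
ADDR_ROLES = {
    (0, 0): ("destination", "source", "bssid"),
    (1, 0): ("bssid", "source", "destination"),
    (0, 1): ("destination", "bssid", "source"),
}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode an 802.11 MAC header captured without radiotap header or FCS."""
    if len(frame) < 10:
        raise ValueError("shorter than the 10-byte ACK, the smallest frame here")
    # Frame Control is little-endian on the wire: b0 00 is shown as 0x00B0.
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    out = {
        "frame_control": fc,
        "version": fc & 0x3,
        "type": TYPE_NAMES.get(ftype, "Reserved"),
        "type_subtype": (ftype << 4) | subtype,  # Wireshark's combined value
        "flags": [n for i, n in enumerate(FLAG_NAMES) if (flags >> i) & 1],
        "duration": duration,
    }
    if ftype == 1:
        # Control frames are short; an ACK carries only the receiver address.
        out["receiver"] = mac(frame[4:10])
        return out
    roles = ADDR_ROLES.get((flags & 1, (flags >> 1) & 1))
    if roles is None:
        raise ValueError("four-address (WDS) frames are not handled here")
    if len(frame) < 24:
        raise ValueError("truncated three-address header")
    for i, role in enumerate(roles):
        out[role] = mac(frame[4 + 6 * i:10 + 6 * i])
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    out["fragment"], out["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    # QoS data subtypes carry two extra header bytes before the body.
    body = frame[24 + (2 if ftype == 2 and subtype & 0x8 else 0):]
    if flags & 0x40:
        if len(body) >= 4:
            out["iv"] = int.from_bytes(body[:3], "big")
            out["key_index"] = body[3] >> 6
            out["ext_iv"] = bool(body[3] & 0x20)  # clear for WEP, set for TKIP/CCMP
    elif ftype == 0 and subtype == 11 and len(body) >= 6:
        alg, seq, status = struct.unpack_from("<HHH", body, 0)
        out["auth"] = {"algorithm": alg, "seq": seq, "status": status}
    return out


# Constructed from the slide values (not the captured bytes themselves).
AUTH = bytes.fromhex(   # frame 123: duration 314, SN=44, shared key, seq 2
    "b000 3a01 00215c549b07 0016b647916a 0016b647916a c002 0100 0200 0000")
ACK = bytes.fromhex("d400 0000 00215c549b07")          # frame 124
DATA = bytes.fromhex(   # data frame: To DS, Protected, SN=191, IV 0x001ee3
    "0841 2c00 0016b647916a 001f3a41be09 0016b6479168 f00b 001ee3 00")

if __name__ == "__main__":
    for name, raw in (("AUTH", AUTH), ("ACK", ACK), ("DATA", DATA)):
        print(name, parse_frame(raw))
```

A cleared `ext_iv` bit on a Protected data frame is what distinguishes WEP from TKIP or CCMP, which matches the "WEP parameters" the dissector shows for the data frame.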

  10. Management Frame Acknowledgement

  11. Acknowledgement • All Unicast data frames need to be ACKed Frame Control Duration 0 MAC Address Sender of original data frame Sequence Number Checksum

  12. Frame Acknowledgement Source Destination Protocol Info IntelCor_54:9b:07 (RA) IEEE 802.11 Acknowledgement, Flags=........Frame 124 (10 bytes on wire, 10 bytes captured) Frame Number: 124 IEEE 802.11 Acknowledgement, Flags: ........ Type/Subtype: Acknowledgement (0x1d) Frame Control: 0x00D4 (Normal) Version: 0 Type: Control frame (1) Subtype: 13 Flags: 0x0 .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up ..0. .... = More Data: No data buffered .0.. .... = Protected flag: Data is not protected 0... .... = Order flag: Not strictly ordered Duration: 0 Receiver address: IntelCor_54:9b:07 (00:21:5c:54:9b:07)

  13. Frame Acknowledgement
      IEEE 802.11 Acknowledgement, Flags: ........
        Type/Subtype: Acknowledgement (0x1d)
        Frame Control: 0x00D4 (Normal)
          Version: 0
          Type: Control frame (1)
          Subtype: 13
          Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
        Duration: 0
        Receiver address: Intel (00:21:5c:54:9b:07)
      To DS / From DS means “if there is translation between wireless 802.11 and wired interface 802.3”. ACKs are of fixed size. The only MAC address present in an ACK frame is the destination address. There is no need for a Source Address, since who else could be sending the ACK but the AP?

  14. Management Frame Beacon

  15. Management Type Sub-type Beacon
      • Beacons announce the existence of an 802.11 BSS at regular intervals
      • All stations must listen to beacons
      • Ad-hoc networks (IBSS) send beacons as well
      • In a WLAN (EBSSS) only the AP sends beacons
      • In short, client stations learn the wireless network profile from beacons
      • Among other things the beacon announces:
        • AP capabilities
        • BSSID
        • Support for data bit rate
        • Support for encoding DSSS or OFDM

  16. Management Frames
      • Information elements are inside the payload in fixed fields
      Frame layout (field: size):
        Frame Control: 2 Bytes
        Duration ID: 2 Bytes
        Address 1: 6 Bytes
        Address 2: 6 Bytes
        Address 3: 6 Bytes
        Sequence Control: 2 Bytes
        Body: 2,312 Bytes
        FCS
      Body carries: Authentication data, Beacon, Association, etc.

  17. Beacon Announces • SSID or logical name • Timestamp: for synchronization • Spread spectrum parameter set: FHSS, DSS, ERP, OFDM • Channel information: Channel being used by AP • Data rates: basic and supported rates • Traffic indication map TIM • QoS • Security capabilities

  18. Frame Beacon IEEE 802.11 Beacon frame, Flags: ........ Type/Subtype: Beacon frame (0x08) Frame Control: 0x0080 (Normal) Version: 0 Type: Management frame (0) Subtype: 8 Flags: 0x0 .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up ..0. .... = More Data: No data buffered .0.. .... = Protected flag: Data is not protected 0... .... = Order flag: Not strictly ordered Duration: 0 • Power management bit • Battery conservation mode (or not) • Buffering (or not) of data by Access Point • More Data bit • Data is (or not) buffered by AP • AP sends data to stations that awake • (Yes) Meaning: more data to come, do not go to sleep again • Protected data bit • The L2 frame is (or not) protected by security (WEP)

  19. Frame Beacon
      Destination address: Broadcast (ff:ff:ff:ff:ff:ff) (everybody listens to this frame)
      Source address: Cisco (00:16:b6:47:91:6a) (it is sent by the access point, AP)
      BSSID: Cisco (00:16:b6:47:91:6a)
      Fragment number: 0 (there are no fragments)
      Sequence number: 2731 (identification of the frame)

  20. Frame (continuation) Beacon
      Sequence number: 2731
      IEEE 802.11 wireless LAN management frame
        Fixed parameters (12 bytes)
          Timestamp: 0x0000004A58FD5183
          Beacon Interval: 0.102400 [Seconds]
          Capability Information: 0x0411
            .... .... .... ...1 = ESS capabilities: Transmitter is an AP
            .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
            .... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x0000)
            .... .... ...1 .... = Privacy: AP/STA can support WEP
            .... .... ..0. .... = Short Preamble: Short preamble not allowed
            .... .... .0.. .... = PBCC: PBCC modulation not allowed
            .... .... 0... .... = Channel Agility: Channel agility not in use
            .... ...0 .... .... = Spectrum Management: dot11SpectrumManagementRequired FALSE
            .... .1.. .... .... = Short Slot Time: Short slot time in use
            .... 0... .... .... = Automatic Power Save Delivery: apsd not implemented
            ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed
            .0.. .... .... .... = Delayed Block Ack: delayed block ack not implemented
            0... .... .... .... = Immediate Block Ack: immediate block ack not implemented
      The timestamp is for synchronization. Extended Service Set is possible. Basic Service Set: an AP with clients. Both AP and clients support WEP privacy. It is using short slot time.

  21. Frame (continuation) Beacon
      The SSID is Caracas and it is being advertised by the AP.
      Tagged parameters (48 bytes)
        SSID parameter set
          Tag Number: 0 (SSID parameter set)
          Tag length: 7
          Tag interpretation: Caracas: "Caracas"
        Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) 18.0 24.0 36.0 54.0
          Tag Number: 1 (Supported Rates)
          Tag length: 8
          Tag interpretation: Supported rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) 18.0 24.0 36.0 54.0 [Mbit/sec]
        DS Parameter set: Current Channel: 4
          Tag Number: 3 (DS Parameter set)
          Tag length: 1
          Tag interpretation: Current Channel: 4
      Supported Data Bit Rates (Mbps): the supported DBR are 1 Mbps, 2 Mbps, 5.5 Mbps, 11 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, and 54 Mbps. The channel being used is 4.

  22. Frame (continuation) Beacon
      Traffic Indication Map (TIM): DTIM 0 of 1 bitmap empty
        Tag Number: 5 (Traffic Indication Map (TIM))
        TIM length: 4
        DTIM count: 0
        DTIM period: 1
        Bitmap Control: 0x00 (mcast:0, bitmap offset 0)
      • Some stations running on batteries need to save power
      • So they “sleep” when they are not transmitting
      • Access Points can store (buffer) frames for stations in sleeping mode
      • From time to time, APs advertise Beacon DTIM frames
      • DTIM frames explain which stations have buffered data waiting for delivery

  23. Frame (continuation) Beacon Traffic Indication Map (TIM): DTIM 0 of 1 bitmap empty Tag Number: 5 (Traffic Indication Map (TIM)) TIM length: 4 DTIM count: 0 DTIM period: 1 Bitmap Control: 0x00 (mcast:0, bitmap offset 0) ERP Information: no Non-ERP STAs, do not use protection, long preambles Tag Number: 42 (ERP Information) Tag length: 1 Tag interpretation: ERP info: 0x4 (no Non-ERP STAs, do not use protection, long preambles) ERP Information: no Non-ERP STAs, do not use protection, long preambles Tag Number: 47 (ERP Information) Tag length: 1 Tag interpretation: ERP info: 0x4 (no Non-ERP STAs, do not use protection, long preambles) Extended Supported Rates: 6.0 9.0 12.0 48.0 Tag Number: 50 (Extended Supported Rates) Tag length: 4 Tag interpretation: Supported rates: 6.0 9.0 12.0 48.0 [Mbit/sec] Vendor Specific: Broadcom Tag Number: 221 (Vendor Specific) Tag length: 6 Vendor: Broadcom Tag interpretation: Not interpreted

  24. (analysis of previous slide)
      • 802.11g defines the Extended Rate Physical Layer (ERP)
      • If a device that is not pure 802.11g (such as 802.11b) is present, then backward compatibility is required
      • In that case, the network line speed must go down
      • That means going into protection mode to ensure the older devices can participate
      • If no non-ERP device is present, there is no need for protection mode. That is the case in the data shown here:
      ERP Information: no Non-ERP STAs, do not use protection, long preambles
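An added example, not part of the original presentation: parsing the beacon body from the Beacon slides with bounds-checked tagged parameters and deriving the security mode the AP advertises. The body is constructed from the slide values; the three bytes after the Broadcom OUI are placeholders because the slides do not show them, and all function names are hypothetical.

```python
import struct

WPA_OUI_TYPE = bytes.fromhex("0050f201")  # vendor element that marks WPA


def iter_elements(buf: bytes):
    """Yield (tag, value); refuse an element whose length overruns the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError(f"dangling byte at offset {off}")
        tag, length = buf[off], buf[off + 1]
        end = off + 2 + length
        if end > len(buf):
            raise ValueError(f"tag {tag} claims {length} bytes past the end")
        yield tag, buf[off + 2:end]
        off = end


def printable(raw: bytes) -> str:
    """Escape control bytes, as in the 32-byte SSID of the broadcast probe."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in raw)


def parse_beacon_body(body: bytes) -> dict:
    if len(body) < 12:
        raise ValueError("fixed parameters need 12 bytes")
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    info = {
        "timestamp": timestamp,
        "interval_tu": interval_tu,
        "interval_s": interval_tu * 1024 / 1e6,  # one time unit = 1024 us
        "ess": bool(cap & 0x0001),
        "ibss": bool(cap & 0x0002),
        "privacy": bool(cap & 0x0010),
        "short_slot": bool(cap & 0x0400),
        "rates": [],   # (Mbit/s, is_basic) from tags 1 and 50
        "tags": [],
    }
    rsn = wpa = False
    for tag, value in iter_elements(body[12:]):
        info["tags"].append(tag)
        if tag == 0:
            if len(value) > 32:
                raise ValueError("SSID longer than 32 bytes")
            info["ssid"] = printable(value)
        elif tag in (1, 50):
            info["rates"] += [((b & 0x7F) / 2, bool(b & 0x80)) for b in value]
        elif tag == 3 and len(value) == 1:
            info["channel"] = value[0]
        elif tag == 48:
            rsn = True
        elif tag == 221 and value[:4] == WPA_OUI_TYPE:
            wpa = True
    # Privacy set with neither an RSN element nor a WPA element means WEP.
    if not info["privacy"]:
        info["security"] = "open"
    elif rsn:
        info["security"] = "RSN"
    elif wpa:
        info["security"] = "WPA"
    else:
        info["security"] = "WEP"
    return info


def element(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


# Constructed from the slide values (timestamp, 100 TU interval, 0x0411).
BEACON_BODY = struct.pack("<QHH", 0x0000004A58FD5183, 100, 0x0411) + b"".join([
    element(0, b"Caracas"),
    element(1, bytes.fromhex("82848b962430486c")),   # 1(B) 2(B) 5.5(B) 11(B) 18 24 36 54
    element(3, b"\x04"),                              # channel 4
    element(5, bytes.fromhex("00010000")),            # TIM: DTIM 0 of 1
    element(42, b"\x04"),
    element(47, b"\x04"),
    element(50, bytes.fromhex("0c121860")),           # 6 9 12 48
    element(221, bytes.fromhex("001018") + bytes(3)), # Broadcom OUI + placeholders
])

if __name__ == "__main__":
    print(parse_beacon_body(BEACON_BODY))
```

For the beacon on the slides the result is `security == "WEP"`, which is the condition a wireless audit would flag.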

  25. Data DATA

  26. Frame Data No. Time Source Destination Protocol Info 2 0.154614 HonHaiPr_41:be:09 Cisco-Li_47:91:68 IEEE 802.11 Data, SN=191, FN=0, Flags=.p.....T Frame 2 (1165 bytes on wire, 1165 bytes captured) [Protocols in frame: wlan:data] IEEE 802.11 Data, Flags: .p.....T Type/Subtype: Data (0x20) Frame Control: 0x4108 (Normal) Version: 0 Type: Data frame (2) Subtype: 0 Flags: 0x41 .... ..01 = DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x01) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up ..0. .... = More Data: No data buffered .1.. .... = Protected flag: Data is protected 0... .... = Order flag: Not strictly ordered Duration: 44 BSS Id: Cisco-Li_47:91:6a (00:16:b6:47:91:6a) Source address: HonHaiPr_41:be:09 (00:1f:3a:41:be:09) Destination address: Cisco-Li_47:91:68 (00:16:b6:47:91:68) Fragment number: 0 Sequence number: 191 WEP parameters Initialization Vector: 0x001ee3 Key Index: 0 WEP ICV: 0x645da245 (not verified) Data (1133 bytes)

  27. Frame Data IEEE 802.11 Data, Flags: .p.....T Type/Subtype: Data (0x20) Frame Control: 0x4108 (Normal) Version: 0 Type: Data frame (2) Subtype: 0 Flags: 0x41 .... ..01 = DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x01) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up ..0. .... = More Data: No data buffered .1.. .... = Protected flag: Data is protected 0... .... = Order flag: Not strictly ordered

  28. Frame Data
      Data is being sent by the STA computer, destined to the access point (AP).
      BSSID: Cisco (00:16:b6:47:91:6a)
      Source address: HonHaiPr (00:1f:3a:41:be:09)
      Destination address: Cisco (00:16:b6:47:91:68)
      Fragment number: 0
      Sequence number: 191
      WEP parameters
        Initialization Vector: 0x001ee3 (Initialisation Vector for WEP)
        Key Index: 0
        WEP ICV: 0x645da245 (not verified)
      Data (1133 bytes)

  29. Management Frame De-authentication

  30. Frame DEAUTHENTICATION
      Type/Subtype: Deauthentication (0x0c)
      Frame Control: 0x00C0 (Normal)
        Version: 0
        Type: Management frame (0)
        Subtype: 12
        Flags: 0x0
          .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
          .... .0.. = More Fragments: This is the last fragment
          .... 0... = Retry: Frame is not being retransmitted
          ...0 .... = PWR MGT: STA will stay up
          ..0. .... = More Data: No data buffered
          .0.. .... = Protected flag: Data is not protected
          0... .... = Order flag: Not strictly ordered
      Duration: 314
      Destination address: Cisco-Li_47:91:6a (00:16:b6:47:91:6a)
      Source address: IntelCor_54:9b:07 (00:21:5c:54:9b:07)
      BSS ID: Cisco-Li_47:91:6a (00:16:b6:47:91:6a)
      Fragment number: 0
      Sequence number: 2244
      IEEE 802.11 wireless LAN management frame
        Fixed parameters (2 bytes)
          Reason code: Previous authentication no longer valid (0x0002)
      Destination address and BSSID are the same MAC, so DEAUTHENTICATION goes directly to the AP.

  31. Management Frame Probe Request

  32. Frame PROBE REQUEST
      IEEE 802.11 Probe Request, Flags: ........
        Type/Subtype: Probe Request (0x04)
        Frame Control: 0x0040 (Normal)
          Version: 0
          Type: Management frame (0)
          Subtype: 4
          Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
        Duration: 314
        Destination address: Cisco-Li_47:91:6a (00:16:b6:47:91:6a)
        Source address: IntelCor_54:9b:07 (00:21:5c:54:9b:07)
        BSS Id: Cisco-Li_47:91:6a (00:16:b6:47:91:6a)
        Fragment number: 0
        Sequence number: 2243
      Destination address and BSSID are the same MAC. The Probe was sent from my laptop to the AP to query the capabilities of the AP.

  33. Frame PROBE REQUEST IEEE 802.11 wireless LAN management frame Tagged parameters (54 bytes) SSID parameter set Tag Number: 0 (SSID parameter set) Tag length: 7 Tag interpretation: Caracas: "Caracas" Supported Rates: 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbps Tag Number: 1 (Supported Rates) Tag length: 8 Tag interpretation: Supported rates: 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbps Extended Supported Rates: 24.0 36.0 48.0 54.0 60.0 Tag Number: 50 (Extended Supported Rates) Tag length: 5 Tag interpretation: Supported rates: 24.0 36.0 48.0 54.0 60.0 Mbps Standard rates Standard rates Extended rates

  34. Frame PROBE REQUEST HT Capabilities (802.11n D1.10) Tag Number: 45 (HT Capabilities (802.11n D1.10)) Tag length: 26 HT Capabilities Info: 0x083c .... .... .... ...0 = HT LDPC coding capability: Transmitter does not support receiving LDPC coded packets .... .... .... ..0. = HT Support channel width: Transmitter only supports 20MHz operation .... .... .... 11.. = HT SM Power Save: SM Power Save disabled (0x0003) .... .... ...1 .... = HT Green Field: Transmitter is able to receive PPDUs with Green Field (GF) preamble .... .... ..1. .... = HT Short GI for 20MHz: Supported .... .... .0.. .... = HT Short GI for 40MHz: Not supported .... .... 0... .... = HT Tx STBC: Not supported .... ..00 .... .... = HT Rx STBC: No Rx STBC support (0x0000) .... .0.. .... .... = HT Delayed Block ACK: Transmitter does not support HT-Delayed BlockAck .... 1... .... .... = HT Max A-MSDU length: 7935 bytes ...0 .... .... .... = HT DSSS/CCK mode in 40MHz: Won't/Can't use of DSSS/CCK in 40 MHz ..0. .... .... .... = HT PSMP Support: Won't/Can't support PSMP operation .0.. .... .... .... = HT Forty MHz Intolerant: Use of 40 MHz transmissions unrestricted/allowed 0... .... .... .... = HT L-SIG TXOP Protection support: Not supported

  35. Frame PROBE REQUEST .... ..11 = Maximum Rx A-MPDU Length: 65535 [Bytes] ...1 01.. = MPDU Density: 4 [usec] (0x05) 000. .... = Reserved: 0x00 Rx Supported Modulation and Coding Scheme Set: MCS Set Tag interpretation: Rx Modulation and Coding Scheme (One bit per modulation) .... .... .... .... .... .... 1111 1111 = Rx Bitmask Bits 0-7: 0x000000ff .... .... .... .... 1111 1111 .... .... = Rx Bitmask Bits 8-15: 0x000000ff .... .... 0000 0000 .... .... .... .... = Rx Bitmask Bits 16-23: 0x00000000 0000 0000 .... .... .... .... .... .... = Rx Bitmask Bits 24-31: 0x00000000 .... .... .... .... .... .... .... ...0 = Rx Bitmask Bit 32: 0x00000000 .... .... .... .... .... .... .000 000. = Rx Bitmask Bits 33-38: 0x00000000 .... .... ...0 0000 0000 0000 0... .... = Rx Bitmask Bits 39-52: 0x00000000 ...0 0000 0000 0000 0000 0000 000. .... = Rx Bitmask Bits 53-76: 0x00000000 Highest Supported Data Rate: 0x0090 .... .... .... ...1 = Tx Supported MCS Set: Defined .... .... .... ..0. = Tx and Rx MCS Set: Equal .... .... .... 00.. = Tx Maximum Number of Spatial Streams Supported: 1 spatial stream (0x0000) .... .... ...0 .... = Unequal Modulation: Not supported HT Extended Capabilities: 0x0000 .... .... .... ...0 = Transmitter supports PCO: Not supported .... .... .... .00. = Time needed to transition between 20MHz and 40MHz: No Transition (0x0000) .... ..00 .... .... = MCS Feedback capability: STA does not provide MCS feedback (0x0000) .... .0.. .... .... = High Throughput: Not supported .... 0... .... .... = Reverse Direction Responder: Not supported

  36. Frame PROBE REQUEST .... Transmit Beam Forming (TxBF) Capabilities: 0x0000 .... .... .... .... .... .... .... ...0 = Transmit Beamforming: Not supported .... .... .... .... .... .... .... ..0. = Receive Staggered Sounding: Not supported .... .... .... .... .... .... .... .0.. = Transmit Staggered Sounding: Not supported .... .... .... .... .... .... .... 0... = Receive Null Data packet (NDP): Not supported .... .... .... .... .... .... ...0 .... = Transmit Null Data packet (NDP): Not supported .... .... .... .... .... .... ..0. .... = Implicit TxBF capable: Not supported .... .... .... .... .... .... 00.. .... = Calibration: incapable (0x00000000) .... .... .... .... .... ...0 .... .... = STA can apply TxBF using CSI explicit feedback: Not supported .... .... .... .... .... ..0. .... .... = STA can apply TxBF using uncompressed beamforming feedback matrix: Not supported .... .... .... .... .... .0.. .... .... = STA can apply TxBF using compressed beamforming feedback matrix: Not supported .... .... .... .... ...0 0... .... .... = Receiver can return explicit CSI feedback: not supported (0x00000000) .... .... .... .... .00. .... .... .... = Receiver can return explicit uncompressed Beamforming Feedback Matrix: not supported (0x00000000) .... .... .... ...0 0... .... .... .... = STA can compress and use compressed Beamforming Feedback Matrix: not supported (0x00000000) .... .... .... .00. .... .... .... .... = Minimal grouping used for explicit feedback reports: No grouping supported (0x00000000) .... .... ...0 0... .... .... .... .... = Max antennae STA can support when CSI feedback required: 1 TX antenna sounding (0x00000000) .... .... .00. .... .... .... .... .... = Max antennae STA can support when uncompressed Beamforming feedback required: 1 TX antenna sounding (0x00000000) .... ...0 0... .... .... .... .... .... = Max antennae STA can support when compressed Beamforming feedback required: 1 TX antenna sounding (0x00000000) .... .00. .... .... .... .... 
.... .... = Maximum number of rows of CSI explicit feedback: 1 row of CSI (0x00000000) ...0 0... .... .... .... .... .... .... = Maximum number of space time streams for which channel dimensions can be simultaneously estimated: 1 space time stream (0x00000000) 000. .... .... .... .... .... .... .... = Reserved: 0x00000000 Antenna Selection (ASEL) Capabilities: 0x00 .... ...0 = Antenna Selection Capable: Not supported .... ..0. = Explicit CSI Feedback Based Tx ASEL: Not supported .... .0.. = Antenna Indices Feedback Based Tx ASEL: Not supported .... 0... = Explicit CSI Feedback: Not supported ...0 .... = Antenna Indices Feedback: Not supported ..0. .... = Rx ASEL: Not supported .0.. .... = Tx Sounding PPDUs: Not supported 0... .... = Reserved: 0x00

  37. Frame (Another) PROBE REQUEST Frame 23 (64 bytes on wire, 64 bytes captured) IEEE 802.11 Probe Request, Flags: ........ Type/Subtype: Probe Request (0x04) Frame Control: 0x0040 (Normal) Version: 0 Type: Management frame (0) Subtype: 4 Flags: 0x0 .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up ..0. .... = More Data: No data buffered .0.. .... = Protected flag: Data is not protected 0... .... = Order flag: Not strictly ordered Duration: 0 Destination address: Broadcast (ff:ff:ff:ff:ff:ff) Source address: Intel_67:6c:74 (00:0c:f1:67:6c:74) BSS Id: Broadcast (ff:ff:ff:ff:ff:ff) Fragment number: 0 Sequence number: 91 IEEE 802.11 wireless LAN management frame Tagged parameters (40 bytes) SSID parameter set Tag Number: 0 (SSID parameter set) Tag length: 32 Tag interpretation: \033\n\034\037\r\f\v\017\005\030\005\030\031\020\001\003\021\031\021\n\016\037\v\005\031\017\027\a\023\a\033\b: "\033\n\034\037\r\f\v\017\005\030\005\030\031\020\001\003\021\031\021\n\016\037\v\005\031\017\027\a\023\a\0 Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) Tag Number: 1 (Supported Rates) Tag length: 4 Tag interpretation: Supported rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) [Mbit/sec]

  38. Control Frame Probe Response

  39. Frame PROBE RESPONSE No. Time Source Destination Protocol Info 26 4.150559 Cisco-Li_47:91:6a IntelCor_54:9b:07 IEEE 802.11 Probe Response, SN=3891, FN=0, Flags=........, BI=100, SSID="Caracas" IEEE 802.11 Probe Response, Flags: ........ Type/Subtype: Probe Response (0x05) Frame Control: 0x0050 (Normal) Version: 0 Type: Management frame (0) Subtype: 5 Flags: 0x0 .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00) .... .0.. = More Fragments: This is the last fragment .... 0... = Retry: Frame is not being retransmitted ...0 .... = PWR MGT: STA will stay up ..0. .... = More Data: No data buffered .0.. .... = Protected flag: Data is not protected 0... .... = Order flag: Not strictly ordered Duration: 314 Destination address: IntelCor_54:9b:07 (00:21:5c:54:9b:07) Source address: Cisco-Li_47:91:6a (00:16:b6:47:91:6a) BSS Id: Cisco-Li_47:91:6a (00:16:b6:47:91:6a) Fragment number: 0 Sequence number: 3891

  40. Frame PROBE RESPONSE Sequence number: 3891 IEEE 802.11 wireless LAN management frame Fixed parameters (12 bytes) Timestamp: 0x0000004A32285538 Beacon Interval: 0.102400 [Seconds] Capability Information: 0x0411 .... .... .... ...1 = ESS capabilities: Transmitter is an AP .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS .... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x0000) .... .... ...1 .... = Privacy: AP/STA can support WEP .... .... ..0. .... = Short Preamble: Short preamble not allowed .... .... .0.. .... = PBCC: PBCC modulation not allowed .... .... 0... .... = Channel Agility: Channel agility not in use .... ...0 .... .... = Spectrum Management: dot11SpectrumManagementRequired FALSE .... .1.. .... .... = Short Slot Time: Short slot time in use .... 0... .... .... = Automatic Power Save Delivery: apsd not implemented ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed .0.. .... .... .... = Delayed Block Ack: delayed block ack not implemented 0... .... .... .... = Immediate Block Ack: immediate block ack not implemented

  41. Frame PROBE RESPONSE Tagged parameters (42 bytes) SSID parameter set Tag Number: 0 (SSID parameter set) Tag length: 7 Tag interpretation: Caracas: "Caracas" Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) 18.0 24.0 36.0 54.0 Tag Number: 1 (Supported Rates) Tag length: 8 Tag interpretation: Supported rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) 18.0 24.0 36.0 54.0 [Mbit/sec] DS Parameter set: Current Channel: 4 Tag Number: 3 (DS Parameter set) Tag length: 1 Tag interpretation: Current Channel: 4 ERP Information: no Non-ERP STAs, do not use protection, long preambles Tag Number: 42 (ERP Information) Tag length: 1 Tag interpretation: ERP info: 0x4 (no Non-ERP STAs, do not use protection, long preambles) ERP Information: no Non-ERP STAs, do not use protection, long preambles Tag Number: 47 (ERP Information) Tag length: 1 Tag interpretation: ERP info: 0x4 (no Non-ERP STAs, do not use protection, long preambles) Extended Supported Rates: 6.0 9.0 12.0 48.0 Tag Number: 50 (Extended Supported Rates) Tag length: 4 Tag interpretation: Supported rates: 6.0 9.0 12.0 48.0 [Mbit/sec] Vendor Specific: Broadcom Tag Number: 221 (Vendor Specific) Tag length: 6 Vendor: Broadcom Tag interpretation: Not interpreted
