How Wifi Analyzers Work
How Do "Wifi Analyzers" Work?
Simple: they extract the info from Beacon frames. Beacons carry the information a client needs to find, join and roam between networks: the SSID, the capabilities of the AP, and other details that help clients gather info about their environment. Beacons are sent out roughly every 100 milliseconds (100 Time Units of 1024 µs, so 102.4 ms to be exact) and are not encrypted, so anyone listening on the channel can read them. Most free analyzers passively scan for beacons across all channels and present the extracted info in an easy-to-read GUI. See my notes on Chapter 9 (MAC) of the CWNA study guide, which cover passive and active scanning.
Here are a couple of screenshots that show the difference between the packet capture and the GUI presentation.
Wireshark View
Wifiman (for Android) View
WinFi (for Windows) View
While the packet capture shows us all the details, the GUIs usually break out the most important items such as SSID, RSSI and channel. As a side note, the last screenshot shows why I despise consumer grade gear: a few weeks ago my neighbors were more evenly distributed across the spectrum.
We'll look at a capture and compare it to the image above to see where some of these details come from.
The SSID, supported rates (with the basic rates flagged) and channel can be seen here. Notice how G3Net advertises as its lowest basic rate the minimum rate I set for the SSID rather than the lowest rate the radio is capable of. The basic rate set tells a client which rates it must support to associate, so when it can no longer transmit at the minimum required rate it knows it will need to disconnect or, ideally, roam to another AP or a different band.
Ever wonder how these gauge channel utilization? That information comes from the QBSS Load element introduced by the 802.11e amendment and is advertised by the network itself. We can see the current channel has almost no utilization at the moment. The next screenshot is from channel 11, which has much higher utilization. The same element also carries the count of currently associated stations.
If you noticed the amendments column in WinFi, it derives that info from the various information elements found in the frame. Amendments r and k are all but required for devices running low latency applications (think voice) to roam effectively without interruption. Both can be detected when the corresponding information elements are present:
Mobility Domain refers to 802.11r, which adds fast BSS transition (fast roaming).
RM (Radio Measurement) Enabled Capabilities will be present when 802.11k is supported.
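To show where the fields above actually sit in the frame, here is a small beacon parser, added as an example for this post (it is not code from the post, WinFi or Wifiman). It walks the information elements after the fixed fields and pulls out the SSID, the rates (flagging the basic rate set), the DS Parameter Set channel, the QBSS Load station count and utilization, and the Mobility Domain and RM Enabled Capabilities elements that signal 802.11r and 802.11k. The sample beacon is constructed inline; the BSSID, MDID and capability bits are made-up values, not a real capture. A truncated element raises instead of being silently misread, which is the check you want before trusting a field from an untrusted over-the-air frame.

```python
import struct

# Element IDs from the 802.11 standard used in this example
EID_SSID = 0
EID_SUPPORTED_RATES = 1
EID_DS_PARAMS = 3
EID_QBSS_LOAD = 11          # 802.11e: station count, channel utilization
EID_EXT_SUPPORTED_RATES = 50
EID_MOBILITY_DOMAIN = 54    # 802.11r
EID_RM_ENABLED_CAPS = 70    # 802.11k

MAC_HDR_LEN = 24        # FC(2) Duration(2) Addr1-3(18) SeqCtl(2)
FIXED_FIELDS_LEN = 12   # Timestamp(8) Beacon Interval(2) Capability(2)


def iter_elements(body):
    """Yield (element_id, data) for each IE; refuse elements that run past the frame."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise ValueError("truncated information element id=%d" % eid)
        yield eid, body[off:off + length]
        off += length


def parse_beacon(frame):
    """Extract the analyzer-style summary fields from a raw 802.11 beacon frame."""
    if len(frame) < MAC_HDR_LEN + FIXED_FIELDS_LEN:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:   # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join("%02x" % b for b in frame[16:22])   # Addr3 carries the BSSID
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, MAC_HDR_LEN)
    info = {
        "bssid": bssid,
        "beacon_interval_ms": interval_tu * 1024 / 1000,  # 1 TU = 1024 microseconds
        "privacy": bool(cap & 0x0010),                    # capability bit 4
        "ssid": None, "channel": None,
        "supported_rates_mbps": [], "basic_rates_mbps": [],
        "station_count": None, "channel_utilization_pct": None,
        "amendments": [],
    }
    for eid, data in iter_elements(frame[MAC_HDR_LEN + FIXED_FIELDS_LEN:]):
        if eid == EID_SSID:
            info["ssid"] = data.decode("utf-8", "replace")
        elif eid in (EID_SUPPORTED_RATES, EID_EXT_SUPPORTED_RATES):
            for r in data:                 # units of 500 kbps; high bit marks a basic rate
                mbps = (r & 0x7F) / 2
                info["supported_rates_mbps"].append(mbps)
                if r & 0x80:
                    info["basic_rates_mbps"].append(mbps)
        elif eid == EID_DS_PARAMS and len(data) == 1:
            info["channel"] = data[0]
        elif eid == EID_QBSS_LOAD and len(data) == 5:
            count, util, _admission_cap = struct.unpack("<HBH", data)
            info["station_count"] = count
            info["channel_utilization_pct"] = round(util / 255 * 100, 1)  # util is 0..255
            info["amendments"].append("e")
        elif eid == EID_MOBILITY_DOMAIN:
            info["amendments"].append("r")
        elif eid == EID_RM_ENABLED_CAPS:
            info["amendments"].append("k")
    return info


def ie(eid, data):
    """Encode one information element: id, length, payload."""
    return bytes([eid, len(data)]) + data


# Constructed sample beacon (made-up addresses and values, not a real capture)
SAMPLE_BEACON = (
    b"\x80\x00" + b"\x00\x00"                      # FC = beacon, duration 0
    + b"\xff" * 6                                  # Addr1: broadcast
    + bytes.fromhex("020000000001") * 2            # Addr2/Addr3: locally administered BSSID
    + b"\x10\x00"                                  # sequence control
    + struct.pack("<QHH", 0x1234, 100, 0x0411)     # timestamp, 100 TU, ESS+privacy+short slot
    + ie(EID_SSID, b"G3Net")
    + ie(EID_SUPPORTED_RATES, bytes([0x0c, 0x12, 0x98, 0x24, 0xb0, 0x48, 0x60, 0x6c]))
    + ie(EID_DS_PARAMS, b"\x06")                   # channel 6
    + ie(EID_QBSS_LOAD, struct.pack("<HBH", 3, 51, 0))   # 3 stations, 51/255 utilization
    + ie(EID_MOBILITY_DOMAIN, b"\x12\x34\x01")     # MDID 0x3412, FT capability byte
    + ie(EID_RM_ENABLED_CAPS, b"\x73\x00\x00\x00\x00")
)

if __name__ == "__main__":
    for k, v in parse_beacon(SAMPLE_BEACON).items():
        print("%-24s %s" % (k, v))
```

Run it and you get the same summary an analyzer GUI shows: 6 Mbps is supported but 12 Mbps is the lowest basic rate, so that is what the client treats as the minimum, and 51/255 comes out as 20% utilization on channel 6 with 3 associated stations.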
There's a lot more info sent with each beacon, but most of it (including what's already been covered here) could have its own in-depth post. I will end by noting that I did not go over RSSI, SNR and MAC addresses, as those are not exclusive to beacon frames. RSSI is measured by the receiving radio during the PHY preamble and shows up as capture metadata (the Radiotap header in Wireshark) rather than as a field in the frame itself, SNR is computed from that measurement and the local noise floor, and MAC addresses can be found in every frame.
I'm working on making these shorter and more concise. Once the new CWAP-404 book arrives I'll try to make some short posts on the interesting bits of wireless frames.