There are three categories of protocol analyzers.
The first one is the mobile category: a laptop, or nowadays a tablet, with a capture adapter. The 'problem' is knowing whether the hardware and software are ready for protocol analysis. Does the operating system support the adapter you are using? Apple tablets don't support USB capture adapters. Does the adapter support the PHY? If the network is 802.11ac, you cannot do any analysis with an 802.11n adapter. If your adapter only supports two spatial streams and your clients are transmitting with three, you will miss important data, because the adapter cannot decode those frames at all.
The second category is infrastructure: access points have the ability to capture frames themselves. It is not always the right solution for analyzing a problem, because you get the view from the access point and not from the client.
The last category is distributed. This solution uses multiple capture devices spread over your network. Those devices can be laptops, access points or dedicated sensors in your environment.
Common features in protocol analyzing.
There are two ways to capture frames. The first one is non-promiscuous mode; in this mode you capture only the frames sent to and from your own device. The second one is promiscuous mode; in this mode you capture all frames and get a good view of the wireless network. On Wi-Fi that means putting the adapter in monitor (RFMON) mode: an adapter that is merely promiscuous while it stays associated hands you translated Ethernet frames, without the 802.11 management and control frames or the radiotap headers that wireless analysis depends on. You capture one channel at a time if you want a complete view of that channel. There is a way to scan all the channels you want, but then the adapter dwells on one channel, moves on to the next and scans that one. You get a good overall view, but you miss whatever was transmitted on the channels you were not listening to. If you want to capture frames on channels 36, 40, 44 and 48 at the same time, you need four adapters.
Most wireless networks are (or should be) secured, so the data frames are encrypted. When you know the PSK you can decrypt the data frames and use them for troubleshooting, provided the capture also contains that client's 4-way handshake (the EAPOL-Key frames). The per-client temporal key is derived from the PSK, both MAC addresses and the two nonces exchanged in the handshake, so a capture that starts after the client has associated cannot be decrypted until the client reassociates. The PSK does not help on 802.1X/EAP networks, where every client gets its own master key from the authentication server, nor on WPA3-SAE, where the key is not derived from the passphrase alone.
You can also filter the frames. As you may imagine, capturing over the air in an enterprise environment gives you a ton of frames, and not all of them are relevant. There are capture filters and display filters. A capture filter makes the file smaller because frames that don't match are never written to disk, but it is a risky filter: you cannot get back data you never captured. A display filter is usually the better choice. You keep all the data and, after the capture, show only what you want to see, for example a specific client or specific frame types. The Wireshark filters for the management, control and data frames are listed in the blog about those frame types.
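The decryption point above is easy to get wrong in practice, so here is the WPA2-PSK key hierarchy worked through in code. This is an added example, not code from the original page or from any analyzer: it derives the PMK from passphrase and SSID (the passphrase/SSID pair is the published 802.11 test vector), derives the PTK the way a decrypting analyzer has to, and checks the MIC of a constructed EAPOL-Key message 2. The MAC addresses, nonces and the message 2 layout are constructed for the demo and are assumptions, not captured data.

```python
import hashlib
import hmac

# Added example: the WPA2-PSK key hierarchy as an analyzer has to rebuild it
# before it can decrypt anything. The passphrase/SSID test vector is the
# published one from the 802.11 standard; the MAC addresses, nonces and the
# EAPOL-Key message 2 below are constructed, not taken from a real capture.

MIC_OFFSET, MIC_LEN = 81, 16      # MIC field position inside an EAPOL-Key frame
NONCE_OFFSET = 17                 # Key Nonce field position inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK depends on both MACs and both nonces: without the handshake it cannot be rebuilt."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2-PSK/CCMP: HMAC-SHA1 over the frame with the MIC zeroed, first 128 bits."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (no key data) carrying a valid MIC."""
    body = (b"\x02"            # descriptor type: RSN key descriptor
            + b"\x01\x0a"      # key information: version 2 (HMAC-SHA1), pairwise, MIC present
            + b"\x00\x10"      # key length: 16 bytes (CCMP)
            + b"\x00" * 8      # replay counter
            + snonce           # key nonce = SNonce
            + b"\x00" * 32     # key IV, key RSC, key ID (unused in message 2)
            + b"\x00" * MIC_LEN
            + b"\x00\x00")     # key data length: 0
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 (Key)
    mic = compute_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def verify_msg2(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes) -> bool:
    """What a decrypting analyzer does: rebuild PMK -> PTK, then check message 2's MIC.
    True means the PSK is right and the TK (ptk[32:48]) will decrypt this client's data frames."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    kck = ptk[:16]
    return hmac.compare_digest(compute_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


# Constructed handshake parties and nonces (assumptions for the demo).
AA = bytes.fromhex("020000000001")       # authenticator (AP) MAC
SPA = bytes.fromhex("020000000002")      # supplicant (client) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PASSPHRASE, SSID = "password", "IEEE"   # 802.11 standard test vector pair


def demo() -> dict:
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE, ptk[:16])
    return {
        "pmk": pmk.hex(),
        "valid_with_right_psk": verify_msg2(PASSPHRASE, SSID, AA, SPA, ANONCE, msg2),
        "valid_with_wrong_psk": verify_msg2("wrong-passphrase", SSID, AA, SPA, ANONCE, msg2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The PMK alone is not enough: `derive_ptk` needs the AP and client MAC addresses and both nonces, and the nonces only ever appear in EAPOL-Key messages 1 and 2. That is why Wireshark leaves data frames encrypted, even with the right key configured, when the handshake is not in the trace.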
Other filters that can be used are:
“radiotap.datarate” for filtering on data rates
“radiotap.channel.flags.2ghz == 1” for 2.4 GHz frames
“radiotap.channel.flags.5ghz == 1” for 5 GHz frames
“wlan_radio.11ac.bandwidth == 0” for 802.11ac frames with 20 MHz channels.
“wlan_radio.11ac.bandwidth == 1” for 802.11ac frames with 40 MHz channels.
“wlan_radio.11ac.bandwidth == 4” for 802.11ac frames with 80 MHz channels.
“wlan_radio.11ac.bandwidth == 11” for 802.11ac frames with 160 MHz channels.
It is also possible to highlight certain frames with colors: for example all beacon frames green, all authentication frames blue and all association frames red. You still have the whole capture, but a better overview when you scroll through the trace. Those coloring rules are based on the same filters.
Another feature is what the CWNP calls "Expert Analysis." This generic term covers a feature that takes the captured frames and their radiotap headers and turns them into a visual dashboard. In this dashboard you have information such as:
- Channel Utilization: how busy a certain channel is, i.e. how much of the airtime on that channel is consumed.
- Top Talkers: the clients that have transmitted the most frames.
- Most Utilized SSIDs: the SSIDs with the highest utilization.
- Active Device Count: the number of devices that actively communicated.
- Top APs based on Active Associations: the access points with the most active clients.
- AP Security Settings: a list of access points using WEP, WPA or WPA2, as well as access points with open network access.
A dashboard like this gives a good overview of what happened in a network. Are there clients that roam a lot, sticky clients, or access points that are overloaded? It is a good starting point before you do a deep dive into the capture itself.
In the capture you will see three time columns. The first one is Arrival Time, taken from the system clock of the capturing machine. The Delta Time is the time between two consecutive packets. The last one is Relative Time: the time since a reference packet that you set yourself (in Wireshark, mark that packet as the time reference). For example, the time between the first authentication request and the first data frame the client transmits gives you an idea how long the client takes to go through all three phases of joining the network.
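The radiotap filters listed above and the "Expert Analysis" dashboard both work from the same two headers: radiotap (data rate, channel frequency and flags) and the 802.11 MAC header (frame type and transmitter address). The following added example, which is not code from the original page or from any analyzer, parses both from a constructed frame, applies the Python equivalent of the band and data-rate filters, and computes channel utilization and top talkers from the result. All frames, addresses and the fixed preamble overhead used for the airtime estimate are constructed assumptions; a real capture would feed it per-packet bytes from a pcap with link type 127 (radiotap).

```python
import struct
from collections import Counter, defaultdict

# Added example: a minimal radiotap + 802.11 header parser, the Python
# equivalent of the display filters in the text, and a tiny "expert analysis"
# pass over the result. All frames below are constructed, not captured.

# Radiotap present bits handled here: TSFT(0), Flags(1), Rate(2), Channel(3).
# Each field is aligned to its natural size: bit -> (alignment, size) in bytes.
RT_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4)}
CHAN_CCK, CHAN_OFDM = 0x0020, 0x0040     # radiotap channel flags: modulation
CHAN_2GHZ, CHAN_5GHZ = 0x0080, 0x0100    # radiotap channel flags: spectrum
# Assumed fixed per-frame PHY overhead (long DSSS preamble vs OFDM preamble); a simplification.
PREAMBLE_US = {CHAN_CCK: 192, CHAN_OFDM: 20}


def parse_radiotap(buf: bytes):
    """Return (header length, fields) for a radiotap header with a single present word."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or present & (1 << 31):      # extended present words not handled
        raise ValueError("unsupported radiotap header")
    off, fields = 8, {}
    for bit in range(32):
        if not present & (1 << bit):
            continue
        if bit not in RT_FIELDS:
            raise ValueError(f"radiotap field bit {bit} not handled")
        align, size = RT_FIELDS[bit]
        off = (off + align - 1) // align * align      # skip alignment padding
        if bit == 2:
            fields["datarate_mbps"] = buf[off] * 0.5  # rate field is in 500 kbps units
        elif bit == 3:
            freq, flags = struct.unpack_from("<HH", buf, off)
            fields["freq_mhz"], fields["chan_flags"] = freq, flags
            fields["band"] = "5ghz" if flags & CHAN_5GHZ else "2ghz" if flags & CHAN_2GHZ else None
        off += size
    return length, fields


def parse_frame(buf: bytes) -> dict:
    """Radiotap fields plus 802.11 frame type/subtype and transmitter address (Address 2)."""
    rt_len, radio = parse_radiotap(buf)
    fc0 = buf[rt_len]                                  # first frame-control byte
    ta = buf[rt_len + 10:rt_len + 16].hex(":")
    return {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4, "ta": ta,
            "len": len(buf) - rt_len, **radio}


def display_filter(frames, **wanted):
    """Like a Wireshark display filter: keep frames where every named field equals the value,
    e.g. display_filter(frames, band="5ghz") for radiotap.channel.flags.5ghz == 1."""
    return [f for f in frames if all(f.get(k) == v for k, v in wanted.items())]


def airtime_us(frame: dict) -> float:
    """Rough airtime: assumed preamble plus payload bits at the reported data rate."""
    mod = CHAN_CCK if frame["chan_flags"] & CHAN_CCK else CHAN_OFDM
    return PREAMBLE_US[mod] + frame["len"] * 8 / frame["datarate_mbps"]


def dashboard(frames, window_us: float) -> dict:
    """Channel utilization (fraction of the capture window) and top talkers by frame count."""
    util, talkers = defaultdict(float), Counter()
    for f in frames:
        util[f["freq_mhz"]] += airtime_us(f)
        talkers[f["ta"]] += 1
    return {"channel_utilization": {ch: round(us / window_us, 3) for ch, us in util.items()},
            "top_talkers": talkers.most_common(3)}


def make_frame(freq, chan_flags, rate_500k, fc0, ta, payload_len) -> bytes:
    """Constructed radiotap (TSFT, Flags, Rate, Channel) + 802.11 header + dummy payload."""
    rt = (struct.pack("<BBHI", 0, 0, 22, 0x0F) + struct.pack("<Q", 0)
          + b"\x00" + bytes([rate_500k]) + struct.pack("<HH", freq, chan_flags))
    hdr = (bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6
           + bytes.fromhex(ta.replace(":", "")) + b"\x00" * 6 + b"\x00\x00")
    return rt + hdr + b"\x00" * payload_len


AP1, AP2, STA1 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
FRAMES = [parse_frame(b) for b in (
    make_frame(5180, CHAN_OFDM | CHAN_5GHZ, 12, 0x80, AP1, 200),     # beacon, ch 36, 6 Mb/s
    make_frame(5180, CHAN_OFDM | CHAN_5GHZ, 108, 0x08, STA1, 1500),  # data, ch 36, 54 Mb/s
    make_frame(5180, CHAN_OFDM | CHAN_5GHZ, 108, 0x08, STA1, 1500),
    make_frame(5180, CHAN_OFDM | CHAN_5GHZ, 108, 0x08, STA1, 1500),
    make_frame(2437, CHAN_CCK | CHAN_2GHZ, 2, 0x80, AP2, 200),       # beacon, ch 6, 1 Mb/s
)]

if __name__ == "__main__":
    print(len(display_filter(FRAMES, band="5ghz")), "frames on 5 GHz")
    print(dashboard(FRAMES, window_us=10_000))
```

Two details worth noticing: the radiotap rate field is in 500 kbps units, so a raw value of 12 is 6 Mb/s, and a single 1 Mb/s beacon on 2.4 GHz costs more airtime than three 1500-byte data frames at 54 Mb/s, which is why channel utilization, not frame count, is the number to look at first.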