This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 5 and 41 (spanning 36 versions)
Revision 5 as of 2004-10-12 21:23:41
Size: 1887
Editor: OlivierBiot
Comment: Some more information.
Revision 41 as of 2015-04-16 11:15:32
Size: 6554
Editor: EnderWiggin
Comment: Removed broken link to "The IEEE802.11 frame format with Wireshark display filters annotated" twitpic.
Wi-Fi (WLAN, IEEE 802.11)

Wi-Fi, or IEEE 802.11, is the standard for wireless LANs, or WLANs. The abbreviation Wi-Fi stands for Wireless Fidelity, and resembles the Hi-Fi acronym. It represents a whole collection of protocols in the same family as Ethernet and Token Ring.

It is specified by various IEEE 802.11 specifications.

IEEE 802.11 sends network packets from the sending host to one (Unicast) or more (Multicast/Broadcast) receiving hosts.

The 802.11 protocols specify a wireless shared network, which means that the maximum bandwidth is only available to one user at a time.

/!\ See the CaptureSetup/WLAN page for instructions on how to capture from WLANs (including monitor mode), and see the CaptureSetup page for general information on capturing on WLANs and other media.

802.11 Standards

The basic 802.11 standards are:

  • 802.11 (2 Mbit/s, 2.4 GHz) First generation of WLAN equipment; allows 1 and 2 Mbps.
  • 802.11b (11 Mbit/s, 2.4 GHz) Second generation of WLAN equipment, and the first generation to receive widespread use; allows 1, 2, 5.5 and 11 Mbps.
  • 802.11a (54 Mbit/s, 5 GHz)
  • 802.11g (54 Mbit/s, 2.4 GHz)
  • 802.11n Enhancements for Higher Throughput

Some additional 802.11 standards are:

  • 802.11i (Security: WPA1 and WPA2) No change to data rate; improvement in security.
  • 802.11h (Spectrum and Transmit Power Management)
  • 802.11e (Quality of service, packet bursting)
  • 802.11d International (country-to-country) roaming extensions
  • 802.11f Inter-Access Point Protocol (IAPP)
  • 802.11j Extensions for Japan

History

XXX - add a brief description of 802.11 history

802.11 vs. "fake Ethernet" captures

When capturing with Wireshark (or other tools using libpcap/WinPcap, such as TcpDump / WinDump) there are two ways in which 802.11 can be supplied by the system and stored in a capture file:

  • "real" 802.11: the hardware/driver provides the actual protocol data that travels over the air, complete with 802.11 headers. (There are variants of this in which "radio information" such as signal strength can be provided as well.)
  • "fake" Ethernet: the hardware/driver translates the 802.11 headers into Ethernet headers so that the whole packet looks like a normal Ethernet packet. If the hardware/driver is doing this, all 802.11-specific management and control frames are usually discarded, as there's no equivalent to them in Ethernet (although some drivers might use a non-standard way of making them look like Ethernet packets, such as using a special Ethernet packet type).

Detailed information about how to capture 802.11 traffic can be found at the CaptureSetup/WLAN page.

Protocol dependencies

  • 802.11 is the lowest software layer, so it only depends on hardware.

Example traffic

One ICMP ping request and response session from station STA1 to station STA2 via access point AP.

ICMP ECHO request

  • ICMP Echo request (802.11 data packet with source STA1, destination STA2, To DS bit set). This packet is transmitted by STA1 and received by the AP.
  • ACK (802.11 control packet, destination STA1). This packet is transmitted by the AP and received by STA1.
  • ICMP Echo request (802.11 data packet with source STA1, destination STA2, From DS bit set). This packet is transmitted by the AP and received by STA2.
  • ACK (802.11 control packet, destination AP). This packet is sent to the AP by STA2 to acknowledge receipt of the Echo request packet.

ICMP ECHO Response

  • ICMP Echo response (802.11 data packet with source STA2, destination STA1, To DS bit set). This packet is transmitted by STA2 and received by the AP.
  • ACK (802.11 control packet, destination STA2). This packet is transmitted by the AP and received by STA2.
  • ICMP Echo response (802.11 data packet with source STA2, destination STA1, From DS bit set). This packet is transmitted by the AP and received by STA1.
  • ACK (802.11 control packet, destination AP). This packet is sent to the AP by STA1 to acknowledge receipt of the Echo response packet.

XXX - Add example traffic here (as Wireshark screenshot).

Wireshark

The 802.11 dissector is fully functional. It supports WEP and WPA/WPA2 decryption (see HowToDecrypt802.11 for details) and 802.11n.

Capturing 802.11 traffic can be tricky; see the CaptureSetup page for instructions on how to capture from WLANs (including monitor mode) and other media.

Preference Settings

802.11 is a complex protocol and Wireshark has a variety of 802.11-related preferences as a result.

(Screenshot: ws_dot11_prefs.png)

The reassembly and retransmission settings can affect the way that higher-layer information is dissected and displayed. The FCS and Protection bit settings can affect how frames are decrypted. For detailed information about the decryption settings, see HowToDecrypt802.11.

You can also add 802.11-specific information to the packet list.

(Screenshot: ws_col_prefs_dot11.png)

Example capture file

SampleCaptures/Network_Join_Nokia_Mobile.pcap

Display Filter

A complete list of 802.11 display filter fields can be found in the wlan, wlan_mgt, and wlan_aggregate display filter references.

  • Show only the 802.11-based traffic:
     wlan
  • Show only the 802.11-based traffic to and from 802.11 MAC address 08:00:08:15:ca:fe:
     wlan.addr==08.00.08.15.ca.fe
  • Hide beacon frames:
     wlan.fc.type_subtype != 0x08
  • Show management frames for a specific SSID:
     wlan_mgt.ssid == "Spatula City"

Capture Filter

Newer versions of libpcap support raw 802.11 headers via the "wlan" link type. Older versions must use "ether" or "link" via fake Ethernet headers, and might not support 802.11 capture at all.

  • Capture only the 802.11-based traffic to and from 802.11 MAC address 08:00:08:15:ca:fe:
     wlan host 08:00:08:15:ca:fe
  • Filter out beacon frames:
     wlan[0] != 0x80
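The To DS / From DS address roles from the example traffic above, the DA/SA translation a "fake Ethernet" driver performs, and the beacon test behind wlan.fc.type_subtype and wlan[0], worked through as an added Python example. This code is not from the Wireshark wiki or from Wireshark itself; the station and AP addresses are constructed, and the frames carry only the MAC header (no body or FCS).

```python
import struct
# Constructed sample addresses (not from the wiki page): two stations and the AP's BSSID.
STA1 = bytes.fromhex("001122334401")
STA2 = bytes.fromhex("001122334402")
AP = bytes.fromhex("00aabbccddee")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame):
    """Decode Frame Control and the address fields of one 802.11 MAC header.
    type_subtype is Wireshark's wlan.fc.type_subtype (type*16 + subtype): beacon 0x08, ACK 0x1d.
    For data frames the To DS / From DS bits say which field holds the real DA and SA,
    the mapping a "fake Ethernet" driver applies before discarding the 802.11 header."""
    fc, = struct.unpack_from("<H", frame, 0)            # Frame Control is little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    info = {"type_subtype": ftype * 16 + subtype,
            "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
            "addr1": mac(frame[4:10])}
    if ftype != 1:                                        # control frames such as ACK carry addr1 only
        info["addr2"], info["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    if ftype == 2:                                        # data frames: addr1..3 roles per DS bits
        if info["to_ds"] and not info["from_ds"]:         # STA -> AP: BSSID, SA, DA
            info["sa"], info["da"] = info["addr2"], info["addr3"]
        elif info["from_ds"] and not info["to_ds"]:       # AP -> STA: DA, BSSID, SA
            info["sa"], info["da"] = info["addr3"], info["addr1"]
        elif not info["to_ds"] and not info["from_ds"]:   # direct (IBSS): DA, SA, BSSID
            info["sa"], info["da"] = info["addr2"], info["addr1"]
        # both bits set is the four-address WDS case, which the page does not cover
    return info

def is_beacon(frame):
    """Same test as the page's capture filter: wlan[0] == 0x80 (type 0, subtype 8)."""
    return frame[0] == 0x80

def build_frame(byte0, flags, addr1, addr2=None, addr3=None):
    """Constructed header: FC, duration, addresses, sequence control (no body or FCS)."""
    frame = bytes([byte0, flags, 0, 0]) + addr1
    if addr2 is not None:
        frame += addr2 + addr3 + b"\x00\x00"
    return frame

def echo_request_leg():
    """The four frames of the page's 'ICMP ECHO request' leg: STA1 -> AP -> STA2."""
    return [parse_80211(f) for f in (
        build_frame(0x08, 0x01, AP, STA1, STA2),   # data, To DS set: STA1 to AP
        build_frame(0xD4, 0x00, STA1),             # ACK from AP to STA1
        build_frame(0x08, 0x02, STA2, AP, STA1),   # data, From DS set: AP to STA2
        build_frame(0xD4, 0x00, AP),               # ACK from STA2 to AP
    )]
```

Both data frames decode to the same SA/DA pair (STA1 to STA2) even though their addr1..addr3 layouts differ, which is why a fake-Ethernet capture shows one Ethernet frame per hop and no ACKs at all.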

See the CaptureSetup/WLAN page for instructions on how to capture from WLANs (including monitor mode).

Wi-Fi (last edited 2015-04-16 11:15:32 by EnderWiggin)