How to validate the WI-FI Information within Wireshark – Part I: Determining the WLAN capabilities
How to validate the WI-FI Information within Wireshark
Part I: Determining the WLAN capabilities
The WLAN Link Layer Options
If you want to capture the WLAN traffic with Wireshark (a general Info about HowTo setup up a WIFI capture with Wireshark can be found here: https://wiki.wireshark.org/CaptureSetup/WLAN/) you have to choose a Link Layer Type
Most times, I am able to choose between the 802.11, 802.11 + Radio Tap Header or the PPI-Header (Per Packet Info).
These three Options are providing the following information:
- Just the 802.11 Info
- 802.11 + Radio Tap Header
- The 802.11 info plus some additional Radio info which is provided by the driver of the WLAN interface
- PPI (Per Packet Information)
- Adds a pseudo header to the frame which provide a lot of interesting information like bandwidth, signal strength and so on. Also, it is easier to read the detailed information.
The following picture shows an example of a PPI header. Although this PPI header reports the “Number of spatial streams” is 0 (unknown), the user can deduce that the Wi-Fi device supports 3 spatial streams by observing the RSSI values reported for each antenna (0 through 3). Also it provides us some information about the signal strength and the noise at every antenna.
The PPI Header
If you are relatively new in the area of Wi-Fi analysis and you play around with these options, you might want to use the PPI option. At least I wanted it, because it provided me a method to read the information I expected in a human readable format.
I used an 802.11n AP and an 802.11n card and my driver always told me a data rate of about 300Mbps, so I expected to see at least one small info about 802.11n in the trace. However, I was only able to see this information with the PPI options.
But, as I had to learn at the Wireshark Q&A the PPI is just a pseudo header with some educational guessed values developed by CACE Technology for their AirPcap Cards . For that, I don´t trust the PPI information when using different NICs other than AirPcap.
The Radiotap Header
Therefore, the Radiotap Header provides the more trustworthy information because these values are provided directly from the firmware of the Wi-Fi interface. If you think everything is now perfect, then you have never worked with this header. The values in the Radiotap Header are only as good as the manufacturer of the interface has implemented them. An overview about the defined fields could be found here: Fields of the Radio Tap Header
That means if the manufacturer provides the wrong info then you get the wrong info by Wireshark. One example is the channel type. As you can see, the Radiotap Header displays a channel type of 802.11a but in fact, it is an 802.11ac frame working with 80MHz channel width.
Determining the real WLAN capabilities
Regarding these discrepancies, I have thought over and talked to Amato about this. In the end we wrote down some rules (see the table below) how everybody should be able to identify which standards are provided. One of the most reliable Information are the “WLAN Management frames” With these “WLAN Management frames” the WI-FI devices are exchanging their capabilities.
For determine which capabilities can be archieved the following WLAN Packets have to be analyzed for that kind of investigation:
- For the capabilities of the AP, you have to look at the “WLAN Management Frame” labeled as Beacon frames transmitted by the AP.
- For the capabilities of the client, you have to look at the “WLAN Management Frame” labeled as Probe Requests and/or Association Requests frames transmitted by the client.
Within each of these Management frames, the IEEE 802.11 specification defines certain Information Elements (IE) that provide the capability of the Wi-Fi device. In the following picture, a Beacon frame is displayed (i.e., this frame provides the capability of the Access Point).
With the help of the following table, a decision of the highest possible supported standard can be determined:
With this matrix (Table 1), we can determine that the AP of Picture 4 supports 802.11ac since the VHT information element is present.
Thus far, we have only examined the capabilities of the AP or the client. However, do the client and AP always use the highest possible supported standard after associating? In addition, what is the data rate used during the transfer of data? For example, in the above picture, the AP supports 802.11ac since the Beacon frame contains the VHT information element. The 802.11ac standard supports over 600 different data rates!
In the next part of these article Amato and I will present you how the used datarates could be determined, so Stay Tuned…
AP Access Point IE Information Element, the Information Elements provide the capabilities of a WiFi device. HT High Thruoghput MCS Modulation and Coding Index NIC Network Interface Card PPI Per Packet Information Radio Tap Fields http://www.radiotap.org/defined-fields VHT Very High Throughput