How Wireshark can facilitate Wi-Fi incident analysis (Part 3 : Analysis)

Once the frames have been captured and formatted, we can proceed to the analysis. This step can be very difficult, especially when we don’t yet know what we are looking for. Wireshark offers several tools that help narrow down the search, but a minimum knowledge of WLAN exchanges, frame formats and the various parameters is essential. For this, I refer you to the CWAP training course, which covers the subject very thoroughly.

1 Decrypt a frame

To make application-level analysis easier, it is often useful to decrypt the frames and thus see the content of the exchanges. To do this, go to the menu “Edit” > “Preferences” > “Protocols” > “IEEE 802.11” and make sure that the box “Enable decryption” is checked. Then, to add keys, click on the button “Edit…” next to “Decryption keys”.

In the window that opens you can add keys; depending on the type of encryption used you have several possibilities:

  • If you are using WEP: select the “wep” key type and then enter the key (10 or 26 hexadecimal characters)
  • If you are using WPA/WPA2 PSK: you can use the key type “wpa-pwd” or “wpa-psk”.
      • For wpa-pwd, fill in the passphrase and then the name of the SSID according to the following format: key:ssid
      • For wpa-psk, fill in the pre-shared key in hexadecimal format (64 hex characters, i.e. the 32-byte PSK)
  • If you are using WPA/WPA2 Enterprise: select wpa-psk and fill in the PMK, which you can retrieve from the client or from the RADIUS server
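As an added example (not from the original article), the following Python code derives the 64-hex-character PSK that Wireshark computes internally from a wpa-pwd entry, so you can check a key before pasting it, or convert a key:ssid entry into the equivalent wpa-psk entry. The passphrase-to-PSK step is the standard IEEE 802.11i PBKDF2-HMAC-SHA1 derivation; splitting the entry on the first “:” is an assumption of this example that matches the key:ssid format above.

```python
import hashlib
import re

# Wireshark's "wpa-psk" key type expects the 256-bit PSK as 64 hex characters.
HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the WPA/WPA2 PSK (64 hex chars) for a passphrase and SSID.

    This is the IEEE 802.11i passphrase-to-PSK mapping:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be between 8 and 63 characters")
    psk = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )
    return psk.hex()


def wpa_pwd_to_wpa_psk(entry: str) -> str:
    """Convert a Wireshark 'wpa-pwd' entry written as 'key:ssid' into a 'wpa-psk' entry.

    Assumption: the entry is split on the first ':' (the passphrase itself
    contains no colon), matching the key:ssid format described above.
    """
    passphrase, sep, ssid = entry.partition(":")
    if not sep or not ssid:
        raise ValueError("wpa-pwd entry must be in the form key:ssid")
    return derive_psk(passphrase, ssid)


def is_valid_wpa_psk(entry: str) -> bool:
    """Check that a 'wpa-psk' entry has the 64-hex-character form Wireshark accepts."""
    return HEX_PSK_RE.fullmatch(entry) is not None


if __name__ == "__main__":
    # Test vector from IEEE Std 802.11 (Annex M): passphrase "password", SSID "IEEE".
    print(wpa_pwd_to_wpa_psk("password:IEEE"))
```

Pasting the derived value as a wpa-psk entry avoids the colon restriction of wpa-pwd and lets Wireshark skip the PBKDF2 computation for every SSID it sees; the decryption itself still needs the 4-way handshake (EAPOL frames) of each client to be present in the capture.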

2 Visualization filters

One very important element in analysis with Wireshark is the display (visualization) filters. They show only the packets that match the specified filter. The advantage over capture filters is that all the packets are kept for later use.

To find a display filter, open the details of a packet and select the field of interest: clicking on it shows the field name in the status bar at the bottom. Right-click on it, then “Apply as filter”, to filter on that field with the value of the selected packet, either to find all the other packets matching this criterion (choice “Selected”) or, on the contrary, to exclude all the packets matching it (choice “Not Selected”).

You can also write your own filter with the help of the Wireshark references here: https://www.wireshark.org/docs/dfref/w/wlan.html

or by using this compilation which includes a lot of very useful filters:

https://semfionetworks.com/blog/wireshark-most-common-80211-filters/

Macros

When we use several filters one after the other, they quickly become quite difficult to read and to facilitate this we can use macros. Macros will allow us to create pre-defined filters in which we will only have to add parameters. To create a macro, go to the menu bar, choose the “Analyze” menu and then “Display Filter Macros”.

Here is an example of a macro called “low_rssi”:

wlan_radio.signal_dbm <= $1 && wlan_radio.channel == $2 && wlan.ssid==$3

To use it, I simply call it in the display filter bar, replacing $1, $2 and $3 with the desired signal threshold, channel and SSID. For example:

${low_rssi:-77;36;SSID1}

It is recommended to create your own macros in order to facilitate their use and to be sure that they correspond to your needs and your way of writing the filters, otherwise you will spend more time finding the order of the parameters and the type of expected value than writing them.
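To make the argument order explicit, here is an added Python example (not part of the original article) that expands Wireshark-style macro calls such as ${low_rssi:-77;36;SSID1} into the full display filter and refuses calls whose argument count does not match the macro definition. The macro table follows the low_rssi example above; the second macro and the arity check are constructed for this example.

```python
import re

# Macro definitions as they would appear under Analyze > Display Filter Macros.
# "low_rssi" is the macro from the article; "retries_on_channel" is a constructed example.
MACROS = {
    "low_rssi": "wlan_radio.signal_dbm <= $1 && wlan_radio.channel == $2 && wlan.ssid==$3",
    "retries_on_channel": "wlan.fc.retry == 1 && wlan_radio.channel == $1",
}

# A call looks like ${name} or ${name:arg1;arg2;...}; arguments cannot contain ';' or '}'.
MACRO_CALL_RE = re.compile(r"\$\{(?P<name>[A-Za-z_]\w*)(?::(?P<args>[^}]*))?\}")
PARAM_RE = re.compile(r"\$(\d+)")


def macro_arity(name: str, macros: dict = MACROS) -> int:
    """Number of arguments a macro needs: the highest $n in its body."""
    return max((int(n) for n in PARAM_RE.findall(macros[name])), default=0)


def expand_macros(filter_text: str, macros: dict = MACROS) -> str:
    """Replace every ${name:args} call in a display filter with the macro body."""

    def substitute(match: re.Match) -> str:
        name = match.group("name")
        if name not in macros:
            raise KeyError(f"unknown display filter macro: {name}")
        raw_args = match.group("args")
        args = raw_args.split(";") if raw_args else []
        expected = macro_arity(name, macros)
        if len(args) != expected:
            raise ValueError(f"macro {name} expects {expected} argument(s), got {len(args)}")
        # $1 -> args[0], $2 -> args[1], ... exactly as the macro body orders them.
        return PARAM_RE.sub(lambda p: args[int(p.group(1)) - 1], macros[name])

    return MACRO_CALL_RE.sub(substitute, filter_text)


if __name__ == "__main__":
    print(expand_macros("${low_rssi:-77;36;SSID1}"))
```

Running the expansion before applying a filter is a quick way to see that the threshold, channel and SSID landed in the right places, which is exactly the mistake the recommendation above warns about.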

Buttons

During analyses we notice that we regularly use the same display filters. To avoid rewriting them each time and to reach them more quickly, we can create buttons that directly apply the chosen filter. To create a button, go to the “Edit” menu, then “Preferences”, then “Filter Buttons”. Here is an example of a button:

3 Graphs

In some cases, looking at the packet list is not enough and it can be useful to use graphs to highlight some information. The number of features available in the graphs is large; I will give a quick presentation here along with some use cases, but I invite you to dig into this feature, which is very useful for analyzing the different exchanges.

Graphs I/O

The I/O graphs are a two-dimensional view in which we can choose the information on the abscissa and ordinate. To access it, go to the Statistics menu and then “I/O Graphs”.

By default, two graphs are already present:

Here is a description of each column and the different possibilities they offer:

  • Enabled: Shows or hides a line; if it is checked, the line is displayed
  • Graph Name: The name of the graph
  • Display Filter: Display filter that selects the packets used for the graph
  • Color: The color used for the graph
  • Style: The way the graph is drawn; there are 3 main categories:
      • Line: A curve connecting all the points in a single line (example above)
      • Impulse / Bar and Stacked Bar: Each point is drawn as a bar from the x-axis to the value
      • Dot/Square/Diamond/Cross/Circle/Plus: Each value is drawn as a point (with the chosen shape)
  • Y Axis: The unit chosen for the ordinate axis (computed over the interval indicated below):
      • Packets: Number of packets matching the display filter in the interval
      • Bytes / Bits: Number of bytes or bits carried by those packets during the interval
      • SUM (Y Field): Sum of the values of the “Y Field” (described below)
      • MAX (Y Field) / MIN (Y Field): Maximum/minimum value of the “Y Field”
      • AVG (Y Field): Average value of the “Y Field”
      • LOAD (Y Field): Sum of the “Y Field” values divided by the interval
      • COUNT FRAME (Y Field): Number of packets containing the “Y Field”
      • COUNT FIELD (Y Field): Number of occurrences of the “Y Field”
  • Y Field: Name of the field whose value is used by the Y Axis options above
  • SMA Period: Displays a moving average of the values over the chosen number of intervals
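The Y Axis options above are easiest to understand by computing them by hand. The following Python code is an added example (not from the article or from Wireshark's source) that reproduces each aggregation over a small constructed list of frames, stored as dictionaries keyed by the Wireshark field names used in this series (wlan_radio.data_rate, wlan.fc.retry, wlan.tag.number). The interval and display filter play the same roles as in the I/O Graphs dialog; wlan.tag.number carries several occurrences per beacon so that COUNT FRAME and COUNT FIELD differ.

```python
# Constructed sample capture: one dictionary per frame, keyed by Wireshark field names.
# "time" is seconds since the start of the capture. Frames 1 and 5 are beacons with
# several tagged parameters; frame 4 carries no radio information.
FRAMES = [
    {"time": 0.1, "frame.len": 100, "wlan_radio.data_rate": 6.0, "wlan.fc.retry": 0,
     "wlan.tag.number": (0, 1, 3, 48)},
    {"time": 0.4, "frame.len": 200, "wlan_radio.data_rate": 12.0, "wlan.fc.retry": 1},
    {"time": 0.8, "frame.len": 300, "wlan_radio.data_rate": 24.0, "wlan.fc.retry": 0},
    {"time": 1.2, "frame.len": 400, "wlan.fc.retry": 1},
    {"time": 1.7, "frame.len": 500, "wlan_radio.data_rate": 54.0, "wlan.fc.retry": 1,
     "wlan.tag.number": (0, 1)},
    {"time": 2.5, "frame.len": 60, "wlan_radio.data_rate": 6.0, "wlan.fc.retry": 0},
]


def occurrences(frame: dict, field: str) -> list:
    """All values of `field` in a frame: none, one, or several (tuple) occurrences."""
    value = frame.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def io_graph(frames, interval, y_axis, y_field=None, display_filter=lambda f: True):
    """One value per interval, like a single line of the I/O Graphs dialog.

    y_axis is one of: Packets, Bytes, Bits, SUM, MAX, MIN, AVG, LOAD, COUNT FRAME, COUNT FIELD.
    Intervals run from 0 to the last frame time; empty intervals plot as 0.
    """
    frames = list(frames)
    if not frames:
        return []
    buckets = [[] for _ in range(int(max(f["time"] for f in frames) // interval) + 1)]
    for f in frames:
        if display_filter(f):
            buckets[int(f["time"] // interval)].append(f)

    mode = y_axis.upper()
    values = []
    for bucket in buckets:
        if mode == "PACKETS":
            values.append(len(bucket))
            continue
        if mode in ("BYTES", "BITS"):
            total = sum(f["frame.len"] for f in bucket)
            values.append(total * 8 if mode == "BITS" else total)
            continue
        if y_field is None:
            raise ValueError(f"{y_axis} needs a Y Field")
        per_frame = [occurrences(f, y_field) for f in bucket]
        field_values = [v for occ in per_frame for v in occ]
        if mode == "SUM":
            values.append(sum(field_values))
        elif mode == "MAX":
            values.append(max(field_values, default=0))
        elif mode == "MIN":
            values.append(min(field_values, default=0))
        elif mode == "AVG":
            values.append(sum(field_values) / len(field_values) if field_values else 0)
        elif mode == "LOAD":
            values.append(sum(field_values) / interval)
        elif mode == "COUNT FRAME":
            values.append(sum(1 for occ in per_frame if occ))   # frames having the field
        elif mode == "COUNT FIELD":
            values.append(len(field_values))                    # total occurrences
        else:
            raise ValueError(f"unknown Y Axis: {y_axis}")
    return values


if __name__ == "__main__":
    # Total packets (curve) and retransmitted packets (bars), as in the second example graph below.
    print(io_graph(FRAMES, 1.0, "Packets"))
    print(io_graph(FRAMES, 1.0, "Packets", display_filter=lambda f: f.get("wlan.fc.retry") == 1))
```

Note that a frame without the Y Field (frame 4 has no wlan_radio.data_rate) contributes nothing to SUM, AVG or COUNT FRAME but still counts under Packets and Bytes, which is why an AVG line and a Packets line over the same filter can cover different frames.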

Here are some examples of graphs:

The graph here shows us the maximum and average value of the data rate on all captured packets.

The graph shows the total number of transmitted packets (curve) and the number of retransmitted packets (bars)

This graph shows the channel utilization.

How Wireshark can facilitate Wi-Fi incident analysis (Part 2 : Customization)

The customization will allow you to have your own markers and shortcuts in the interface to make the later analysis of packets easier. The main interface of Wireshark is divided into 4 parts:

  • Part 1 includes the different menus, buttons and the display filter bar
  • Part 2 contains the list of captured packets; we will see later how to customize the columns
  • Part 3 contains the details of the packet selected in part 2
  • Part 4 contains the hexadecimal and text view of the packet. This part also contains the status bar at the very bottom of the interface, which shows information such as the name of the profile currently in use, the total number of packets in the capture and the number of packets displayed, and other information about the capture file

1 Profiles

In Wireshark, the profile allows you to customize many parameters and this allows you to quickly adapt the configuration to the type of capture you want to make (WLAN, Ethernet, Application, …). The profile allows you to customize :

  • Preferences
  • Capture filters
  • Display filters
  • Color rules
  • Disabled protocols
  • Macros
  • Some display settings

By default, the profiles are located in the directory :

C:\Users\<username>\AppData\Roaming\Wireshark\profiles\<profile name>

The name of the directory then corresponds to the name of the profile. You can therefore import profiles by adding them to this directory.

To access the profile management interface, right-click on : “Profile: <Active profile name>”, then select “Manage profiles”.

Here you can create a new profile by clicking on the ( + ), delete one by clicking on the ( – ), or copy one with the copy button.

2 Columns

In the packet list, it is possible to select the information you want to display in the columns and the way it is displayed. This is very useful to have the information quickly in front of you and to make reading easier.

There are two ways to choose the columns you want to display :

  • The first is via the menu Edit > Preferences :

You can add columns with the ( + ) and remove them with the ( – ); you can also change the way the information is displayed by clicking in the Type column, for example to change how the time is shown. For custom columns, you must then fill in the Fields column with the name of the field you want to see appear.

  • The second method consists in selecting, in the details of a packet, the field you want to appear in a column, right-clicking on it and then choosing “Apply as column”

You can also remove columns by right-clicking on them and selecting “Remove this column”.

Once you have selected all your columns, you can use the “Auto-Size Columns” option to automatically adjust the width of each column.

Here are some examples of columns and associated fields:

Name                  Field
Frame Number          frame.number
Receiver Address      wlan.ra
Transmitter Address   wlan.ta
Destination Address   wlan.da
Source Address        wlan.sa
SSID                  wlan.ssid
PHY                   wlan_radio.phy
Data rate             wlan_radio.data_rate
Channel               wlan_radio.channel

You can find all the fields available here: https://www.wireshark.org/docs/dfref/w/wlan_radio.html

and https://www.wireshark.org/docs/dfref/w/wlan.html

3 Colorization

Colorization helps to quickly identify packets in the list according to predefined criteria: frame type, whether the frame has been retransmitted or not, channel, signal strength, … Both the background and the text color can be changed. There are two ways to create coloring rules:

  • The first is by opening the menu View > Coloring Rules and then creating and editing the rules as you wish; you can then check or uncheck a rule to activate or deactivate it. If a packet matches several rules, the first one in the list is taken into account, so the order is important and can be changed by drag and drop.
  • The second method consists of selecting, in the packet details, the field you want to use as a filter, right-clicking on it and applying a coloring rule to it. This applies the rule to all the packets matching the same filter value as the selected packet. Again, the order of the rules is important, because the first one that matches is applied.

4 Naming the devices

To make the packets easier to read, it is also possible to replace the MAC address of a device by a name, which makes it much easier to spot afterwards. To do this, simply edit the “ethers” file located in the profile directory:

C:\Users\<User name>\AppData\Roaming\Wireshark\profiles\<Profile name>

In this file, each line contains the MAC address (in the format XX:XX:XX:XX:XX:XX) followed by the name of the device, separated by a space. Here is an example of a file:

02:12:C7:E3:FD:38 XcoverPro
EA:83:E5:38:09:84 Xcover5
E6:CA:41:00:4B:DF Zebra
00:DC:B2:2B:02:10 AP1
00:DC:B2:2B:27:50 AP2
00:DC:B2:2B:3F:70 AP3

Once the file is saved, Wireshark must be restarted and here is the result:
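As an added example (not from the article), here is Python code that parses an ethers file in the format just described, validates each line, and labels the addresses of a constructed frame the way the packet list shows them once the names are loaded. The file content is the one above; treating “#” lines as comments, matching addresses case-insensitively and keeping the rest of the line as the name are assumptions of this example.

```python
import re

# Contents of the profile's "ethers" file, exactly as shown above.
ETHERS_FILE = """\
02:12:C7:E3:FD:38 XcoverPro
EA:83:E5:38:09:84 Xcover5
E6:CA:41:00:4B:DF Zebra
00:DC:B2:2B:02:10 AP1
00:DC:B2:2B:27:50 AP2
00:DC:B2:2B:3F:70 AP3
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# 802.11 address fields whose values get replaced by names in the packet list.
ADDRESS_FIELDS = ("wlan.ra", "wlan.ta", "wlan.da", "wlan.sa")


def normalize_mac(mac: str) -> str:
    """Lower-case the address so lookups are case-insensitive (assumption of this example)."""
    return mac.lower()


def parse_ethers(text: str) -> dict:
    """Map lowercase MAC -> name. Raises ValueError on a malformed or duplicate line."""
    names = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not MAC_RE.match(parts[0]):
            raise ValueError(f"ethers line {lineno}: expected 'XX:XX:XX:XX:XX:XX name', got {raw!r}")
        mac, name = normalize_mac(parts[0]), parts[1].strip()
        if mac in names:
            raise ValueError(f"ethers line {lineno}: {parts[0]} is already named {names[mac]!r}")
        names[mac] = name
    return names


def resolve(mac: str, names: dict) -> str:
    """Name for a MAC address, or the address itself if the file has no entry for it."""
    return names.get(normalize_mac(mac), mac)


def label_frame(frame: dict, names: dict) -> dict:
    """Return a copy of a frame with its 802.11 address fields replaced by names."""
    return {k: resolve(v, names) if k in ADDRESS_FIELDS else v for k, v in frame.items()}


# Constructed frame: data from AP1 to the Zebra terminal, relayed from a source not in the file.
SAMPLE_FRAME = {
    "frame.number": 42,
    "wlan.ra": "e6:ca:41:00:4b:df",
    "wlan.ta": "00:dc:b2:2b:02:10",
    "wlan.da": "e6:ca:41:00:4b:df",
    "wlan.sa": "0a:1b:2c:3d:4e:5f",
    "wlan_radio.channel": 36,
}

if __name__ == "__main__":
    print(label_frame(SAMPLE_FRAME, parse_ethers(ETHERS_FILE)))
```

Validating the file before restarting Wireshark saves a round trip: a line that does not match the expected format is silently ignored by the GUI, and an address that stays unresolved in the list is easy to mistake for a genuinely unknown device.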

How Wireshark can facilitate Wi-Fi incident analysis (Part 1 : Packets capture with Windows)

The analysis of frames using Wireshark or another frame analyzer is essential in the resolution of network incidents. It gives us all the information exchanged and lets us understand precisely what is going on. But this quickly becomes a real headache if we are not well organized and are not looking for the right elements. Through this white paper, we will try to show you some tips to facilitate the resolution of Wi-Fi incidents using Wireshark on Windows.

To do this we will start by looking at the different ways of capturing data, then we will study the Wireshark interface and see how its customization lets us visualize more clearly the information we want to see, and finally we will see how the tools integrated in Wireshark allow us to analyze the captured frames in more detail and identify malfunctions.

1 Capture with a network card

Prerequisites :

  • Wi-Fi card in monitor mode (to see the list of compatible Wi-Fi cards: https://secwiki.org/w/Npcap/WiFi_adapters)
  • Npcap installed with “Support raw 802.11 traffic” feature
  • Wireshark version higher than 3.0

Capturing 802.11 frames with the built-in Wi-Fi card has always been a problem on a Windows computer. Indeed, it is only very rarely possible to activate Monitor mode, which enables capturing the radio layer. By default, Managed mode is active and only allows capturing the packets from layer 3. The Npcap library makes it possible to solve this problem, provided that the Wi-Fi card is compatible (see Prerequisites).

You can also find out the modes supported by your network card with the following command (Wi-Fi is the name of the network card):

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi" modes

Warning : Before starting the procedure, it is important to make sure that Winpcap is not installed on the computer.

The first step is to activate the Monitor mode on the network card:

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi" mode monitor

To know the mode currently used by the network card :

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi" mode

You then need to select the channel you wish to listen on (for example, channel 1):

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi" channel 1

2 Capture with an external module

We do not always have the possibility of travelling to make the captures we want, or we may want to use external equipment to make the capture. Here I present three possibilities; there are others, for example using an access point in “listening” mode (be careful, because activating the listening mode usually disables the AP).

Wlan pi

Image source: https://www.badgerwifi.co.uk/store/p/wlanpi

To capture packets from the Wlan Pi, we will use the WLANPiShark2 script (installed by default on the Wlan Pi): https://github.com/WLAN-Pi/WLANPiShark2. It allows a Windows computer to collect the captured packets.

Here is an explanatory diagram provided by the author:

The use is then very simple, because the WLANPiShark2 script is already integrated in the Wlan Pi distribution. You just have to modify the WLANPiShark.bat script on your computer with the information you want and then run it with the different parameters to make it work.

You can find all the details about the use of the script on the github of the project: https://github.com/wifinigel/WLANPiShark

Ekahau Sidekick

The Ekahau Sidekick module also allows you to capture packets. To do this, you just need to connect it to your computer, launch the Ekahau Capture software (you need an Ekahau Connect account) and then select the channels that interest you. In the options, we have the possibility to choose the location where the file will be saved, as well as the “dwell time” (listening time per channel). Once all this is selected, we can launch the capture.

IMAGE EKAHAU CAPTURE

With another computer

Windows allows, with the “Remote Packet Capture Protocol” feature, to receive in Wireshark packets captured by another computer. To do this, on the client machine open the service manager and start the service “Remote Packet Capture Protocol v.0 (experimental)”. You can also configure the service by changing the listening port or by adding authentication.

Then, on the server machine, go to the capture options, then to “Manage Interfaces”, to add “remote interfaces”. You can then enter the IP address of the client machine and the port (2002 by default).

Then you will see the interfaces appear in the list of available interfaces in the following format:

rpcap://<client IP address>:2002/<interface ID>

3 Initiating the capture

When analyzing Wi-Fi incidents, it is generally not recommended to use capture filters, as they may hide exchanges taking place between other devices. It is recommended to capture all traffic and then apply display filters. If the traffic volume is too large, it is possible to split the capture into several files according to size, duration or number of packets.

However, if the volume of data is still too large or you know exactly what you are looking for, it may be interesting to set up capture filters to facilitate the analysis.

Here are some examples of filters that can be used:

wlan addr1 00:01:02:03:04:05 : Capture packets where MAC address 1 is 00:01:02:03:04:05 (addr2 for MAC address 2, …)

wlan type mgt : To capture only management type frames

not wlan type data : To not capture data frames

wlan type mgt subtype beacon : To capture only beacon frames

wlan type ctl and (subtype rts or subtype cts) : To capture only Clear-To-Send and Request-To-Send frames

To find all the filters :

https://www.wireshark.org/docs/man-pages/pcap-filter.html