{"id":38,"date":"2022-07-30T08:00:37","date_gmt":"2022-07-30T06:00:37","guid":{"rendered":"http:\/\/wifiromeo.fr\/?p=38"},"modified":"2022-08-16T15:15:27","modified_gmt":"2022-08-16T13:15:27","slug":"how-wireshark-can-facilitate-wi-fi-incident-analysis-part-1-packets-capture-with-windows","status":"publish","type":"post","link":"https:\/\/wifiromeo.fr\/?p=38&lang=en","title":{"rendered":"How Wireshark can facilitate Wi-Fi incident analysis (Part 1: Packet capture with Windows)"},"content":{"rendered":"\n<p>The analysis of frames using Wireshark or another frame analyzer is essential in the resolution of network incidents. It allows us to obtain all the information exchanged and to understand precisely what is going on. But this quickly becomes a real headache if we are not well organized and not looking for the right elements. Through this white paper, we will try to show you some tips to facilitate the resolution of Wi-Fi incidents using Wireshark on Windows.<\/p>\n\n\n\n<p>To do this, we will start by looking at the different ways of capturing data; then we will study the Wireshark interface and see how customizing it lets us visualize more clearly the information we want to see; finally, we will see how the tools integrated in Wireshark allow us to analyze the captured frames in more detail and identify malfunctions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1 Capture with a network card<\/h2>\n\n\n\n<p>Prerequisites:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Wi-Fi card supporting monitor mode (to see the list of compatible Wi-Fi cards: <a href=\"https:\/\/secwiki.org\/w\/Npcap\/WiFi_adapters\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/secwiki.org\/w\/Npcap\/WiFi_adapters<\/a>)<\/li><li>Npcap installed with the \u00ab\u00a0Support raw 802.11 traffic\u00a0\u00bb feature<\/li><li>Wireshark version higher than 3.0<\/li><\/ul>\n\n\n\n<p>Capturing 802.11 frames with the built-in Wi-Fi card has always been a problem with a 
Windows computer. Indeed, it is only very rarely possible to activate Monitor mode, which enables capturing the radio layer. By default, Managed mode is activated, which allows capturing packets from layer 3. The Npcap library solves this problem, provided that the Wi-Fi card is compatible (see Prerequisites).<\/p>\n\n\n\n<p>You can also list the modes supported by your network card with the following command (\"Wi-Fi\" is the name of the network card):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\Windows\\System32\\Npcap&gt;WlanHelper.exe \"Wi-Fi\" modes<\/pre>\n\n\n\n<p><strong>Warning: before starting the procedure, it is important to make sure that WinPcap is not installed on the computer.<\/strong><\/p>\n\n\n\n<p>The first step is to activate Monitor mode on the network card:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\Windows\\System32\\Npcap&gt;WlanHelper.exe \"Wi-Fi\" mode monitor<\/pre>\n\n\n\n<p>To display the mode currently used by the network card:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\Windows\\System32\\Npcap&gt;WlanHelper.exe \"Wi-Fi\" mode<\/pre>\n\n\n\n<p>Then select the channel you wish to listen on (for example, channel 1):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\Windows\\System32\\Npcap&gt;WlanHelper.exe \"Wi-Fi\" channel 1<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">2 Capture with an external module<\/h2>\n\n\n\n<p>We do not always have the possibility of travelling to make the captures we want, or we may want to use external equipment to make the capture. 
Here I present three of the possibilities that exist; there are others, for example using an access point in \u00ab\u00a0listening\u00a0\u00bb mode (be careful: activating the listening mode usually disables the AP).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Wlan Pi<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img decoding=\"async\" src=\"https:\/\/static.wixstatic.com\/media\/68bc5d_227e735fba5a4982a48384e74ceebd26~mv2.png\/v1\/fit\/w_239,h_160,al_c,q_5,enc_auto\/file.png\" alt=\"\"\/><figcaption>Image source: https:\/\/www.badgerwifi.co.uk\/store\/p\/wlanpi<\/figcaption><\/figure>\n<\/div>\n\n\n<p>To capture packets from the Wlan Pi, we will use the WLANPiShark2 script (it is installed by default on the Wlan Pi):<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/WLAN-Pi\/WLANPiShark2\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/WLAN-Pi\/WLANPiShark2<\/a>. It allows us to collect the captured packets from a Windows computer.<\/p>\n\n\n\n<p>Here is an explanatory diagram provided by the author:<\/p>\n\n\n\n<figure class=\"wp-block-image alignfull\"><img decoding=\"async\" src=\"https:\/\/static.wixstatic.com\/media\/68bc5d_06abb6c2efd4430f9bf260821218941a~mv2.png\/v1\/fit\/w_300,h_300,al_c,q_5,enc_auto\/file.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>The use is then very simple, because the WLANPiShark2 script is already integrated in the Wlan Pi distribution. 
You just have to edit the WLANPiShark.bat script on your computer with your own settings and then run it with the desired parameters.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/static.wixstatic.com\/media\/68bc5d_81dbdf45a2dc443c8e38ea3f24f84144~mv2.png\/v1\/fit\/w_300,h_300,al_c,q_5,enc_auto\/file.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>You can find all the details about the use of the script on the project's GitHub page: <a href=\"https:\/\/github.com\/wifinigel\/WLANPiShark\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/wifinigel\/WLANPiShark<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ekahau Sidekick<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img decoding=\"async\" src=\"https:\/\/static.wixstatic.com\/media\/68bc5d_0ef65a840ed64063aa4e26fa5e2e5172~mv2.png\/v1\/fit\/w_197,h_179,al_c,q_5,enc_auto\/file.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>The Ekahau Sidekick module also allows you to capture packets. To do this, you just need to connect it to your computer, launch the <a href=\"https:\/\/www.ekahau.com\/products\/ekahau-connect\/capture\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ekahau Capture<\/a> software (you need an Ekahau Connect account) and then select the channels that interest you. In the options, you can choose the location where the file will be saved, as well as the \u00ab\u00a0dwell time\u00a0\u00bb (listening time per channel). Once all this is selected, you can launch the capture.<\/p>\n\n\n\n<p>IMAGE EKAHAU CAPTURE<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">With another computer<\/h3>\n\n\n\n<p>With the \u00ab\u00a0Remote Packet Capture Protocol\u00a0\u00bb feature, Windows allows Wireshark to receive packets captured by another computer. 
To do this, open the services management console on the client machine and start the service Remote Packet Capture Protocol v.0 (experimental). You can also configure the service by changing the destination port or by adding authentication.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/static.wixstatic.com\/media\/68bc5d_c88e7f74fcd843c097b3809962a87682~mv2.png\/v1\/fit\/w_300,h_300,al_c,q_5,enc_auto\/file.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Then, on the server machine, go to the capture options, then to \u00ab\u00a0Manage Interfaces\u00a0\u00bb to add \u00ab\u00a0remote interfaces\u00a0\u00bb. You can then enter the IP address of the client machine and the port (2002 by default).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/static.wixstatic.com\/media\/68bc5d_b025922be23b442abd3b8755896b97a6~mv2.png\/v1\/fit\/w_300,h_300,al_c,q_5,enc_auto\/file.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>The interfaces will then appear in the list of available interfaces in the following format:<\/p>\n\n\n\n<p><em>rpcap:\/\/&lt;client IP address&gt;:2002\/&lt;interface ID&gt;<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3 Initiating the capture<\/h2>\n\n\n\n<p>When analyzing Wi-Fi incidents, it is generally not recommended to use capture filters, as they may mask exchanges that take place between different devices. It is recommended to capture all traffic and then apply display filters. 
If the volume of traffic is too large, the capture can be split into several files by size, duration or number of packets.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/static.wixstatic.com\/media\/68bc5d_5133356b75cd472dbcef668ff9827e9a~mv2.png\/v1\/fit\/w_300,h_300,al_c,q_5,enc_auto\/file.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>However, if the volume of data is still too large or you know exactly what you are looking for, it may be worthwhile to set up capture filters to facilitate the analysis.<\/p>\n\n\n\n<p>Here are some examples of filters that can be used:<\/p>\n\n\n\n<p><em>wlan addr1 00:01:02:03:04:05<\/em> : Capture packets where MAC address 1 is 00:01:02:03:04:05 (addr2 for MAC address 2, &#8230;)<\/p>\n\n\n\n<p><em>wlan type mgt<\/em> : To capture only management frames<\/p>\n\n\n\n<p><em>not wlan type data<\/em> : To not capture data frames<\/p>\n\n\n\n<p><em>wlan type mgt subtype beacon<\/em> : To capture only beacon frames<\/p>\n\n\n\n<p><em>wlan type ctl and (subtype rts or subtype cts)<\/em> : To capture only Request-To-Send and Clear-To-Send frames<\/p>\n\n\n\n<p>For the full filter syntax:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.wireshark.org\/docs\/man-pages\/pcap-filter.html\">https:\/\/www.wireshark.org\/docs\/man-pages\/pcap-filter.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The analysis of frames using Wireshark or another frame analyzer is essential in the resolution of network incidents. It allows us to obtain all the information exchanged and to understand precisely what is going on. But this quickly becomes a real headache if we are not well organized and not looking for the right elements. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[64,66,82,84],"class_list":["post-38","post","type-post","status-publish","format-standard","hentry","category-non-classe","tag-capture-en","tag-cwap-en","tag-windows-en","tag-wireshark-en"],"_links":{"self":[{"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=\/wp\/v2\/posts\/38","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38"}],"version-history":[{"count":1,"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions"}],"predecessor-version":[{"id":41,"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions\/41"}],"wp:attachment":[{"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wifiromeo.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}