SecurityTube, Wireless Lan Security Megaprimer notes: part 5 (Dissecting WLAN Headers)

Vivek’s video is here.

Basic Terminology

STA: Station (Wireless Client)

BSS: Basic Service Set (an AP and its clients in infrastructure mode, or the clients alone in ad-hoc mode)
* Infrastructure BSS: Setup using Access point
* Independent BSS: Ad-Hoc network

BSSID: Basic Service Set Identifier
* Infrastructure Mode: MAC address of AP
* Ad-hoc Mode: random address chosen by the first device (IBSS)

DS: Distribution System (connects APs in ESS).
* The LAN connecting APs together.

ESS: Extended Service Set (set of BSSs)
* Basically everything (BSSs + DS)

WLAN Packet Header

Looking at a beacon frame (could be any frame)

0. Open a frame in wireshark
0.1 Take a look at the “Frame section”
* Contains meta information about the packet: capture time, frame length, etc.

0.2 Take a look at the “Radiotap Header”
* Added by the wireless card/driver on receive; it is not part of what was sent over the air
* Signal strength (Useful for intrusion detection, can be used to triangulate clients)
* Channel frequency etc.

0.3 WLAN Headers, open “IEEE 802.11 Beacon Frame” section
* Frame type information (subtype)

1. All WLAN Packets have the following fields:
* Frame Control (2 bytes)
* Duration/ID (2 bytes)
* Address 1 (6 bytes)
* FCS (4 bytes) (Checksum)

1.1 Frame Control:
* Bitfield containing a bunch of information:
* Protocol
* Default value 0, may change with major revision (currently always 0)

* Type/Subtype
* Type – Management, Control or Data frame
* Sub-types of each of these.

* To DS and From DS
* Indicate where the packet is going:

To DS  From DS  Meaning
  0       0     STA to STA in the same IBSS (ad-hoc), or a management/control frame
  0       1     Exiting the Distribution System (DS) (e.g. AP to client)
  1       0     Entering the DS (e.g. client to AP)
  1       1     Wireless Distribution System (WDS, e.g. AP-to-AP links extending a Wi-Fi network)

* More Fragments: set when further fragments of this frame follow (data and management only).
* Retry: set when this frame is a retransmission (data and management only).

* Power Management: Indicates if client is in power save mode or active mode. (power save e.g. battery)
* More Data: Indicates that there’s more data queued up to be sent.
* Protected Frame: indicates whether the frame body is encrypted.
* Order: Indicates that all frames must be processed in order.

Check you can see all this in Wireshark (Type and Subtype are shown twice).

1.2 Duration/ID field
* Used to set “NAV” (Network Allocation Vector).
* NAV is the minimum time other stations must wait before transmitting
(tells other clients: please wait this long for this transmission to complete).

1.3 Address fields
* Depends on type/sub-type (Source address, destination address, BSSID address)

1.4 Sequence Control
* Sequence number of the packet AND Fragment number of the packet.

Check you can see all this in Wireshark!

1.5 QoS (quality of service)…

1.6 Frame body: The data payload
* management frame information
* data transmission

1.7 FCS: CRC check over the MAC header and Frame body
* Easy to “fix” FCS if we modify the frame.
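As an added worked example (not from Vivek's video or these notes), the script below dissects the fields covered in 1.1 through 1.7 and then verifies the FCS from 1.7: the Frame Control bitfield, Duration, the address fields, Sequence Control, the frame body (with the SSID pulled out of a beacon) and the trailing CRC-32. The two sample frames, a beacon and an ACK, and the AP address and SSID inside them are constructed here and are not captures from the video. The FCS is computed as the standard CRC-32 (the same polynomial Ethernet uses, which `zlib.crc32` implements) appended least-significant byte first.

```python
"""Dissect the fixed part of an 802.11 MAC header and check the FCS.
Added example; sample frames, addresses and SSID below are constructed."""
import struct
import zlib

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}
# The To DS / From DS table from the notes, keyed (to_ds, from_ds).
DS_MEANING = {
    (0, 0): "STA to STA in the same IBSS, or a management/control frame",
    (0, 1): "exiting the DS (e.g. AP to client)",
    (1, 0): "entering the DS (e.g. client to AP)",
    (1, 1): "WDS (AP to AP)",
}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc):
    """Unpack the 2-byte Frame Control bitfield (sent least-significant byte first)."""
    b0, b1 = fc[0], fc[1]
    return {
        "protocol": b0 & 0x03,        # bits 0-1, always 0 today
        "type": (b0 >> 2) & 0x03,     # bits 2-3
        "subtype": (b0 >> 4) & 0x0F,  # bits 4-7
        "to_ds": b1 & 0x01,
        "from_ds": (b1 >> 1) & 0x01,
        "more_frag": (b1 >> 2) & 0x01,
        "retry": (b1 >> 3) & 0x01,
        "power_mgmt": (b1 >> 4) & 0x01,
        "more_data": (b1 >> 5) & 0x01,
        "protected": (b1 >> 6) & 0x01,
        "order": (b1 >> 7) & 0x01,
    }


def append_fcs(frame_without_fcs):
    """Append the FCS: CRC-32 over MAC header + body, least-significant byte first."""
    crc = zlib.crc32(frame_without_fcs) & 0xFFFFFFFF
    return frame_without_fcs + struct.pack("<I", crc)


def parse_frame(frame):
    """Return the fields every frame carries, plus Address 2/3 and Sequence
    Control for management and data frames, and whether the FCS matches."""
    if len(frame) < 10 + 4:  # Frame Control + Duration + Address 1 + FCS
        raise ValueError("frame shorter than the minimal 802.11 frame")
    fc = parse_frame_control(frame[0:2])
    out = {
        "fc": fc,
        "type_name": FRAME_TYPES[fc["type"]],
        "ds": DS_MEANING[(fc["to_ds"], fc["from_ds"])],
        "duration": struct.unpack_from("<H", frame, 2)[0],
        "addr1": fmt_mac(frame[4:10]),
    }
    if fc["type"] == 1:
        # ACK/CTS carry only Address 1; other control subtypes add Address 2 (not handled here)
        out["subtype_name"] = CTRL_SUBTYPES.get(fc["subtype"], "other control")
        hdr_len = 10
    else:
        out["subtype_name"] = MGMT_SUBTYPES.get(fc["subtype"], "other") if fc["type"] == 0 else "data"
        out["addr2"] = fmt_mac(frame[10:16])
        out["addr3"] = fmt_mac(frame[16:22])
        seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
        out["fragment"] = seq_ctrl & 0x0F   # low 4 bits
        out["sequence"] = seq_ctrl >> 4     # high 12 bits
        hdr_len = 24
    out["body"] = frame[hdr_len:-4]
    received = struct.unpack_from("<I", frame, len(frame) - 4)[0]
    out["fcs_ok"] = received == (zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return out


def beacon_ssid(body):
    """Walk the tagged parameters of a beacon body and return the SSID (tag 0)."""
    i = 12  # skip timestamp (8), beacon interval (2), capability info (2)
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + length].decode(errors="replace")
        i += 2 + length
    return None


AP_MAC = bytes.fromhex("001122334455")  # constructed BSSID / AP address
BROADCAST = b"\xff" * 6
# Beacon: Frame Control bytes 80 00 -> type 0 (Management), subtype 8 (Beacon)
_beacon_hdr = (b"\x80\x00" + b"\x00\x00" + BROADCAST + AP_MAC + AP_MAC
               + struct.pack("<H", (291 << 4) | 0))   # sequence 291, fragment 0
_beacon_body = (b"\x00" * 8 + struct.pack("<H", 100)  # timestamp, beacon interval
                + b"\x11\x04" + b"\x00\x06labnet")    # capability, SSID IE
BEACON = append_fcs(_beacon_hdr + _beacon_body)
# ACK: Frame Control bytes d4 00 -> type 1 (Control), subtype 13 (ACK)
ACK = append_fcs(b"\xd4\x00" + b"\x00\x00" + AP_MAC)
# Same beacon with one body byte flipped but the original FCS kept
CORRUPTED = BEACON[:30] + bytes([BEACON[30] ^ 0xFF]) + BEACON[31:]

if __name__ == "__main__":
    for name, frame in ("beacon", BEACON), ("ack", ACK), ("corrupted", CORRUPTED):
        p = parse_frame(frame)
        print(name, p["type_name"], p["subtype_name"], p["addr1"], p["ds"], "fcs_ok=%s" % p["fcs_ok"])
```

Running it prints the beacon as Management/Beacon to the broadcast address with `fcs_ok=True`, the ACK as Control/ACK, and the corrupted copy with `fcs_ok=False`. Note that `append_fcs` is all it takes to make a modified frame pass the check again, which is the point of the last bullet above: a matching FCS tells a monitoring tool that the bytes arrived intact, not that the frame is genuine.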