SecurityTube, Wireless Lan Security Megaprimer notes: part 5 (Dissecting WLAN Headers)
Vivek’s video is here.
Basic Terminology
STA: Station (Wireless Client)
BSS: Basic Service Set (AP and clients in infrastructure mode, or Ad-Hoc clients)
  * Infrastructure BSS: Setup using Access point
  * Independent BSS: Ad-Hoc network
BSSID: Basic Service Set Identifier
  * Infrastructure Mode: MAC address of AP
  * Ad-hoc Mode: Randomly chosen address by first device.  (IBSS)
DS: Distribution System (connects APs in ESS).
  * The LAN connecting APs together.
ESS: Extended Service Set (set of BSSs)
  * Basically everything (BSSs + DS)
WLAN Packet Header
Looking at a beacon frame (could be any frame)
0. Open a frame in wireshark
0.1 Take a look at the “Frame section”
    * Contains meta information about the packet, received time etc.
0.2 Take a look at the “Radiotap Header”
    * Received from card
    * Signal strength (Useful for intrusion detection, can be used to triangulate clients)
    * Channel frequency etc.
0.3 WLAN Headers, open “IEEE 802.11 Beacon Frame” section
    * Frame type information (subtype)
1. All WLAN Packets have the following fields:
   * Frame Control (2 bytes)
   * Duration/ID   (2 bytes)
   * Address 1     (6 bytes)
   * FCS           (4 bytes) (Checksum)
1.1 Frame Control:
    * Bitfield containing a bunch of information:
      * Protocol
        * Default value 0, may change with major revision (currently always 0)
      * Type/Subtype
        * Type – Management, Control or Data frame
        * Sub-types of each of these.
      * To DS and From DS
        * Indicate where the packet is going:
| To DS | From DS | Info |
|---|---|---|
| 0 | 0 | STA to STA in the same IBSS (ad-hoc), or a management or control frame |
| 0 | 1 | Exiting the Distribution System (DS) (e.g. AP to client) |
| 1 | 0 | Entering the DS (e.g. client to AP) |
| 1 | 1 | Used in a Wireless Distribution System (WDS, e.g. extending a Wi-Fi network) |
      * More Frag: more fragments of this frame follow (data and management frames only).
      * Retry: Indicates that this frame is a retransmission (data and management only).
      * Power Management: Indicates whether the client is in power save mode (e.g. to save battery) or active mode.
      * More Data: Indicates that there’s more data queued up to be sent.
      * Protected Frame: Indicates whether the frame body is encrypted or not.
      * Order: Indicates that all frames must be processed in order.
Check you can see all this in wireshark (Type and subtype are shown twice)
1.2 Duration/ID field
    * Used to set “NAV” (Network Allocation Vector).
    * NAV is the minimum time other stations must wait before transmitting
      (tells other clients: please wait this long for this frame exchange to complete).
1.3 Address fields
    * Depends on type/sub-type (Source address, destination address, BSSID address)
1.4 Sequence Control
    * Sequence number of the packet AND Fragment number of the packet.
Check you can see all this in wireshark!
1.5 QoS (quality of service)…
1.6 Frame body: The data payload
    * management frame information
    * data transmission
1.7 FCS: CRC check over the MAC header and Frame body
    * Easy to “fix” FCS if we modify the frame.
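To tie the header fields above together, here is an added example (not from the video or the notes) that builds a constructed beacon frame, decodes the Frame Control bitfield, Duration/ID, the address fields, Sequence Control, and verifies the FCS as a CRC-32 over header and body. The BSSID and SSID are made-up sample values; the parser also handles the shorter control-frame header (only Address 1), which the generic layout in section 1 describes.

```python
import struct
import zlib
from typing import Optional

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
# Flag bits of the second Frame Control byte, in the order the notes list them (bit 0 = To DS).
FC_FLAGS = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgmt", "more_data", "protected", "order"]

def mac(raw: Optional[bytes]) -> Optional[str]:
    return None if raw is None else ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Decode the generic 802.11 MAC header of a raw frame and verify its trailing FCS."""
    fc, duration = struct.unpack_from("<HH", frame, 0)        # both fields are little-endian
    ftype = FRAME_TYPES[(fc >> 2) & 0x3]
    if ftype == "control":                                    # e.g. ACK: only Address 1 is present
        a1, a2, a3, seq_ctrl = frame[4:10], None, None, None
    else:                                                     # Address 4 (WDS) is not decoded here
        a1, a2, a3, seq_ctrl = struct.unpack_from("<6s6s6sH", frame, 4)
    return {
        "version": fc & 0x3,                                  # protocol version, currently always 0
        "type": ftype,
        "subtype": (fc >> 4) & 0xF,
        "flags": {name: bool((fc >> (8 + i)) & 1) for i, name in enumerate(FC_FLAGS)},
        "duration": duration,
        "addr1": mac(a1), "addr2": mac(a2), "addr3": mac(a3),
        "seq_num": None if seq_ctrl is None else seq_ctrl >> 4,    # upper 12 bits
        "frag_num": None if seq_ctrl is None else seq_ctrl & 0xF,  # lower 4 bits
        # FCS is CRC-32 over MAC header + frame body, stored little-endian after the body.
        "fcs_ok": zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0],
    }

def build_frame(fc: int, addr1: bytes, addr2: bytes, addr3: bytes, seq_num: int, body: bytes) -> bytes:
    """Assemble a management/data frame with a correct FCS (constructed sample, not a capture)."""
    header = struct.pack("<HH6s6s6sH", fc, 0, addr1, addr2, addr3, seq_num << 4)
    return header + body + struct.pack("<I", zlib.crc32(header + body))

def build_beacon(bssid: bytes, ssid: bytes, seq_num: int) -> bytes:
    """Beacon: Frame Control 0x0080 (type 0 management, subtype 8), broadcast Address 1, BSSID in 2 and 3."""
    body = struct.pack("<QHH", 0, 100, 0x0401) + bytes([0, len(ssid)]) + ssid  # timestamp, interval, caps, SSID IE
    return build_frame(0x0080, b"\xff" * 6, bssid, bssid, seq_num, body)

if __name__ == "__main__":
    beacon = build_beacon(b"\x02\x11\x22\x33\x44\x55", b"constructed-ssid", 10)  # made-up BSSID and SSID
    print(parse_frame(beacon))
```

Comparing the decoded fields with Wireshark's "IEEE 802.11" tree for a real beacon is a good check that you have the bit layout right; a frame whose stored FCS does not match the recomputed CRC-32 is either corrupted or was modified without its FCS being recalculated.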