SHARKFEST ‘12 | UC Berkeley | June 24–27, 2012
Visualizing 802.11
Wireshark Data
Tuesday, July 26th, 2012
Ryan Woodings
Chief Geek | MetaGeek
@metageek
Wired vs Wireless
802.3 - Wired
1. CSMA/CD
2. Distributed Access Scheme
802.11 - Wireless
1. CSMA/CA
• Distributed Access Scheme
Additional Considerations
• 2.4 & 5 GHz Public ISM bands
• Overlapping Channels
• Non-Wi-Fi Transmitters
• Tx Power Restrictions
Channels
2.4 GHz
• 11 (US): 3 Non-Overlapping
• 13 (Europe): 4 Non-Overlapping
5 GHz
• 9 non-DFS (US)
• 12 DFS (US)
• 4 non-DFS (Europe)
• 15 DFS (Europe)
Detailed List: http://en.wikipedia.org/wiki/List_of_WLAN_channels
Channel Overlap
Physical Layer Modulation
CCK (HR-DSSS Phase Shift Keying)
OFDM (Orthogonal Frequency Division Multiplexing)
Channel Contention
• Co-Channel: Every station and access point on the same channel competes for the time to talk.
• Adjacent Channel: Every station and access point on an overlapping channel competes for time to talk.
• Non-Wi-Fi: Non-802.11 devices also compete for medium access.
Physical Layer Modulation
Live Demo
802.11b
• 2.4 GHz-only
• 22 MHz Wide
• 1-11 Mbps
• HR-DSSS BPSK w/ CCK Modulation
• Good for longer range but low data rate.
802.11a
• 5 GHz-only
• 20 MHz Wide
• 6-54 Mbps
• OFDM Modulation
802.11g
• 2.4 GHz-only
• 20 MHz Wide
• 6-54 Mbps
• ERP-OFDM Modulation
802.11n
• 2.4 & 5 GHz
• 20-40 MHz Wide
• 6-450 Mbps
• OFDM Modulation
Dynamic Rate Selection
As clients move farther away from an access point, they choose a lower modulation rate.
Channel Contention
Channel Contention
Contention Domains
Channel
Antenna Pattern
Physical Barriers
Transmit Power
Wireless Medium Access
CSMA w/ CA
Wireless Medium Access
802.11 Frame Types
• Management Frames: wlan.fc.type == 0
• Control: wlan.fc.type == 1
• Data: wlan.fc.type == 2
Management Frames
Management frames "manage" stations joining and leaving a WLAN. These frames exist only in the 802.11 MAC layer. For example:
• Beacons
• Probes
• Authentications
• Associations
wlan.fc.type == 0
Control Frames
Control frames "control" the RF medium and aid in delivery of data and management frames. For example:
• ACK
• Block-ACK
• RTS
• CTS
wlan.fc.type == 1
Data Frames
Data frames carry higher-level protocol data. For example:
• Data
• Data+CF-Ack
• Data+CF-Poll
• QoS data
wlan.fc.type == 2
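An added example, not part of the original slides: a Python sketch of how the first Frame Control octet yields the wlan.fc.type values above and the combined wlan.fc.type_subtype value, with a per-type tally of packets and bytes. It assumes raw 802.11 MAC frames with no radiotap header; the function names and the sample frames are constructed for illustration.

```python
from collections import defaultdict

# Values of wlan.fc.type; 3 is the later "extension" type, not on the slides.
TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}

# Subtypes named on the slides, keyed the way Wireshark displays
# wlan.fc.type_subtype: (type << 4) | subtype.
SUBTYPES = {
    0x00: "Association Request", 0x04: "Probe Request", 0x08: "Beacon",
    0x0B: "Authentication", 0x19: "Block-ACK", 0x1B: "RTS", 0x1C: "CTS",
    0x1D: "ACK", 0x20: "Data", 0x21: "Data+CF-Ack", 0x22: "Data+CF-Poll",
    0x28: "QoS data",
}

def classify(frame: bytes):
    """Return (type, type_subtype, subtype name) for one 802.11 MAC frame."""
    if len(frame) < 2:
        raise ValueError("truncated: Frame Control is two octets")
    fc0 = frame[0]                   # bits 0-1 version, 2-3 type, 4-7 subtype
    if fc0 & 0x03:
        raise ValueError("unsupported protocol version")
    ftype = (fc0 >> 2) & 0x03
    type_subtype = (ftype << 4) | (fc0 >> 4)
    return ftype, type_subtype, SUBTYPES.get(type_subtype, "other")

def summarize(frames):
    """Tally packets and bytes per frame type; bad frames are counted, not dropped."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        try:
            key = TYPES[classify(frame)[0]]
        except ValueError:
            key = "Malformed"
        stats[key]["packets"] += 1
        stats[key]["bytes"] += len(frame)
    return dict(stats)

# Constructed sample frames: real Frame Control octets, zero-filled bodies.
SAMPLE = [
    b"\x80\x00" + bytes(58),   # Beacon
    b"\xd4\x00" + bytes(8),    # ACK
    b"\xb4\x00" + bytes(14),   # RTS
    b"\x88\x01" + bytes(98),   # QoS data, To DS set
    b"\x80",                   # truncated capture
]

if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(f"{name:<11} packets={s['packets']} bytes={s['bytes']}")
```

On this sample the two control frames account for half of the well-formed packets but only 26 of 186 bytes, which is why the packets and bytes views of the same capture can look so different.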
Visual Packet Analysis
Packets vs. Bytes vs. Time
Packet Analysis Demo
Live Demo
Wireshark Config Profiles
• WLAN Frame Types: Data, Management and Control
• Data Rates: Highlight frames sent slow/fast
• Channels: For captures with multiple adapters
Wireshark Config Profiles
Additional Columns to Consider:
• SubType: wlan.fc.type_subtype
• Data Rate: IEEE 802.11 TX rate (existing field type)
• RSSI: IEEE 802.11 RSSI (existing field type)
Packet Type Profile
Channel Profile
Data Rate Profile
Fin.