        Cace Technologies AirPcap Wireless Capture Adapters User's Manual
         Contents
1. The Multi-Channel Aggregator (applies to USB AirPcap adapters only)
AirPcap and Wireshark
Identifying the AirPcap Adapters in Wireshark
The Wireless Toolbar
The Wireless Settings Dialog
The Decryption Keys Management Dialog
The Multi-Channel Aggregator (applies to USB AirPcap adapters only)
Transmit Raw 802.11 Frames on Your Network
Where to Learn More
Appendix A: 802.11 Frequencies
2.4GHz Band
5GHz Band
Channels Supported by the AirPcap Product Family

Figures

Tables

Figure 1: The AirPcap Control Panel: Settings Tab
Figure 2: AirPcap N and Extension Channel Setting
Figure 3: The AirPcap Control Panel: Keys Tab
Figure 4: Multi-Channel Aggregator
Figure 5: The Wireshark Adapters List
2. 5GHz band are much more complex.

Each BSS operates on a particular channel, i.e., the access point and all of the wireless clients within a BSS communicate over a common channel. The same channel may be used by more than one BSS. When this happens, and if the BSSs are within communication range of each other, the different BSSs compete for the bandwidth of the channel, and this can reduce the overall throughput of the interfering BSSs. On the other hand, selecting different channels for nearby access points will mitigate channel interference and accommodate good wireless coverage using multiple BSSs.

A BSS is formed by wireless clients "associating" themselves with a particular access point. Naturally, a wireless client will have to "discover" whether there is an access point within range and its corresponding channel. For this purpose, access points advertise themselves with "beacon" frames and wireless clients can (passively) listen for these frames. Another discovery approach is for the wireless client to send out "probe" requests to see if certain access points are within range. Following the discovery process, wireless clients will send requests to be associated with a particular BSS.

Types of Frames

The 802.11 link layer is much more complicated than the Ethernet one. The main reason is that wireless links have lower reliability compared to the reliability of wired links, and therefore the 802.11 link layer has featur
3. frequency band. The channel of the additional frequency band is called the extension channel. The Extension Channel list box lets you choose a valid extension channel (above or below) for a given channel (see Figure 2). Not all channels have above and below extension channels. For example, BG channels 1, 2, 3, and 4 do not have a -1 (below) extension channel. The reason is that the center frequencies of the primary and extension channels need to be separated by 20MHz. So if 4 were the primary channel, channel 1, which is the lowest BG center frequency, is only 15 MHz below channel 4.

• Capture Type: 802.11 frames only, 802.11 frames plus radio information (see Radiotap), or 802.11 frames plus the Per-Packet Information (PPI) header (see Downloads for the current PPI specification). PPI and radio information includes additional information not contained in the 802.11 frame: transmit rate, signal power, signal quality, channel, and (for PPI) multiple antenna information.

• Include 802.11 FCS in Frames: if checked, the captured frames will include the 802.11 4-byte Frame Check Sequence. This option can be disabled if an application has difficulty decoding the packets that have the Frame Check Sequence.

• FCS Filter: this drop-down list allows you to configure the kind of Frame Check Sequence filtering that the selected adapter will perform:

  o All Frames: the adapter will capture all the frames, regardless of whether the
4. CACE Technologies

AirPcap Family of Wireless Capture Adapters

User's Guide

Copyrights

Copyright © 2007 CACE Technologies, LLC. All rights reserved.

This document may not, in whole or part, be copied, photocopied, reproduced, translated, reduced, or transferred to any electronic medium or machine-readable form without prior consent in writing from CACE Technologies, LLC.

AirPcap Family of Wireless Capture Adapters User's Guide

Document Version: 3.1
Document Revision: August 2007

CACE Technologies, LLC
Davis, CA 95616
(530) 758-2790
(530) 758-2781 (fax)
support@cacetech.com
http://www.cacetech.com

Contents and Figures

Contents

The AirPcap Product Family
A Brief Introduction to 802.11
Terminology
802.11 Standards
Channels
Types of Frames
How AirPcap Adapters Operate
Multiple Channel Capture (applies to USB adapters only)
Configuring the Adapters: the AirPcap Control Panel
Identifying the AirPcap Adapters
WEP Keys
5. Figure 5: The Wireshark Adapters List

When you insert more than one USB AirPcap adapter, you will see an additional capture interface, called AirPcap Multi-Channel Aggregator. This interface aggregates the traffic from all the available USB AirPcap adapters, and allows them to be used as a single multi-channel capture device.

The Wireless Toolbar

Figure 6 shows the Wireshark wireless toolbar. The wireless toolbar provides a fast and productive way to set up the most important wireless capture settings.

The wireless toolbar appears when at least one AirPcap adapter is plugged into one of the USB ports, and can be used to change the parameters of the currently active wireless interfaces. If the currently active interface is not an AirPcap adapter, the wireless toolbar will be grayed.

When Wireshark starts, the active interface is the default one (Edit > Preferences > Capture > Default Interface). During Wireshark usage, the active interface is the last one used for packet capture.
6. FCS is valid or not.

  o Valid Frames: the adapter will only capture frames that have a valid FCS.

  o Invalid Frames: the adapter will only capture frames that have an invalid FCS.

Note: AirPcap stores the configuration information on a per-adapter basis. This means that changing the configuration of an adapter does not affect the settings of any of the other adapters.

WEP Keys

The AirPcap driver is able to use a set of WEP keys to decrypt traffic that is WEP encrypted. If a frame is WEP encrypted, the driver will attempt to decrypt the frame using the user-supplied set of WEP keys: the driver will try all of the WEP keys for each frame until it finds one that decrypts the frame. If the decryption is successful, the unencrypted frame is passed to the user application; otherwise the original frame is passed along. By configuring the AirPcap driver with multiple WEP keys, it is possible to decrypt traffic coming from multiple access points that are using different WEP keys, but transmitting on the same channel.

The list of keys can be edited by selecting the Keys tab in the AirPcap control panel (Figure 3).

To add or remove a key, use the "Add New Key" or "Remove Key" buttons, respectively. "Edit Key" allows you to change the value of an existing key. "Move Key Up" and "Move Key Down" can be used to change the order of the keys. This may be an important performance cons
7. PA personal" sessions, which use pre-shared keys. Decryption of "WPA Enterprise" sessions is not supported.

As explained in "The Wireless Toolbar" section, there are three possible decryption modes: None, Driver and Wireshark. The keys specified in this dialog will be used either by the Driver or Wireshark depending upon the selected Decryption Mode. It should be noted that WPA and WPA2 are decrypted only in Wireshark mode.

Note that, no matter which setting is used, the keys are applied to the packets in the same order they appear in the keys list. Therefore, putting frequently used keys at the beginning of the list improves performance.

To add or remove a key, use the "Add New Key" or "Remove Key" buttons, respectively. "Edit Key" allows you to change the value of an existing key. "Move Key Up" and "Move Key Down" can be used to change the order of the keys. This may be an important performance consideration, since the driver uses the keys in the order they appear in this list.

Use the "Select Decryption Mode" drop-down box to switch among the different decryption modes.

Figure 8: Decryption Keys Management Dialog in Wireshark

WEP keys are arrays of bytes of arbitrary length expressed in hexadecimal. WPA and WPA2 keys can be of two types:

• Passphrase (WPA-PWD): T
8. PCI and mini-PCI Express

A Brief Introduction to 802.11

Terminology

The terms Wireless LAN or WLAN are used to indicate a wireless local area network, e.g. a network between two or more "stations" that uses radio frequencies instead of wires for the communication.

All components that can "connect" to a WLAN are referred to as stations. Stations fall into one of two categories: access points or wireless clients.

Access points transmit and receive information to/from stations using radio frequencies. As we shall see later, the particular choice of a radio frequency determines a wireless "channel". An access point usually acts as a "gateway" between a wired network and a wireless network.

Wireless clients can be mobile devices such as laptops, personal digital assistants (PDAs), IP phones or fixed devices such as desktops and workstations that are equipped with a wireless network interface card.

In some configurations, wireless devices can communicate directly with each other, without the intermediation of an access point. This kind of network configuration is called peer-to-peer or ad-hoc.

A Basic Service Set (BSS) is the basic building block of a WLAN. The "coverage" of one access point is called a BSS. The access point acts as the master to control the stations within that BSS. A BSS can be thought of as the wireless version of an IP subnet. Every BSS has an id called the BSSID, which is the MAC address of the acces
9. Unlike passive reception, there are restrictions on the transmission frequencies/channels imposed by various countries. While there are no channel restrictions for monitoring 802.11 traffic, AirPcap Tx and Ex will allow transmission on only those channels that are permitted according to the ship-to country.

Where to Learn More

The best sources of information about the Wireshark network analyzer are:

• The documentation page on the Wireshark website, http://www.wireshark.org/docs/. From here you can download the User's Guide, the man pages, and the developer's manuals.

• The Wireshark wiki, http://wiki.wireshark.org/

• The Wireshark mailing lists, http://www.wireshark.org/lists/

• Wireshark University, http://www.wiresharku.com. WSU features Laura Chappell, regarded by many as the best protocol analysis trainer in the world.

If you are a developer, the best sources of information are:

• The AirPcap developer's pack, downloadable from http://www.cacetech.com/support/downloads.htm. The AirPcap developer's pack contains all the components you need to create wireless-aware capture applications, including lib files, dlls, an online API documentation and a set of ready-to-compile example programs.

• The WinPcap developer resources page, http://www.winpcap.org/devel.htm, where you can download the WinPcap source code and developer's pack.

• The winpcap-users mailing list, http://www.winpcap.org/co
10. are can optionally be configured to decrypt WEP-encrypted frames. An arbitrary number of keys can be configured in the driver at the same time, so that the driver can decrypt the traffic of more than one access point at the same time. WPA and WPA2 support is handled by applications such as Wireshark and Aircrack-ng. See the section WEP Keys on page 11 and The Decryption Keys Management Dialog on page 18 for more information.

Multiple Channel Capture (applies to USB adapters only)

This section applies to all members of the AirPcap Product family except AirPcap N. When listening on a single channel is not enough, multiple AirPcap adapters can be plugged into a PC and used at the same time to capture traffic simultaneously from different channels.

The AirPcap driver provides support for this operation through the Multi-Channel Aggregator technology, which exports capture streams from multiple AirPcap adapters as a single capture stream.

The Multi-Channel Aggregator consists of a virtual interface that can be used from Wireshark or any other AirPcap-based application. Using this interface, the application will receive the traffic from all the installed AirPcap adapters, as if it was coming from a single device.

The Multi-Channel Aggregator can be configured like any real AirPcap device, and therefore can have its own decryption, FCS checking and packet filtering settings.

Configuring the Adapters: the AirPcap Contr
11. ary 370b0 1 9f 7 1 1f   4d5a 8b1e 4289dbO0bcafd1033 mspx mfr true

Another good source is the book 802.11 Wireless Networks: The Definitive Guide, 2nd Edition, by Matthew Gast (ISBN-10 0-596-10052-3).

How AirPcap Adapters Operate

The AirPcap adapter captures the traffic on a single channel at a time; the channel setting for the AirPcap adapter can be changed using the AirPcap Control Panel, or from the "Advanced Wireless Settings" dialog in Wireshark. Depending on the capabilities of your AirPcap adapter, it can be set to any valid 802.11a/b/g/n channel for packet capture.

All of the AirPcap adapters can operate in a completely passive mode. This means that they can capture the traffic on a channel without associating with an access point, or interacting with any other wireless device. Unless you are transmitting with either AirPcap Tx or AirPcap Ex, none of the adapters is detectable by any other wireless station.

The AirPcap adapters can work in (so-called) Monitor Mode. In this mode, the AirPcap adapter will capture all of the frames that are transferred on a channel, not just frames that are addressed to it. This includes data frames, control frames and management frames.

When more than one BSS shares the same channel, the AirPcap adapter will capture the data, control and management frames from all of the BSSs that are sharing the channel and that are within range of the AirPcap adapter.

The AirPcap softw
12. ature does not include traffic from the AirPcap N adapter).

Figure 4: Multi-Channel Aggregator

As Figure 4 shows, the Multi-Channel Aggregator has its own FCS, Capture Type and FCS Filter settings. These settings, and not the ones of the physical adapter, will be used when capturing from the Aggregator. Note that it's not possible to set the channel of the Multi-Channel Aggregator; instead, the channel drop-down box will show the list of the aggregated channels. To change the channel of any individual adapter, select the Capture adapter from the Interface drop-down list, and set the desired value in the channel drop-down box.

AirPcap and Wireshark

The user interface of Wireshark is completely integrated with AirPcap. This increases your productivity, and allows you to get the best from the network analyzer you are used to.

Identifying the AirPcap Adapters in Wireshark

Figure 5 shows the Wireshark Capture Interfaces dialog (Capture > Interfaces). The AirPcap Interfaces are easily identified by the icon next to them.
13. • 4920MHz to 4995MHz in 5MHz increments. These correspond to A channels 240 to 255.

• 5000MHz to 5995MHz in 5MHz increments. These correspond to A channels 0 to 199.

• 6000MHz to 6100MHz in 5 MHz increments.

AirPcap N

AirPcap N supports a wide range of center frequencies. As usual, the channel bandwidth around each center frequency is 20MHz. The center frequencies supported by the Cardbus AirPcap N adapter are:

• 2312MHz to 2372MHz in 5 MHz increments.

• 2412MHz to 2472MHz in 5 MHz increments. These correspond to BG channels 1 to 13.

• 2484MHz corresponds to BG channel 14.

• 2512MHz to 2732 in 20MHz increments.

• 5120MHz to 5700MHz in 20 MHz increments. These correspond to A channels 24 to 140 in increments of 4.

• 5745MHz to 5825MHz in 20 MHz increments. These correspond to A channels 149 to 165 in increments of 4.
14. Figure 6: The Wireshark Wireless Toolbar

The Wireless toolbar has the following controls:

• 802.11 Channel: allows the user
15. es to reduce the effects of frame loss. For example, every data frame is acknowledged with an ACK frame. Moreover, the protocol needs to support access point discovery, association and disassociation, authentication, wired/wireless bridging, and many other features that are not necessarily needed in a wired link layer.

When capturing on a wireless channel, you will see three main kinds of frames:

• Data frames
• Control frames
  o Acknowledgement
  o Request to Send
  o Clear to Send
• Management frames
  o Beacons
  o Probe Requests / Probe Responses
  o Association Requests / Association Responses
  o Reassociation Requests / Reassociation Responses
  o Disassociations
  o Authentications / Deauthentications

Additionally, frame headers may contain Quality of Service (QoS) and High Throughput (HTC) information.

The Control frames are used to improve the reliability characteristics of the link. The establishment of a BSS through the process of discovery and association is supported by the Management frames, including possible authentication steps in the process.

It is beyond the scope of this brief introduction to describe the details of these frames and their usage in the 802.11 protocol. If you are interested in additional details, you can consult the following websites:

http://standards.ieee.org/getieee802/802.11.html
http://www.wi-fiplanet.com/tutorials/article.php/1447501
http://technet2.microsoft.com/WindowsServer/en/libr
16. his is the Passphrase and SSID combination most often used to configure WPA and WPA2. The passphrase is a string between 8 and 63 characters in length. The SSID can be omitted, in which case Wireshark will use the last-seen SSID on the network. Non-printable characters can be represented by a character followed by a hexadecimal number for both the passphrase and SSID. The passphrase and SSID are used to derive the Pre-Shared Key.

• Pre-Shared key (WPA-PSK): This allows the user to provide a binary TKIP or CCMP key, used to derive the temporary key of each session, which is normally the kind of key returned by tools like Aircrack. The key is 256 bits long, and is expressed as a hex string (64 characters). A tool to convert a passphrase and SSID into a 256-bit PSK can be found on the Wireshark web site at http://www.wireshark.org/tools/wpa-psk.html.

The keys that you specify in this list are global. Every AirPcap adapter, including the Multi-Channel Aggregator, will use them.

The Multi-Channel Aggregator (applies to USB AirPcap adapters only)

The Multi-Channel Aggregator has its own FCS Filter, Capture Type and option to Include 802.11 FCS in Frames. These settings, and not the ones of the physical adapter, will be used when capturing from the Multi-Channel Aggregator.

However, it's not possible to set the channel of the Multi-Channel Aggregator; instead, the channel drop-down box will show the list of the aggregated channels. Mul
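The passphrase-to-PSK conversion mentioned in the key-type excerpt above, as an added example that is not code from the manual or from Wireshark. It uses the WPA/WPA2-Personal mapping from IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), which the page itself does not spell out; the function names are hypothetical, and "password"/"IEEE" is the test vector published with that standard.

```python
import hashlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key from a passphrase and SSID."""
    secret = passphrase.encode("utf-8")
    salt = ssid.encode("utf-8")
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte key.
    return hashlib.pbkdf2_hmac("sha1", secret, salt, 4096, 32)


def key_material(kind: str, value: str, ssid=None):
    """Validate one key-list entry and return its raw key bytes.

    kind is one of the three types the manual lists: WEP, WPA-PWD, WPA-PSK.
    A WPA-PWD entry without an SSID returns None: the manual says the SSID
    is then taken from the capture, so the PSK cannot be derived up front.
    """
    kind = kind.upper()
    if kind == "WEP":
        # Arbitrary-length byte array in hexadecimal: whole bytes only.
        if not value or len(value) % 2 or not set(value) <= HEX_DIGITS:
            raise ValueError("WEP key must be an even number of hex digits")
        return bytes.fromhex(value)
    if kind == "WPA-PSK":
        # 256-bit key expressed as exactly 64 hex characters.
        if len(value) != 64 or not set(value) <= HEX_DIGITS:
            raise ValueError("WPA-PSK must be exactly 64 hex characters")
        return bytes.fromhex(value)
    if kind == "WPA-PWD":
        if ssid is None:
            if not 8 <= len(value.encode("utf-8")) <= 63:
                raise ValueError("passphrase must be 8 to 63 characters")
            return None
        return wpa_psk(value, ssid)
    raise ValueError("unknown key type: " + kind)


if __name__ == "__main__":
    # Entries shaped like the dialog's key list; values are sample data.
    for kind, value, ssid in [
        ("WEP", "1234abcd", None),
        ("WPA-PWD", "password", "IEEE"),
        ("WPA-PWD", "abcdefgh", None),
    ]:
        key = key_material(kind, value, ssid)
        print(kind, key.hex() if key is not None else "(needs SSID from capture)")
```

The derived PSK depends on the SSID, so the same passphrase on two differently named networks gives two different 64-character WPA-PSK values.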
17. ideration, since the driver uses the keys in the order they appear in this list.

The currently configured keys are shown in the "Keys" list.

It is possible to turn WEP decryption on and off at any time by using the "Enable WEP Decryption" check box.

Figure 3: The AirPcap Control Panel: Keys Tab.

The keys are applied to the packets in the same order they appear in the keys list. Therefore, putting frequently used keys at the beginning of the list improves performance.

Note: The keys are stored by the AirPcap Control Panel globally. This means that any keys specified in the list will be used by all AirPcap adapters (including AirPcap N).

The Multi-Channel Aggregator (applies to USB AirPcap adapters only)

When more than one USB AirPcap adapter is plugged in, the AirPcap Control Panel will show one additional interface: the Multi-Channel Aggregator.

As explained in the Multiple Channel Capture (applies to USB adapters only) section of this manual, the Multi-Channel Aggregator is a virtual capture interface that can be used from Wireshark or any other AirPcap-based application. Using this capture interface, the application will receive the traffic from all the installed USB AirPcap adapters, as if it was coming from a single device (this fe
18. is 20 MHz, which means that channels may "overlap". The commonly used non-overlapping channels are channels 1, 6, and 13. There is a 14th channel whose center frequency is 12MHz above channel 13. These frequency bands are referred to as channels and stations communicate using a particular channel.

802.11a and 802.11n operate in the 5 GHz range, which is divided into a large number of channels. The center frequency of channel 0 is 5,000 MHz; the center frequency of channel 1 is 5,005 MHz. The formula for relating channels (n) to center frequencies in the 5 GHz range is:

Center frequency (MHz) = 5,000 + 5n, where n = 0, ..., 199
Center frequency (MHz) = 5,000 - 5(256 - n), where n = 240, ..., 255

Note that channels 240 to 255 range from 4,920 MHz to 4,995 MHz. As with the 2.4 GHz band, each channel is 20 MHz wide. 802.11n allows for "wide" channels, that is, two adjacent 20 MHz bands (note that the channel numbers of the two adjacent 20 MHz bands are not adjacent) can be used "side by side" in order to be backward compatible with 802.11a, b, and g, or they can be combined into a single 40 MHz channel in "Greenfield" mode.

The actual use of the channels, however, depends on the country. For example, in the USA the FCC allows channels 1 through 11 in the 2.4 GHz band, whereas most of Europe can use channels 1 through 13. No matter where you are, you can use AirPcap to listen on any supported channel. The regulations for the
19. ntact.htm.

Appendix A: 802.11 Frequencies

2.4GHz Band

2312MHz to 2372 MHz in 5MHz steps. The 802.11b/g center frequencies and corresponding channel numbers are: 2412MHz (Channel 1) to 2472MHz (Channel 13), where the frequencies are incremented by 5MHz and the channel numbers by 1. There is an additional frequency for channel 14, namely 2484MHz, which is 12MHz beyond channel 13.

All of the 2.4GHz channels are supported by all of the adapters in the AirPcap Product Family.

5GHz Band

The 5 GHz range is divided into a large number of channels. The center frequency of channel 0 is 5,000 MHz; the center frequency of channel 1 is 5,005 MHz. The formula for relating channels (n) to center frequencies in the 5 GHz range is:

Center frequency (MHz) = 5000 + 5n, where n = 0, ..., 199
Center frequency (MHz) = 5000 - 5(256 - n), where n = 240, ..., 255

Note that channels 240 to 255 range from 4920MHz to 4995MHz.

Channels Supported by the AirPcap Product Family

All of the 2.4GHz channels are supported by all of the adapters in the AirPcap Product Family.

AirPcap Ex

AirPcap Ex supports an extended range of center frequencies. The bandwidth associated with each center frequency is 20MHz. The center frequencies are:

• 2312MHz to 2372MHz in 5 MHz increments.

• 2412MHz to 2472MHz in 5 MHz increments. These correspond to BG channels 1 to 13.

• 2484MHz corresponds to BG channel 14.
20. ol Panel

The AirPcap control panel (Figure 1) provides a convenient and intuitive way to configure the parameters of currently connected AirPcap adapters. The changes made to an adapter using the AirPcap control panel will be reflected in all of the applications using that adapter.

To start the AirPcap control panel, click on START > PROGRAMS > AirPcap > AirPcap Control Panel.

Figure 1: The AirPcap Control Panel: Settings Tab.

The drop-down list in the Interface box at the top of the panel presents a list of currently installed adapters. Selecting one of the adapters in the list allows you to view/edit its configuration.

Identifying the AirPcap Adapters

The drop-down list identifies the USB AirPcap adapters using adapter numbers (e.g. 00, 01, ...) and does not distinguish between AirPcap Classic, AirPcap Tx, and AirPcap Ex. Fortunately, the AirPcap adapters have an LED that can be caused to blink by first selecting the adapter from the drop-down list and clicking on the Blink Led button. This feature is useful in distinguishing among the USB AirPcap adapters when multiple adapters are plugged into your sys
21. on or off, you will see the changes immediately reflected in the Wireshark window.

  o Driver: the packets are decrypted by the driver before reaching Wireshark. This option has two advantages: capture filters on TCP/IP fields or packet payloads will work; when logging the network traffic to disk, it will be unencrypted. This will make it easier for third-party applications to understand them. Since this kind of decoding is done during the capture, the changes you make will be effective starting with the next capture.

• Wireless Settings: this button opens the Wireless Settings dialog for the currently selected AirPcap adapter. See the next section for details.

• Decryption Keys: this button opens the Decryption Keys Management dialog. See the "Decryption Keys Management Dialog" section below for details.

The Wireless Settings Dialog

The Wireless Settings Dialog (Figure 7) can be used to set the advanced parameters of an AirPcap adapter. The dialog can be accessed either from the Wireless Toolbar (Wireless Settings) or from the main menu (Capture > Options > Wireless Settings).

Figure 7: Wireless Settings Dialog in Wireshark

The parameters that can be configured are:

• Channel: the channels are specified in terms of their center frequencies and the range of channels va
22. ries from adapter to adapter.

• Channel Offset: set to -1, 0, or +1 for AirPcap N. This allows the use of "wide" channels.

• Capture Type: 802.11 frames only, or 802.11 frames plus Radio information (Radiotap header), or 802.11 frames plus the Per-Packet Information (PPI) header. Radiotap and PPI include information such as transmit rate, signal power, signal quality and channel, and will be displayed by Wireshark in the radiotap header of every frame.

• Include 802.11 FCS in Frames: if checked, the captured frames will include the 802.11 4-byte Frame Check Sequence.

• FCS Filter: this drop-down list allows you to configure the kind of Frame Check Sequence filtering that the selected adapter will perform:

  o All Frames: the adapter will capture all the frames, regardless of whether the FCS is valid or invalid.

  o Valid Frames: the adapter will only capture frames that have a valid FCS.

  o Invalid Frames: the adapter will only capture frames that have an invalid FCS.

The Decryption Keys Management Dialog

This dialog window, shown in Figure 8, can be used to organize the keys that will be used to decrypt the wireless packets. It is possible to decrypt packets encrypted with WEP, WPA and WPA2; however, notice that:

• In order to decrypt WPA and WPA2 you will need to capture the 4-way EAPOL handshake used to establish the pairwise transient key (PTK) used for a session.

• Wireshark can only decrypt "W
23. Figure 6  The Wireshark Wireless Toolbar
Figure 7  Wireless Settings Dialog in Wireshark
Figure 8  Decryption Keys Management Dialog in Wireshark
Table 1  Feature Comparison for the AirPcap Product Family

AirPcap User's Guide

CACE TECHNOLOGIES

The AirPcap Product Family

The AirPcap offerings are the first open, affordable and easy-to-deploy packet capture solution for Windows. All of the AirPcap offerings will capture full 802.11 data, management, and control frames that can be viewed in Wireshark, thereby providing in-depth protocol dissection and analysis capabilities. Below we provide a feature matrix that gives a high-level overview of the feature sets of the adapters in the AirPcap Product Family.

More detailed information regarding each member of the AirPcap Product Family can be found on the CACE Technologies Website (http://www.cacetech.com/).

                                   AirPcap Classic   AirPcap Tx     AirPcap Ex         AirPcap N
Fully Integrated with Wireshark
Multi-Channel Monitoring
  (with 2 or more adapters)
Packet Transmission
External Antenna Connector
                                   USB Dongle        USB Dongle     USB Dongle         Cardbus (32 bits)
Frequency Bands                    2.4GHz (b/g)      2.4GHz (b/g)   2.4 and 5GHz       2.4 and 5GHz
                                                                    (a/b/g)            (a/b/g/n)

Table 1  Feature Comparison for the AirPcap Product Family

L Other form factors available by special order are  mini 
24. s point servicing the BSS, and a text identifier called the SSID.

802.11 Standards

802.11 is a standard that defines the physical layer and the data link layer for communication among wireless devices. The original 802.11 specification was ratified in 1997, uses the 2.4 GHz frequency band, and allows transmission rates of 1 or 2 Mbps.

802.11a, ratified in 1999, is an extension of 802.11 that operates at 5 GHz. It supports 8 additional transmission rates: 6, 9, 12, 18, 24, 36, 48 and 54 Mbps.

802.11b, ratified in 1999, is an extension of 802.11 that uses the same 2.4 GHz frequency band, and supports two additional transmission rates: 5.5 and 11 Mbps.

802.11g, ratified in 2003, is backward compatible with 802.11b, and supports the same additional transmission rates found in 802.11a: 6, 9, 12, 18, 24, 36, 48 and 54 Mbps.

802.11i, ratified in 2004, defines an enhanced security mechanism based on AES.

802.11n, expected to be ratified in 2009, is backward compatible with 802.11a, b, and g, and will operate at 2.4 GHz and optionally 5 GHz. It can potentially support data rates up to 600 Mbps.

Channels

802.11b and 802.11g divide the 2.4 GHz spectrum into 13 channels, beginning with channel 1 and ending with channel 13. The center frequency of channel 1 is 2,412MHz, channel 2 is 2,417MHz, etc. The center frequencies of adjacent channels are 5 MHz apart. The bandwidth of each channel 
25. tem and an easy way to associate the physical adapters with the adapter numbers assigned by the system.

AirPcap N appears as "AirPcap N Wireless Capture Device" in the drop-down list, making it easy to identify if it is present (see Figure 2).

Figure 2  AirPcap N and Extension Channel Setting

The Basic Configuration box contains the following settings:

- Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 1, ..., 14 in the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels) that do not have channel numbers, each available channel is given by its center frequency. Where applicable, the BG or A channel numbers are also given. All of the channel center frequencies supported by the selected adapter will be made available in the Channel list. The bandwidth of each channel is 20MHz.

- Extension Channel: For 802.11n adapters, one can use the Extension Channel list to create a "wide" channel. The choices are -1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the succeeding 20MHz
26. tichannel aggregation is not available with the AirPcap N Cardbus adapter.

To change the channel of any individual adapter, select the Capture → Options menu item, select the desired interface, click on the Wireless Settings button and then set the channel value in the channel drop-down box.

Transmit Raw 802.11 Frames on Your Network

For advanced users, AirPcap Tx and AirPcap Ex have the ability to inject raw 802.11 frames into your wireless network, which makes them an invaluable aid in assessing the security of your wireless network.

There are several freeware and open source tools that are compatible with AirPcap Tx and AirPcap Ex. Since these tools have not been developed by CACE Technologies, it is recommended that you visit their official websites for additional information.

- Aircrack-ng: This is a well-known suite of tools for auditing wireless networks. It allows various types of attacks on a wireless network.

    o To learn more visit the official aircrack-ng website: www.aircrack-ng.org

- Cain & Abel: This is a multi-function security tool for Windows that includes wireless access point and host detection.

    o To learn more visit the official Cain & Abel website: www.oxid.it/cain.html

Using the AirPcap API, AirPcap Tx and Ex can inject any kind of frame, including control, management, and data frames. These frames can be transmitted at any allowable rate depending upon your adapter.
27. to change the channel on which the current AirPcap adapter captures. The channel can be changed at any time, even while Wireshark is capturing.

- Offset: for AirPcap N, allows the user to set an extension, or "wide", channel.

Tip: When real-time packet updates are enabled (Edit → Preferences → Capture → Update list of packets in real time), switching from channel to channel allows you to see which channels have traffic and which ones are unused.

- FCS Filter: allows the user to select which packets the current AirPcap adapter should capture: all the packets, only packets with a valid FCS, or only packets with an invalid FCS. This feature can be used to get a quick check on the quality of the transmission on the channel and/or the quality of the adapter's reception.

- Decryption mode: can be one of the following:

    o None: no decryption is performed, neither at the driver level nor in Wireshark.

    o Wireshark: the driver doesn't perform any decryption of the captured packets, and they are decrypted by Wireshark while displaying them. This has the advantage of minimizing the CPU load during the capture process. Moreover, the driver doesn't manipulate the packets, so the captured data is a precise picture of the network traffic. However, capture filters (also known as BPF filters) on TCP/IP fields or packet payloads will not work. Since this kind of decryption is done by the analyzer, when you turn it 
    