Capture Beacon Frames

Whenever we go outside to hangout with our friends or family either to restaurants or to any place checking for the available free WiFI access points is one the first thing which we do nowadays. Even though we have access to mobile internet (like 4G or 3G) we still look out for these things. Access to internet is becoming more and more common (sometimes rudimentary) and it is now impossible to imagine that when we turn on the WiFi in our smart phones we see at least a few access point name in the list. In office environment, we may see access points with the same name repeated multiple times which helps our smartphones to connect to them when we are moving from one place to other.

How does the smart phone or whatever the electronic device which does the scanning to find the access points nearby able to see these things.

Beacons

Beacon frame are sent by access point all the time. There is a minimum time interval between two beacon frames which is 102 micro seconds. It contains all the information about the network which in WiFi terminology is called its own BSS. These beacons are especially important in infrastructure BSS. It helps the end-user to knows its the availability and the services the access point can provide. There is a whole lot of information hidden in this frame which is a sub-type of management frame. Pls note most of the latest A.P provide an option to turn off the beacon frames for security reasons.

At the top-level there are three types of frames in 802.11, the management frames, control frames and data frames. As the name suggests the management frames are the ones which are used to manage the network. The device (aka station) which does a scan to get the list of available nearby access points is actually sending a probe request frame. This could either be a direct request to the particular access point or to everyone. In the case of device sending probe request to everyone (broadcast) all the access points who received the probe request frame will reply back with their beacons. If the device sends a probe request directed to a particular access point then the access point replies back to that particular device itself (in this case it is called probe response). Control frames and data frames are the other two packet types and we shall discuss about that in some of the future blogs.

Capture beacons

In order to see the beacon frames we must first need to put our WiFI Nic in monitor mode.I have already created a separate blog on how to put WiFi card in monitor mode. Pls refer to that link for more details.

In short you can execute these below commands and put your card in monitor mode.

iw dev <interface name> interface add mon0 type monitor;
ip link set <interface name> up

For capturing of frames i have used wireshark which is the de-facto tool for analysing network packets. Below is the initial capture of WiFi packets from mon0 interface which is in monitor mode.

all_packets

The capture has a total of 75 packets (see the bottom). As previously said there are probe requests frames which are either broadcast ed or which are directed to a particular access point. For example, the first packet in the capture is an example for broadcast ed probe request frame. Any Access point can now reply back this station. Packet number fourteen is an example of directed probe request frame. This request is sent particularly to that access point alone.

As you can see not all the frames in this capture are beacon frames and it is a collection of various frames. In order to see the beacon frames alone which is the motive of this blog in the first place wireshark provides us with a feature called filters. These filters are a very a powerful and extensively flexible feature provided by wireshark. They are a lot of filter options supported by wireshark and you can get a glimpse of that from the expressions button.

We can add the below filter entry and apply the same to the packet capture which we have made just now.

before_apply.png

wlan.fc.type_subtype == 0x8 is the expression which we need to add in the filter box. The reason why we are comparing it with 0x8 is, beacons are part of the management frames which has the type field set to 0 and beacons are represented by a hex value of 0x8 i.e there sub-type is 8. We can change the sub-type alone and map them to any one of the other management frames. For example the above filter can be modified to show only probe request frames with this expression wlan.fc.type_subtype == 0x5 and wlan.fc.type_subtype == 0x6 goes for probe response frames.

Below is the sample screenshot after applying the filter to see the beacon frames alone.

after_apply.png

Details from the beacon frames

Of the 75 packets captured, five are beacon frames. If your environment is having a lot of access points nearby you then your capture may have a lot more beacon frames. Below image shows the actual information carried by the beacon frames. There is a lot of detail which this beacon carries.

details.png

One of the first thing it shows is its SSID (pls see the First tag under the Tagged parameters). These tags are called information elements and each information element has two parameters,  number and length. The number represents the type of the field and length represents the amount of data that this fields carries in bytes.The SSID’s information element has its number as 0, supported rates has its field set to 1 and so on . Pls look into the beacon frame for more details on this.

SSID information element carries the naming which we have given our access points. Supported rates information element gives the supported data rates and the DS information element gives us the channel in which the A.P is active. The station can establish a connection only in the channel in which the access point is operating.

Traffic indication map information element is used by A.P when a particular station which is associated with the A.P goes to sleep and the access point wants to notify the station about any data it has received for that station. In other words this IE has the details about any new packet which the A.P has for the station. One of the important IE (information element) is the HT (High Throughput) capabilities IE. These are present on the A.P’s which support 802.11n. It gives a hell lot of details about supported channel width, A-MPDU’s, A-MSDU’s, Short GI at 20MHz or 40MHz, Block ACKs , MCS, TxBF, Antenna selection and etc which are actually supported by the 802.11n standard. Actually the A.P which am using supports 802.11ac which is the latest commercially available WiFI standard. Those IE’s are called VHT (Very High throughput) and have the details as mentioned above. The reason why we don’t see those IE’s in this beacon are 802.11ac is strictly 5GHz. That means it operates only in 5GHz band. As you can see from the DS parameter set IE, this A.P is operation in channel 10 which is in 2.4GHz. If you have recently bought an A.P chances are that they support 802.11ac. We shall discuss more on this in a separate blog itself and particularly about the WMM IE. For the curious readers this is the IE which talks about EDCA that is supported by this A.P

Apply colour filters

We can apply some colour filters captured packet in wireshark. So whenever we apply this filter in future the specific colour filters will also get applied. It makes it a lot easier to visually isolate the packets which we want to see. Pls follow the below steps for applying the colouring rules to the filters.

apply_color.png

You can choose the foreground and background colour of your choice and leave the rest of the work to be done wireshark. This is very neat feature of wireshark very seldom used.

With colour filter applied the same packets looks like this.

after_color_filter.png

This is very much useful when you have captured a lot of packets and want to isolate only the ones which you want to analyse. As said above we shall discuss more about beacon frames alone in a separate blog in the coming future.

Advertisements