WiFi Standard 802.11ac Packet Analysis

Learn the differences between the 802.11ac standard packets' data in this post, as well as how to extract useful data from their traffic.

WiFi Standard 802.11ac Packet Analysis
Photo by Raphael Lopes / Unsplash

Hello World! It is the format and contents in the packet that makes a protocol. Therefore if you want to understand about the protocol, you must understand the data it is transmitting on the physical medium (here radio). Today I will discuss a few details of the 802.11ac standard of the WiFi and then how the packets are different from the one we have discussed in the Wifi Traffic Analysis post.

The standard was developed by the wireless task group of IEEE committee and made public in 2013. It is basically an amendment to IEEE 802.11, that builds on 802.11n, but it only operates on the 5 GHz band and provides the maximum speed of this standard is 1.3 Gbps with more spatial streams (up to eight versus four)

The labs I have used for the demonstration are provided by AttackDefense platform. If you want to practice, you can visit the following links

The labs are using pretty older version of the Wireshark, logical operators combinations of the filters may vary, but the field names are hardly changed.
Q1 How many antennas were there in the capturing device?

The capturing device driver adds its section to the actual 802.11x packets while sniffing them, which provides meta information about the device itself. For example, at the time of capture, original WiFi packets do not contain information about the channel, antennas, or signal strength. As a result, it is similar to other pseudo-headers, such as "Frame", which Wireshark adds to all packets, including 802.11x.

There is no need to apply a filter because the radiotap filter is present in all WiFi packets. Simply expand the Radiotap Header section and count the Antenna property contained within it.

Answser – 2

Q2 A 802.11ac capable client device is using “CourageTheCowardlyDog” SSID. What is the MAC address of this device

If the client is truly 802.11ac capable, it must have interacted with the access point. To filter specific packets, you must have the BSSID, which you can obtain by using the following filter.

wlan.ssid == "CourageTheCowardlyDog"

We got the BSSID e4:95:6e:45:9c:97 which can use used as filter with wlan.bssid field having transmitter address set to the client MAC address.

According to my knowledge and the answer here, wlan_radio section is also a psuedo-header and contains a field named phy which has different values based on its type. The value for 802.11ac can be found in the wiretap/wtap.h file (here 8). The filter you can use to get the desired answer can be found below.

wlan.bssid == e4:95:6e:45:9c:97 && wlan_radio.phy == 8

Answer – 34:e6:ad:56:e1:04

Q3 In big networks, multiple BSSIDs operate under single/same SSID. Which BSSID is responsible for most traffic of “EASYDAFTAR SOUTH” SSID?

When the client is activated or its base service set (bss) is changed, it broadcasts the probe request with the SSID name of the access point from the saved network list. If the SSID of the hotspot device in the network matches, it will respond with the probe response. As a result, large networks ensure the connectivity of nearby clients by assigning the same SSID to multiple BSSIDs.

On the menu bar, select the Wireless \( \to \) WLAN Traffic option. It will open a new window with all of the traffic grouped by BSSID. Apply the following filter to the Display filter input below, and the answer will appear on the screen.

wlan.ssid == "EASYDAFTAR SOUTH"

Trivia – Here, DAFTAR is the Hindi translation of Office.

Answer – c8:d7:19:17:7e:3a

Q4 What is the frequency of operation for the network associated with BSSID e4:95:6e:45:9c:97? Provide value in MHz.

Again, all the information about the frequency at which the client is operating can be found in the wlan_radio section of the capture, filter all the packets for the particular BSSID and look for wlan_radio.frequency field in it.

wlan.bssid == e4:95:6e:45:9c:97

Answer – 5180 Mega Hertz or 5.18 Ghz

Q5 How many packets belong to 802.11ac standard?

From the second question, you know that the 802.11ac standard will have the value of PHY set to 0x8, therefore you can filter all the packets using the following filter and check the number of Displayed packets in the status bar.

wlan_radio.phy == 0x8

Answer – 227127

Q6 How many client devices were connected to BSSID e4:95:6e:45:9c:97 at MAC timestamp 1167524353?

Okay, so I'm not sure what the MAC timestamp is, and it's also not clear from the documentation, so I'll leave it to you to figure out. Using the following filter, you can find this information in the radiotap.mactime field.

wlan.bssid == e4:95:6e:45:9c:97 && radiotap.mactime == 1167524353

Answer – 1

Q7 Are any packets in given traffic capture were transmitted using 802.11ac beamforming?  State Yes or No.

In general, we know that WiFi signals are broadcasted in all directions, which is accomplished by omni-directional antennas. However, there are special antennas that can direct the signal to the receiver (client), increasing signal power and allowing for faster transmission due to less traffic.

The following filter can be used to determine whether traffic in the 802.11ac standard is beamformed.

wlan_radio.11ac.beamformed

Answer – No

Q8 Does BSSID e4:95:6e:45:9c:97 hardware supports MCS9? State Yes or No.

The MCS (Modulation and Coding System) clarifies data rates across a range of channel widths, guard intervals, and spatial streams. There are ten MCS indexes in 802.11ac, ranging from 0 to 9. Simply put, the higher the MCS value, the better the data transmission / receiving quality. This information is only available in the "QoS Data" frame.

To see if any BSSIDs support MCS type 9, use the following filter. If there is any network traffic, the answer is Yes.

wlan.bssid == e4:95:6e:45:9c:97 && wlan_radio.11ac.mcs == 9

Answer – Yes

Q9 What is the value of maximum supported transmission power for AP hosting “CourageTheCowardlyDog” SSID? Provide an answer in dBm units.

The power of the frequencies is specific to the hardware device, which is broadcased in the Beacon frame's tagged parameters (195). To obtain this data, apply the following filter and look for the Tx (transmission) Power Envelope parameter. You'll notice that all of the frequency channels have the same value.

wlan.ssid == "CourageTheCowardlyDog" && wlan.fc.type_subtype == 0x8 && wlan.tag.number == 195

Answer – 23.0 dBm

Q10 Does the Access Point with BSSID e4:95:6e:45:9c:97 have support for SU-Beamforming or MU-Beamforming? State Yes or No.

The WiFi device's beamforming can be directed at a single client or multiple clients, which we refer to as single-user (SU) beamforming and multi-user (MU) beamforming. This information can be found in the beacon frame's tagged property (191). Filter the traffic by the BSSID and tag number 191. You will get the answer in the VHT (Very High Thoughput) Capabilities of the tagged parameters set.

wlan.bssid == e4:95:6e:45:9c:97  && wlan.tag.number == 191

The VHT capabilities are for the 802.11ac standard, while the HT capabilities are for the 802.11n standard. Because the standard is based on the 802.11n standard, both are included in the beacon frame data.

Answer – Both single-user and multi-user beamforming is not supported.

Resources