• +64 21311943
  • jeet.kulkarni@outlook.com
  • Auckland, New Zealand

Analyzing Frame Exchanges – #CWAP #Wireshark

This blog post will focus on certain aspects of Wireshark frames which can be brought to use for analyzing and troubleshooting Wi-Fi issues. I recommend downloading metageek color filters and apply it to your Wireshark for filtering specific frame types with applied colorization.

You can read more about applying the color filters here.

SSID/BSSID information.

  • In Pcaps they can be found from Management – Beacon frames
  • Beacon frames have purple color applied by default. The SSID column can determine the name of the SSID.
  • However, for hidden SSID you will notice the SSID length is zero and set as Wildcard SSID
  • Certain vendors can provide the information regarding device name from “Vendor Specific” tags under Tagged parameters.
  • BSSID is radio MAC address associated with each SSID. It is derived from ‘base radio MAC address’
  • Each advertised SSID will have different BSSID even if they are transmitted from the same AP.

Spatial Streams

  • When a device reports 3×3:3 MIMO, it has 3 transmit chains, three receive chains and 3 spatial steams in that order.
  • Supported spatial streams by Client/STA can be found in all the Management Request frames such as Probe Request, Association Request or Reassociation Request.
  • Supported spatial streams by AP can be found in Beacon & Response frames such as Probe Response, Association Response and Reassociation Response.
  • Depending on the PHY, the frames will be shown under MCS set under HT or VHT capabilities information.

Power Save & Traffic Buffer

  • The SM Power Save (Spatial Multiplexing) allows AP to save power. This can be seen in HT/VHT Capabilities Ass/Reass Request frames.
  • Power save modes in HT
    • 0 – Static, 1 – Dynamic, 2 – Reserved & 3 – Disabled
  • In HT frames this information can be found under HT Capabilities Info as outlined below
  • In VHT frames, this information is shown under TxOP PS. The AP needs to support the 802.11 stations to go into TXOP power save mode.
  • Power save modes in VHT. Indicates whether a VHT AP allows non-ap VHT STAs in TXOP power save mode to enter sleep state during TxOP.
    • 0 indicate if the AP does not support TxOP PS mode
    • 1 indicate if AP support TxOP PS mode.
  • Client STA use “Listen Interval” field to inform AP to go into power save mode. An AP uses the listen interval in determining the lifespan of frames that will be buffered for the STA.
  • In the below Association Request frame, the listen interval is 0x0014 ~ 20 beacon intervals as the wake up time for the client.

Supported Data Rates

  • A standard WLAN best practice to improve performance is to disable lower data rates on the AP. This helps in increase overall capacity by eliminating overhead caused from management frames sent out at lowest configured basic data rate.
  • In order to determine the data rates supported by client, the best place to look at is Probe Request frames. (subtype 0x4)
  • Probe Response frames can show the supported data rates by the AP.

Leave a Reply

Your email address will not be published.