Networking Wireshark Lab Homework This trace was collected using AirPcap and Wireshark

subject Type Homework Help
subject Pages 5
subject Words 2239
subject Authors James F. Kurose, Keith W. Ross

Wireshark Lab: 802.11 v6.0
Supplement to Computer Networking: A Top-Down
Approach, 6th ed., J.F. Kurose and K.W. Ross
Tell me and I forget. Show me and I remember. Involve me and I
understand. Chinese proverb
In this lab, we’ll investigate the 802.11 wireless network protocol. Before beginning this lab, you
might want to re-read Section 6.3 in the text. Since we’ll be delving a bit deeper into 802.11 than is
covered in the text, you might want to check out A Technical Tutorial on the 802.11 Protocol, by
In all of the Wireshark labs thus far, we’ve captured frames on a wired Ethernet connection. Here,
since 802.11 is a wireless link-layer protocol, we’ll be capturing frames “in the air.” Unfortunately,
many device drivers for wireless 802.11 NICs don’t provide the hooks to capture/copy received 802.11
is 128.119.240.19.
At t = 49.58, the host disconnects from the 30 Munroe St AP and attempts to connect to the
linksys_ses_24086. This is not an open access point, and so the host is eventually unable to
connect to this AP.
At t=63.0 the host gives up trying to associate with the linksys_ses_24086 AP, and
associates again with the 30 Munroe St access point.
Once you have downloaded the trace, you can load it into Wireshark and view the trace using the
File pull down menu, choosing Open, and then selecting the Wireshark_802_11.pcap trace file. The
resulting display should look just like Figure 1.
Wireshark Lab: 802.11
SOLUTION
Supplement to Computer Networking: A Top-Down
Approach, 6th ed., J.F. Kurose and K.W. Ross
1. What are the SSIDs of the two access points that are issuing most of the beacon
frames in this trace? ANSWER: The two access points that are issuing most of
2. What are the intervals of time between the transmissions of the beacon frames from the
linksys_ses_24086 access point? From the 30 Munroe St. access point? (Hint: this
3. What (in hexadecimal notation) is the source MAC address on the beacon frame from
30 Munroe St? Recall from Figure 6.13 in the text that the source, destination, and
BSS are three addresses used in an 802.11 frame. For a detailed discussion of the
802.11 frame structure, see section 7 in the IEEE 802.11 standards document (cited
4. What (in hexadecimal notation) is the destination MAC address on the beacon frame
from 30 Munroe St? ANSWER: The destination MAC address on the 30 Munroe St,
5. What (in hexadecimal notation) is the MAC BSS ID on the beacon frame from 30
Munroe St? ANSWER: The MAC BSS ID address on the 30 Munroe St, beacon
6. The beacon frames from the 30 Munroe St access point advertise that the access point
can support four data rates and eight additional “extended supported rates.” What are
these rates? ANSWER: The support rates are 1.0, 2.0, 5.5, 11.0 Mbps. The extended
7. Find the 802.11 frame containing the SYN TCP segment for this first TCP session
(that downloads alice.txt). What are three MAC address fields in the 802.11 frame?
Which MAC address in this frame corresponds to the wireless host (give the
hexadecimal representation of the MAC address for the host)? To the access point?
To the first-hop router? What is the IP address of the wireless host sending this TCP
segment? What is the destination IP address? Does this destination IP address
correspond to the host, access point, first-hop router, or some other network-attached
device? Explain. ANSWER: The TCP SYN is sent at t = 24.811093 seconds into the
8. Find the 802.11 frame containing the SYNACK segment for this TCP session. What
are three MAC address fields in the 802.11 frame? Which MAC address in this frame
corresponds to the host? To the access point? To the first-hop router? Does the
sender MAC address in the frame correspond to the IP address of the device that sent
the TCP segment encapsulated within this datagram? (Hint: review Figure 5.19 in the
text if you are unsure of how to answer this question, or the corresponding part of the
previous question. It’s particularly important that you understand this). ANSWER:
The TCP SYNACK is received at t = 24.827751 seconds into the trace. The MAC
9. What two actions are taken (i.e., frames are sent) by the host in the trace just after
t=49, to end the association with the 30 Munroe St AP that was initially in place
when trace collection began? (Hint: one is an IP-layer action, and one is an 802.11-
layer action). Looking at the 802.11 specification, is there another frame that you
might have expected to see, but don’t see here? ANSWER: At t = 49.583615 a
DHCP release is sent by the host to the DHCP server (whose IP address is
10. Examine the trace file and look for AUTHENTICATION frames sent from the host to
an AP and vice versa. How many AUTHENTICATION messages are sent from the
wireless host to the linksys_ses_24086 AP (which has a MAC address of
Cisco_Li_f5:ba:bb) starting at around t=49? ANSWER: The first
11. Does the host want the authentication to require a key or be open? ANSWER: The
12. Do you see a reply AUTHENTICATION from the linksys_ses_24086 AP in the
trace? ANSWER: I can’t find any reply from the AP. This is probably because the
13. Now let’s consider what happens as the host gives up trying to associate with the
linksys_ses_24086 AP and now tries to associate with the 30 Munroe St AP. Look for
AUTHENTICATION frames sent from the host to an AP and vice versa. At what
times are there an AUTHENTICATION frame from the host to the 30 Munroe St.
AP, and when is there a reply AUTHENTICATION sent from that AP to the host in
reply? (Note that you can use the filter expression “wlan.fc.subtype == 11 and
wlan.fc.type == 0 and wlan.addr == IntelCor_d1:b6:4f” to display only the
AUTHENTICATION frames in this trace for this wireless host.). ANSWER: At t =
63.168087 there is an AUTHENTICATION frame sent from 00:13:02:d1:b6:4f (the
14. An ASSOCIATE REQUEST from host to AP, and a corresponding ASSOCIATE
RESPONSE frame from AP to host are used for the host to associate with an AP. At
what time is there an ASSOCIATE REQUEST from host to the 30 Munroe St AP?
When is the corresponding ASSOCIATE REPLY sent? (Note that you can use the
filter expression “wlan.fc.subtype < 2 and wlan.fc.type == 0 and wlan.addr ==
IntelCor_d1:b6:4f” to display only the ASSOCIATE REQUEST and ASSOCIATE
RESPONSE frames for this trace.) ANSWER: At t = 63.169910 there is a
15. What transmission rates is the host willing to use? The AP? To answer this
question, you will need to look into the parameters fields of the 802.11 wireless LAN
management frame. ANSWER: In the ASSOCIATION REQUEST frame the
16. What are the sender, receiver and BSS ID MAC addresses in these frames? What is
the purpose of these two types of frames? (To answer this last question, you’ll need
to dig into the online references cited earlier in this lab). ANSWER: At t = 2.297613
there is a PROBE REQUEST sent with source 00:12:f0:1f:57:13, destination:
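
The questions above keep returning to two things Wireshark reads from the 802.11 MAC header: the type/subtype values behind filters such as “wlan.fc.subtype == 11 and wlan.fc.type == 0”, and which of the three address fields is the source, destination and BSS ID. The Python sketch below is an added example, not part of the lab or its solution; it decodes both from raw header bytes. The two frames are constructed, not taken from the trace, and the AP and router MAC addresses are placeholders.

```python
import struct

# Management (type 0) subtypes named in the lab's questions and filters.
MGMT = {0: "association request", 1: "association response",
        4: "probe request", 5: "probe response", 8: "beacon",
        10: "disassociation", 11: "authentication", 12: "deauthentication"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_header(frame):
    """Decode frame control and the three address fields of an 802.11 header."""
    if len(frame) < 24:  # short control frames (ACK, CTS) are out of scope
        raise ValueError("need the 24-byte three-address MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = (mac(frame[i:i + 6]) for i in (4, 10, 16))
    if to_ds and from_ds:
        raise ValueError("four-address (WDS) frames are not handled here")
    if to_ds:        # host -> AP: addr1 is the AP, addr3 the destination beyond it
        roles = {"bssid": a1, "source": a2, "destination": a3}
    elif from_ds:    # AP -> host: addr2 is the AP, addr3 the original sender
        roles = {"destination": a1, "bssid": a2, "source": a3}
    else:            # management frames: addr3 carries the BSS ID
        roles = {"destination": a1, "source": a2, "bssid": a3}
    if ftype == 0:
        name = MGMT.get(subtype, "other management")
    else:
        name = {1: "control", 2: "data"}.get(ftype, "reserved")
    return {"type": ftype, "subtype": subtype, "name": name, **roles}

HOST = "00:13:02:d1:b6:4f"    # wireless host MAC quoted in the lab
AP = "02:00:00:00:00:01"      # constructed placeholder, not from the trace
ROUTER = "02:00:00:00:00:02"  # constructed placeholder, not from the trace

def build(fc_bytes, a1, a2, a3):
    """Assemble a constructed header: frame control, duration, addresses, seq."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    return fc_bytes + b"\x00\x00" + addrs + b"\x00\x00"

AUTH = build(b"\xb0\x00", AP, HOST, AP)          # type 0, subtype 11
SYN_DATA = build(b"\x08\x01", AP, HOST, ROUTER)  # type 2, To DS set

if __name__ == "__main__":
    for f in (AUTH, SYN_DATA):
        print(parse_80211_header(f))
```

In the To DS data frame the destination address is the next device past the AP on the wired side, which is why the lab asks separately about the access point and the first-hop router.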
