Networking Wireshark Lab Homework This trace was collected using AirPcap and Wireshark

Unlock access to all the studying documents.

View Full Document

Wireshark Lab: 802.11 v6.0

Supplement to Computer Networking: A Top-Down

Approach, 6th ed., J.F. Kurose and K.W. Ross

“Tell me and I forget. Show me and I remember. Involve me and I

understand.” Chinese proverb

In this lab, we’ll investigate the 802.11 wireless network protocol. Before beginning this lab, you

might want to re-read Section 6.3 in the text1. Since we’ll be delving a bit deeper into 802.11 than is

covered in the text, you might want to check out “A Technical Tutorial on the 802.11Protocol,” by

In all of the Wireshark labs thus far, we’ve captured frames on a wired Ethernet connection. Here,

since 802.11 is a wireless link-layer protocol, we’ll be capturing frames “in the air.” Unfortunately,

many device drivers for wireless 802.11 NICs don’t provide the hooks to capture/copy received 802.11

1. Getting Started

is 128.119.240.19.

• At t = 49.58, the host disconnects from the 30 Munroe St AP and attempts to connect to the

linksys_ses_24086. This is not an open access point, and so the host is eventually unable to

connect to this AP.

• At t=63.0 the host gives up trying to associate with the linksys_ses_24086 AP, and

associates again with the 30 Munroe St access point.

Once you have downloaded the trace, you can load it into Wireshark and view the trace using the

File pull down menu, choosing Open, and then selecting the Wireshark_802_11.pcap trace file. The

resulting display should look just like Figure 1.

Wireshark Lab: 802.11

SOLUTION

Supplement to Computer Networking: A Top-Down

Approach, 6th ed., J.F. Kurose and K.W. Ross

1. What are the SSIDs of the two access points that are issuing most of the beacon

frames in this trace? 1. ANSWER: The two access points that are issuing most of

2. What are the intervals of time between the transmissions of the beacon frames the

linksys_ses_24086 access point? From the 30 Munroe St. access point? (Hint: this

3. What (in hexadecimal notation) is the source MAC address on the beacon frame from

30 Munroe St? Recall from Figure 6.13 in the text that the source, destination, and

BSS are three addresses used in an 802.11 frame. For a detailed discussion of the

802.11 frame structure, see section 7 in the IEEE 802.11 standards document (cited

4. What (in hexadecimal notation) is the destination MAC address on the beacon frame

from 30 Munroe St? ANSWER: The destination MAC address on the 30 Munroe St,

5. What (in hexadecimal notation) is the MAC BSS IS on the beacon frame from 30

Munroe St? ANSWER: The MAC BSS ID address on the 30 Munroe St, beacon

6. The beacon frames from the 30 Munroe St access point advertise that the access point

can support four data rates and eight additional “extended supported rates.” What are

these rates? ANSWER: The support rates are 1.0, 2.0, 5.5, 11.0 Mbps. The extended

7. Find the 802.11 frame containing the SYN TCP segment for this first TCP session

(that downloads alice.txt). What are three MAC address fields in the 802.11 frame?

Which MAC address in this frame corresponds to the wireless host (give the

hexadecimal representation of the MAC address for the host)? To the access point?

To the first-hop router? What is the IP address of the wireless host sending this TCP

segment? What is the destination IP address? Does this destination IP address

correspond to the host, access point, first-hop router, or some other network-attached

device? Explain. ANSWER: The TCP SYN is sent at t = 24.811093 seconds into the

8. Find the 802.11 frame containing the SYNACK segment for this TCP session. What

are three MAC address fields in the 802.11 frame? Which MAC address in this frame

corresponds to the host? To the access point? To the first-hop router? Does the

sender MAC address in the frame correspond to the IP address of the device that sent

the TCP segment encapsulated within this datagram? (Hint: review Figure 5.19 in the

text if you are unsure of how to answer this question, or the corresponding part of the

previous question. It’s particularly important that you understand this). ANSWER:

The TCP SYNACK is received at t = 24.827751 seconds into the trace. The MAC

9. What two actions are taken (i.e., frames are sent) by the host in the trace just after

t=49, to end the association with the 30 Munroe St AP that was initially in place

when trace collection began? (Hint: one is an IP-layer action, and one is an 802.11-

layer action). Looking at the 802.11 specification, is there another frame that you

might have expected to see, but don’t see here? ANSWER: At t = 49.583615 a

DHCP release is sent by the host to the DHCP server (whose IP address is

10. Examine the trace file and look for AUTHENICATION frames sent from the host to

an AP and vice versa. How many AUTHENTICATION messages are sent from the

wireless host to the linksys_ses_24086 AP (which has a MAC address of

Cisco_Li_f5:ba:bb) starting at around t=49? ANSWER: The first

11. Does the host want the authentication to require a key or be open? ANSWER: The

12. Do you see a reply AUTHENTICATION from the linksys_ses_24086 AP in the

trace? ANSWER: I can’t find any reply from the AP. This is probably because the

13. Now let’s consider what happens as the host gives up trying to associate with the

linksys_ses_24086 AP and now tries to associate with the 30 Munroe St AP. Look for

AUTHENICATION frames sent from the host to and AP and vice versa. At what

times are there an AUTHENTICATION frame from the host to the 30 Munroe St.

AP, and when is there a reply AUTHENTICATION sent from that AP to the host in

reply? (Note that you can use the filter expression “wlan.fc.subtype == 11and

wlan.fc.type == 0 and wlan.addr == IntelCor_d1:b6:4f” to display only the

AUTHENTICATION frames in this trace for this wireless host.). ANSWER:: At t =

63.168087 there is a AUTHENTICATION frame sent from 00:13:02:d1:b6:4f (the

14. An ASSOCIATE REQUEST from host to AP, and a corresponding ASSOCIATE

RESPONSE frame from AP to host are used for the host to associated with an AP. At

what time is there an ASSOCIATE REQUEST from host to the 30 Munroe St AP?

When is the corresponding ASSOCIATE REPLY sent? (Note that you can use the

filter expression “wlan.fc.subtype < 2 and wlan.fc.type == 0 and wlan.addr ==

IntelCor_d1:b6:4f” to display only the ASSOCIATE REQUEST and ASSOCIATE

RESPONSE frames for this trace.) ANSWER: At t = 63.169910 there is a

15. What transmission rates is the host willing to use? The AP? To answer this

question, you will need to look into the parameters fields of the 802.11 wireless LAN

management frame. ANSWER: In the ASSOCIATION REQUEST frame the

16. What are the sender, receiver and BSS ID MAC addresses in these frames? What is

the purpose of these two types of frames? (To answer this last question, you’ll need

to dig into the online references cited earlier in this lab). ANSWER: At t = 2.297613

there is a PROBE REQUEST sent with source 00:12:f0:1f:57:13, destination: