Profiler
Gather Wi-Fi device capabilities directly, by asking the device
In this lab, we'll look at one of the WLAN Pi's most popular home-grown tools: Profiler.
Profiler allows analysis of wireless clients to understand their 802.11 capabilities. This information is invaluable when designing a Wi-Fi network, and you need to understand the capabilities of the clients that will be using the network.
In summary, Profiler turns the WLAN Pi into a fake AP and listens for association requests from clients whose capabilities we wish to analyse. Profiler analyses each client's authentication frames to produce a report detailing its 802.11 capabilities.
By default, Profiler will attempt to profile clients on the 5 GHz band. Profiling clients is also supported on the 2.4 GHz band by starting Profiler in a 2.4 GHz mode.
The diagram below provides a high level summary of Profiler's operation. We'll explore this in more detail during this lab.
To complete this lab you'll need the following items:
Windows or macOS laptop to browse to the WLAN Pi M4
WLAN Pi M4
To start the profiler process and view client reports on the WLAN Pi, there must be IP connectivity between your laptop/Mac and the WLAN Pi.
In this lab, we'll connect using the lab's wireless and wired network connections. Your laptop/Mac will be connected to the lab wireless network, and your WLAN Pi M4 will be connected to one of the lab PoE switch ports.
Once both devices have a network connection, you can use the IP address shown on the front panel of your WLAN Pi as the target browsing address. We'll be browsing to the Cockpit utility on the WLAN Pi to provide the command line (terminal) access required for this lab. We'll also open the WLAN Pi's own Web UI to view the Profiler reports that are stored on the WLAN Pi.
One of the many challenges we face working with Wi-Fi is determining the 'actual' capabilities of a Wi-Fi device. Mike Albano (@mike_albano) maintains a database of device capabilities over at clients.mikealbano.com
Where does this information come from?
The clients themselves!
When a Wi-Fi station attempts to associate to an AP, the station shares capability information so that the AP can communicate with the station efficiently. This capability information is not always published or easy to locate; WLAN Pi Profiler makes gathering this detail a breeze!
WLAN Pi Profiler works like this:
Makes use of Scapy (python library) to create a "fake" access point by transmitting specifically forged beacon frames
Listens for an association frame, decodes the frame and parses out the relevant Wi-Fi capability information about the device
Device information that Profiler can reveal includes:
802.11k/r/v/w support
802.11n/ac/ax support
Maximum number of Spatial Streams
Beamforming support
Supported MCS Rates
Maximum Transmit Power
Supported 5 GHz channels
Navigate: Apps > Profiler > Start
Screen displays: Starting...
Wait 3-6 seconds
Screen displays: Success, Profiler started.
A QR code that can be used as a shortcut to get clients to try to join profiler's SSID is also displayed.
When Profiler is active pressing the centre joystick button will toggle between 'Join Wi-Fi QR code' and FPMS menu
Now that Profiler is running, we can try profiling some clients. To profile a client, we simply need to get it to try to associate with the SSID that is broadcast by Profiler's "fake AP".
If the client being profiled can join a network using a QR code, then it can use the QR code automatically created by the WLAN Pi and displayed by FPMS:
Via FPMS navigate: Apps > Profiler > Status:
Scan the QR code with your iPhone/Android smart-device
'Action' the discovered Wi-Fi network by tapping on the pop-up. This 'should' initiate an attempt to associate with your WLAN Pi 'fake AP'
The association will fail! This is expected behaviour
If nothing happens after 10 seconds, repeat the process by scanning the QR code again. Profiler attempts to forge and transmit a beacon frame every 102.4 ms and responds to probe requests as quickly as it can.
When an association attempt is successfully captured FPMS will indicate this with pop-up message:
Device Profiled xx:xx:xx:xx:xx:xx
If you initiated Profiler from the CLI, you should see output similar to this screenshot.
Note that it's possible to see the full Profiler device report on the CLI, as shown above.
It may take your device a few scans before it detects the Profiler SSID. Because of the way Profiler forges and transmits beacon frames, they are not consistently sent every 102.4 ms, but Profiler tries!
The indication of a successful profiling event is the same as detailed in the previous section.
Once a profiling event has occurred, you'll want to look at the client's capability profile. The client reports are stored on the WLAN Pi and can be accessed via its web UI. To access a profile, follow these steps:
Open a new tab, in your chosen browser
Navigate to the WLAN Pi web UI at http://wlanpi-xxx.local or http://<IP>.
Click on the Profiler tab. From here you can:
View test results within the browser window - this displays all of the capabilities that Profiler has detected for the client.
Download the association request pcap. This allows you to open the actual association frame that was used to create the client profile. This is useful if you'd like to inspect the individual information elements yourself using a tool such as Wireshark to verify the information provided by profiler.
The latest device you profiled is added to the top of the list, not to the bottom.
Profile your primary device again, what happens?
Enable Low Power mode on your primary device (if you know how).
On iPhone
Settings > Battery > Low Power Mode
Profile your primary device again, what happens? What is different now?
Try disabling MAC randomization on the client and re-profile the device. Do you see any difference in the device's profile?
Although profiler cannot broadcast its fake AP on the 6 GHz band as yet, it is able to detect if clients are 6 GHz capable from the profile information it detects via 5 GHz profiling.
If you have access to a 6 GHz client, profile it and check its generated profile. You should see a capability of "6 GHz Operating Class":
At this time, detailed 6 GHz client capabilities cannot be reported by profiler.
Navigate your way to the Profiler section of the WLAN Pi WebUI, download the report CSV.
This includes a summary of the data you just collected in CSV format. You should see a separate report for each frequency band.
When you have completed this lab, remember to stop Profiler before moving on. Stop Profiler with one of these options:
If you started Profiler via FPMS, select menu option: Apps > Profiler > Stop
If you started Profiler via CLI: return to the terminal window where Profiler was launched and hit Ctrl-C to kill the process
When using Profiler from FPMS you may notice a few other options that we haven't looked at in this lab. Here is a short summary of what each option does:
Status: reports whether Profiler is running and the channel & SSID used
Stop: stops Profiler if it's running
Start: starts the profiler process to enable profiling to commence
Start 2.4 GHz: runs profiler on the 2.4 GHz band rather than the default 5 GHz band. This allows the 2.4 GHz capabilities of a client to be determined (which may be different to the 5 GHz band)
Start (no 11r): in the early days of Profiler, it was found that some clients would not try to associate if they detected information elements that indicated 802.11r support by the fake AP. This meant that no profile could be generated for the client. Try this option if you are having difficulties getting a client to profile
Start (no 11ax): similar to the "no 11r" option above, some clients may not try to associate if they detect 11ax information elements, so that a client profile cannot be achieved. Try this option if you are having difficulties getting a client to profile
Purge Reports: summary report files are stored on the WLAN Pi and build up over time. If you wish to remove old report files, select this option.
Purge Files: client profile files are stored on the WLAN Pi and build up over time. If you wish to remove old profile files, select this option.
A few friends who are willing to let you analyse their clients