๐ŸAirtool Lab

Let's see if we can sniff some Wi-Fi traffic on 2.4, 5 GHz, and 6 GHz!

Now that we've set up our Mac to allow us to capture and decode Wi-Fi frames via the WLAN Pi M4, let's capture some frames and see what's going on in our test lab.

We'll work through some simple examples of capturing frames on the 2.4 GHz, 5 GHz, and 6 GHz bands. You may do as many or as few of the examples as you like.

The lab will look at the following areas:

  • Customizing the Wireshark UI to provide better decoding for Wi-Fi frames

  • How to start and stop a capture, how to start a new capture

  • Capturing on 2.4 GHz:

    • Beacon frames

  • Capturing on 5 GHz:

    • Reduced Neighbor Reports

  • Capturing on 6 GHz:

    • Fast Initial Link Setup (FILS) frames

What You'll Need For This Lab

  • A Mac with Airtool 2 installed as per the previous setup instructions. The Mac should be associated to one of the lab APs for connectivity to the WLAN Pi M4.

  • A WLAN Pi M4. This should be connected to a lab switch to provide both power and network connectivity.

The default coloration of Wireshark frame decodes is a fairly bland black-and-white presentation, which makes picking out the different frame types and getting a sense of the traffic flows quite tricky.

MetaGeek provides an excellent customization file that colorizes the different Wi-Fi frame types and makes interpreting hundreds of frames in a capture file far more manageable. Once installed, switch to the new "MetaGeek" profile within Wireshark to use the coloring rules it provides.

The following MetaGeek page provides access to the customization file and installation instructions. It is strongly recommended that you install this profile if time allows:

Starting a Capture

To start a capture using the WLAN Pi, select your WLAN Pi from the Airtool 2 menu (your WLAN Pi may be under the "Remote Capture" menu if you did not select it as a favorite during setup):

A pop-up for the sensor appears, allowing the selection of the WLAN Pi's capture interface, band, channel, and channel width:

The first time you use the sensor, you will also be prompted to enter the login credentials for the WLAN Pi:

Wireshark will now open and display the frames being captured by the WLAN Pi.

Stopping a Capture

To stop the capture, hit the red square button on the top bar of Wireshark:

Starting a Subsequent Capture

To start a new capture, you must first quit Wireshark completely; until you do, the remote sensor will appear 'greyed out' in the Airtool 2 menu. Once Wireshark has quit, select the sensor again to start the new capture.

Lab Exercises

2.4 GHz Capture

Let's start with a simple capture on the 2.4 GHz band. Use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use Airtool to start a capture as shown below (adjust for the channel being used by the lab AP):

Leave the capture going for a few seconds to gather a selection of frames. Stop the capture and review the captured frames. Can you spot any beacon frames?

To filter the Wireshark display to show just beacon frames, enter the following display filter:

wlan.fc.type_subtype == 0x8

Take a look at the frame detail of several of the beacon frames. Can you find:

  • The beacon's SSID name?

  • The AP's country code?

  • The channel utilization in the QBSS load element?
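As an added example (not part of the original lab, and not Airtool or WLAN Pi code), the following Python script pulls the same three answers out of a beacon frame programmatically. The beacon bytes are constructed for the example (the SSID "LabSSID", the BSSID and the country triplet are made up), and the frame is assumed to start at the 802.11 MAC header, i.e. with the radiotap header that the capture carries already stripped. It also packs the frame type and subtype exactly as Wireshark's wlan.fc.type_subtype field does, which is why the beacon filter above is 0x8 and the probe-response filter later in this lab is 0x5.

```python
import struct

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype: 0x08 = beacon, 0x05 = probe response.
BEACON = 0x08
PROBE_RESPONSE = 0x05
MGMT_HEADER_LEN = 24      # FC(2) + Duration(2) + Addr1/2/3(18) + SeqCtl(2); radiotap assumed stripped
BEACON_FIXED_LEN = 12     # Timestamp(8) + Beacon Interval(2) + Capability Info(2)


def _ie(eid, body):
    """Encode one information element as Element ID, Length, body."""
    return bytes([eid, len(body)]) + body


# Constructed sample beacon (made up for this example, not taken from the lab capture).
SAMPLE_BEACON = (
    bytes.fromhex("8000")                          # Frame Control: mgmt type 0, subtype 8 (beacon)
    + bytes.fromhex("0000")                        # Duration
    + bytes.fromhex("ffffffffffff")                # Addr1: broadcast
    + bytes.fromhex("0200aabbccdd")                # Addr2: source address (locally administered, made up)
    + bytes.fromhex("0200aabbccdd")                # Addr3: BSSID
    + bytes.fromhex("1000")                        # Sequence control
    + struct.pack("<QHH", 0x1A2B3C4D5, 100, 0x0411)  # timestamp, beacon interval 100 TU, capabilities
    + _ie(0, b"LabSSID")                           # SSID
    + _ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))      # Supported Rates: 1, 2, 5.5, 11 Mb/s (basic)
    + _ie(3, bytes([6]))                           # DS Parameter Set: channel 6
    + _ie(7, b"US " + bytes([1, 11, 30]))          # Country: US, any environment, ch 1-11 at 30 dBm
    + _ie(11, struct.pack("<HBH", 3, 89, 0))       # QBSS Load: 3 STAs, utilization 89/255, admission cap 0
)


def type_subtype(frame):
    """Return the frame type/subtype encoded the way Wireshark's wlan.fc.type_subtype shows it."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return (ftype << 4) | subtype


def parse_ies(body):
    """Walk the tagged parameters; each is Element ID (1), Length (1), data (Length)."""
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        data = body[off + 2:off + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        ies.append((eid, data))
        off += 2 + length
    return ies


def parse_beacon(frame):
    """Decode a beacon (or a probe response, which shares the body layout) into the fields the lab asks for."""
    ts = type_subtype(frame)
    if ts not in (BEACON, PROBE_RESPONSE):
        raise ValueError(f"not a beacon/probe response: type_subtype=0x{ts:02x}")
    timestamp, interval, cap = struct.unpack_from("<QHH", frame, MGMT_HEADER_LEN)
    info = {
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),   # Addr3
        "timestamp": timestamp,
        "beacon_interval_tu": interval,
        "privacy": bool(cap & 0x0010),                         # Capability bit 4
    }
    for eid, data in parse_ies(frame[MGMT_HEADER_LEN + BEACON_FIXED_LEN:]):
        if eid == 0:
            # SSID bytes arrive from the air, so decode defensively; zero length means a hidden SSID.
            info["ssid"] = data.decode("utf-8", errors="replace")
            info["hidden_ssid"] = len(data) == 0
        elif eid == 3:
            info["channel"] = data[0]
        elif eid == 7 and len(data) >= 3:
            info["country"] = data[:2].decode("ascii", errors="replace")
            info["environment"] = chr(data[2])                 # ' ' any, 'I' indoor, 'O' outdoor
        elif eid == 11 and len(data) >= 5:
            sta_count, util, adm_cap = struct.unpack_from("<HBH", data, 0)
            info["sta_count"] = sta_count
            info["channel_utilization_pct"] = round(util * 100 / 255, 1)   # Wireshark shows the raw 0-255 value
            info["admission_capacity_us"] = adm_cap * 32                     # units of 32 microseconds
    return info


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```

The QBSS Load utilization is a 0-255 fraction of the beacon interval the medium was sensed busy, so 89 decodes to about 35%; Wireshark shows the raw byte, which is worth remembering when you compare APs.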

5 GHz Capture

Repeat the capture process of the previous example, but this time capture frames from a 5 GHz channel. Again, use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use Airtool 2 again as follows (corrected for your local AP channel):

While the capture is running, use your phone to try to associate to the lab SSID (don't worry about having the correct PSK to join the network). This will initiate probe requests from your client device and probe responses from the AP.

Stop the capture and apply the display filter shown below:

wlan.fc.type_subtype == 0x5

If all went well, you'll have a few probe responses and will be able to inspect the tagged parameters in the probe response.

Scroll through the tags and identify the "Reduced Neighbor Report" tag. Expand it and take a look at the available fields. This is the tag an AP uses to advertise the co-located BSSs it runs on other bands, so a client scanning 2.4 GHz or 5 GHz can learn the 6 GHz channel without scanning it (out-of-band discovery). Can you see which 6 GHz channel the lab AP is operating on?
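To show what is inside that tag, here is an added example (written for this page, not Airtool, WLAN Pi or vendor code) that decodes the body of a Reduced Neighbor Report element into one record per advertised BSS, converts the 6 GHz operating class and channel number into a center frequency, and checks the Short SSID against the SSID you expect. The element bytes are constructed for the example (BSSID and SSID are made up); the TBTT Information field layouts are taken from the length values defined in IEEE 802.11ax Table 9-281 as the author recalls them, and any other length is left undecoded rather than guessed.

```python
import struct
import zlib

RNR_ELEMENT_ID = 201

# TBTT Information field layouts keyed by the advertised TBTT Information Length (IEEE 802.11ax Table 9-281).
# Assumption: lengths not listed here are returned as raw hex instead of being guessed.
TBTT_LAYOUTS = {
    1: ("offset",),
    5: ("offset", "short_ssid"),
    7: ("offset", "bssid"),
    11: ("offset", "bssid", "short_ssid"),
    12: ("offset", "bssid", "short_ssid", "bss_params"),
    13: ("offset", "bssid", "short_ssid", "bss_params", "psd_20mhz"),
}


def short_ssid(ssid):
    """Short SSID as carried in RNR and FILS frames: CRC-32 over the SSID octets (same CRC as the 802.11 FCS)."""
    return zlib.crc32(ssid) & 0xFFFFFFFF


def center_freq_mhz(op_class, channel):
    """Primary-channel center frequency for the global 6 GHz operating classes; None for anything else."""
    if 131 <= op_class <= 135:
        return 5950 + 5 * channel
    if op_class == 136:            # the lone 20 MHz channel 2 at 5935 MHz
        return 5935
    return None


def parse_rnr(body):
    """Decode the body of a Reduced Neighbor Report element (everything after ID and Length)."""
    neighbors, off = [], 0
    while off < len(body):
        header, op_class, channel = struct.unpack_from("<HBB", body, off)
        off += 4
        count = ((header >> 4) & 0xF) + 1      # TBTT Information Count is stored minus one
        length = header >> 8                   # TBTT Information Length in octets
        layout = TBTT_LAYOUTS.get(length)
        for _ in range(count):
            info = body[off:off + length]
            if len(info) != length:
                raise ValueError("truncated TBTT Information field")
            off += length
            entry = {"op_class": op_class, "channel": channel,
                     "center_freq_mhz": center_freq_mhz(op_class, channel)}
            if layout is None:
                entry["raw"] = info.hex()
                neighbors.append(entry)
                continue
            pos = 0
            for field in layout:
                if field == "offset":
                    entry["tbtt_offset_tu"] = None if info[pos] == 255 else info[pos]   # 255 = unknown
                    pos += 1
                elif field == "bssid":
                    entry["bssid"] = ":".join(f"{b:02x}" for b in info[pos:pos + 6])
                    pos += 6
                elif field == "short_ssid":
                    entry["short_ssid"] = struct.unpack_from("<I", info, pos)[0]
                    pos += 4
                elif field == "bss_params":
                    bp = info[pos]
                    entry["same_ssid"] = bool(bp & 0x02)        # B1: same SSID as the reporting AP
                    entry["colocated_ap"] = bool(bp & 0x40)     # B6: co-located AP
                    pos += 1
                elif field == "psd_20mhz":
                    entry["psd_dbm_per_mhz"] = struct.unpack_from("<b", info, pos)[0] / 2   # 0.5 dBm/MHz units
                    pos += 1
            neighbors.append(entry)
    return neighbors


def advertises_ssid(entry, ssid):
    """True when the entry's Short SSID matches the SSID you expect; a cheap check against a stray BSSID."""
    return entry.get("short_ssid") == short_ssid(ssid)


# Constructed sample element body (made up): one 6 GHz neighbor, operating class 131 (20 MHz), channel 37.
SAMPLE_RNR = (
    bytes([0x00, 13])                              # TBTT Info Header: type 0, count 0 (one entry), length 13
    + bytes([131, 37])                             # Operating Class 131, Channel Number 37
    + bytes([255])                                 # Neighbor AP TBTT Offset: unknown
    + bytes.fromhex("0200aabbccee")                # BSSID of the 6 GHz BSS
    + struct.pack("<I", short_ssid(b"LabSSID"))    # Short SSID of "LabSSID"
    + bytes([0x42])                                # BSS Parameters: Same SSID + Co-Located AP
    + bytes([10])                                  # 20 MHz PSD: 10 * 0.5 = 5 dBm/MHz
)

if __name__ == "__main__":
    for n in parse_rnr(SAMPLE_RNR):
        print(n, "matches LabSSID:", advertises_ssid(n, b"LabSSID"))
```

The Short SSID is only a CRC-32, so a match tells you the entry claims the same network, not that it is the same AP; when you see an unexpected BSSID in an RNR, compare it with the BSSIDs you recorded in the scanning lab.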

6 GHz Capture

Finally, let's capture frames on the 6 GHz band.

We'll initiate the capture as in the previous two examples. Again, use the lab AP channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Fire up a capture as follows (corrected for your local AP channel):

Leave the capture running for a few seconds and then stop it to review the frames collected.

If we're capturing on a channel where there is an Aruba AP operating as 6 GHz only, we should see numerous "Action" frames, with an action frame at least every 20 ms or so. Let's take a closer look at these to find out what's going on here.

Apply the following display filter:

wlan.fixed.publicact == 0x22

An Aruba AP only broadcasts FILS when it is operating as 6 GHz only. If there is any VAP operating in 2.4 GHz or 5 GHz on an adjacent radio, FILS is disabled automatically. If you do not see these action frames, you'll need to ask the instructor which channel to scan on to discover the AP that is operating as 6 GHz only.

The frames we're seeing are Fast Initial Link Setup (FILS) Discovery frames: Public Action frames with action value 34 (0x22, hence the filter above). They are a condensed beacon for the Wi-Fi 6E world, sent between the regular beacons so that a client landing on a 6 GHz channel can identify the BSS quickly without waiting for a full beacon.
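As an added example (written for this page; not Airtool, WLAN Pi or vendor code), the following Python decoder walks the FILS Discovery frame body from the Category octet onward and reports what the "condensed beacon" actually carries, plus a small cadence check for the roughly 20 ms spacing described above (20 TUs in the standard, 1 TU = 1024 microseconds). The frame bytes are constructed for the example; the FD Frame Control bit positions and the field order follow IEEE 802.11ax 9.6.7.36 as the author recalls them, so treat them as assumptions to confirm against Wireshark's decode of the lab frames.

```python
import struct
import zlib

PUBLIC_ACTION_CATEGORY = 4
FILS_DISCOVERY_ACTION = 34       # 0x22, the value the wlan.fixed.publicact filter matches
TU_SECONDS = 1024e-6

# FD Frame Control presence bits (assumed per IEEE 802.11ax 9.6.7.36); B0-B4 hold SSID length minus one.
FD_CAP_PRESENT = 1 << 5
FD_SHORT_SSID = 1 << 6
FD_AP_CSN_PRESENT = 1 << 7
FD_ANO_PRESENT = 1 << 8
FD_CCFS1_PRESENT = 1 << 9
FD_PRI_CHAN_PRESENT = 1 << 10
FD_RSN_INFO_PRESENT = 1 << 11
FD_LENGTH_PRESENT = 1 << 12
FD_MD_PRESENT = 1 << 13


def short_ssid(ssid):
    """Short SSID: CRC-32 over the SSID octets."""
    return zlib.crc32(ssid) & 0xFFFFFFFF


def parse_fils_discovery(body):
    """Decode a FILS Discovery frame body (Category, Public Action, then the FILS Discovery Information)."""
    if len(body) < 14 or body[0] != PUBLIC_ACTION_CATEGORY or body[1] != FILS_DISCOVERY_ACTION:
        raise ValueError("not a FILS Discovery public action frame")
    fc, timestamp, interval = struct.unpack_from("<HQH", body, 2)
    pos = 14
    out = {"timestamp": timestamp, "beacon_interval_tu": interval}
    n = (fc & 0x1F) + 1                                  # SSID/Short SSID length, stored minus one
    if fc & FD_SHORT_SSID:
        out["short_ssid"] = struct.unpack_from("<I", body, pos)[0]
    else:
        out["ssid"] = body[pos:pos + n].decode("utf-8", errors="replace")
    pos += n
    if fc & FD_LENGTH_PRESENT:
        out["length"] = body[pos]                        # octets that follow this field, before any elements
        pos += 1
    if fc & FD_CAP_PRESENT:
        cap = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        out["ess"] = bool(cap & 0x01)
        out["privacy"] = bool(cap & 0x02)
        out["bss_width_mhz"] = {0: 20, 1: 40, 2: 80, 3: 160}.get((cap >> 2) & 0x7)
    if fc & FD_PRI_CHAN_PRESENT:
        out["op_class"], out["primary_channel"] = body[pos], body[pos + 1]
        pos += 2
    if fc & FD_AP_CSN_PRESENT:
        out["ap_csn"] = body[pos]
        pos += 1
    if fc & FD_ANO_PRESENT:
        out["ano"] = body[pos]
        pos += 1
    if fc & FD_CCFS1_PRESENT:
        out["ccfs1"] = body[pos]
        pos += 1
    if fc & FD_RSN_INFO_PRESENT:
        out["rsn_info"] = body[pos:pos + 5].hex()
        pos += 5
    if fc & FD_MD_PRESENT:
        out["mobility_domain"] = body[pos:pos + 3].hex()
        pos += 3
    out["elements"] = body[pos:]                         # trailing elements, e.g. an RNR, if any
    return out


def fd_cadence(arrival_times, max_gap_tu=20):
    """Largest gap between consecutive FILS Discovery frames (seconds) and whether all gaps are within max_gap_tu."""
    gaps = [b - a for a, b in zip(arrival_times, arrival_times[1:])]
    worst = max(gaps) if gaps else 0.0
    return worst, worst <= max_gap_tu * TU_SECONDS


# Constructed sample frame (made up): Short SSID of "LabSSID", capability, and primary channel present.
_FC = 3 | FD_SHORT_SSID | FD_LENGTH_PRESENT | FD_CAP_PRESENT | FD_PRI_CHAN_PRESENT
SAMPLE_FD = (
    bytes([PUBLIC_ACTION_CATEGORY, FILS_DISCOVERY_ACTION])
    + struct.pack("<HQH", _FC, 0x1A2B3C4D5, 100)       # FD Frame Control, Timestamp, Beacon Interval
    + struct.pack("<I", short_ssid(b"LabSSID"))        # Short SSID (4 octets, so SSID Length bits = 3)
    + bytes([4])                                       # Length: FD Capability (2) + Op Class/Channel (2)
    + struct.pack("<H", 0x01 | 0x02 | (3 << 2))        # ESS, Privacy, 160 MHz BSS width
    + bytes([131, 37])                                 # Operating Class 131, Primary Channel 37
)

if __name__ == "__main__":
    print(parse_fils_discovery(SAMPLE_FD))
    print(fd_cadence([0.0, 0.0200, 0.0401, 0.0600]))   # constructed arrival times
```

To check cadence on a real capture, export the frame.time_relative column for the filtered frames and feed it to fd_cadence; a gap well beyond 20 TUs usually means the sensor dropped frames rather than the AP skipping one.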

You can read more about them here:

Finally, if you have time, apply the beacon display filter from the 2.4 GHz exercise to your 6 GHz capture to display the beacons captured:

Expand the "HE Capabilities" tagged parameter, then the HE PHY Capabilities Information section, and take a look at the Channel Width Set bits. Does your AP support 160 MHz channels on 6 GHz?

You're all done! Well done on completing this frame capture lab.

Bonus Content: Capture on multiple channels and remote sensors

You can also use Airtool 2 to capture Wi-Fi traffic on multiple channels simultaneously by using multiple remote sensors or a single remote sensor with multiple Wi-Fi modules. Airtool 2 generates a single capture file by merging the frames captured on each sensor based on their timestamps.

To ensure the correct merging of Wi-Fi frames from each sensor, Airtool 2 requires all sensors to synchronize their time using NTP.

Airtool 2 uses the PCAP Next Generation (pcapng) Capture File Format. This format allows Airtool 2 to annotate each frame with the sensor and interface name used to capture the frame. You can use this information to filter frames by sensor and interface name in Wireshark.

Each Wi-Fi adapter on a remote sensor counts as a separate capture source, so a sensor with more than one adapter can capture on more than one channel at once. For example, with three remote sensors that each support two Wi-Fi adapters, you can capture Wi-Fi traffic on six different channels simultaneously.

Advanced Airtool 2 features, such as automatic frame slicing and live captures using Wireshark, are also available for multi-source captures.

Prepare for a multi-source capture

You must first go to Preferences > Sensors and add any remote sensors you would like to use for multi-source captures. You only need to add a remote sensor the first time you use it. Subsequently, the remote sensor will always be available for multi-source captures.

Airtool 2 discovers WLAN Pi-based remote sensors deployed in your local area network automatically.

Ensure you plug in at least one compatible Wi-Fi adapter per remote sensor and know the interface name assigned to it (e.g., wlan0) as you will need it when configuring the remote sensor for capturing.

Start a multi-source capture

  1. Choose Multi-Source Capture from the Airtool 2 menu.

  2. Click the "+" button to add an entry for each remote sensor you want to use for capturing.

  3. For each entry, configure which sensor, interface name, channel, and channel width you would like to use.

  4. Click "Start Capture."

Airtool 2 won't allow you to start the capture if it detects an invalid configuration. For example, you cannot use the same sensor and interface name combination twice.

To reduce the amount of data sent back from a remote sensor, you may wish to limit each captured frame's size by enabling the "Limit each frame to" option and entering the desired frame size in bytes.

More details can be found here.
