🔍Profiler

Gather Wi-Fi device capabilities directly, by asking the device

Overview

In this lab, we'll look at one of the WLAN Pi's most popular home-grown tools: Profiler.

Profiler allows analysis of wireless clients to understand their 802.11 capabilities. This information is invaluable when designing a Wi-Fi network, and you need to understand the capabilities of the clients that will be using the network.

In summary, Profiler turns the WLAN Pi into a fake AP and listens for association requests from clients whose capabilities we wish to analyse. Profiler analyses each client's authentication frames to produce a report detailing its 802.11 capabilities.

By default, Profiler will attempt to profile clients on the 5 GHz band. Profiling clients is also supported on the 2.4 GHz band by starting Profiler in a 2.4 GHz mode.

The diagram below provides a high level summary of Profiler's operation. We'll explore this in more detail during this lab.

Profiler high-level overview of operation

What You'll Need For This Lab

To complete this lab you'll need the following items:

• Windows or macOS laptop to browse to the WLAN Pi M4

• WLAN Pi M4

• A few friends who are willing to let you analyse their clients 😄

Connectivity

To start the profiler process and view client reports on the WLAN Pi, there must be IP connectivity between your laptop/Mac and the WLAN Pi.

In this lab, we'll connect using the lab's wireless and wired network connections. Your laptop/Mac will be connected to the lab wireless network, and your WLAN Pi M4 will be connected to one of the lab PoE switch ports.

Once both devices have a network connection, you can use the IP address shown on the front panel of your WLAN Pi as the target browsing address. We'll be browsing to the Cockpit utility on the WLAN Pi to provide the command line (terminal) access required for this lab. We'll also browse to the Web UI of the WLAN Pi itself to browse the Profiler reports that are stored on the WLAN Pi.

Lab Instructions

One of the many challenges we face working with Wi-Fi is determining the 'actual' capabilities of a Wi-Fi device. Mike Albano (@mike_albano) maintains a database of device capabilities over at clients.mikealbano.com

Where does this information come from?

The clients themselves!

When a Wi-Fi station attempts to associate to an AP, the station will share capability information so that the AP can communicate with the station efficiently. This capability information is not always published or easy to locate, WLAN Pi Profiler makes the gathering of this detail a breeze!

WLAN Pi Profiler works like this:

1. Makes use of Scapy (python library) to create a "fake" access point by transmitting specifically forged beacon frames

2. Listens for an association frame, decodes the frame and parses out the relevant Wi-Fi capability information about the device

Device information that Profiler can reveal includes:

• 802.11k/r/v/w support

• 802.11n/ac/ax support

• Max No. of Spatial Streams

• Beamforming support

• Supported MCS Rates

• Max Tx Power

• Supported 5 GHz channels

Step 1 - Start Profiler

Start Profiler via FPMS

1. Navigate: Apps > Profiler > Start

2. Screen displays: Starting...

3. Wait 3-6 seconds

4. Screen displays: Success, Profiler started. A QR code that can be used as a shortcut to get clients to try to join profiler's SSID is also displayed.

FPMS Profiler Start Option

Profiler started screen (QR code can be used for client associations)

Start Profiler via WLAN Pi CLI

1. Navigate to your Cockpit Terminal

2. Display 'all' the available Profiler commands:

   sudo profiler -h

3. Activate Profiler on a channel of your choosing:

   sudo profiler -c 48

4. Terminal will display a message along these lines:

Profiler started successfully

When Profiler is active pressing the centre joystick button will toggle between 'Join Wi-Fi QR code' and FPMS menu

Step 2 - 'Profile' a Wi-Fi device

Now that Profiler is running, we can try profiling some clients. To profile a client, we simply need to get it to try to associate with the SSID that is broadcast by Profiler's "fake AP".

Smart device capable of reading a QR code

If the client being profiled can join a network using a QR code, then it can use the QR code automatically created by the WLAN Pi and displayed by FPMS:

1. Via FPMS navigate: Apps > Profiler > Status:
2. Scan the QR code with your iPhone/Android smart-device

3. 'Action' the discovered Wi-Fi network by tapping on the pop-up. This 'should' initiate an attempt to associate with your WLAN Pi 'fake AP'

The association will fail! This is expected behaviour

If nothing happens after 10 seconds consider repeating the process, scan the QR code again, Profiler does not forge and transmit beacon frames every 102.4 ms

Device incapable of QR code association

If the client to be profiled cannot scan the QR code provided in FPMS, we have to manually initiate a connection using the Wi-Fi network list on the client device.

1. Find the SSID name being broadcast by Profiler: in FPMS Navigate to: Apps > Profiler > Status

2. Using the device you'd like to profile, attempt to associate to the SSID displayed on the WLAN Pi screen (example below):

SSID	Passphrase
wlanpi-xxx	does_not_matter

What you enter as a passphrase is not relevant! You can enter any string of at least 8 characters you wish, when prompted for the PSK. You may get a message warning you that the passphrase is incorrect; this is expected behaviour. The goal is getting the client device to transmit an association request frame which contains the information we seek.

When an association attempt is successfully captured FPMS will indicate this with pop-up message:

Device Profiled xx:xx:xx:xx:xx:xx

If you initiated Profiler from the CLI you should similar output to this in the terminal window:

Device profiled successfully - capabilities are reported

Note that it's possible to see the full Profiler device report on the CLI, as shown above.

It may take your device a few scans before it detects the Profiler SSID. The way Profiler forges and transmits beacon frames they are not consistently transmitted every 102.4 ms.

The indication of a successful profiling event are the same as detailed in the previous section.

Step 3 - Analyse the results

Once a Profiling event has occurred, you'll want to look a the client's capability profile. The client reports are stored on the WLAN Pi and can be accessed via its web UI. To access a profile, follow these steps:

1. Open a new tab, in your chosen browser

2. Navigate to the WLAN Pi web UI at http://wlanpi-xxx.local

3. Click on the Profiler tab. From here you can:

   1. View test results within the browser window - this displays all of the capabilities that have been detected for client by Profiler.

   2. Download the association request pcap. This allows you to open the actual association frame that was used to create the client profile. This is useful if you'd like to inspect the individual information elements yourself using a tool such as Wireshark to verify the information provided by Profiler.

Profiler Summary Page

The latest device you profiled is added to the top of the list, not to the bottom.

Client Profile Example

Step 4 - Profile the same device again

Primary device again

Profile your primary device again, what happens?

Expected behaviour

Nothing happens

Step 5 - Low Power Mode

Enable Low Power mode on your primary device (if you know how).

On iPhone Settings > Battery > Low Power Mode

Primary device again

Profile your primary device again, what happens? What is different now?

Expected behaviour

iPhone users: 2 Spatial Streams (SS) vs 1 SS in Low Power Mode

You may not have noticed this before... but... when you switch an iPhone from standard power mode to Low Power Mode, it automatically shuts off one of its radio chains, and only uses 1 spatial stream.

Profiler is the perfect tool to identify this behaviour in real world. If you have an iPhone (if not you can try to see if your smartphone behaves similarly to iPhone).

Profiler spotted the difference and automatically added a (diff) flag:​

​Standard power mode:​​

Low power mode:​​

Step 6 - Mac Randomisation

Try disabling Mac randomisation on the client and re-profile the device. Do you see any different in the device's profile?

Step 7 - 6 GHz Client Detection

Although Profiler cannot broadcast its fake AP on the 6 GHz band as yet, it is able to detect if clients are 6 GHz capable from the profile information it detects via 5 GHz profiling.

If you have access to a 6 GHz client, profile it and check its generated profile. You should see a capability of "6 GHz Operating Class":

6 GHz Capability Detection

At this time, detailed 6 GHz client capabilities cannot be reported by Profiler.

Step 8 - Download Profiler Report

Navigate your way to the Profiler section of the WLAN Pi web GUI, download the report CSV.

This includes a summary of the data you just collected in CSV format. You should see a separate report for each frequency band.

Step 9 - Stop Profiler

When you have completed this lab, remember to stop Profiler before moving on. Stop Profiler with one of these options:

• If you started Profile via FPMS, select menu option: Apps > Profiler > Stop

• If you started Profiler via CLI: return to the terminal window where Profiler was launched and hit Ctrl-C to kill the process

Additional Information

When using Profiler from FPMS you may notice a few other options that we haven't looked at in this lab. Here is a short summary of what each option does:

• Status: reports whether Profiler is running and the channel & SSID used

• Stop: stops Profiler if it's running

• Start: starts the profiler process to enable profiling to commence

• Start 2.4 GHz: runs profiler on the 2.4 GHz band rather than the default 5 GHz band. This allows the 2.4 GHz capabilities of a client to be determined (which may be different to the 5 GHz band)

• Start (no 11r): in the early days of Profiler, it was found that some clients would not try to associate if they detected information elements that indicated 802.11r support by the fake AP. This meant that no profile could be generated for the client. Try this option if you are having difficulties getting a client to profile

• Start (no 11ax): similar to the "no 11r" option above, some clients may not try to associate if they detect 11ax information elements, so that a client profile cannot be achieved. Try this option if you are having difficulties getting a client to profile

• Purge Reports: summary report files are stored on the WLAN Pi and build up on over time. If you wish to remove old report files, select this option.

• Purge Files: client profile files are stored on the WLAN Pi and build up on over time. If you wish to remove old profile files, select this option.