🪟 Windows Capture Lab

Now that we've set up our Windows device to allow us to capture Wi-Fi frames via the WLAN Pi M4, let's capture some frames and see what's going on in our test lab.

We'll work through some simple examples of capturing frames on the 2.4 GHz, 5 GHz and 6 GHz bands. You may work through as many or as few of the examples as you like.

The lab will look at the following areas:

  • Customizing the Wireshark UI to provide better decoding for Wi-Fi frames

  • How to start and stop a capture, and how to start a subsequent capture.

  • Capturing on 2.4 GHz:

    • Beacon frames

  • Capturing on 5 GHz:

    • Reduced Neighbour Reports

  • Capturing on 6 GHz:

    • Fast Initial Link Setup (FILS) frames

What You'll Need For This Lab

Items needed for this lab:

  • Windows laptop with Wireshark, Python and wlan-extcap installed as per the previous setup instructions. The laptop should be associated to one of the lab APs so that it can contact the WLAN Pi.

  • A WLAN Pi M4. This should be connected to a lab switch to provide both power and network connectivity.

The default colouration of Wireshark frame decodes is a fairly bland black and white presentation, which makes picking out the different frame types and getting a sense of the traffic flows quite tricky.

Metageek provide an excellent customisation file that colourizes Wi-Fi frames according to their frame types and makes interpreting hundreds of frames in a capture file far more manageable. Once installed, it allows you to switch to a new "Metageek" profile within Wireshark to see the new options that the file provides.

The following Metageek page provides access to the customisation file, together with installation instructions. It is strongly recommended that you install this profile if time allows:

Starting & Stopping Captures

Starting a Capture

The procedure for starting a capture was covered back in the setup section of this packet capture guide. Let's summarize it below:

  • Open Wireshark and select 'Wi-Fi remote capture' in the list of available interfaces. This launches the Wi-Fi remote capture UI:

  • Complete the fields in the 'Capture', 'Server' and 'Authentication' sections of the remote capture UI:

    • Capture:

      • Remote Wi-Fi Interface name: always 'wlan0' on the WLAN Pi M4

      • Remote Wi-Fi Channel: the channel on which frames are to be captured by the WLAN Pi M4

      • Remote Wi-Fi channel width: channel width used by the AP transmitting the frames to be captured (20, 40, or 80 MHz)

    • Server:

      • Remote SSH server address: IP address of the WLAN Pi M4

      • Remote SSH server port: port used for SSH communication to the WLAN Pi (this will generally be port 22)

    • Authentication:

      • Remote SSH server username: username of the account used to access the WLAN Pi M4 (usually 'wlanpi')

      • Remote SSH server password: password of the account used to access the WLAN Pi M4

      • Path to SSH private key: (not used in this lab) filename of the private key, if one is used, on the WLAN Pi M4. This is used in place of the username/password field values above.

  • Hit the 'Start' button to start the capture. After a few seconds, the captured frames will be displayed in the Wireshark UI. The capture process will continue until manually stopped.

If you've already run a capture and decide to launch a subsequent capture, you may see the following error. The end of the message dialog shows the message: 'Can't find a valid authentication'

This may seem a strange message, as you have already entered the required credentials for the WLAN Pi to perform a previous capture.

Unfortunately Wireshark is forgetful and can't remember your password between captures. Each time you start a new capture you'll need to re-enter your password.

We can work around this limitation by configuring password-less SSH access. We do not cover this process in this lab, but please check out this blog post for details if you are keen to set this up.

Stopping a Capture

To stop a capture, hit the red square button on the top bar of Wireshark:

Starting a Subsequent Capture

To start a new capture you need to manually close the current capture:

File > Close

Now you can access the landing page, re-enter the password and start a new capture.

Lab Exercises

2.4 GHz Capture

Let's start with a simple capture on the 2.4 GHz band. Use the channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use the remote capture utility to start a capture on the 2.4 GHz band as shown below (adjust for the channel being used by the lab AP).

Leave the capture going for a few seconds to gather a selection of frames. Stop the capture and review the captured frames. Can you spot any beacon frames?

To filter the Wireshark display to show just beacon frames, enter the following display filter:

Check out the frame detail of several of the beacon frames. Can you find:

  • The beacon's SSID name?

  • The AP's country code?

  • The channel utilization in the QBSS load element?

5 GHz Capture

Repeat the capture process of the previous example, but this time capture frames from a 5 GHz channel. Use the channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Use the remote capture utility again as follows (corrected for your local AP channel):

While the capture is running, use your phone to try to associate to the lab SSID (don't worry about having the correct PSK to join the network). This will initiate probe requests from your client device and probe responses from the AP.

Stop the capture and apply the display filter shown below:

If all went well, you'll have a few probe responses and will be able to inspect the tagged parameters in the probe response.

Scroll through the tags and identify the "Reduced Neighbor Report" tag. Open it up and take a look at the fields available. This is the tag that identifies the 6 GHz channels that the AP is also operating on. Can you see which 6 GHz channel the lab AP is operating on?
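To show what these display filters and tagged parameters amount to at the byte level, here is an added Python example (not part of this lab or the WLAN Pi project) that classifies frames by wlan.fc.type_subtype and pulls the SSID, country code and QBSS channel utilization out of a beacon (the 2.4 GHz exercise above) and the operating class and channel out of a probe response's Reduced Neighbor Report (this exercise). The frame bytes, the "lab-ssid" name, the GB country code and the channel values are constructed sample data, not frames captured from the lab AP.

```python
import struct
# Wireshark wlan.fc.type_subtype values for the frame types this lab looks at
BEACON, PROBE_RESP, ACTION = 0x08, 0x05, 0x0D

def type_subtype(frame: bytes) -> int:
    # Frame control byte 0: bits 2-3 are the type, bits 4-7 the subtype
    return (((frame[0] >> 2) & 0x3) << 4) | (frame[0] >> 4)

def filter_frames(frames, ts: int) -> list:
    return [f for f in frames if type_subtype(f) == ts]  # same as 'wlan.fc.type_subtype == ts'

def parse_ies(body: bytes) -> dict:
    """Walk the tagged parameters (ID, length, value) that follow the fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def summarize(frame: bytes) -> dict:
    """Pull out the fields the lab asks for: SSID, country, QBSS load and the RNR channel."""
    ts = type_subtype(frame)
    if ts not in (BEACON, PROBE_RESP):
        return {"type_subtype": ts}
    # 24-byte MAC header, then 12 bytes of fixed fields (timestamp, interval, capabilities)
    ies = parse_ies(frame[36:])
    out = {"type_subtype": ts, "ssid": ies.get(0, b"").decode(errors="replace")}
    if 7 in ies:    # Country element: two-letter code followed by the environment byte
        out["country"] = ies[7][:2].decode()
    if 11 in ies:   # QBSS Load: station count, channel utilization (x/255), admission capacity
        stations, util, _ = struct.unpack("<HBH", ies[11][:5])
        out["qbss_stations"], out["channel_utilization_pct"] = stations, round(util * 100 / 255, 1)
    if 201 in ies:  # Reduced Neighbor Report: TBTT info header (2), operating class (1), channel (1)
        out["rnr_op_class"], out["rnr_channel"] = ies[201][2], ies[201][3]
    return out

def mgmt_frame(subtype: int, ies) -> bytes:
    """Build a constructed beacon/probe response: MAC header, fixed fields, then the given IEs."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + b"\x02" * 12 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU beacon interval, ESS+privacy
    return hdr + fixed + b"".join(bytes([eid, len(v)]) + v for eid, v in ies)

# Constructed sample capture: a 2.4 GHz beacon, a 5 GHz probe response whose RNR points at
# 6 GHz channel 37 (operating class 131), and two bare Action frames (header only).
SAMPLE_CAPTURE = [
    mgmt_frame(8, [(0, b"lab-ssid"), (3, b"\x06"), (7, b"GB \x01\x0d\x14"),
                   (11, struct.pack("<HBH", 3, 51, 0))]),
    mgmt_frame(5, [(0, b"lab-ssid"), (201, bytes([0x00, 0x0d, 131, 37]) + b"\x00" * 13)]),
    *([bytes([0xD0, 0]) + b"\x00" * 22] * 2),
]
```

Calling `summarize()` on each frame returned by `filter_frames(SAMPLE_CAPTURE, BEACON)` or `filter_frames(SAMPLE_CAPTURE, PROBE_RESP)` gives the same values you would read from the frame detail pane in Wireshark.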

6 GHz Capture

Finally, let's capture frames on the 6 GHz band. We'll initiate the capture as in the previous two examples. Use the channel number(s) discovered in the previous Wi-Fi scanning lab for your capture.

Fire up a capture as follows (correct for your local AP channel):

Leave the capture running for a few seconds and then stop it to review the frames collected. Notice that there are a large number of "Action" frames. There is an action frame at least every 20 ms.

Let's take a closer look at these to find out what's going on here. Apply the following display filter:

The frames we're seeing are Fast Initial Link Setup (FILS) discovery announcement frames. They're a kind of condensed beacon for the Wi-Fi 6E world. You can read more about them here: https://www.extremenetworks.com/extreme-networks-blog/the-road-to-ap-discovery-in-6-ghz/

Finally, if you have time, apply a new display filter to your captured frames to display the beacons captured:

Snap open the "HE Capabilities" tagged parameter. Snap open the HE PHY Capabilities Information section and check out the capabilities data. Does your AP support 160 MHz channels on 6 GHz?

You're all done! Well done on completing this frame capture lab.
