o11s / open80211s


Layer 2 Wireless Protocol Analyzer For capturing 802.11s frames #59

Closed sritam2 closed 7 years ago

sritam2 commented 7 years ago

Dear All,

I am trying to set up a MESH network using open80211s implementation. First I will form the open MESH with no encryption and then later on with encryption and SAE authentication.

I want to use a L2 protocol analyser for capturing the 802.11s frames when the MESH Stations start communicating once the MBSS gets formed. In the Wiki pages Wireshark has been suggested as the tool to capture 802.11s frames.

But the procedure to configure Wireshark so as to capture 802.11s frames is not explained and I am not able to capture and analyse the 802.11s frames.

Please help me and refer me to a good L2 protocol analyser so that I will be able to capture and analyse the 802.11s frames when the MESH Stations communicate in the MBSS.

Thanks and Regards, Sritam Paltasingh.

bcopeland commented 7 years ago

On Sun, Apr 30, 2017 at 01:46:13PM -0700, sritam2 wrote:

> But the procedure to configure Wireshark so as to capture 802.11s frames is not explained and I am not able to capture and analyse the 802.11s frames.
>
> Please help me and refer me to a good L2 protocol analyser so that I will be able to capture and analyse the 802.11s frames when the MESH Stations communicate in the MBSS.

Wireshark works. You just need to bring up a monitor interface and capture on that to see the management frames.

-- Bob Copeland %% http://bobcopeland.com/

sritam2 commented 7 years ago

Hi Bob,

Thank you for your valuable advice.

Do I need to explicitly configure wireshark for capturing 802.11s management frames or does wireshark capture any kind of 802.11 (a/b/g/n/s) frames irrespective of its type, once the monitor interface has been created?

For adding a monitor interface on top of my wireless NIC phy0 I use the following iw command:

    iw phy phy0 interface add monitor1 type monitor

Is the above command correct to create a monitor interface on top of the wireless NIC that I have?

Do I need to tell Wireshark to use this created monitor interface through some configuration or will wireshark automatically detect it?

I am downloading wireshark from the following URL suggested in the HOWTO section of Wiki page of open80211s: https://www.wireshark.org/develop.html. I built it from source code and install it.

Please provide your valuable comments.

Thanks and Regards, Sritam Paltasingh.

bcopeland commented 7 years ago

Wireshark will work fine, just point it at monitor1; you created it correctly.

sritam2 commented 7 years ago

Hi Bob, Just completed my work now based on what you have suggested. I configured the wlan0 interface of my laptop in monitor mode. But using a tool named "airmon-ng" instead of iw to configure and enable my wireless NIC to monitor mode. It was successful. The monitor interface name was wlan0mon.

Then from the laptop which I had configured as a MESH station using the guidelines given at the wiki/HOWTO page of open80211s, I joined the MESH station to the MBSS named "mymesh" and thus the station started to send beacons. I wanted to capture and see the beacons.

Thus, then I used the command "airodump-ng --band bg wlan0mon" to capture the beacons. I was successful. I confirmed it by comparing the MAC address of the beacon frames with the MAC address of the wireless NIC in the MESH station. Even the set channel number (11) is same. Below is the snapshot of it.

(Screenshot: airodump-ng_capture)

But still the ESSID field is showing some random name. I had set the MESH_ID name as "mymesh". But ESSID is set to some random value. I do not know the reason for it. Please comment on why such a random name is coming for ESSID field.

All this was done as wireshark was unable to capture the beacons. I opened the interface option of wireshark and pointed it to "wlan0mon" interface which is in monitor mode. Then I started to capture. But unfortunately I could not see the beacons sent by the MESH station.

Please help if I have done anything wrong.

Thanks and Regards, Sritam Paltasingh.

warlock20 commented 7 years ago

"All this was done as wireshark was unable to capture the beacons".... are you sure?

sritam2 commented 7 years ago

Hi,

I will redo everything once again and recheck and come back.

sritam2 commented 7 years ago

Hello Guys,

I did the experiments once again. Wireshark is working. But it worked only when I ran wireshark in Ubuntu 14.04 after downloading its source code from the link mentioned in the HOWTO section: https://github.com/o11s/open80211s/wiki/HOWTO.

So, conclusion is that Wireshark captures the 802.11s frames.
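
Added example, not part of the thread or the open80211s project: a beacon captured on the monitor interface can be checked programmatically for the same fields the posts above compare by eye (source MAC, channel, Mesh ID). The sample packet is constructed (the MAC 02:00:00:00:00:01 is made up; channel 11 and Mesh ID "mymesh" follow the thread), and the parser assumes radiotap-framed packets with no trailing FCS.

```python
import struct

# Element IDs from IEEE 802.11: SSID, DS Parameter Set, Mesh ID.
IE_SSID, IE_DS_PARAMS, IE_MESH_ID = 0, 3, 114


def parse_beacon(packet: bytes):
    """Parse one radiotap-framed packet; return beacon fields or None."""
    if len(packet) < 4:
        return None
    # Radiotap header: version(1) pad(1) total length(2, little-endian) ...
    rt_len = struct.unpack_from("<H", packet, 2)[0]
    frame = packet[rt_len:]
    if len(frame) < 36:  # 24-byte management header + 12 fixed bytes
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 8:  # keep management/beacon frames only
        return None
    info = {"source": frame[10:16].hex(":"), "ssid": None,
            "channel": None, "mesh_id": None}
    pos = 36  # skip timestamp(8), beacon interval(2), capabilities(2)
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:  # truncated element: stop, keep what was parsed
            break
        if eid == IE_SSID:
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == IE_DS_PARAMS and elen == 1:
            info["channel"] = body[0]
        elif eid == IE_MESH_ID:
            info["mesh_id"] = body.decode("utf-8", "replace")
        pos += 2 + elen
    return info


def build_sample() -> bytes:
    """Constructed mesh beacon: empty SSID element, Mesh ID in element 114."""
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])  # minimal 8-byte header
    mac = bytes.fromhex("020000000001")         # made-up station address
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = bytes(8) + struct.pack("<HH", 1000, 0)
    ies = (bytes([IE_SSID, 0]) + bytes([IE_DS_PARAMS, 1, 11])
           + bytes([IE_MESH_ID, 6]) + b"mymesh")
    return radiotap + header + fixed + ies


if __name__ == "__main__":
    print(parse_beacon(build_sample()))
```
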