THE BLOG ★ Ramblings on WiFi & stuff.

Options for Wireless Packet Capture in Windows

UPDATED: 05/28/2019

HOLD THE PRESSES!!! So, as of Wireshark 3.0, you can do RF Monitor mode captures in Windows using inexpensive NICs. Specifically, the Netgear A6210. Here’s write up on how to set this up, but nothing special is required other than Wireshark 3.0, or newer, and a supported NIC (Netgear A6210).

So, of course, this comes with some caveats. The main one is that this does not support channel information. So, while you CAN set the channel you want to capture on, there will be no data in the capture confirming you are indeed on that channel.

WiFiXax has a blog post on howe to do it.

You can go ahead and read the rest of this post, but at this point, why would you? ¯\_(ツ)_/¯


In Windows, you cannot effectively analyze wireless frames, because you are unable to put the wireless NIC in "RF Monitor Mode" - that is the mode in which the wireless NIC can see ALL 802.11 frames in the air, not just ones intended for itself.

Historically, it's been an expensive proposition. There are some great tools out there like OmniPeek (which I use), the gold standard for Windows packet analysis. And for years, AirPcap Nx was the main NIC folks used for pcap'ing WLANs with Wireshark. Unfortunately, both options are pricey. And the AirPcap NX is no longer manufactured. You’d be lucky to find a used one on eBay. Linux and MacOS have been the only ways to cheaply get access to RF Monitor mode without spendy software and hardware, like Omnipeek and the AirPcap Nx.

But, not everyone uses Linux, or Mac OS. Fortunately, and fairly recently, there are more and more ways to get RF Monitor mode in Windows. Here are some relatively inexpensive options (NOT an exhaustive list) to perform an RF Monitor Mode wireless packet capture in Windows using relatively inexpensive hardware.

OR, you could just get a Mac and do it natively. 😉

Lastly, if you have access to an Ekahau Sidekick, and you have an Ekahau Connect account, you can use the Sidekick to perform offline packet captures, and you can even have each NIC capture on a difference channel! Cool!


* If anyone has additional relatively inexpensive options for this list please DM me @HeyEddie



"relatively inexpensive"

def.

I don't know. Less than a grand? Less than $500? Please don't get all pedantic on me. 😉

SharkTIPS! My Favorite Wireshark Customizations


Thanks to the gentle nagging of @WiFiNigel I finally got around to posting SOME of the things I've been wanting to post. It's been sitting in a text file for several months without me ever getting around to posting it. And thanks to @JamesGarringer‬ for inspiring me to think about maybe writing it.

Wireshark may be free, but it's a powerful and useful beast. Knowing how to use your tools, and set them up to be the most efficient and productive is important. So, here are a few of my favorite Wireshark customizations that help me do my job. This is the first of two posts.


🦈  SharkTIP #1 - Custom Profiles

The first thing you should do after installing Wireshark is to create custom profiles to have Wireshark ready to go for the task at hand. For me, that means wireless frame capture & analysis. I like to have certain columns, and colors all set so I can quickly spot things that I’m looking for. In future SharkTips I cover some of the other Wireshark customizations I use in my custom profiles.

Creating profiles is easy. First, click on “Edit” menu and then select “Configuration Profiles”. You’ll see this window popup:

Wireshark Configuration Profiles Panel

Next,  click on the “+” to add and name a new profile. Then click “OK” to close and save the new profile.

That’s it! Now, you’ll just have to take the time to customize your view to your likes and needs. You can arrange the panel layout, the columns that you prefer to see, the colors of the packet/frames. Any changes you make to the active profile are automatically saved.

To switch profiles just click on “Profiles” at the bottom, right-hand corner of Wireshark. You’ll see a list of all the available profiles. Just click on the one you want and your done.

Profile Selector

You can even save you profiles for use on other machines, or to share. A quick Google search should allow to find customer profiles that other users have created that may suit your needs.

To share a profile, or add someone else's profile, go to the help about for Wireshark and click on the “Folders” tab. You’ll see links to various folders. Click on the link for the “Personal configuration”. When the window pops up go into the "Profiles" folder. There you will see folders for each of your profiles. Just copy and share the profile(s) you want share.

Alternatively, if you want to add someone else's profile(s) copy their profile folders into your "Profiles" folder. Next time you start Wireshark the profiles will be available to you.

The Profile Folder


SharkTIP #2 - Columns That Matter

Columns are YUGE. Having the right columns front and center will make finding what you want faster and easier. If you're trying to learn and understand 802.11, taking the CWAP, having the right columns will go a along way to helping you understand what's happening up in them frames!

Useful Wireshark Columns for 802.11 (Click to see Full Size)

There are a few different ways to create columns:

 

OPTION 1

You can right-click on the column bar and select "Column Preferences" from the menu. Then you can press the "+" button to create a new column, give it a name and either select form the list of presets, or use a filter for what you want.

For example, if you wanted to create a column that shows TX rate you could...

The standard way to add new columns to Wireshark.

OPTION 2 (My preferred method) 

This option gives you more stuff to choose from. You'll be surprised what you'll find. Select an item you want from the Packet DETAILS below the Packet List like so...

Adding Columns to Wireshark from the Packet Details Window instead of selecting from the standard list.

Here are some of some of the columns I use:

  • Sequence No.

  • Length

  • Size

  • Source

  • Destination

  • SSID

  • PTK

  • PHY

  • PWR MGMT

  • Noise

  • Type/Subtype

  • Protocol

  • CH.

  • Priority

  • RSSI

  • Rate

  • DTIM

  • Duration

  • Info

I hide/unhide columns as needed by right-clicking on the column bar and selecting/de-selecting what I want from the list:

Wireshark Hiding/Unhiding Columns


SharkTIP #3 - Colorize The Packets!

I spend the majority of my time working with 802.11. So, I’ve customized Wireshark to make analyzing it faster and easier.

One of the first things I did was add a custom color palette for colorizing 802.11 frames. Fortunately, I didn’t have to work too hard. @WiFiTrent created this awesome color profile based on MetaGeek’s Eye P.A., and @WifiNigel blogged about how to add it to Wireshark here. The color scheme breaks it down into three basic color sets for each 802.11 frame type - Management, Control, and Data. It makes it so much easier to spot things quickly, and helps me better understand what I’m seeing. I love it!

Wireshark Coloring Rules for 802.11

To install it click on “View” and select “Colorization rules…”. You’ll see an option to import the file. Or, if you want to take the time to create your own color rule set just click on the “+” button and start creating your rules, frame by frame!

👉 Download it at WiFiNigel’s blog.

Happy coloring! 🖍


SharkTIP #4 - Create A List Of Commonly Used Display Filters

Just click on the little bookmark icon to the left of the filter entry field, select "Manage Display Filters", and add your most commonly used display filters for quick and easy access. Then just click and select them on the fly!

Wireshark Display Filters

@VergesFrancois created this 👉 great document listing the most common Wireshark 802.11 Display Filters .

 

Display Filter Buttons! (Wah????)

Another cool way to do filters are Filter Buttons! Ceate Filter Buttons in Wireshark toolbar for your most used filters. Just click and BLAMO! You're filtering, yo!

Easy to do. Here is how you create and remove an existing filter button. Here I'm adding a button to quickly filter on only frames that pertain to my MacBook, JAYNE.

Just click on the "+" on the filter bar and then add a label and the filter you want to use...


SHARKTIP #5 - Custom Name Resolution (The “ethers” file) 🕵🏻

Sometimes it hard to see through the mass of information Wireshark presents you.  For quick scanning I like to add name resolution for mac addresses so devices I’m looking for are easily identifiable in Wireshark.

It's simple to do. 

  1. On a Mac go to Wireshark > About Wireshark, and on Windows go to Help > About

  2. When the dialog pops up click on the “Folders” tab

  3. Click on the link next to "Personal configuration".

  4. Open the “ethers” file in your text editor of choice (If you don't see an "ethers" file you create a text file and copy paste the example below.)

  5. Add each device on a separate line, Mac address, followed by a space, and then the name:

    Example of an ethers file:

    # Use the ethers files to name devices. 
    # This will replace the MAC address with the name you specify here.
    # An example of adding a device MAC address and name.

    ######## EXAMPLE DEVICE ENTRY ############

    # 1A:2B:3C:4D:5E:6F DEVICE-NAME

    ######## ENTER YOU DEVICES BELOW! ########

    1a:2b:3c:4d:5e:6f ATV-HOME
    a1:b2:c3:d4:e5:f6 IAP-224
    00:01:02:03:04:0f MACBOOK
    a1:b2:c3:d4:e5:f6 IPHONE
    00:c2:c1:d3:dd:c7 IPAD


  6. Save the file in /etc, restart Wireshark and now you’ll see the device name instead of the Mac address.

 

IT will look something like this:

(Here I added my AppleTV and Aruba IAP-224:)

Wireshark Name Resolution with the Ether File

That's it of now. I'll post some more SHARKTIPS™ :-) in the next few weeks.  


Add a Custom AP + Antenna Combination in Ekahau

Shout out to @WiFiNigel for helping me figure this one out. I'm sure there are other folks out there that have figured this out, but I never did... until now.

So, I'm in the middle of a design in Ekahau Site Survey (ESS) for a fairly large manufacturing facility (about 1.2 million square feet) and I'm using a specific AP with various antennas types depending on the use-case at the facility.

When you place an AP in ESS the next time you place a new AP on the map it uses the last AP you placed, and it saves you previous configs such as TX power, antenna hight, and angle. However, if you customize an AP - like I did - by selecting an AP from the dropdown and then changing the antennas to a 3rd party antenna -the next time you place an AP it DOES NOT use that - it uses the default from the dropdown.

This is a bummer if you're a.) adding a lot of APs, and/or b.) are switching between antennas types (like say a patch for racks, and dipoles in open areas, etc). Every time you place an AP you have to manually go in and change EVERYTHING - the TX power, the antenna hight, the angles, and of course - the antennas themselves.

I knew you could make changes to the ESS conf files for adding custom antennas and APs, but I had never actually done that - until now. I edited the "accessPointTypes.xml" file and added the AP with the antennas I wanted. The antenna already existed in ESS, it just wasn't paired with the AP I wanted to use. I figured this was all I needed to do to get it to work.

Upon opening my project file in ESS I saw that the new customized version of the AP was there in the list! (Yay!) But, when I placed it I saw only the generic antennas matched with it. (Boo.)

Nigel then made the brilliant observation that I may just need to look at the antenna conf files and add the AP + ANT combination there - and when I looked at the antenna files I noticed that's exactly what Ekahau did. They had AP + the 2.4 and 5 GHz versions of the antennas there:

So, it was quite simple really - I just copied each of the antenna files I wanted (2.4 and 5 GHz) and then pasted them back into the same folder. Now I had version of each (with the "copy" appended at the end) and all I had to do was rename the file by adding the AP name "+" the antenna name and remove the "copy" at the end. I then edited the "accessPointTypes.xml" again, this time I used the name of the antenna file as the name of the AP and saved the file.

Lo, and behold, when I restarted ESS, there it was! When I added the AP it had the correct antennas for 2.4 and 5 GHz, and when I added the next AP it matched the antennas as well as all the setting changes I made for the first one (TX power, ANT height, angle, etc.). I was pretty stoked - so I wrote this blog.

So, if you have a project where you have lots of APs with a 3rd party antennas, and don't want to edit EVERY. SINGLE. ONE - try this:

* NOTE: This is NOT the "Custom AP" that shows up in ESS. You should never use that.

This is for creating your own existing AP and Antenna combinations.

When you add an AP and change the antennas type in Ekahau, the next time you add the AP it will not have the same antennas, or settings. You have to manually edit the AP everytime you add it if it's not a combination that already exists in the dropdown.

You can edit the config files for antennas and APs so that you can create custom AP/ANT combos for use in all of your projects.

* EDIT 05-31-2016  I forgot to mention that you'll need admin rights to edit anything in that folder. Just right-click on the folder and give yourself full-rights.

*IMPORTANT! @WJComms on the Twitters made a good point: BACKUP YOUR CONFIG FILES AFTER YOU EDIT THEM. If you don't they'll be written over when you update ESS and you'll lose your changes. Back them up somewhere else and copy the changes to the updated config files after you update.

First thing's first: REQUIREMENTS

Estimated reading time: 2 minutes, 14 seconds. Contains 448 words

 

I was at a meeting today with a large Mechanical/Electrical Engineering firm who was in need of some wireless expertise. More and more they are getting asked to include wireless "designs" for building projects and are finding (as many do) that it's not as simple as it seems.

The discussion took many turns, but often came back to something like, "So, if we have a school with say 35 students per classroom how many APs do we need?" My answer would be, "it depends." What does it depend on? Their requirements.

How many clients (not users, but devices)? What type of clients (1 stream, 2 stream, 3 stream)? What applications will they be using (e-mail & web, video streaming vs. YouTube caching, voice, etc) What are the bandwidth requirements for their State testing? And more.

The point was - just like they could not just "make up" an electrical, or engineering design out of the blue (How many people need to be in the space? What's the total power consumption required? Do we need HVAC in all locations?) - one could not just "make up" a WLAN "design" (Well, one could, but then you get what you get). That made total sense to them which was good.

I love explaining how wireless works and seeing their eyes light up. I love how it makes sense to them when I explain why they're not going to see 1.3GBs throughput, or adding more APs is not a default answer to a problem, how coverage & capacity are different things, how having a bunch of low-end single stream devices is not as efficient as have a bunch of 2, or 3 stream devices, etc.

The FIRST step to wireless network design, and the best way to avoid the BAD-FI, is to determine the REQUIREMENTS and EXPECTATIONS of the customer. Here just a few of things you should consider:
 

  • How many clients will be using the WLAN?
     
  • What are the types/capabilities of the devices? (# of streams, 5GHz support, DFS support, 802.11r/k/v support, etc.)
     
  • What applications will be using the WLAN and what are the requirements of those applications?
     
  • Is there a budget for the project?
     
  • Are there accurate, scale floor plans available?
     
  • What security and authentication types are you looking to support?
     
  • What the total bandwidth coming into your facility?
     
  • What is the time-frame for the project?
     
  • Aesthetics: Are external antennas ok? Do LEDs need to be off Should APs be inconspicuous?
     
  • Cable lengths: where are/is the MDF/IDFs located? More than 300ft from the APs?


These are a few off the top of my head, but you get the gist. DEFINE your customer's (or, YOUR) requirements and expectations BEFORE you design a solution.

Anything else and you're just guessing.

What’s been impossible on iOS, but easy on Android for years, has finally come (back) in iOS 8.

Wi-Fi scanning can now be performed. You can see SSIDs, even hidden ones, and view RSSI. For now, it’s only available via the Apple Airport Utility and it needs to be manually enabled in settings.

Sorry, no API access for 3rd party developers (yet), but at least WLAN aficionados can finally scan wi-fi on iOS devices!

Download Apple Airport Utility:

https://appsto.re/us/YJ7Dz.i

Leverage DHCP Fingerprinting in ArubaOS

image

Estimated reading time: 6 minutes, 16 seconds. Contains 1254 words

I was recently at a customer site upgrading an Aruba controller and doing some basic WLAN “best-practices”. During this I was asked by the customer if there was a way to keep mobile devices off the corporate network. Without something like Aruba’s ClearPass it’s not easy to identify and restrict these devices

My initial thought was with their current solution (Microsoft NPS) they couldn’t easily keep 802.1X capable devices from connecting to the corporate WLAN if they had valid AD credentials. Then as I was working it occurred to me that Aruba mobility controllers use DHCP fingerprinting to profile devices. I could leverage that ability to help keep mobile devices off the corp WLAN. It’s not 100% accurate *(and should not be considered a complete security solution), and I let the customer know this, but it identifies iOS and Android devices pretty well.

Essentially, a DHCP fingerprint is an “almost” unique identifier for OSes, or device types. The DHCP protocol (RFC 2132) allows for information other than just IP requests and acknowledgments to be sent. These DHCP “options” includes vendor specific information which makes it possible to identify devices and even OSes by their unique signature. That being the case we can use the fact the ArubsOS supports this to create roles for these various devices and OSes and thus provide some level of management of these devices.

For example, we can create a rule that says if a device is an iPhone it will be placed in the “Mobile_Device” role. This role can than be restricted to Internet only with no access to internal resources, placed in another VLAN, or just sandboxed altogether. *Not the best overall solution, but it works well enough.

Step one is to identify the DHCP fingerprint for that specfic device. There are several ways to do this and a simple Google search will give you plenty of options. You can also search for the specific fingerprint as well and hopefully someone will have posted it. In this post we’ll just focus on using Aruba OS to find the fingerprint. But here is a list I’ve compiled so far from various blog-posts and from the Aruba Airheads community:

 

  • Android_device - (3C64686370636420342E302E3135)
  • Android 2.X - (3c6468637063642034)
  • Android 2.2 - (3701792103061c333a3b)
  • Android 2.3.X - (0c616E64726F69645F)
  • Android 4.0.X - (37012103060f1c333a3b)
  • Android 4.0.X(2) - (37012103061c333a3b)
  • Blackberry 2 - (3C426C61636B4265727279)
  • Blackberry(2) - (370103060F775ffc2c2e2f)
  • iOS Device - (370103060F77FC)
  • iPad - (37011c02030f06770c2c2f1a792a)
  • OS X 10.6 - (370103060f775ffc2c2e2f)
  • OS X 10.7 - (370103060f775ffc2c2e)
  • Win Mobile6 - (370103060f2c2e2f)

 

How To Find A DHCP Fingerprint

Step 1

Log in to the CLI of your Aruba controller and go to enable mode. Once there go to configure mode and enable logging level debug for DHCP by entering:

(config)# logging level debugging network

Step 2

Connect your device to the appropriate WLAN and then use the show command to view all the recent network entries. Search for the MAC address of the device and locate the DHCP option:

(config)#show log network all | include options

You should then see a output like this:

Sep 7 12:54:43 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173e6 reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79 Sep 7 12:55:15 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:60:2e:xx:xx:xx Transaction ID:0x464bcafb reqIP=192.168.15.248

Options 3d:0100602e024a08

3c:756468637020302e392e392d707265 

37:0103060c0f1c Sep 7 12:57:20 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173ef reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79

You’re looking for options that start with 37, 0C, 32, or 33. These are hex for DHCP options 12, 55, 60, and 81. In the above example the fingerprint for my device is 37:0103060f77fc, an iPhone. So, what I would use is that value without the colon (:) - just 370103060f77fc. Now that we have found the DHCP fingerpring we can create our rules and start enforcing policy.

Create a User Role

A user role us just a set of policies for the user/device in that role. This role can simply be an “allow-all” policy that does not restrict access, or it can be very specific like only allowing DHCP, DNS, and http/hhtps to the Internet. Or, as stated previously, placing the device in a different VLAN. It can even just be a role that denies access altogether. Regardless, the role needs to be created first so we can apply it in the User Rules for the devices later on. Since roles are pretty common usage in ArubaOS I’ll just say create the roles you want how you want. You can call it “iPhones”, or “MacBooks”, or “Android”, etc. If don’t know how to create roles page 265 in the Aruba OS User Guide walks you step-by-step.

Create A User Rule for the DHCP Fingerprints

  1. In the controller UI go to Security > Authentication > User Rules.
  2. Click on “Add” to create a new User Rule. Give it a name like “Mobile_devices.” You will be able to add multiple fingerprints in one rule so you don’t have to create multiples if don’t need to.
  3. Now click on your newly created rule and then click “Add” to start adding your rules. Here’s an example of adding iOS signature:
  • In this image the “set-type” is Role since we want a specific role to be assigned this device when it connects.
  • "Rule Type" says we’re looking at the DHCP options.
  • "Condition" is what condition is met to trigger this rule - so "equals" is what we want.
  • "Value" is what the condition of "equals" will match. This will be your DHCP fingerprint.
  • "Role" is the role you created earlier.
  • And lastly the description of the this rule. (i.e. iOS Device, Android Phone, AppleTV, etc.)

Finally, click “add” and you’ve created your first rule!

Apply The New User Rule

So, now we have the User Role that will be assigned to devices matching the DHCP fingerprints we have added in the User Rule. So, to make the magic happen we need to apply the User Rule to the AAA profile assigned to the specific VAP (Virtual AP) that you want this rule to function on.

  1. In the controller UI navigate to Configuration > Security > Authentication > AAA Profiles.
  2. Click on the profile for the WLAN/SSID you want to apply the User Rules to.
  3. On the right you should see an option called "User derivation rules". From the drop-down select the User Rule you created. Click "Apply" to save you changes.

Now connect your fingerprinted device to the appropriate SSID. If your device was recently connected it may still have same role it had before. This is because it has not yet aged out of the database. To ensure that the device gets the correct role you should delete it from the database. The best way to do this is from the CLI. SSH into the controller, go to enable mode, and enter the following:

(Master-7010) #aaa user delete mac [device mac address]

Now you should reconnect and see that your device has been given the new mobile device role that you assigned in your User Rule for that specific devices DHCP fingerprint. The controller matched the DHCP fingerprtint of your device with the rule you created and assigned the appropriate User Role.

Now, as I said in the beginnig this isn’t 100% fool-proof, but it catch most modern devices. It’s already part of the OS and short of purchasing ClearPass this is a great way to manage devices on your WLAN.

*UPDATE: As one reader has already mentioned this should not be considered as a high-security solution. At best it allows you maybe keep some devices off, or keep others from using ip DHCP space, etc. For a more comprehensive way to secure and manage BYOD you should look at products such as Aruba’s ClearPass.

In any case, if all you have is an Aruba WLAN this is another useful tool to have in your tool bag.

How to Perform a PCAP with Aruba Instant AP

Estimated reading time: 1 minute, 7 seconds. Contains 224 words

So, this guy at WLAN Pros Conference says, “I wish I could do a packet capture on Aruba Instant”. This other guy says, “I don’t think they can do that”. I say, “Oh, yes, they can.” The other guy say, “Really? Are you sure?” And I say, “Absolutely. I think. Hold on.”

So, I proceed to login to my knowledge base, download, and then e-mail the first guy this PDF that PROVES - beyond a shadow of a doubt - that I am nobody’s fool!

I was wrong.

Wrong, wrong, wrong, wrong, wrong…

Or, so I thought! I sent him the wrong document. Turns out you CAN do pcap on Aruba Instant I just didn’t know that I didn’t know what I was talking about.

Anyways. here’s how it’s done. I stole it from Aruba AirHeads.

- - - - - - - - - - - - - - - - -

Make sure you’ve upgraded to the latest version of Instant OS so you can use the pcap command to do the wireless packet capture on the IAP.

Run the Aruba version of Wireshark on the PC, on the capture interface, select ARUBA udp-port=5555

SSH into IAP

Use “pcap start <base bssid> <ip address of PC with Aruba version of Wireshark installed> <port> 0 1518”

Use “show pcap” to check the active pcap session

Use “pcap stop <base bssid> <pcap-id> to stop the capture