This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

How would one go about identifying an access point when looking at packets through wireshark? From what I understand, it's the source mac adresss of a Beacon frame(which would also be the BSSID), is that right?

Thanks for any answers in advance.

asked 11 Feb '15, 12:58

Rokas%20Mackevi%C4%8Dius's gravatar image

Rokas Mackev...
6114
accept rate: 0%

edited 11 Feb '15, 13:19


There are several methods:

  • look for beacon frames (wlan.fc.type_subtype == 0x0008). The sender is an AP
  • look for association requests (wlan.fc.type_subtype == 0x0000). The destination is the AP
  • if the traffic is not encrypted: find a frame with a SYN and then look at the destination address (wlan.da) in the 802.11 header. That's the MAC of the AP.
  • if the traffic is encrypted, filter for EAPOL frames. The first Key messages comes from an AP

Regards
Kurt

permanent link

answered 11 Feb '15, 14:35

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks!

Just to be completely clear, in terms of beacon frames, by sender are you referring to the Transmitter adress or Source adress from the IEEE 802.11 Beacon frame packet header?

(11 Feb '15, 15:22) Rokas Mackev...

correct .

(11 Feb '15, 15:24) Kurt Knochner ♦

So Transmitter adress and Source adress are identical in this situation? My question was which one was it, source or transmitter heh.

(11 Feb '15, 16:40) Rokas Mackev...

For a beacon frame in 802.11, the transmitter address and the Source address are the same.

(12 Feb '15, 12:26) Amato_C
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×248
×12
×4
×3

question asked: 11 Feb '15, 12:58

question was seen: 11,144 times

last updated: 12 Feb '15, 12:26

p​o​w​e​r​e​d by O​S​Q​A