This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to identify an AP (access point)?

0

Hello,

How would one go about identifying an access point when looking at packets through Wireshark? From what I understand, it's the source MAC address of a Beacon frame (which would also be the BSSID), is that right?

Thanks for any answers in advance.

asked 11 Feb '15, 12:58

Rokas Mackev...

edited 11 Feb '15, 13:19


One Answer:

2

There are several methods:

  • look for beacon frames (wlan.fc.type_subtype == 0x0008). The sender is an AP
  • look for association requests (wlan.fc.type_subtype == 0x0000). The destination is the AP
  • if the traffic is not encrypted: find a frame with a SYN and then look at the destination address (wlan.da) in the 802.11 header. That's the MAC of the AP.
  • if the traffic is encrypted, filter for EAPOL frames. The first Key message comes from an AP

Regards
Kurt

answered 11 Feb '15, 14:35

Kurt Knochner ♦

Thanks!

Just to be completely clear, in terms of beacon frames, by sender are you referring to the Transmitter address or Source address from the IEEE 802.11 Beacon frame packet header?

(11 Feb '15, 15:22) Rokas Mackev...

Correct.

(11 Feb '15, 15:24) Kurt Knochner ♦

So Transmitter address and Source address are identical in this situation? My question was which one was it, source or transmitter heh.

(11 Feb '15, 16:40) Rokas Mackev...

For a beacon frame in 802.11, the transmitter address and the Source address are the same.

(12 Feb '15, 12:26) Amato_C
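
Added example (not part of the original thread): a small Python classifier that applies three of the methods from the answer (beacon, association request, first EAPOL-Key message) to raw 802.11 frames and reports which MAC address is the AP. It assumes each frame starts at the 802.11 header (no radiotap header, no FCS); the MAC addresses, helper names and sample frames are constructed for illustration.

```python
import struct

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888e

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ap_from_frame(frame):
    """Return (method, AP MAC) if the frame reveals the AP, else None."""
    if len(frame) < 24:                     # shorter than a full 802.11 MAC header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    type_subtype = (ftype << 4) | subtype   # same value as wlan.fc.type_subtype
    addr1, addr2 = frame[4:10], frame[10:16]
    if type_subtype == 0x08:                # beacon: the sender is the AP
        return ("beacon", mac(addr2))
    if type_subtype == 0x00:                # association request: destination is the AP
        return ("assoc-req", mac(addr1))
    if ftype == 2 and frame[1] & 0x03 != 0x03:     # data frame, not 4-address (WDS)
        body = frame[26 if subtype & 0x8 else 24:]  # QoS data has 2 extra header bytes
        if len(body) < 15 or body[:8] != LLC_SNAP_EAPOL or body[9] != 3:
            return None                     # not an EAPOL-Key frame
        key_info = struct.unpack(">H", body[13:15])[0]
        if key_info & 0x0080 and not key_info & 0x0100:  # Key ACK set, Key MIC clear
            return ("eapol-msg1", mac(addr2))            # message 1 comes from the AP
    return None

def find_aps(frames):
    """Map each AP MAC to the set of methods that identified it."""
    aps = {}
    for f in frames:
        hit = ap_from_frame(f)
        if hit:
            aps.setdefault(hit[1], set()).add(hit[0])
    return aps

# Constructed sample frames (not from a real capture).
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
def dot11_hdr(fc0, flags, a1, a2, a3):
    return bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"
def eapol_key(info):
    return LLC_SNAP_EAPOL + bytes.fromhex("0203005f02") + struct.pack(">H", info)

SAMPLES = [
    dot11_hdr(0x80, 0x00, b"\xff" * 6, AP, AP),            # beacon
    dot11_hdr(0x00, 0x00, AP, STA, AP),                    # association request
    dot11_hdr(0x08, 0x02, STA, AP, AP) + eapol_key(0x008a),  # EAPOL-Key message 1
    dot11_hdr(0x08, 0x01, AP, STA, AP) + eapol_key(0x010a),  # EAPOL-Key message 2
]
```

Calling find_aps(SAMPLES) attributes all three methods to 02:00:00:00:00:01; the message 2 frame from the station is ignored because its Key MIC bit is set.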