I am new to wireshark. To be honest, this is an assignment I have to do using Wireshark. Anyway, I have a pcap file which has the content of more than 4000 entries. I need to find the Beacons Interval. Is there a filter I need to use? asked 15 Apr '17, 13:42 cyberchaos |
One Answer:
Yes, a display filter will help quantify the beacon interval. Google shows this page with something very close: https://wiki.wireshark.org/Wi-Fi As this is an assignment, I leave it to you to determine the specific syntax to get the filter you need. If you have difficulty, show the filters you have come up and someone can provide more guidance. Do you know what to expect from an AP as it relates to beacons, i.e. the TBTT? Use this expectation to help determine if you might have the correct filter as you work on the filter syntax. This all assumes that you have a packet trace that actually includes beacons. It would be very difficult to infer TBTT from a trace without beacons. This usually requires that an 802.11 capture be obtained, but there can be alternatives from some vendors that may send wireless capture from an AP over a tunneled wired connection and these may or may not include beacons. Cisco, Aruba, Ruckus, Mikrotik, and many others support this in one way or another through various mechanisms and software packages. To capture wireless traffic, which, if done correctly, will show beacons, review this information: https://wiki.wireshark.org/CaptureSetup/WLAN If wireless traffic comes from the AP vendor through some mechanism, check with them to see what is included. It may take some configuration to understand the encapsulation so that the wireless information can be decoded properly. answered 15 Apr '17, 16:19 Bob Jones edited 16 Apr '17, 06:26 |
Bob, Thanks for your help. Now, I used wlan display filter yesterday and it didn't show me anything. Part of the assignment is the pcap was captured on the router. I don't know if that gonna make any difference. I tried every possible (Wi-Fi filters) and all of the filters were blank.
I updated the answer to clarify the assumption that you have a wireless trace with beacons in it, and need only find them.
I don't know exactly what this means, so cannot advise on how to show what you need. This could mean:
802.11 capture sitting next to the device
You took a wired capture of the traffic crossing the router that was created by wireless clients
The router is really an AP and has a mechanism for collecting capture files and forwarding them to a device on the LAN, encapsulated
And others...
You could upload a trace in a publicly accessible location (i.e. cloudshark, drive, etc) so we can see what you are dealing with. Or try to obtain another capture per a different technique.
Bob, in the assignment, it says the traffic in the pcap was captured on the network router. attackers used protocol buffers. I need to find the beaconing interval in this pcap. I don't know what filter to use. I used wlan display filter and it didn't give me any results.