Packets never lie: An in-depth overview of 802.11 frames


Post on 17-Jul-2015


George M. Stefanick Jr

@ArubaNetworks

2 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 |


BIO

George M. Stefanick Jr.

Wireless Architect @ Houston Methodist Hospital – 6 years (7 WiFi Distros, 3,900 APs, 30,000 clients)

Previously worked for a Cisco Partner focused on Mobility for 8 years

Vendor and vendor neutral certifications

www.my80211.com and www.nostringsattachedshow.com (Desperate for friends)

Cisco VIP 2012, 2013 and 2014 - Aruba MVP 2014 and 2015 (I have no life)

Consulting (training, site survey, deployment and troubleshooting) (Always in debt to the IRS)

Tech Editor:

Sybex: CCNA Wireless Study Guide; Todd Lammle

Cisco Press: Designing and Deploying 802.11 Wireless Networks: A Practical Guide to Implementing 802.11n and 802.11ac; Jim Geier


Devices that are in my wheelhouse

• Cardiac Imaging

• Electronic Medical Record (EMR)

• Mobile Ultrasound

• Mobile Picture Archiving and Communications systems (PACS)

• RTLS

• Mobile Robots

• Infusion Pumps

• COWs (Computers on Wheels)

• Cisco 7925 Handsets

• Vocera Badges

• Mobile Cisco TelePresence VX Clinical Assistant

• Roche Diagnostics Accu-Chek

• Mobile EKG Carts

• Mobile Med Dispensing Carts

• WorkGroup Bridges (WGB)

• Mobile Deaf Response Devices

• DaVinci Simulators

• Laptops

• Tablets

• Smartphones

• Crestron

• Point to Point Links

• Wireless Door Locks


Quick Poll

1. Who has a WiFi Analyzer in their tool bag?

2. How confident are you with reading and interpreting your captures?

3. Who has solved a problem with packet analysis?

4. Any CWNP Certified folks?


Agenda

• This session covers different 802.11 frame types as well as MSDU, MPDU, PSDU, PPDU and other terminology.

• We will explain and showcase some of the common problems you can solve with a packet analyzer.


Management, Control, and Data frames

Management

– Beacon, Association Request, Association Response, Reassociation Request, Reassociation Response, Probe Request, Probe Response, Disassociation, Authentication, Deauthentication, Action and Announcement Traffic Indication Message

– Management frames provide the foundation for how WiFi radios are able to detect, join and operate on a WiFi network.

Control

– Power Save Poll (PS-Poll), Request to Send (RTS), Clear to Send (CTS), Acknowledgement (ACK), CF-End+CF-ACK, Block ACK Request (BlockAckReq), and Block ACK (BlockAck).

– Control frames facilitate Data frame delivery. They are the traffic cops of 802.11 data frames.

Data

– Data, NULL, Data+CF-Ack, Data+CF-Poll, Data+CF-ACK+CF-Poll, CF-ACK, CF-Poll, CF-ACK, QoS Data, QoS Null, QoS Data+CF-ACK, QoS Data+CF-Poll, QoS Data+CF-ACK+CF-Poll and more.

– Data frames are simple. They carry data payload from and to the upper layers.


802.11 Frame Headers, Information Fields, and Information Elements Are Not Encrypted

Layer 2 is not encrypted

Visible to anyone within range of the transmission, on channel and with a protocol analyzer

With the right tools someone can easily eavesdrop on your network transmissions

WiFi DoS attacks are easily achieved on Layer 1 and Layer 2

– Layer 2 MFP (Management Frame Protection)

Encryption secures Layer 3 and up (Data Frames)

– NULL Data frames aren’t encrypted because they don’t carry a data payload
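Because the MAC header travels in the clear, every captured frame can be classified from its first four bytes. The following is an added example, not part of the original deck: it decodes the Frame Control and Duration/ID fields and computes a retry rate over data frames. The function names and the sample bytes are constructed for illustration.

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (0, 13): "Action",
    (1, 8): "BlockAckReq", (1, 9): "BlockAck", (1, 10): "PS-Poll",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data", (2, 12): "QoS Null",
}

def parse_header(frame: bytes) -> dict:
    """Decode the Frame Control and Duration/ID fields (first 4 bytes)."""
    if len(frame) < 4:
        raise ValueError("need at least 4 bytes of MAC header")
    fc, dur = struct.unpack_from("<HH", frame)  # both fields are little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    flags = fc >> 8
    return {
        "version": fc & 0x3,
        "type": TYPES.get(ftype, "Reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08), "pwr_mgmt": bool(flags & 0x10),
        "protected": bool(flags & 0x40),
        # With bit 15 set the field is not a NAV duration (e.g. AID in PS-Poll).
        "nav_us": dur if not dur & 0x8000 else None,
    }

def retry_rate(frames) -> float:
    """Share of data frames that have the Retry bit set."""
    data = [h for h in map(parse_header, frames) if h["type"] == "Data"]
    return sum(h["retry"] for h in data) / len(data) if data else 0.0

# Constructed sample headers (first 4 bytes only), not from a real capture.
SAMPLES = [
    bytes.fromhex("80000000"),  # Beacon
    bytes.fromhex("88412c00"),  # QoS Data, To DS, Protected, NAV 44 us
    bytes.fromhex("88492c00"),  # same frame retransmitted: Retry set
    bytes.fromhex("48110000"),  # Null, To DS, Pwr Mgmt set, not Protected
    bytes.fromhex("b4007049"),  # RTS carrying a NAV of 18800 us
]
```
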


802.11 Management Frames

Management

– Beacon, Association Request, Association Response, Reassociation Request, Reassociation Response, Probe Request, Probe Response, Disassociation, Authentication, Deauthentication, Action and Announcement Traffic Indication Message

– Management frames provide the foundation for how WiFi radios are able to detect, join and operate on a WiFi network.


802.11 Beacon: What’s inside a Beacon?


802.11 Beacon: Broadcast vs NonBroadcast


802.11 Beacon: Supported Rates


802.11 Beacon: Interval


802.11 Beacon: Cipher and AKM (CCMP/802.1X)

AKM
– 00-0F-AC-01: 802.1X
– 00-0F-AC-02: PSK

Cipher Suite
– 00-0F-AC-01: WEP 40
– 00-0F-AC-05: WEP 104
– 00-0F-AC-03: TKIP
– 00-0F-AC-04: CCMP

Pairwise Cipher
– Encryption: Unicast

Group Cipher
– Encryption: Multicast / Broadcast

802.11 Beacon: Cipher and AKM (CCMP/TKIP/802.1X)

AKM
– 00-0F-AC-01: 802.1X
– 00-0F-AC-02: PSK

Cipher Suite
– 00-0F-AC-01: WEP 40
– 00-0F-AC-05: WEP 104
– 00-0F-AC-02: TKIP
– 00-0F-AC-04: CCMP

Group Cipher
– Encryption: Multicast / Broadcast

Pairwise Cipher
– Encryption: Unicast
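These selectors are what a Beacon's RSN element encodes, so a capture shows exactly which ciphers and AKMs an SSID advertises. As an added example (not from the original deck), the parser below decodes a constructed RSN element using the selector values listed on this slide and reports legacy ciphers and whether Management Frame Protection is required. The function names are hypothetical, and the RSN Capabilities bit positions come from the 802.11 standard rather than from the page.

```python
import struct

# Suite types as listed on the slide above (OUI 00-0F-AC plus a 1-byte type).
CIPHERS = {1: "WEP 40", 2: "TKIP", 4: "CCMP", 5: "WEP 104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI = bytes.fromhex("000fac")

def suite_name(sel: bytes, names: dict) -> str:
    """Name one 4-byte suite selector: 3-byte OUI followed by the type."""
    if sel[:3] != RSN_OUI:
        return "vendor " + sel.hex()
    return names.get(sel[3], f"type {sel[3]}")

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN element (ID 48); assumes fields up to the AKM list exist."""
    if len(ie) < 10 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, off = ie[2:], 6
    out = {"version": struct.unpack_from("<H", body)[0],
           "group": suite_name(body[2:6], CIPHERS)}
    for key, names in (("pairwise", CIPHERS), ("akm", AKMS)):
        if off + 2 > len(body):
            raise ValueError("truncated suite count")
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if off + 4 * count > len(body):
            raise ValueError("suite list runs past the element length")
        out[key] = [suite_name(body[off + 4 * i:off + 4 * i + 4], names)
                    for i in range(count)]
        off += 4 * count
    # RSN Capabilities: bit 6 = MFP required, bit 7 = MFP capable.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    out["mfp_required"], out["mfp_capable"] = bool(caps & 0x40), bool(caps & 0x80)
    return out

def findings(rsn: dict) -> list:
    """Added audit check: legacy ciphers and a missing MFP requirement."""
    legacy = {"WEP 40", "WEP 104", "TKIP"}
    notes = [f"{role} cipher {c} is legacy"
             for role, cs in (("group", [rsn["group"]]), ("pairwise", rsn["pairwise"]))
             for c in cs if c in legacy]
    if not rsn["mfp_required"]:
        notes.append("management frame protection not required")
    return notes

# Constructed RSN elements, not taken from a real capture.
MIXED = bytes.fromhex("30 18 0100 000fac02 0200 000fac04 000fac02 0100 000fac01 0000")
CCMP_MFP = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac01 c000")
```
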


802.11 Beacon: Cisco Proprietary / Vendor Specific


AP Name

Station Count


802.11 Beacon: TIM / DTIM / COUNTRY


802.11 Beacon: QBSS Load Station Count / Channel Util.


Station Count

Channel Utilization


802.11 Beacon: 802.11n (HT) High Throughput


802.11 Beacon: 802.11n (HT) High Throughput


802.11 Beacon: 802.11ac (VHT) Very High Throughput


802.11 Probe: NULL Request


802.11 Probe: Direct Request


802.11 Probe: Request – Remembered Networks


802.11 Probe / Auth / Assoc Flow


802.11 Probe: Request


802.11 Probe: Response


802.11: Authentication


802.11: Authentication


802.11: Association Request


802.11: Association Response


802.11 EAP Flow


802.11 EAP: ID


AirHeads

How secure is your EAP-PEAPv0 deployment?

http://community.arubanetworks.com/t5/Technology-Blog/How-secure-is-your-EAP-PEAPv0-deployment/ba-p/216683

802.11 EAP 4-Way Handshake


802.11 Control Frames

Control

– Power Save Poll (PS-Poll), Request to Send (RTS), Clear to Send (CTS), Acknowledgement (ACK), CF-End+CF-ACK, Block ACK Request (BlockAckReq), and Block ACK (BlockAck).

– Control frames facilitate Data frame delivery. Control frames are the traffic cops of 802.11 data frames.

802.11 Frame Control Header Retry/To/From/NAV


802.11 RTS


802.11 CTS


802.11 ACK


802.11 Block Acknowledgement Request


802.11 Block Acknowledgement


802.11 Data Frames

Data

– Data, NULL, Data+CF-Ack, Data+CF-Poll, Data+CF-ACK+CF-Poll, CF-ACK, CF-Poll, CF-ACK, QoS Data, QoS Null, QoS Data+CF-ACK, QoS Data+CF-Poll, QoS Data+CF-ACK+CF-Poll and more.

– Data frames are simple. They carry data payload from and to the upper layers.

802.11 Data Encrypted


802.11 Data Not Encrypted


802.11 Data NULL Frame


Sniffing Challenges

802.11ac

Get close to the radio

Use APs as sniffers

Build filters and use triggers

Know that you may miss frames

Real World Example – Wireless is slow


Real World Example – Wireless is slow

Retry (Frame Retransmission)

Real World Example – Clients dropping connection


Real World Example – Clients dropping connection


NAV 18,800 us


Real World Example – Slow connection lots of application drops


Real World Example – Slow connection lots of application drops

NULL FRAMES

PROBES

Channel Scanning

LLC, MAC, PLCP, PMD


LLC, MAC, PLCP, PMD: Know the layers and what each layer does


LLC, MAC, PLCP, PMD


LAYER 2 LLC – Logical Link Control

LAYER 2 MAC – Media Access Control

LAYER 1 PLCP – Physical Layer Convergence Procedure

LAYER 1 PMD – Physical Medium Dependent


LLC, MAC, PLCP, PMD

LAYER 2 LLC – Logical Link Control (MSDU) *Packet

LAYER 2 MAC – Media Access Control (MPDU) *Frame

LAYER 1 PLCP – Physical Layer Convergence Procedure (PSDU/PPDU)

LAYER 1 PMD – Physical Medium Dependent (Bits)

LLC, MAC, PLCP, PMD – Encapsulated Headers


Spectrum Masks – DSSS / OFDM


Modulation – 802.11 PRIME and 802.11b


1 PHY DBPSK

2 PHY DQPSK

5.5 PHY CCK

11 PHY CCK


Modulation – ERP-OFDM 802.11g


6 PHY BPSK

9 PHY BPSK

12 PHY QPSK

18 PHY QPSK

24 PHY QAM16

36 PHY QAM16

48 PHY QAM64

54 PHY QAM64


Modulation – OFDM 802.11a


6 PHY BPSK

9 PHY BPSK

12 PHY QPSK

18 PHY QPSK

24 PHY QAM16

36 PHY QAM16

48 PHY QAM64

54 PHY QAM64


Modulation MIMO-OFDM 802.11n/ac


How Bits Get Modulated


BPSK – 1 bit per modulation symbol at 180 degrees phase

2 wave forms (phases)


How Bits Get Modulated


QPSK – 2 bits per modulation symbol at 90 degrees phase

4 wave forms (phases)


How Bits Get Modulated


QAM64 – 6 bits per symbol / amplitude modulation


How Bits Get Modulated


QAM256 – 8 bits per symbol / amplitude modulation


How Bits Get Modulated


THANK YOU
