Summary of the content on the page No. 1
Family of Wireless Capture
Adapters
User’s Guide
Summary of the content on the page No. 2
Copyrights Copyright © 2007 CACE Technologies, LLC. All rights reserved. This document may not, in whole or part, be: copied; photocopied; reproduced; translated; reduced; or transferred to any electronic medium or machine-readable form without prior consent in writing from CACE Technologies, LLC. AirPcap Family of Wireless Capture Adapters User’s Guide Document Version: 3.1 Document Revision: August 2007 CACE Technologies, LLC Davis, CA 95616 (530) 758-27
Summary of the content on the page No. 3
Contents and Figures
Contents
The AirPcap Product Family (page 3)
A Brief Introduction to 802.11 (page 4)
Terminology (page 4)
802.11 Standards (page 4)
Channels
Summary of the content on the page No. 4
Figures
Figure 1: The AirPcap Control Panel. Settings Tab (page 9)
Figure 2: AirPcap N and Extension Channel Setting (page 10)
Figure 3: The AirPcap Control Panel. Keys Tab (page 12)
Figure 4: Multi-Channel Aggregator (page 13)
Figure 5: The Wireshark Adapters List (page 14)
Figure 6: The Wireshark Wireless
Summary of the content on the page No. 5
The AirPcap Product Family
The AirPcap offerings are the first open, affordable and easy-to-deploy packet capture solution for Windows. All of the AirPcap offerings will capture full 802.11 data, management, and control frames that can be viewed in Wireshark, thereby providing in-depth protocol dissection and analysis capabilities. Below we provide a feature matrix that gives a high-level overview of the feature sets of the adapters in the AirPcap Product Family. More detailed informat
Summary of the content on the page No. 6
A Brief Introduction to 802.11
Terminology
The terms Wireless LAN or WLAN are used to indicate a wireless local area network, i.e. a network between two or more “stations” that uses radio frequencies instead of wires for the communication. All components that can “connect” to a WLAN are referred to as stations. Stations fall into one of two categories: access points or wireless clients. Access points transmit and receive information to/from stations using radio frequencies. As we sha
Summary of the content on the page No. 7
18, 24, 36, 48 and 54 Mbps. 802.11i, ratified in 2004, defines an enhanced security mechanism based on AES. 802.11n, expected to be ratified in 2009, is backward compatible with 802.11a, b, and g, and will operate at 2.4 GHz and optionally 5 GHz. It can potentially support data rates up to 600 Mbps.
Channels
802.11b and 802.11g divide the 2.4 GHz spectrum into 13 channels, beginning with channel 1 and ending with channel 13. The center frequency of channel 1 is 2,412 MHz, channel 2
Summary of the content on the page No. 8
interference and accommodate good wireless coverage using multiple BSSs. A BSS is formed by wireless clients “associating” themselves with a particular access point. Naturally, a wireless client will have to “discover” whether there is an access point within range and its corresponding channel. For this purpose, access points advertise themselves with “beacon” frames and wireless clients can (passively) listen for these frames. Another discovery approach is for the wireless client to
Summary of the content on the page No. 9
The Control frames are used to improve the reliability characteristics of the link. The establishment of a BSS through the process of discovery and association is supported by the Management frames, including possible authentication steps in the process. It is beyond the scope of this brief introduction to describe the details of these frames and their usage in the 802.11 protocol. If you are interested in additional details, you can consult the following websites: http://standards.iee
Summary of the content on the page No. 10
section WEP Keys on page 11 and The Decryption Keys Management Dialog on page 18 for more information.
Multiple Channel Capture (applies to USB adapters only)
This section applies to all members of the AirPcap Product family except AirPcap N. When listening on a single channel is not enough, multiple AirPcap adapters can be plugged into a PC and used at the same time to capture traffic simultaneously from different channels. The AirPcap driver provides support for this operation through
Summary of the content on the page No. 11
Configuring the Adapters: the AirPcap Control Panel
The AirPcap control panel (Figure 1) provides a convenient and intuitive way to configure the parameters of currently-connected AirPcap adapters. The changes made to an adapter using the AirPcap control panel will be reflected in all of the applications using that adapter. To start the AirPcap control panel, click on START→PROGRAMS→AirPcap→AirPcap Control Panel.
Figure callout: Select an Adapter from the
Summary of the content on the page No. 12
Settings
Figure callouts: The AirPcap N adapter Is Selected; Extension Channel Drop-down List for AirPcap N
Figure 2: AirPcap N and Extension Channel Setting
The Basic Configuration box contains the following settings:
• Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 1, …, 14 in the 2.4GHz and 5GHz bands overl
Summary of the content on the page No. 13
specification). PPI and radio information includes additional information not contained in the 802.11 frame: transmit rate, signal power, signal quality, channel, and (for PPI) multiple antenna information.
• Include 802.11 FCS in Frames: if checked, the captured frames will include the 802.11 4-byte Frame Check Sequence. This option can be disabled if an application has difficulty decoding the packets that have the Frame Check Sequence.
• FCS Filter: this drop-down list allows you t
Summary of the content on the page No. 14
consideration, since the driver uses the keys in the order they appear in this list. The currently configured keys are shown in the “Keys” list. It is possible to turn WEP decryption on and off at any time by using the “Enable WEP Decryption” check box.
Figure 3: The AirPcap Control Panel. Keys Tab.
The keys are applied to the packets in the same order they appear in the keys list. Therefore, putting frequently used keys at the beginning of the list improves performance. Note:
Summary of the content on the page No. 15
the traffic from all the installed USB AirPcap adapters, as if it was coming from a single device (this feature does not include traffic from the AirPcap N adapter).
Figure callouts: The Aggregator Uses the Global List of WEP Keys; List of Aggregated Channels; Specific Settings for the Multi-Channel Aggregato
Summary of the content on the page No. 16
AirPcap and Wireshark
The user interface of Wireshark is completely integrated with AirPcap. This increases your productivity, and allows you to get the best from the network analyzer you are used to.
Identifying the AirPcap Adapters in Wireshark
Figure 5 shows the Wireshark Capture Interfaces dialog (Capture→Interfaces). The AirPcap Interfaces are easily identified by the icon next to them.
Figure callouts: Multi-Channel Aggregator; AirPcap N Ad
Summary of the content on the page No. 17
When Wireshark starts, the active interface is the default one (Edit→Preferences→Capture→Default Interface). During Wireshark usage, the active interface is the last one used for packet capture.
Figure callouts: Channel offset for AirPcap N; Edit the decryption keys list; Change the adapter’s; Set the adapter to capture; Change t
Summary of the content on the page No. 18
• Decryption mode: can be one of the following:
  o None: no decryption is performed, neither at the driver level nor in Wireshark.
  o Wireshark: the driver doesn’t perform any decryption of the captured packets, and they are decrypted by Wireshark while displaying them. This has the advantage of minimizing the CPU load during the capture process. Moreover, the driver doesn’t manipulate the packets, so the captured data is a precise picture of the network traffic. However, capture filte
Summary of the content on the page No. 19
Figure 7: Wireless Settings Dialog in Wireshark
The parameters that can be configured are:
• Channel: the channels are specified in terms of their center frequencies and the range of channels varies from adapter to adapter.
• Channel Offset: set to -1, 0, or +1 for AirPcap N. This allows the use of “wide” channels.
• Capture Type: 802.11 frames only, or 802.11 frames plus Radio information (Radiotap header), or 802.11 frames plus the Per Packet Information (PPI) header. Radiotap
Summary of the content on the page No. 20
The Decryption Keys Management Dialog
This dialog window (shown in Figure 8) can be used to organize the keys that will be used to decrypt the wireless packets. It is possible to decrypt packets encrypted with WEP, WPA and WPA2. However, note that:
• In order to decrypt WPA and WPA2, you will need to capture the 4-way EAPOL handshake used to establish the pairwise transient key (PTK) used for a session.
• Wireshark can only decrypt “WPA personal” sessions, which use pre-shared keys.