Friday, November 25, 2016

Cisco AP Sniffer Mode and 802.11 Frame Types

Beacon Management Frame

One of the most important frame types is the beacon management frame, commonly referred to as the beacon. Beacons are essentially the heartbeat of the wireless network. The AP of a basic service set sends the beacons while the clients listen for the beacon frames. Client stations only transmit beacons when participating in an independent basic service set (IBSS), also known as Ad Hoc mode. Each beacon contains a time stamp, which client stations use to keep their clocks synchronized with the AP. Because so much of successful wireless communication is based on timing, it is imperative that all stations be in sync with each other.

Information Type                  Description
Time Stamp                        Synchronization information
Spread Spectrum Parameter Sets    FHSS-, DSSS-, HR-DSSS-, ERP-, OFDM-, HT-, or VHT-specific
Channel Information               Channel used by the AP or IBSS
Data Rates                        Basic and supported rates
Service Set Capabilities          Extra BSS or IBSS parameters
SSID                              Logical WLAN name
Traffic Indication Map (TIM)      A field used during the Power Save process
QoS Capabilities                  Quality of service and Enhanced Distributed Channel Access (EDCA) information
Robust Security Network (RSN)     TKIP or CCMP cipher information and authentication method
Vendor Proprietary Information    Vendor-unique or vendor-specific information

The beacon frame contains all the necessary information for a client station to learn about the parameters of the basic service set before joining the BSS. Beacons are transmitted about 10 times per second. This interval can be configured on some APs, but it cannot be disabled.
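As an added example that is not part of the original post, the following Python parses a constructed beacon frame into the fields listed in the table above: the time stamp and beacon interval from the fixed fields, and the SSID, channel, basic rates and RSN cipher/AKM selection from the tagged parameters. The frame bytes, BSSID and SSID "LabNet" are made up for the example; the field layout is the standard 802.11 one.

```python
import struct

CIPHER = {2: "TKIP", 4: "CCMP"}     # suite selector type after OUI 00-0f-ac
AKM = {1: "802.1X", 2: "PSK"}

# Constructed beacon (not a real capture): MAC header, fixed fields, tagged params
BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "001122334455" "001122334455" "0000"
    "40e2010000000000" "6400" "1104"      # timestamp, interval 100 TU, capability
    "0006" "4c61624e6574"                 # SSID "LabNet"
    "0108" "82848b960c121824"             # supported rates, high bit = basic rate
    "030101"                              # DS parameter set: channel 1
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000"  # RSN
)

def parse_ies(body):
    ies, i = [], 0
    while i + 2 <= len(body):                 # each element: ID, length, value
        eid, elen = body[i], body[i + 1]
        ies.append((eid, body[i + 2:i + 2 + elen]))
        i += 2 + elen
    return ies

def parse_rsn(v):
    version, n_pair = struct.unpack_from("<H", v, 0)[0], struct.unpack_from("<H", v, 6)[0]
    off = 8 + 4 * n_pair                      # AKM count follows the pairwise list
    n_akm, = struct.unpack_from("<H", v, off)
    return {"version": version, "group": CIPHER.get(v[5], "unknown"),
            "pairwise": [CIPHER.get(v[11 + 4 * k], "unknown") for k in range(n_pair)],
            "akm": [AKM.get(v[off + 5 + 4 * k], "unknown") for k in range(n_akm)]}

def parse_beacon(frame):
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
            "timestamp_us": timestamp, "beacon_interval_tu": interval,
            "privacy": bool(cap & 0x0010)}    # Privacy capability bit
    for eid, v in parse_ies(frame[36:]):
        if eid == 0:
            info["ssid"] = v.decode("utf-8", "replace")
        elif eid == 1:                        # rates are in 500 kbps units
            info["basic_rates_mbps"] = [(r & 0x7F) / 2 for r in v if r & 0x80]
        elif eid == 3:
            info["channel"] = v[0]
        elif eid == 48:
            info["rsn"] = parse_rsn(v)
    return info
```

The same function works on the frame body of a beacon extracted from a PEEKREMOTE-decoded capture once the encapsulation header is stripped.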


In order for a client station to participate in a BSS, it must be able to communicate with the AP. This is straightforward and logical; however, it is possible for the client station to be able to communicate with the AP but not be able to hear or be heard by any of the other client stations. This can be a problem because, as you may recall, a station performs collision avoidance by setting its NAV when it hears another station transmitting (virtual carrier sense) and by listening for RF (physical carrier sense). If a station cannot hear the other stations, or cannot be heard by the other stations, there is a greater likelihood that a collision can occur. Request to send/clear to send (RTS/CTS) is a mechanism that performs a NAV distribution and helps prevent collisions from occurring. This NAV distribution reserves the medium prior to the transmission of the data frame.

Data Frames

The most common data frame is the simple data frame, which has MSDU upper-layer information encapsulated in the frame body. The integration service that resides in APs and WLAN controllers takes the MSDU payload of a simple data frame and transfers the MSDU into 802.3 Ethernet frames. For data privacy reasons, the MSDU data payload should usually be encrypted.

The null function frame is used by client stations to inform the AP of changes in Power Save status by changing the Power Management bit. When a client station decides to go off-channel for active scanning purposes, the client station will send a null function frame to the AP with the Power Management bit set to 1. As demonstrated in Exercise 9.7, when the Power Management bit is set to 1, the AP buffers all of that client's 802.11 frames. When the client station returns to the AP's channel, the station sends another null function frame with the Power Management bit set to 0. The AP then transmits the client's buffered frames. Some vendors also use the null function frame to implement proprietary power management methods.
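The null function frame and the Power Management bit, as an added example that is not from the original post: a Frame Control decoder for the frame types shown in the captures further down (beacon, RTS, CTS, ACK, data, null) and a small model of the AP-side buffering this paragraph describes. The addresses and frames are constructed, and PowerSaveTracker is a hypothetical helper written for this example, not Cisco AP code.

```python
import struct

KINDS = {(0, 8): "beacon", (1, 11): "rts", (1, 12): "cts", (1, 13): "ack",
         (2, 0): "data", (2, 4): "null"}   # (type, subtype) from Frame Control
FLAG_TO_DS, FLAG_PWR_MGT = 0x0100, 0x1000 # flags live in the high byte

def decode_fc(frame):
    fc, = struct.unpack_from("<H", frame, 0)
    kind = KINDS.get(((fc >> 2) & 0x3, (fc >> 4) & 0xF), "other")
    return {"kind": kind, "to_ds": bool(fc & FLAG_TO_DS), "pm": bool(fc & FLAG_PWR_MGT)}

def addr2(frame):                 # transmitter address (not present in CTS/ACK)
    return ":".join(f"{b:02x}" for b in frame[10:16])

class PowerSaveTracker:
    """Models the AP behaviour described above: a data-type frame with PM=1 marks the
    client as dozing and downlink frames are buffered until a frame with PM=0 arrives."""
    def __init__(self):
        self.dozing, self.buffered = set(), {}

    def uplink(self, frame):      # returns frames released to the client on wake-up
        info = decode_fc(frame)
        if info["kind"] not in ("data", "null"):
            return []
        sta = addr2(frame)
        if info["pm"]:
            self.dozing.add(sta)
            return []
        self.dozing.discard(sta)
        return self.buffered.pop(sta, [])

    def downlink(self, sta, payload):   # True if sent now, False if queued
        if sta in self.dozing:
            self.buffered.setdefault(sta, []).append(payload)
            return False
        return True

AP, STA = "001122334455", "aabbccddeeff"      # constructed addresses
def frame(fc_hex, *addrs):                    # FC, duration, addresses, seq ctrl
    return bytes.fromhex(fc_hex + "0000" + "".join(addrs) + "0000")

NULL_SLEEP = frame("4811", AP, STA, AP)       # null function, To DS, PM=1
NULL_AWAKE = frame("4801", AP, STA, AP)       # null function, To DS, PM=0
def run_scenario():
    ap, sta = PowerSaveTracker(), addr2(NULL_SLEEP)
    ap.uplink(NULL_SLEEP)                     # client leaves the channel to scan
    queued = ap.downlink(sta, "frame A")      # False: held by the AP
    released = ap.uplink(NULL_AWAKE)          # ["frame A"] delivered on return
    return queued, released, ap.downlink(sta, "frame B")
```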

In my wireless lab, I've configured my AIR-CAP2602I to Sniffer mode by going to Wireless > Access Points > click AP name > General > AP Mode > choose Sniffer > Apply. It will cause the AP to reboot for a few minutes (mine took 3 minutes), and it will also disassociate wireless clients.

To redirect wireless frames to a Wireshark PC, go to Wireless > Access Points > Radios > 802.11b/g/n. Under the AP name > Antenna > click the blue arrow > choose Configure.

Tick Sniff, leave Channel in default (Current Channel is 1) and type the IP address of the PC running Wireshark > click Apply.

Open Wireshark > click Capture > Start > and choose the LAN (wired) adapter. Run for a few minutes and then go to Capture > Stop (or click the Stop icon, the red square icon beside the blue shark-fin icon). The WLC management IP is and the Wireshark PC is

To further analyze and narrow down the captured frames, click on any sequence number > right-click > choose Decode As > under Current > choose PEEKREMOTE (displays AiroPeek/OmniPeek encapsulated 802.11 frames).

This is what a beacon frame (frame 7) looks like.

This is what a request to send (RTS) frame looks like (frame 10).

This is what a clear to send (CTS) frame looks like (frame 11).

This is what an ACK frame (frame 16) looks like.

This is what a data frame (frame 25) looks like.