
THE UNIVERSITY OF THE WEST INDIES

ST. AUGUSTINE, TRINIDAD & TOBAGO, WEST INDIES


FACULTY OF ENGINEERING
Department of Electrical & Computer Engineering
BSc. in Electrical & Computer Engineering

ECNG 3002
Data Communication Systems

Wireshark Lab #1- 802.11

813001122
Ronald Ramsaroop

Course Lecturer: Dr. Tricia Ragoobar-Prescod

Date Performed: September 19, 2015


Date Submitted: October 2nd, 2015

Wireshark Lab #1
802.11

Wireshark Lab Exercise #1


1.4.2.1 Beacon Frames
The two access points issuing the majority of the beacon frames are:
1. 30 Munroe St
2. linksys_ses_24086
1.4.2.2a
The beacon intervals for the access points linksys_ses_24086 and 30 Munroe St. are given in
the respective beacon frames themselves. Both intervals are 102.4 milliseconds.
1.4.2.3
The source address on the beacon frame from 30 Munroe St. is: 00:16:b6:f7:1d:51

Figure 1: Source MAC address for beacon frame from 30 Munroe St.

1.4.2.4
The destination MAC address on the beacon frame from 30 Munroe St. is: ff:ff:ff:ff:ff:ff

Figure 2: Destination MAC address on beacon frame

1.4.2.5
The MAC BSS Id on the beacon frame from 30 Munroe St. is: 00:16:b6:f7:1d:51

Figure 3: MAC BSS id on beacon frame

1.4.2.6
The four data rates supported by the 30 Munroe St. Access point are as follows: 1(B), 2(B),
5.5(B), 11(B). These rates are given in Mbit/sec.
The eight additional "extended supported rates" are as follows: 6(B), 9, 12(B), 18, 24(B), 36, 48,
54. These rates are given in Mbit/sec.
Both sets of rates are shown in the screenshot below.

Figure 4: Data rates supported by the beacon frame from access point 30 Munroe St.
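Added example (not part of the original lab report): a small parser for the beacon frame body that recovers the beacon interval and the two rate lists reported above. The function names and the sample bytes are assumptions built from the values in this report, not taken from the capture; each rate byte stores the rate in 500 kbit/s units with the top bit marking a basic (B) rate, and the interval is stored in time units of 1024 microseconds.

```python
import struct

TU_US = 1024  # one 802.11 time unit (TU) is 1024 microseconds

def parse_rates(data):
    """Rate byte: bit 7 flags a basic (B) rate, low 7 bits count 500 kbit/s units."""
    return [((b & 0x7F) * 0.5, bool(b & 0x80)) for b in data]

def parse_beacon_body(body):
    """Parse the 12 fixed bytes and the tagged parameters of a beacon frame body."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its 12 fixed bytes")
    _timestamp, interval_tu, _capability = struct.unpack_from("<QHH", body, 0)
    info = {"interval_ms": interval_tu * TU_US / 1000,
            "ssid": None, "rates": [], "ext_rates": []}
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:  # length byte points past the end of the capture
            raise ValueError(f"tag {tag} truncated")
        if tag == 0:       # SSID
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 1:     # Supported Rates
            info["rates"] = parse_rates(value)
        elif tag == 50:    # Extended Supported Rates
            info["ext_rates"] = parse_rates(value)
        pos += 2 + length
    return info

def build_sample_body():
    """Constructed beacon body carrying the values reported above (not a real capture)."""
    ssid = b"30 Munroe St"
    rates = bytes([0x82, 0x84, 0x8B, 0x96])
    ext = bytes([0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, 100 TU, ESS bit
    body = fixed
    for tag, value in ((0, ssid), (1, rates), (50, ext)):
        body += bytes([tag, len(value)]) + value
    return body

if __name__ == "__main__":
    info = parse_beacon_body(build_sample_body())
    print(info["ssid"], info["interval_ms"], "ms")
    for rate, basic in info["rates"] + info["ext_rates"]:
        print(f"{rate:g}{'(B)' if basic else ''} Mbit/s")
```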

1.4.3 Data Transfer


1.4.3.7

The 802.11 frame containing a SYN TCP segment for the first TCP session is shown highlighted in
blue in the screenshot below. This TCP SYN segment was sent at 24.811093 seconds.


Figure 5: TCP SYN segment

This segment is known to be the SYN TCP segment because the SYN flag has been set to 1, as
shown in the screenshot below.

Figure 6: SYN flag set to 1 for a SYN TCP segment

1.4.3.7a
The three MAC address fields are the BSSid, the source address and the destination address.
These are the standard three addresses in an 802.11 frame.
1.4.3.7b
The MAC address corresponding to the host is given by the source address (00:13:02:d1:b6:4f)

Figure 7: MAC address for wireless host

1.4.3.7c
The MAC address corresponding to the access point is given by the BSSID: (00:16:b6:f7:1d:51)

Figure 8: MAC address for access point

1.4.3.7d
The MAC address corresponding to the first-hop router is given by the destination address
(00:16:b6:f4:eb:a8)

Figure 9: MAC address corresponding to first-hop router

1.4.3.7e
IP address of wireless host is as follows: 192.168.1.109.
1.4.3.7f
Destination IP address is as follows: 128.199.245.12
1.4.3.7g
The destination address corresponds to that of the server gaia.cs.umass.edu. This corresponds
to the first-hop router (00:16:b6:f4:eb:a8).
1.4.3.8
The 802.11 frame with the SYNACK segment for this session was received at 24.827751 seconds
into the trace. It is highlighted in blue in the screenshot below.

Figure 10: 802.11 frame containing SYNACK segment

1.4.3.8a
The three MAC address fields are as follows:
BSSid: 00:16:b6:f7:1d:51
Destination address: 91:2a:b0:49:b6:4f
Source address: 00:16:b6:f4:eb:a8


Figure 11: MAC address fields for the SYN ACK 802.11 frame

1.4.3.8b
The MAC address corresponding to the host is given by the destination address:
91:2a:b0:49:b6:4f
1.4.3.8c
The MAC address corresponding to the access point is given by the BSS id: 00:16:b6:f7:1d:51
1.4.3.8d
The MAC address corresponding to the first-hop router is given by the source address:
00:16:b6:f4:eb:a8
1.4.3.8e
No, the sender MAC address for this SYNACK frame is different to that of the SYN frame
previously explored. The sender address of the frame is 128.119.245.12 (which was the
destination address previously). The destination address is given by 192.168.1.109 (which was
the source address previously).
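Added example (not part of the original lab report): how the order of the three MAC address fields in sections 1.4.3.7 and 1.4.3.8, and in management frames such as the probe request in 1.4.5.17a, follows from the To DS and From DS bits of the Frame Control field. The function names are assumptions; the headers are constructed from the addresses reported in this report rather than copied from the capture.

```python
import struct

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def address_roles(header):
    """Resolve Address 1-3 of an 802.11 header into roles from the To DS / From DS bits."""
    if len(header) < 24:
        raise ValueError("802.11 header needs at least 24 bytes")
    flags = header[1]                      # second Frame Control byte
    to_ds, from_ds = flags & 0x01, flags & 0x02
    a1, a2, a3 = (mac(header[o:o + 6]) for o in (4, 10, 16))
    if to_ds and from_ds:
        raise ValueError("four-address frame (To DS and From DS both set) not handled")
    if to_ds:      # host -> AP: Address 1 is the BSSID
        return {"bssid": a1, "source": a2, "destination": a3}
    if from_ds:    # AP -> host: Address 2 is the BSSID
        return {"destination": a1, "bssid": a2, "source": a3}
    return {"destination": a1, "source": a2, "bssid": a3}   # management frames

def build_header(fc0, flags, a1, a2, a3):
    """Constructed 24-byte header: frame control, duration, three addresses, sequence control."""
    raw = [bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3)]
    return struct.pack("<BBH", fc0, flags, 0) + b"".join(raw) + struct.pack("<H", 0)

# Addresses as reported in this lab report; the frames themselves are constructed.
AP, HOST, ROUTER = "00:16:b6:f7:1d:51", "00:13:02:d1:b6:4f", "00:16:b6:f4:eb:a8"
BCAST = "ff:ff:ff:ff:ff:ff"
SYN = build_header(0x08, 0x01, AP, HOST, ROUTER)                    # data, To DS
SYNACK = build_header(0x08, 0x02, "91:2a:b0:49:b6:4f", AP, ROUTER)  # data, From DS
PROBE_REQ = build_header(0x40, 0x00, BCAST, HOST, BCAST)            # management

if __name__ == "__main__":
    for name, hdr in (("SYN", SYN), ("SYNACK", SYNACK), ("probe request", PROBE_REQ)):
        print(name, address_roles(hdr))
```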

1.4.4 Association/Disassociation
1.4.4.9
The two frames sent by the host to end the association with 30 Munroe St. are
1. The DHCP release frame sent to the DHCP server with address 192.168.1.1 (sent at
49.583615 s)

Figure 12: DHCP release frame

2. The Deauthentication frame sent at 49.609617.

Figure 13: Deauthentication frame

1.4.4.10
A disassociation request was expected to be seen.
1.4.4.11
The host sends three authentication frames to the AP linksys_ses_24806, starting from
49.638857. The remaining requests are shown in the screenshot below.

Figure 14: Authentication frame requests

1.4.4.12
The host wants open access to be given by the AP linksys_ses_24806.

1.4.4.13
The host receives acknowledgement frames from linksys_ses_24806, but is not given
authentication at any point in time. No authentication frame is sent from linksys_ses_24806 to
the host.
1.4.4.14
The host sends an authentication frame to the AP 30 Munroe St. at 63.168087 seconds. An
authentication reply is sent from the AP back to the host at 63.169071 seconds.

1.4.4.15
The associate request from the host to the AP 30 Munroe St. is sent at 63.169910. The
corresponding associate reply is sent from the AP back to the host at 63.192101. Both of the
aforementioned frames are shown in the screenshot below.

Figure 15: Association request and corresponding association response frame

1.4.4.16
The transmission rates are as follows:
1, 2, 5.5, 11, 6, 9, 12, 18, 24, 32, 48 Mb/second.
This set of rates is supported by both the host and the AP.

Figure 16: Transmission rates for both the host and AP


1.4.5 Other frame types


1.4.5.17a
An example of Probe Request/Response frames is shown in the screenshot below.

Figure 17: Probe request and response frames

The sender, receiver and BSS id MAC addresses are as follows:


For the Probe Request Frame:
Source or Sender Address: 00:13:02:d1:b6:4f
Destination or Receiver Address: ff:ff:ff:ff:ff:ff
BSS id: ff:ff:ff:ff:ff:ff

Figure 18: Probe request frame MAC addresses

For the Probe Response Frame:


Source or Sender Address: 00:16:b6:f7:1d:51
Destination or Receiver Address: 00:13:02:d1:b6:4f
BSS id: 00:16:b6:f7:1d:51

Figure 19: Probe response frame MAC addresses

1.4.5.17b

Probe request frames are used in scanning an area to discover available networks. In the probe
request frame, there are two particularly important pieces of information (SSID and supported
rates). The AP receiving these probe requests then decides whether the host sending the probe
request can join its network. The rates supported by the host should be compatible with the
rates supported by the AP it wishes to connect to. The AP then sends a probe response frame
back to the host if both host and AP are compatible. If a probe response is received, the host
can then continue the process by sending an authentication request.

1.5 Summary and Conclusion


Summary
This lab covered the topic of 802.11 wireless connection. It provided an opportunity for further
research into the protocols involved within 802.11. It also aimed to enlighten the student on
the different MAC specifications. A Packet Sniffer application (Wireshark) was used to detect
the various frames sent and received by the host during activities that were very familiar to any
WiFi user. These activities were downloading information from a webpage, disconnecting from
a network, attempting to connect to another network (unsuccessfully), and reconnecting to the
previous network.
Conclusion
This lab exercise assisted me in understanding all the processes involved in using 802.11. The
use of Wireshark for viewing the individual frames assisted in breaking up the process, and
greatly improved my understanding of how a WiFi connection is accessed. Some initial difficulty
was faced in absorbing all of the information provided on 802.11, but this was overcome by
personally browsing WebPages, connecting to networks, downloading files, and then
inspecting the relevant packets on Wireshark.
