Ask Your Question
0

Decoding IP payload in Unencrypted WiFi Packet

asked 2020-04-26 12:33:50 +0000

Stuart Kendrick gravatar image

I'm capturing on an Open SSID, predicting that I would be see the IP payload. But I don't.

I see frames RTS & CTS frames ... and I see frames which are 1702 bytes in length, which suggest to me that they are carrying a payload ... the Decode window shows me these layers PPI 802.11 Radio Informaion IEEE 802.11 QoS Data Data

No IP layer

What might be happening?

Hypothesis #1 Perhaps this SSID isn't as open as I believe it is (although, I've configured it to be Open, my AirCheck G2 tells me that it is Open, and I'm not challenged for credentials when I connect from a WiFi client). I'm comparing this pcap with one taken against an SSID employing WPA2 -- I don't see anything in the PPI / 802.11 / IEEE 80211 Radio Information layers which would tip me off to whether or not encryption is employed. Am I missing something? Or are there in fact no flags in the lower layers to signal encryption?

Hypothesis #2 Perhaps I'm just seeing Mgmt & Control Plane traffic ... no payloads. So I apply this Display Filter: wlan.fc.type_subtype in {0x20 0x28} And now all I see are 1702 Byte frames, emitted from the WAP to the Client. I have a suspicion, BTW, that the only IP-layer frames I will see in this pcap are DHCP Offers, emitted from the WAP to the Client ... but the 1702 byte length puzzles me, as I don't see how a weenie little DHCP Offer would consume so many bytes in the air. But in any case, this suggests that I do have Data packets in this pcap

Suggestions?

A sample pcap taken on the open SSID is visible at: https://drive.google.com/drive/folder...

--sk

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-04-26 17:26:39 +0000

Bob Jones gravatar image

I see encrypted payload traffic, some of it smaller that 1702 bytes as well. The protected bit is set and the CCMP field shows the IV and the key index to use to decrypt (fields surrounded by **):

IEEE 802.11 QoS Data, Flags: .p....F.
    Type/Subtype: QoS Data (0x0028)
    Frame Control Field: 0x8842
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        1000 .... = Subtype: 8
        Flags: 0x42
            .... ..10 = DS status: Frame from DS to a STA via AP(To DS: 0 From DS: 1) (0x2)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            **.1.. .... = Protected flag: Data is protected**
            0... .... = Order flag: Not strictly ordered
    .000 0000 0011 0000 = Duration: 48 microseconds
    Receiver address: EdimaxTe_f0:8f:39 (74:da:38:f0:8f:39)
    Transmitter address: 72:3a:0e:84:5f:d4 (72:3a:0e:84:5f:d4)
    Destination address: EdimaxTe_f0:8f:39 (74:da:38:f0:8f:39)
    Source address: Cisco_ab:fd:57 (00:a2:ee:ab:fd:57)
    BSS Id: 72:3a:0e:84:5f:d4 (72:3a:0e:84:5f:d4)
    STA address: EdimaxTe_f0:8f:39 (74:da:38:f0:8f:39)
    .... .... .... 0000 = Fragment number: 0
    0111 1001 0010 .... = Sequence number: 1938
    Qos Control: 0x0000
    **CCMP parameters
        CCMP Ext. Initialization Vector: 0x0000007BA290
        Key Index: 0**

You stripped out the beacons and any probe responses so I can't verify the RSN element that shows this SSID is protected. Perhaps you are looking at the wrong BSSID/device/channel?

edit flag offensive delete link more

Comments

I am filtering on 74:da:38:f0:8f:39, which I suppose excludes Beacons & Probe Responses

OK, so what I'm learning here: the setting of the Protected bit tells me that the data is encrypted, the specifics of the CCMP field support that state

And yes, on inspection, it turns out that I've been connecting to the Open SSID using my tools ... but 74:da:38:f0:8f:39 has not been: it has been connecting to a WPA2 Enterprise SSID

Thank you,

--sk

Stuart Kendrick gravatar imageStuart Kendrick ( 2020-04-27 10:20:24 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-04-26 12:33:50 +0000

Seen: 525 times

Last updated: Apr 26 '20

Related questions

No Data Packets in Monitor Mode Capture

No wireless after reconfig

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2