
How does wireshark read TCP headers

asked 2019-06-09 20:28:13 +0000

foobar

I'm running tcpdump on an Openwrt Wi-Fi Access Point (AP). I read the file using Wireshark. After Wireshark opens the file, I can see that it can read all the TCP headers as well. I tried one more experiment where I configured my workstation as a Linux Access Point and ran wireshark on the wireless interface. Even in this case, Wireshark can read all the TCP headers of associated devices.

I've the following questions:

  1. My textbook knowledge tells me that the AP is a layer 2 device. So how does the trace collected from the AP provide access to layer 4 (TCP) headers?

  2. I assumed that there would be some kind of layer 4 encryption that would only allow decryption at the end-points (i.e. either the server or the client). The AP is an intermediate point (neither the server nor the client). I can also see a TLS label on the packets. So how was the TCP header decrypted?

If anyone can point me to any reliable references that explain why and how this happens, that would be great. I know the principles and math behind encryption but not the protocol details.


2 Answers

0

answered 2019-06-09 22:30:19 +0000

Guy Harris

My textbook knowledge tells me that the AP is a layer 2 device. So how does the trace collected from the AP provide access to layer 4 (TCP) headers?

The trace contains the entire contents of the packet; the AP might not look at headers above layer 2, but it does have to forward them to the end station, so they have to be present in the packets, and, as such, they get written to the pcap file by tcpdump.

I assumed that there would be some kind of layer 4 encryption that would only allow decryption at the end-points (i.e. either the server or the client). The AP is an intermediate point (neither the server nor the client). I can also see a TLS label on the packets. So how was the TCP header decrypted?

No, TLS doesn't encrypt TCP headers, it encrypts headers above the TCP layer, if it's running atop TCP.

The wireless network may also be doing layer 2 encryption (WEP/WPA), which encrypts at layer 3 (IP) and above, but either that's not the case or the AP is decrypting the packets itself and saving them to the capture file.


Comments

Hi Guy

Thanks for your reply. Very helpful, and I appreciate you taking the time! I do have layer 2 encryption. But I assume that since the AP is encrypting, layer 2 encryption should not stop it from viewing the layer 3 and 4 headers. Then it makes perfect sense - TLS is not encrypting layer 4 headers, and the AP should be able to view the headers prior to layer 2 encryption. So layer 3 and layer 4 headers should be visible at the AP, as they are in my case. But I wonder if I am missing any other encryption here besides TLS and WEP/WPA? And is there any reference textbook that I can cite for TLS not encrypting TCP headers?

foobar (2019-06-09 22:56:01 +0000)
0

answered 2019-06-09 22:03:51 +0000

Bob Jones

I think you are trying to capture 802.11 traffic and expect it to be encrypted. To access this type of traffic, you need to collect the traffic using some type of monitor mode interface that can do an OTA (over the air) capture. A good starting reference: https://wiki.wireshark.org/CaptureSetup/WLAN

The AP bridges wireless to wired traffic at layer 2 as you say; so it is true that layer 3 and above would be encrypted, if encryption is in use. So, be sure you have encryption turned on as this could be one of your causes.

Another possible issue is the interface you are capturing on. For best results, capture in monitor mode / promiscuous mode on an adapter not in use by the communications. Avoid using the actual AP interface until you know how it behaves, and avoid the bridge interface it may be on, or the wired interface that is bridged to it. If you just capture on the wireless interface not in monitor mode, the driver will decrypt the traffic and convert it to EthernetII, hiding what you are looking for.


Comments

Hi Bob, thanks for your reply. I appreciate you taking the time. I want to capture and process each packet that passes through the AP. I assumed that layer 4 encryption (e.g. TLS) would prevent viewing TCP headers. However, in my case packets are labeled as TLS and still all TCP header info (seq, ack number, etc.) can be viewed in Wireshark. So my question was: how/why is this possible?

foobar (2019-06-09 22:33:17 +0000)
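To make the two answers concrete, here is an added example (not code from the thread or from Wireshark) that parses two constructed frames byte by byte: an Ethernet II frame carrying IPv4 + TCP + one TLS application-data record, which is what the AP's bridge side or a non-monitor Wi-Fi interface delivers, and an 802.11 data frame with the Protected bit and a CCMP header, which is what a monitor-mode capture of a WPA2 network shows. All frames, addresses, sequence numbers and the "ciphertext" bytes are constructed here; the TLS record body and the CCMP body are stand-in bytes, not real encryption, and checksums and MIC are left zero. The function names are hypothetical. The point it demonstrates is the one Guy makes: IP and TCP headers, and even the TLS record header, are cleartext, while only the TLS fragment is opaque; with WPA/WPA2 in place, nothing above the 802.11 header is parseable until the AP or the station decrypts the frame.

```python
import struct

# TLS record content types (RFC 5246 / 8446); the record header itself is never encrypted.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def parse_ip_tcp(ip):
    """Parse IPv4 and, for protocol 6, the TCP header and any TLS record header.
    Everything returned here is visible to any intermediary, TLS or not."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return {"visible": False, "reason": "not an IPv4 packet"}
    ihl = (ip[0] & 0x0F) * 4
    out = {"visible": True,
           "src": ".".join(map(str, ip[12:16])),
           "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9]}
    if ip[9] != 6:
        return out
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    payload = tcp[(off_res >> 4) * 4:]
    out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": flags, "payload_len": len(payload)})
    # Record header = type(1) version(2) length(2); only the bytes after it are ciphertext.
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        ctype, _, _, rlen = struct.unpack("!BBBH", payload[:5])
        out["tls_record"] = TLS_CONTENT_TYPES[ctype]
        out["tls_encrypted_bytes"] = rlen
    return out


def parse_ethernet(frame):
    """Ethernet II, as seen on the AP's wired/bridge side or a non-monitor Wi-Fi interface."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"visible": False, "reason": "ethertype 0x%04x is not IPv4" % ethertype}
    return parse_ip_tcp(frame[14:])


def parse_80211(frame):
    """802.11 data frame as a monitor-mode (OTA) capture shows it. With the Protected
    bit set, the body after the CCMP header (LLC/SNAP, IP, TCP, TLS) is ciphertext."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        return {"visible": False, "reason": "not a data frame"}
    hdr_len = 24 + (6 if fc1 & 0x03 == 0x03 else 0) + (2 if (fc0 >> 4) & 0x8 else 0)
    body = frame[hdr_len:]
    if fc1 & 0x40:  # Protected Frame bit: nothing above layer 2 is readable here
        return {"visible": False, "reason": "WPA/WPA2 protected frame",
                "key_id": body[3] >> 6, "pn": (body[0:2] + body[4:8]).hex()}
    ethertype = struct.unpack("!H", body[6:8])[0]  # open network: LLC/SNAP then EtherType
    if ethertype != 0x0800:
        return {"visible": False, "reason": "not IPv4"}
    return parse_ip_tcp(body[8:])


def build_ip_tcp_tls():
    """Constructed IPv4 + TCP + TLS application-data record (checksums left 0)."""
    tls_body = bytes.fromhex("deadbeefcafef00d1337")          # stand-in ciphertext
    tls_record = struct.pack("!BBBH", 0x17, 3, 3, len(tls_body)) + tls_body
    tcp_hdr = struct.pack("!HHIIBBHHH", 51234, 443, 0x11223344, 0x55667788,
                          5 << 4, 0x18, 64240, 0, 0)              # PSH|ACK, no options
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(tls_record),
                         0x1234, 0x4000, 64, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return ip_hdr + tcp_hdr + tls_record


def build_ethernet_frame():
    """Constructed Ethernet II frame around the IP/TCP/TLS packet."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + build_ip_tcp_tls()


def build_80211_frame(protected=True):
    """Constructed 802.11 data frame, ToDS, optionally CCMP-protected (stand-in ciphertext)."""
    hdr = (bytes([0x08, 0x41 if protected else 0x01]) + b"\x00\x00"
           + bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455")
           + bytes.fromhex("66778899aabb") + b"\x10\x00")
    llc_snap = bytes.fromhex("aaaa030000000800")
    if not protected:
        return hdr + llc_snap + build_ip_tcp_tls()
    ccmp_hdr = bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])  # PN=1, ExtIV, key id 0
    ciphertext = bytes(b ^ 0x5A for b in llc_snap + build_ip_tcp_tls())  # NOT real CCMP
    return hdr + ccmp_hdr + ciphertext + b"\x00" * 8               # zero MIC


if __name__ == "__main__":
    print("Ethernet II / bridge side:", parse_ethernet(build_ethernet_frame()))
    print("802.11 monitor, WPA2:     ", parse_80211(build_80211_frame(True)))
    print("802.11 monitor, open:     ", parse_80211(build_80211_frame(False)))
```

Running it prints the TCP ports, sequence and acknowledgement numbers and the TLS record type and ciphertext length for the Ethernet frame and the open 802.11 frame, while the protected 802.11 frame yields only the CCMP key id and packet number. That matches what the questioner observed on the AP (tcpdump sees frames after the AP has removed WPA protection) and what Bob describes for a monitor-mode capture of an encrypted network.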


Stats

Asked: 2019-06-09 20:28:13 +0000

Seen: 2,610 times

Last updated: Jun 09 '19