I am new to Wireshark. To be honest, this is an assignment I have to do using Wireshark. Anyway, I have a pcap file which has the content of more than 4000 entries. I need to find the Beacons Interval. Is there a filter I need to use?

asked 15 Apr, 13:42

cyberchaos


Yes, a display filter will help quantify the beacon interval. Google shows this page with something very close:

https://wiki.wireshark.org/Wi-Fi

As this is an assignment, I leave it to you to determine the specific syntax to get the filter you need. If you have difficulty, show the filters you have come up with and someone can provide more guidance.

Do you know what to expect from an AP as it relates to beacons, i.e. the TBTT? Use this expectation to help determine if you might have the correct filter as you work on the filter syntax.

This all assumes that you have a packet trace that actually includes beacons. It would be very difficult to infer TBTT from a trace without beacons. This usually requires that an 802.11 capture be obtained, but there can be alternatives from some vendors that may send wireless capture from an AP over a tunneled wired connection and these may or may not include beacons. Cisco, Aruba, Ruckus, Mikrotik, and many others support this in one way or another through various mechanisms and software packages.

To capture wireless traffic, which, if done correctly, will show beacons, review this information:

https://wiki.wireshark.org/CaptureSetup/WLAN

If wireless traffic comes from the AP vendor through some mechanism, check with them to see what is included. It may take some configuration to understand the encapsulation so that the wireless information can be decoded properly.

answered 15 Apr, 16:19

Bob Jones

edited 16 Apr, 06:26
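
The expectation the answer refers to can be checked directly from the beacon frames themselves. The following is an added example, not part of the original answer or of Wireshark: it reads the Beacon Interval field (in TU, 1 TU = 1024 µs) and compares it with the spacing of the TSF timestamps. It assumes each frame starts at the 802.11 MAC header (radiotap and FCS stripped, no HT Control field); the helper names and sample frames are constructed.

```python
import struct
from statistics import median

TU_US = 1024  # one 802.11 time unit (TU) is 1024 microseconds

def parse_beacon(frame: bytes):
    """Return (bssid, tsf_us, interval_tu) for a beacon frame, else None."""
    if len(frame) < 36:  # 24-byte management header + 12 bytes of fixed fields
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 8:  # type 0 = management, subtype 8 = beacon
        return None
    bssid = frame[16:22].hex(":")  # Address 3 carries the BSSID in a beacon
    # Fixed fields: 8-byte TSF timestamp, 2-byte interval, 2-byte capabilities
    tsf_us, interval_tu, _caps = struct.unpack_from("<QHH", frame, 24)
    return bssid, tsf_us, interval_tu

def beacon_report(frames):
    """Map BSSID -> (advertised interval in ms, observed interval in ms)."""
    per_bssid = {}
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed:
            per_bssid.setdefault(parsed[0], []).append(parsed[1:])
    report = {}
    for bssid, obs in per_bssid.items():
        obs.sort()
        adv_us = obs[0][1] * TU_US
        if adv_us == 0:  # an interval of 0 is invalid; skip it
            continue
        gaps = [b[0] - a[0] for a, b in zip(obs, obs[1:])]
        # A sniffer can miss beacons, so divide each gap by the number of
        # advertised intervals it spans before taking the median.
        per_beacon = [g / max(1, round(g / adv_us)) for g in gaps]
        observed = median(per_beacon) / 1000 if per_beacon else None
        report[bssid] = (adv_us / 1000, observed)
    return report

def make_beacon(bssid: bytes, tsf_us: int, interval_tu: int) -> bytes:
    """Build a minimal beacon (constructed test data, no tagged parameters)."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    return hdr + struct.pack("<QHH", tsf_us, interval_tu, 0x0411)

# Constructed sample: 100 TU beacons with jitter, one beacon missed, one data frame
BSSID = bytes.fromhex("020000000001")
DATA_FRAME = bytes([0x08, 0x00]) + bytes(34)
SAMPLE = [make_beacon(BSSID, t, 100) for t in (0, 102700, 204920, 409650)]
SAMPLE.append(DATA_FRAME)

if __name__ == "__main__":
    print(beacon_report(SAMPLE))
```

A capture with no 802.11 management frames at all yields an empty report, which is the situation the answer describes for a trace taken on the wired side.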

Bob, thanks for your help. Now, I used the wlan display filter yesterday and it didn't show me anything. Part of the assignment is that the pcap was captured on the router. I don't know if that's going to make any difference. I tried every possible (Wi-Fi filters) and all of the filters were blank.

(15 Apr, 18:19) cyberchaos

I updated the answer to clarify the assumption that you have a wireless trace with beacons in it, and need only find them.

"pcap was captured on the router"

I don't know exactly what this means, so cannot advise on how to show what you need. This could mean:

  1. 802.11 capture sitting next to the device

  2. You took a wired capture of the traffic crossing the router that was created by wireless clients

  3. The router is really an AP and has a mechanism for collecting capture files and forwarding them to a device on the LAN, encapsulated

  4. And others...

You could upload a trace in a publicly accessible location (i.e. cloudshark, drive, etc) so we can see what you are dealing with. Or try to obtain another capture per a different technique.

(16 Apr, 06:32) Bob Jones

Bob, in the assignment, it says the traffic in the pcap was captured on the network router. Attackers used protocol buffers. I need to find the beaconing interval in this pcap. I don't know what filter to use. I used the wlan display filter and it didn't give me any results.

(17 Apr, 12:59) cyberchaos
question asked: 15 Apr, 13:42

question was seen: 379 times

last updated: 17 Apr, 12:59