Category: Uncategorized

Wireshark 802.11 Filters

During the reading of CWNA and looking at packet capture there are some useful filters that can be used. For reference there is the official page on Wireshark Link : https://www.wireshark.org/docs/dfref/w/wlan.html

Some of the filters I have used so far:

Looking at an example of a QoS data Frame:

  • To filter the frames just to show the QoS data frames use the following filter : wlan.fc.type_subtype == 0x0028

Then looking at the screenshot it shows when you expand the QoS Control under the QoS Data Field that it is best effort

On seeing the above I decided to filter just on the Priority Field under the QoS Control:

  • wlan.qos.priority == 0 — Best Effort (Best Effort)
  • wlan.qos.priority == 1 — Background (Background)
  • wlan.qos.priority == 2 — Spare (Background)
  • wlan.qos.priority == 3 — Excellent Effort (Best Effort)
  • wlan.qos.priority == 4 — Controlled Load (Video)
  • wlan.qos.priority == 5 — Video (Video)
  • wlan.qos.priority == 6 — Voice (Voice)
  • wlan.qos.priority == 7 — Network Control (Voice)

Check retransmissions : tcp.analysis.retransmission
Filter on Association Frames : wlan.fc == 0x0000
Filter on Probe Request : wlan.fc == 0x4000
Filter on Probe Response : wlan.fc == 0x5000
Filter on Wildcard Probe Requests and Response : wlan.tag.number == 0
To show the WLAN Frame has been transmitted without re-transmission : wlan.fc.retry == 0
Use 1 to show the retransmissions : wlan.fc.retry == 1
Use the following combination to show the wireless sent to a wireless client without retransmissions : (wlan.fc.retry == 0) && (wlan.ra == <enter client MAC address>)
And to show with retransmissions : (wlan.fc.retry == 1) && (wlan.ra == <enter client MAC address>)

Virtual 9800 WLC Setup – Virtual Box

I wanted to test and experience the new 9800 WLC and had seen a few guides using VMWare. With no access to VMware on my laptop I decided to try Virtual Box. This guide will walk you through the process.

Pre-requisites

  • Laptop / Desktop with at least 8GB of Ram, 16GB is better
  • 64 bit Version of Virtual Box
  • Wave 1 Cisco Access Point 3700 Series or Wave 2 3800 or 1542
  • POE injector, POE switch or Power supply for the AP
  • Access point running lightweight image and reset to factory defaults.
  • Static IP address Assigned to the Access Point on the same subnet as your home / lab network
  • Access Point assigned the Wireless LAN controller IP Address
  • Laptop connected with Ethernet cable

VirtualBox Setup

After installing VirtualBox carry out the following steps:

  • Assign a static IP Address to the Virtual Adaptor, click on network adaptor and then select Network & Internet Settings
  • Click on Change adaptor options
  • Find the VirtualBox Host Only Adaptor
  • Right click on the adaptor and open properties
  • Disable TCP/IPv6
  • Edit TCP/IPv4 address and enter static, you can choose your own IP Address and subnet or just use as shown in the example below
  • Create new machine type As Linux and Version Other Linux (64-bit):
  • Set Memory to 4096 MB as a minimum but 8096 is best if you have enough resources.
  • Create Virtual Hard Disk
  • Select VDI Image
  • Allow it to grow dynamically
  • Create the new disk image
  • Open the settings of the new machine and go to the network settings, click on adaptor 1 enable the adaptor and change the settings below. Note your attached adaptor might be different to the one shown, but make sure its attached to the on board wired ethernet adaptor.
  • Click on adaptor 2 and apply the settings shown below, note your attached adaptor name might be different to the one shown, but make sure its attached to the virtual adaptor.
  • With a CCO account download the latest Virtual ISO for the 9800 WLC from Cisco

https://software.cisco.com/download/home/286322605/type/282046477/release/Amsterdam-17.1.1s

  • Once downloaded mount the ISO to the New image, open up storage settings, click on Empty and then Choose Virtual Optical Disk File…
  • Find the downloaded ISO and select open and you should see it as a Disk as shown below
  • Click OK and then Start the new machine, it will then go through the install process.
  • When the installation has completed, the new machine will reboot and you will be prompted with the installation Wizard. Follow as per the screenshot below.

It doesn’t take long to just go through setting it up without the wizard and these will be  the Next steps

  • Set logging to synchronous on the console (This just stops the logging messages over writing config as you type on the screen:

conf t

line con 0

logging synchronous

end

  • Configure hostname

conf t

hostname LAB-WLC

  • Configure the enable secret password

enable secret level 15 0 <enter password here>

  • Create an admin account

username admin privilege 15 secret 0 <enter password here>

  • Configure the network interface GigabitEthernet2 that is connected to Host Only VM Adaptor, used for GUI access.

conf t

int g2

no switchport

ip address 192.168.56.253 255.255.255.0 (Put in address applicable to your setup)

no shut

end

  • Configure network interface GigabitEthernet1 that is bridged to real Network interface on home network. This will be used as the wireless management interface that APs will use to join the WLC.

conf t

int g1

no switchport

ip address 192.168.1.253 255.255.255.0 (Put in address applicable to your setup)

end

  • Configure a default route

conf t

ip default-gateway 192.168.1.254 (Put in address applicable to your setup)

  • Set NTP Server

conf t

ntp server 192.168.1.254  (Put in address applicable to your setup)

end

  • Configure the country code, the wireless interface must be shut in order to configure the country code. You can have multiple country codes set separated by commas.

Disable the 2.4 and 5GHz radios on the WLC and set country code

conf t

ap dot11 5ghz shutdown

y

ap dot11 24ghz shutdown

y

ap country GB (Use the 2 letter short code for your country )

y

Re-enable the 2.4 and 5GHz radios

no ap dot11 24ghz shutdown

no ap dot11 5ghz shutdown

show wireless country channels

  • Configure which interface will be used for wireless management, we already configured GigabitEthernet1 with an IP Address. Now assign its role as wireless management

wireless management interface GigabitEthernet 1

  • Configure a certificate trustpoint that will be used to establish DTLS connections with the APs when they try to join the WLC. This is done in global exec and not in configuration mode. ** Note the password used must be a minimum of 8 characters

LAB-WLC# wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <enter password of your choice here>

  • Verify the trustpoint has been created

show wireless management trustpoint

  • Save WLC config

copy running-config startup-config

or

wr

  • Now you can log into the GUI of the WLC

https://192.168.56.253

Ignore the certificate warnings and login with the admin account you created earlier.

Commands on the LWAPP’s

  • Factory reset the AP running LWAPP image
  • Configure ip address details on the AP, default login for AP is username cisco and password Cisco

capwap ap ip address 192.168.1.200 255.255.255.0

capwap ap ip default-gateway 192.168.1.254

Verify the config:

  • Set the controller IP Address from the console CLI:
  • WAVE 1 Type AP : capwap ap controller ip address <enter IP Address>
  • WAVE 2 Type AP : capwap ap primary-base <name of wlc> <enter IP Address>
  • Verify the WLC has been set : sh capwap ip config

Verify controller address has been set:

Wireshark Filter for Association Frames

I was trying to find out how to see the capabilities of a client. Looking at the association frames for the client in Wireshark I could see what channels the client supported.

Sniff the wireless traffic the open capture file, apply the following filter to look for association requests from the client:

wlan.fc.type_subtype == 0x0000

We can then look at the association frame for the client and check what their supported channels are:

The following output shows the output when joining a 2.4GHz BSSID: