
WIR-101 Lab 2 — 802.11 Monitor Mode and Frame Dissection


Prerequisites: Week 2 lecture; Alfa AWUS036ACM in monitor mode verified; Wireshark installed
Duration: ~90 min
Points: 100


Authorization

  • Lab Authorization Form signed
  • Capture from authorized lab AP only (SSID: VCA-WIR101-LAB)
  • No deauthentication or injection in this lab (receive only)
  • Capture is for analysis only; do not share outside the lab

Objective

Enter 802.11 monitor mode, capture live traffic from the authorized lab AP, and dissect the key frame types in Wireshark. Understand the radiotap header, the 802.11 MAC header structure, and the Association sequence.


Part A — Enable Monitor Mode and Capture Beacons (20 min)

Steps

  1. Enable monitor mode:

    sudo airmon-ng check kill
    sudo airmon-ng start wlan0
    iwconfig wlan0mon  # verify Mode: Monitor

  2. Run airodump-ng to confirm the lab AP is visible:

    sudo airodump-ng wlan0mon

Find VCA-WIR101-LAB in the output. Record its BSSID and channel.

  3. Lock airodump-ng to the lab AP's channel and save a capture:

    sudo airodump-ng -c CHANNEL --bssid BSSID -w lab2_capture --output-format pcap wlan0mon

Run for 60 seconds, then Ctrl+C.

  4. Open the resulting PCAP in Wireshark.

Part A Deliverable

Screenshot of airodump-ng output showing VCA-WIR101-LAB with its BSSID, channel, and encryption type.


Part B — Beacon Frame Dissection (30 min)

Steps

  1. In Wireshark, filter for Beacon frames:

    wlan.fc.type_subtype == 0x08
    
  2. Select the first Beacon frame in the list. Expand the following layers in the packet detail pane:

    • Radiotap Header
    • IEEE 802.11 Management Frame > Frame Control Field
    • IEEE 802.11 Management Frame > Fixed Parameters (timestamp, beacon interval, capability info)
    • IEEE 802.11 Management Frame > Tagged Parameters (find: SSID, Supported Rates, DS Parameter Set, RSN Information)
  3. Record the following values from the Beacon:

    • BSSID
    • SSID
    • Beacon interval (in TUs, where 1 TU = 1.024 ms)
    • Channel (from DS Parameter Set IE)
    • Supported Rates
    • RSN Group Cipher Suite (e.g., CCMP-128)
    • RSN AKM Suite(s) (e.g., PSK)
    • Radiotap signal strength (dBm)
  4. Take a screenshot of the fully expanded Beacon frame in Wireshark.

Part B Deliverable

Table of the values listed above + screenshot of the expanded frame.
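
To cross-check the values you read in Wireshark, here is an added example (not part of the original lab handout) that decodes the same Beacon fields by hand from raw bytes. The sample frame and its BSSID are constructed, the field names in the returned dictionary are this example's own, and the parser assumes the frame has no trailing FCS.

```python
import struct

OUI = bytes.fromhex("000fac")                    # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}

def suite(sel: bytes, names: dict) -> str:
    # Suite selector = OUI(3) + type(1); only name types under 00-0F-AC.
    return names.get(sel[3], f"type {sel[3]}") if sel[:3] == OUI else sel.hex("-")

def parse_beacon(pkt: bytes) -> dict:
    # Radiotap (little-endian): version(1) pad(1) length(2) present(4) fields...
    rt_len = struct.unpack_from("<H", pkt, 2)[0]   # length lets us skip the fields
    mac = pkt[rt_len:]
    if len(mac) < 36:
        raise ValueError("shorter than management header + fixed parameters")
    # Frame Control (16-bit LE): bits 2-3 = type, bits 4-7 = subtype.
    fc = struct.unpack_from("<H", mac, 0)[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 0x8):
        raise ValueError("not a Beacon (type 0, subtype 8)")
    # Header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) = 24 bytes.
    # Fixed parameters: Timestamp(8) Beacon Interval(2, TUs) Capability(2).
    tu = struct.unpack_from("<H", mac, 32)[0]
    out = {"bssid": mac[16:22].hex(":"), "interval_tu": tu, "interval_ms": tu * 1024 / 1000}
    pos = 36
    while pos + 2 <= len(mac):                   # Tagged parameters: ID(1) Len(1) Value
        eid, elen = mac[pos], mac[pos + 1]
        val = mac[pos + 2:pos + 2 + elen]
        if len(val) < elen:
            break                                # truncated element: stop, do not misparse
        if eid == 0:
            out["ssid"] = val.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:
            out["channel"] = val[0]              # DS Parameter Set
        elif eid == 48 and elen >= 8:            # RSN: ver(2) group(4) pairwise count(2) ...
            out["rsn_group"] = suite(val[2:6], CIPHERS)
            akm = 8 + 4 * struct.unpack_from("<H", val, 6)[0]   # offset of AKM count
            if akm + 2 <= elen:
                n = struct.unpack_from("<H", val, akm)[0]
                out["rsn_akms"] = [suite(val[o:o + 4], AKMS)
                                   for o in range(akm + 2, akm + 2 + 4 * n, 4) if o + 4 <= elen]
        pos += 2 + elen
    return out

# Constructed sample (not a real capture): radiotap with one signal byte, then a Beacon.
SAMPLE = (struct.pack("<BBHIb", 0, 0, 9, 0x20, -42)
          + bytes.fromhex("80000000" "ffffffffffff" "021122334455" "021122334455" "0000")
          + struct.pack("<QHH", 0, 100, 0x0411)
          + b"\x00\x0e" + b"VCA-WIR101-LAB" + b"\x03\x01\x06"
          + bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000"))
```

Calling parse_beacon(SAMPLE) returns the BSSID, beacon interval, SSID, channel, and RSN suites as a dictionary; a frame whose type/subtype is not 0/8 raises ValueError.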


Part C — Association Sequence (20 min)

The provided PCAP file (association_sequence.pcap) on the course portal contains a complete Association Request + Response sequence. Open it in Wireshark.

Steps

  1. Find the Authentication frames (filter: wlan.fc.type_subtype == 0x0b). How many are there? What authentication algorithm is used?

  2. Find the Association Request (filter: wlan.fc.type_subtype == 0x00). Expand the Tagged Parameters. What RSN capabilities does the client advertise?

  3. Find the Association Response (filter: wlan.fc.type_subtype == 0x01). What status code did the AP return? What does that status code mean?

  4. Construct a sequence diagram showing the order of frames: Authentication(1) → Authentication(2) → Association Request → Association Response.

Part C Deliverable

Answers to the three questions above + the sequence diagram.


Part D — Deauthentication Frame Analysis (10 min)

The provided PCAP also contains a Deauthentication frame.

Steps

  1. Filter: wlan.fc.type_subtype == 0x0c
  2. Find the Deauthentication frame. What is the source address? The destination? The reason code?
  3. Look up the reason code in the IEEE 802.11 reason code table (Wikipedia has a complete list). What does it mean?
  4. If this Deauthentication frame were forged by an attacker (with the AP's BSSID spoofed as the source), what would happen to the client?

Part D Deliverable

Answers to the four questions above.


Write-up Questions (10 min)

  1. The Radiotap header is not part of the 802.11 specification. Where does it come from, and why is it useful for analysis?
  2. A client's 802.11 frame carries the BSSID in Address 3 when the frame is sent from the DS (ToDS=0, FromDS=1). Draw the address field layout for: (a) a STA-to-AP data frame, (b) an AP-to-STA data frame.
  3. Why does the 802.11 Association Request include the client's RSN capabilities? What happens if the client's RSN capabilities are incompatible with the AP's?

Return Monitor Mode to Managed

    sudo airmon-ng stop wlan0mon
    sudo systemctl restart NetworkManager

Confirm internet connectivity before leaving the lab.


Submission

Zip the following into lab2_YOURNAME.zip:

  • deliverable_A.png (airodump-ng screenshot)
  • deliverable_B_table.md (Beacon fields) + deliverable_B_frame.png (Wireshark screenshot)
  • deliverable_C.md (answers + sequence diagram)
  • deliverable_D.md (Deauth analysis)
  • writeup.md (write-up question answers)