Networking
25 November 2011 0 Comments

Wireshark: 802.11 Frame Display Filters

Introduction

When using a wireless network card in monitor mode (using airmon-ng), Wireshark will not just pick up Ethernet-level frames, but also the raw wireless 802.11 frames. This data is very interesting, but the volumes can be large: wireless Access Points send out a lot of “beacon frames” that you might want to filter.

In this post we provide a list of the most useful Wireshark display filters for 802.11 frames. Use them in Wireshark in the filter field displayed below.

802.11 Frame Format

The generic 802.11 frame structure is displayed below. Most of the interesting values are in the Frame Control section, because this section determines the type of the frame.

Display Filters

wlan.fc.type == 0           Management frames
wlan.fc.type == 1           Control frames
wlan.fc.type == 2           Data frames
wlan.fc.type_subtype == 0   Association request
wlan.fc.type_subtype == 1   Association response
wlan.fc.type_subtype == 2   Reassociation request
wlan.fc.type_subtype == 3   Reassociation response
wlan.fc.type_subtype == 4   Probe request
wlan.fc.type_subtype == 5   Probe response
wlan.fc.type_subtype == 8   Beacon

wlan.addr == 12:34:56:AB:CD:EF  Select frames where any of 
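To show what the filters above actually match on, here is an added example (not from the original post) that decodes the Frame Control and address fields of raw 802.11 frames and evaluates the listed filter expressions against them. Wireshark's wlan.fc.type_subtype packs the type into the high nibble and the subtype into the low nibble, so the management-frame values in the list (0..8) are the subtype itself; wlan.addr matches if any address field equals the value. The sample frames are constructed for the example and carry no radiotap header; only the receiver address is decoded for control frames.

```python
# Wireshark display-filter values for management frames (from the list above)
MGMT_SUBTYPES = {
    0: "Association request", 1: "Association response",
    2: "Reassociation request", 3: "Reassociation response",
    4: "Probe request", 5: "Probe response", 8: "Beacon",
}
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the Frame Control field and the address fields of a raw 802.11
    frame (no radiotap header). Returns the values Wireshark exposes as
    wlan.fc.type, wlan.fc.type_subtype and wlan.addr."""
    fc0, fc1 = frame[0], frame[1]          # Frame Control: 2 bytes, little-endian
    version = fc0 & 0x03                   # bits 0-1: protocol version
    ftype = (fc0 >> 2) & 0x03              # bits 2-3: 0 mgmt, 1 control, 2 data
    subtype = (fc0 >> 4) & 0x0F            # bits 4-7: subtype
    to_ds = bool(fc1 & 0x01)               # flags byte: To DS
    from_ds = bool(fc1 & 0x02)             # flags byte: From DS
    type_subtype = (ftype << 4) | subtype  # Wireshark's combined value

    if ftype == 1:
        # Control frames: only the receiver address (Addr1) is decoded here;
        # some control subtypes also carry a transmitter address (ignored).
        addrs = [_mac(frame[4:10])]
    else:
        addrs = [_mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])]
        if ftype == 2 and to_ds and from_ds:
            # WDS data frames carry a fourth address after Sequence Control
            addrs.append(_mac(frame[24:30]))
    return {"version": version, "type": ftype, "subtype": subtype,
            "type_subtype": type_subtype, "addrs": addrs}


def matches(frame: bytes, expr: str) -> bool:
    """Evaluate a tiny subset of Wireshark display-filter syntax:
    'wlan.fc.type == N', 'wlan.fc.type_subtype == N', 'wlan.addr == MAC'."""
    field, op, value = expr.split()
    if op != "==":
        raise ValueError("only '==' is supported in this example")
    hdr = parse_80211_header(frame)
    if field == "wlan.fc.type":
        return hdr["type"] == int(value, 0)
    if field == "wlan.fc.type_subtype":
        return hdr["type_subtype"] == int(value, 0)
    if field == "wlan.addr":
        return value.lower() in hdr["addrs"]   # any address field may match
    raise ValueError(f"unsupported field {field}")


def apply_filter(frames, expr: str):
    return [f for f in frames if matches(f, expr)]


def _mgmt(subtype: int, src: bytes, bssid: bytes) -> bytes:
    """Build a minimal management-frame header (constructed test data)."""
    fc = bytes([(0 << 2) | (subtype << 4), 0x00])
    return fc + b"\x00\x00" + b"\xff" * 6 + src + bssid + b"\x10\x00"


AP = bytes.fromhex("123456abcdef")     # constructed AP address (as in the list)
STA = bytes.fromhex("001122334455")    # constructed station address

# Constructed sample capture: a beacon, a probe request, a data frame, an ACK
BEACON = _mgmt(8, AP, AP)
PROBE_REQ = _mgmt(4, STA, b"\xff" * 6)
DATA = bytes([0x08, 0x01]) + b"\x00\x00" + AP + STA + AP + b"\x20\x00"  # To DS=1
ACK = bytes([0xD4, 0x00]) + b"\x00\x00" + STA                            # type 1, subtype 13
FRAMES = [BEACON, PROBE_REQ, DATA, ACK]

if __name__ == "__main__":
    for expr in ("wlan.fc.type == 0", "wlan.fc.type_subtype == 8",
                 "wlan.addr == 12:34:56:AB:CD:EF"):
        print(expr, "->", len(apply_filter(FRAMES, expr)), "frame(s)")
```

Running it prints two frames for type 0, one for the beacon subtype, and two for the AP address (the beacon, where it is Addr2/Addr3, and the data frame, where it is Addr1), which is exactly the "any address field" behaviour of wlan.addr.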

Tags: 802.11, 802.11 frame, beacon, display filters, fc.type, frame control, pocket reference, subtype
Networking
24 June 2011 0 Comments

The ICMP Protocol for IPv4 Explained

In this post we discuss the Internet Control Message Protocol (ICMP), one of the core protocols of the TCP/IP suite [Wikipedia] [RFC 792]. Many common networking utilities are based on ICMP, including tracert and ping.

ICMP messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes. ICMP errors are always reported to the original source IP address of the originating datagram. The protocol is implemented by both hosts and routers, albeit in different ways.

A version of ICMP for IPv6 exists: ICMPv6. The scope of this article is limited to ICMP for IPv4 (ICMPv4).

ICMP Packet Structure

Each ICMP message is encapsulated directly within a single IP datagram, and thus, like UDP, ICMP is unreliable. The structure of ICMP packets is displayed below:


Header Fields

The Type and Code fields are the first two fields in the header of the ICMP packet. Together these fields designate the meaning of the packet.


Type/Code Fields

The most common combinations of Type and Code are displayed below.

As can be seen in the table, an ICMP message can either be an error message or a query message. Query messages are two-way: when an ICMP request …
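As an added example (not part of the original post), the following code decodes the common ICMP header described above, verifies the Internet checksum, and classifies a message as an error or a query by its Type. The checksum is the RFC 1071 one's-complement sum over the whole ICMP message, computed with the Checksum field zeroed; verifying it over a received message, checksum included, must yield zero. The sample messages are constructed inline, and the type/code names come from RFC 792.

```python
import struct

# ICMP type numbers from RFC 792; query types come in request/reply pairs,
# error types quote the offending IP header + 8 bytes in their payload.
QUERY_TYPES = {0: "Echo reply", 8: "Echo request",
               13: "Timestamp", 14: "Timestamp reply"}
ERROR_TYPES = {3: "Destination unreachable", 4: "Source quench",
               5: "Redirect", 11: "Time exceeded", 12: "Parameter problem"}
# A few common Code values for Type 3
UNREACHABLE_CODES = {0: "Net unreachable", 1: "Host unreachable",
                     2: "Protocol unreachable", 3: "Port unreachable"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement
    sum of all 16-bit words (an odd trailing byte is padded with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an Echo request (Type 8, Code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum field = 0
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode Type, Code and Checksum plus the 4-byte 'rest of header'."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code, csum, rest = struct.unpack("!BBHI", msg[:8])
    valid = inet_checksum(msg) == 0          # whole message, checksum included
    if mtype in QUERY_TYPES:
        kind, name = "query", QUERY_TYPES[mtype]
    elif mtype in ERROR_TYPES:
        kind, name = "error", ERROR_TYPES[mtype]
    else:
        kind, name = "unknown", f"type {mtype}"
    info = {"type": mtype, "code": code, "checksum": csum, "checksum_ok": valid,
            "kind": kind, "name": name, "payload": msg[8:]}
    if mtype in (0, 8):                      # Echo: rest = Identifier | Sequence
        info["id"], info["seq"] = rest >> 16, rest & 0xFFFF
    if mtype == 3:
        info["reason"] = UNREACHABLE_CODES.get(code, f"code {code}")
    return info


# Constructed samples: a valid Echo request, the same bytes with one payload
# bit flipped (as corruption in transit would produce), and a Port
# unreachable error (Type 3, Code 3) with an empty quoted datagram.
ECHO = build_echo_request(0x1234, 1, b"abcdefgh")
CORRUPT = ECHO[:-1] + bytes([ECHO[-1] ^ 0x01])
_unreach_hdr = struct.pack("!BBHI", 3, 3, 0, 0)
UNREACH = struct.pack("!BBHI", 3, 3, inet_checksum(_unreach_hdr), 0)

if __name__ == "__main__":
    for m in (ECHO, CORRUPT, UNREACH):
        p = parse_icmp(m)
        print(p["kind"], p["name"], "checksum_ok =", p["checksum_ok"])
```

Because the one's-complement sum is computed over the complete message, a receiver never needs the sender's intermediate value: a non-zero result on verification means the message was altered, which is why the corrupted sample fails the check.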

Tags: checksum, code, core protocol, echo, icmp header, icmpv6, ipv4, packet, traceroute, tracert
Networking
22 June 2011 1 Comment

The DNS Protocol Explained

The DNS Protocol

The Domain Name System protocol translates domain names into IP addresses (Wikibooks page). When a client wants to open a webpage at www.google.com, a query is sent to a DNS server (a.k.a. name server) to fetch the corresponding IP address. The IP returned by the name server is used to contact the Google web server – the server that hosts the actual website contents. In this post we explain the DNS protocol and the packets involved.

Usually, a client will know the IP address of one or more DNS servers after the DHCP boot process is completed. In order to resolve a hostname, a DNS query packet is sent. All DNS traffic between clients and name servers is encapsulated in UDP, and name servers always run on UDP port 53.

DNS Packet Structure

The structure of DNS packets looks like this:

The flags field (16 bits) has the following structure:

    a) The first (0th) bit indicates query (0) or response (1).
    b) The next three bits (1-4) indicate ‘Standard Query (0)’,
       ‘Inverse Query (1)’ and ‘Server Status Request (2)’.
    c) The 5th bit field indicates an Authoritative answer: the
       name server is authoritative for the domain in the
       question section.
    d) The 6th bit field is set if 
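The following added example (not from the original post) decodes the 12-byte DNS header and splits the 16-bit flags word along the bit positions given above, numbering bit 0 as the most significant bit as the post does. It goes beyond the list, which breaks off at the truncation bit, by also extracting the remaining RFC 1035 flags (RD, RA, Z, RCODE), the question section and one answer record with name compression. The query and response packets are constructed inline; the 192.0.2.10 address is a documentation-range placeholder, not a real answer.

```python
import struct

OPCODES = {0: "Standard query", 1: "Inverse query", 2: "Server status request"}
RCODES = {0: "No error", 1: "Format error", 2: "Server failure",
          3: "Name error (NXDOMAIN)", 4: "Not implemented", 5: "Refused"}


def parse_flags(flags: int) -> dict:
    """Split the 16-bit flags word; 'bit 0' is the most significant bit."""
    return {
        "qr": (flags >> 15) & 1,        # bit 0: 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # bits 1-4: standard / inverse / status
        "aa": (flags >> 10) & 1,        # bit 5: authoritative answer
        "tc": (flags >> 9) & 1,         # bit 6: truncated (answer exceeded 512 bytes over UDP)
        "rd": (flags >> 8) & 1,         # bit 7: recursion desired
        "ra": (flags >> 7) & 1,         # bit 8: recursion available
        "z": (flags >> 4) & 0x7,        # bits 9-11: reserved, must be zero
        "rcode": flags & 0xF,           # bits 12-15: response code
    }


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte header: ID, flags and the four section counts."""
    if len(packet) < 12:
        raise ValueError("DNS packet shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    hdr = {"id": ident, "flags": parse_flags(flags),
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    f = hdr["flags"]
    hdr["opcode_name"] = OPCODES.get(f["opcode"], f"opcode {f['opcode']}")
    hdr["rcode_name"] = RCODES.get(f["rcode"], f"rcode {f['rcode']}")
    return hdr


def read_name(packet: bytes, offset: int):
    """Read a label-encoded name at offset, following RFC 1035 compression
    pointers (0xC0xx). Returns (name, offset just after the name field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2                        # pointer is 2 bytes long
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:                                 # root label ends the name
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_question(packet: bytes) -> dict:
    name, off = read_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"name": name, "qtype": qtype, "qclass": qclass}


def parse_answers(packet: bytes) -> list:
    """Skip the question section and decode each answer resource record."""
    hdr, off = parse_header(packet), 12
    for _ in range(hdr["qdcount"]):
        _, off = read_name(packet, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(hdr["ancount"]):
        name, off = read_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: dotted IPv4
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return answers


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


# Constructed query: ID 0x1a2b, flags 0x0100 (standard query, RD set), one
# question for the A record (type 1, class IN) of www.google.com.
QUERY = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) \
    + encode_name("www.google.com") + struct.pack("!HH", 1, 1)
# Constructed response: flags 0x8180 (QR, RD, RA), the question echoed back,
# one A answer whose name is a pointer (0xC00C) to the question name.
RESPONSE = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) \
    + encode_name("www.google.com") + struct.pack("!HH", 1, 1) \
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])

if __name__ == "__main__":
    print(parse_header(QUERY)["flags"], parse_question(QUERY))
    print(parse_header(RESPONSE)["flags"], parse_answers(RESPONSE))
```

The response's transaction ID must match the query's, and a client that checks it (together with the source port) before accepting an answer is much harder to feed spoofed responses, which is one reason the ID is the first header field to look at when reading DNS traffic.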

Tags: a, AAAA, class, dns, domain name system, MX, port 53, question, resource record, udp