Networking
25 November 2011 0 Comments

Wireshark: 802.11 Frame Display Filters

Introduction

When using a wireless network card in monitor mode (using airmon-ng), Wireshark will not just pick up Ethernet-level frames, but also the raw wireless 802.11 frames. This data is very interesting, but the volumes can be large: wireless Access Points send out a lot of “beacon frames” that you might want to filter.

In this post we provide a list of the most useful Wireshark display filters for 802.11 frames. Use them in Wireshark in the filter field displayed below.

802.11 Frame Format

The generic 802.11 frame structure is displayed below. Most of the interesting values are in the Frame Control section, because this section determines the type of the frame.

Display Filters

wlan.fc.type == 0           Management frames
wlan.fc.type == 1           Control frames
wlan.fc.type == 2           Data frames
wlan.fc.type_subtype == 0   Association request
wlan.fc.type_subtype == 1   Association response
wlan.fc.type_subtype == 2   Reassociation request
wlan.fc.type_subtype == 3   Reassociation response
wlan.fc.type_subtype == 4   Probe request
wlan.fc.type_subtype == 5   Probe response
wlan.fc.type_subtype == 8   Beacon
 
wlan.addr == 12:34:56:AB:CD:EF  Select frames where any of 
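
How the Frame Control bytes map to the numbers used in the filters above, as an added example that is not part of the original post. It assumes each input starts at the 802.11 header (any radiotap header already stripped), and the sample frames are constructed.

```python
from collections import Counter

TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
# Management subtype names, taken from the filter list above.
MGMT_SUBTYPES = {0: "Association request", 1: "Association response",
                 2: "Reassociation request", 3: "Reassociation response",
                 4: "Probe request", 5: "Probe response", 8: "Beacon"}

def decode_frame_control(frame: bytes) -> dict:
    """Decode the 2-byte Frame Control field that opens every 802.11 frame."""
    if len(frame) < 2:
        raise ValueError("too short to contain a Frame Control field")
    fc0, flags = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3      # bits 2-3 of the first byte
    subtype = (fc0 >> 4) & 0xF    # bits 4-7 of the first byte
    return {
        "version": fc0 & 0x3,     # bits 0-1
        "type": ftype,            # compared by wlan.fc.type
        "subtype": subtype,
        # wlan.fc.type_subtype combines both values: type * 16 + subtype
        "type_subtype": (ftype << 4) | subtype,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08),
        "protected": bool(flags & 0x40),
    }

def describe(frame: bytes) -> str:
    """Name the frame and give the display filter values that select it."""
    fc = decode_frame_control(frame)
    name = TYPES[fc["type"]]
    if fc["type"] == 0:
        name = MGMT_SUBTYPES.get(fc["subtype"], "Management (other)")
    return (f'{name}: wlan.fc.type == {fc["type"]}, '
            f'wlan.fc.type_subtype == {fc["type_subtype"]}')

def summarize(frames) -> Counter:
    """Count frames per type_subtype value, e.g. to see how many are beacons."""
    return Counter(decode_frame_control(f)["type_subtype"] for f in frames)

# Constructed sample: only the two Frame Control bytes of each frame.
SAMPLE = [bytes.fromhex(h) for h in
          ("8000", "8000", "8000", "4000", "5000", "b400", "0841", "8842")]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(frame.hex(), describe(frame))
    print(summarize(SAMPLE).most_common())
```

Control and data frames carry the type in the upper bits of the combined value, so their `wlan.fc.type_subtype` numbers start at 16 and 32 respectively.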

Tags: 802.11, 802.11 frame, beacon, display filters, fc.type, frame control, pocket reference, subtype
Linux
2 October 2011 4 Comments

Fixing Ralink 3090 Wireless Problems on Linux

Introduction

If you have a Ralink 3090 (RT3090) wireless network card, you can run into problems when running Linux. These problems manifest themselves as a connection that is unreliable and slow, or even completely broken.

The Linux kernel decides which modules (drivers) should be loaded for your hardware setup, but it can get it wrong. If you are having lots of wireless networking problems, you probably don’t have the correct modules loaded. The included-by-default kernel module that seems to give the best results with the RT3090 is called rt2860sta. If you are running Ubuntu, you can try the rt3090-dkms package, which might give better results than the rt2860sta module.

List Modules

To see your currently loaded kernel modules:

$ lsmod | less

Using the rt3090-dkms Module

If you are running Ubuntu, this module might give better results than rt2860. In my case Ubuntu would no longer shut down, but there are many positive stories about the module too.

First, install the package from Markus Heberling’s personal package archive.

$ sudo add-apt-repository ppa:markus-tisoft/rt3090
$ sudo apt-get update
$ sudo apt-get install dkms rt3090-dkms

Now you should …