MRL WikiMain Page | About | Help | FAQ | Special pages | Log in

Printable version | Disclaimers | Privacy policy

Wireless Scan

From MRL Wiki

Wireless Scan is the process of identifying wireless access point located within the vicinity of a radio performing the scan. Both Active and Passive wireless scanners exist. Active Scanners such as Netstumbler perform continuous broadcast probe requests in hopes to receive probe responses from participating access points. Passive Scanners such as Kismet passively analyze all wireless data in order to extract relevant information about surrounding wireless infrastructure. It is important to note that Passive Scanners are known to present a much more complete picture of surrounding access points as well as additional information such as associated clients, network addressing scheme, etc.

Contents

[edit] Active Wireless Scan

[edit] Probe Requests/Responses

[edit] Passive Wireless Scan

[edit] Beacons

Beacon frames are sent out periodically by APs in order to announce their existence and contains a wealth of information useful for identification of a wireless network. Below is a packet capture of a beacon frame:

IEEE 802.11
    Type/Subtype: Beacon frame (8)
    Frame Control: 0x0080 (Normal)
    Duration: 0
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Source address: Netgear_99:80:a2 (00:14:6c:XX:XX:XX)
    BSS Id: Netgear_99:80:a2 (00:14:6c:XX:XX:XX)
    Fragment number: 0
    Sequence number: 248
    Frame check sequence: 0xfc94a275 [correct]
IEEE 802.11 wireless LAN management frame
    Fixed parameters (12 bytes)
        Timestamp: 0x0000000009E34181
        Beacon Interval: 0.102400 [Seconds]
        Capability Information: 0x0431
    Tagged parameters (126 bytes)
        SSID parameter set: "netgear"
        Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) 6.0 12.0 24.0 36.0 
        DS Parameter set: Current Channel: 1
        (TIM) Traffic Indication Map: DTIM 0 of 1 bitmap empty
        ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
        Extended Supported Rates: 9.0 18.0 48.0 54.0 
        Vendor Specific: WPA
        Vendor Specific: AtherosC
        Vendor Specific: AtherosC
        Vendor Specific: WME

From the above frame we can immediately learn both AP's SSID 'netgear', BSSID '00:14:6c:XX:XX:XX' and channel '1' on which the AP is operating. Upon further examination we can learn that the access point is operating in 802.11b and 802.11g modes based on Supported Rates parameter. Even more information can be learned by analyzing timestamp value, Capability Information parameter, and other content in the frame.

[edit] Data Packets

Retrieved from "http://midnightresearch.com/wiki/index.php/Wireless_Scan"

This page has been accessed 7,025 times. This page was last modified on 7 August 2008, at 12:16.


Find

Browse
Main Page
Community portal
Current events
Recent changes
Random page
Help
Edit
Edit this page
Editing help
This page
Discuss this page
New section
Printable version
Context
Page history
What links here
Related changes
My pages
Log in / create account
Special pages
New pages
File list
Statistics
Moreā€¦