- 1.1 Capture 802.11 frames using the appropriate methods and locations
- 1.2 Analyze 802.11 frame captures to discover problems and find solutions
- 1.3 Understand and apply the common capture configuration parameters available in protocol analysis tools
- 1.4 Utilize additional tools that capture 802.11 frames for the purposes of analysis and troubleshooting
- 1.5 Ensure appropriate troubleshooting methods are used with all analysis types
1.1
1.1.1 Install monitor mode drivers
- Which OS you are running; it decides which monitor-mode drivers exist
- Which capture software and drivers are available for that OS
- Select adapter hardware that the chosen software and driver combination supports
1.1.2 Select appropriate capture device
- Be at the location where the traffic of interest can actually be heard
- Adapters must support the PHY you need to capture; an 802.11g adapter cannot decode frames sent at HT rates, so it will not capture all traffic in an 802.11n environment
- Adapters must support the number of spatial streams in use; a 1×1:1 adapter cannot decode frames sent with two or three spatial streams in a 3×3:3 environment
1.1.3 Select appropriate capture location
- Near the client
  - When a single client, or a group of clients in the same place, has issues
  - Shows what the client hears, so it is used to check for client receive issues
- Near the AP
  - When the affected clients are spread out rather than co-located
  - Shows what the AP hears, so it is used to check for AP receive issues such as power levels set too high
1.1.4 Capture for an appropriate amount of time based on the problem scenario
- Capture while the issue is occurring
- If the issue is reproducible, capture while reproducing it
- If the issue is sporadic, capture continuously over time to catch it
- Sync the clocks of all capture devices to the same NTP server so captures and logs can be correlated by timestamp
1.1.5 Scanning channels vs. capturing on a single channel
- For connection problems, scan all channels to catch beacon and probe frames and learn which channel the client is trying to use
- Scanning multiple channels is also used for roaming analysis, but it is less effective because frames are lost while the adapter is on other channels
1.1.6 Capturing in roaming scenarios
- Capture multiple channels at the same time (one adapter per channel)
- Move with the client
- Most services tolerate a roam of up to 300 ms, but voice applications need 150 ms or less
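How the per-channel captures of a roam get turned into a roam time, as an added example that is not part of the original notes. It assumes two adapters parked on the old and new AP channels with clocks synchronised to the same NTP source, and it measures the roam as the gap between the client's last data frame with the old BSSID and its first data frame with the new BSSID; the frame records, MAC addresses and timestamps are constructed.

```python
"""Merge two single-channel roaming captures and time the roam.

Added example, not from the original notes. Two adapters (channels 36 and 40)
with synchronised clocks are assumed; all frame records below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # capture timestamp in seconds (synchronised clock)
    channel: int
    bssid: str
    src: str
    dst: str
    kind: str       # "data", "auth", "reassoc-req", "reassoc-resp", "eapol"


CLIENT = "aa:bb:cc:dd:ee:01"
AP_A = "00:11:22:33:44:01"   # old AP on channel 36
AP_B = "00:11:22:33:44:02"   # new AP on channel 40

# What the channel-36 adapter saw: the client's last exchange with the old AP.
CAPTURE_CH36 = [
    Frame(10.000, 36, AP_A, CLIENT, AP_A, "data"),
    Frame(10.020, 36, AP_A, AP_A, CLIENT, "data"),
    Frame(10.041, 36, AP_A, CLIENT, AP_A, "data"),   # last data frame with AP_A
]
# What the channel-40 adapter saw: authentication, reassociation, 4-way
# handshake, then the first data frame through the new AP.
CAPTURE_CH40 = [
    Frame(10.085, 40, AP_B, CLIENT, AP_B, "auth"),
    Frame(10.088, 40, AP_B, AP_B, CLIENT, "auth"),
    Frame(10.091, 40, AP_B, CLIENT, AP_B, "reassoc-req"),
    Frame(10.097, 40, AP_B, AP_B, CLIENT, "reassoc-resp"),
    Frame(10.101, 40, AP_B, AP_B, CLIENT, "eapol"),
    Frame(10.104, 40, AP_B, CLIENT, AP_B, "eapol"),
    Frame(10.109, 40, AP_B, AP_B, CLIENT, "eapol"),
    Frame(10.112, 40, AP_B, CLIENT, AP_B, "eapol"),
    Frame(10.131, 40, AP_B, CLIENT, AP_B, "data"),   # first data frame with AP_B
]


def merge_captures(*captures):
    """Interleave per-channel captures into one timeline by timestamp."""
    return sorted((f for cap in captures for f in cap), key=lambda f: f.ts)


def roam_time(frames, client, old_bssid, new_bssid):
    """Seconds from the client's last data frame with old_bssid to its first
    data frame with new_bssid, or None if either edge is missing from the
    capture (the usual result when only one channel was captured)."""
    last_old = first_new = None
    for f in frames:
        if f.kind != "data" or client not in (f.src, f.dst):
            continue
        if f.bssid == old_bssid and first_new is None:
            last_old = f.ts
        elif f.bssid == new_bssid and last_old is not None:
            first_new = f.ts
            break
    if last_old is None or first_new is None:
        return None
    return first_new - last_old


def roam_verdict(seconds, voice=False):
    """Compare against the targets above: 300 ms generally, 150 ms for voice."""
    if seconds is None:
        return "incomplete: roam edges not both captured"
    budget = 0.150 if voice else 0.300
    state = "OK" if seconds <= budget else "SLOW"
    return f"{seconds * 1000:.0f} ms {state} (budget {budget * 1000:.0f} ms)"


if __name__ == "__main__":
    timeline = merge_captures(CAPTURE_CH36, CAPTURE_CH40)
    print(roam_verdict(roam_time(timeline, CLIENT, AP_A, AP_B), voice=True))
    print(roam_verdict(roam_time(CAPTURE_CH36, CLIENT, AP_A, AP_B)))
```

Running `roam_time` over only the channel-36 capture returns None: the client simply disappears from a single-channel capture, which is why roaming analysis needs one adapter per channel rather than a hopping adapter.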
1.1.7 Capture with portable protocol analyzers (laptops)
- Most commonly a laptop with analysis software, supported wireless adapters, and their drivers
- Use only adapters the analysis software supports
- Check the laptop's port types and which adapters they need
- Body attenuation (the analyst standing between the adapter and the transmitter) can cause CRC errors in the capture that the client itself never saw
1.1.8 Capture with APs, controllers, and other management solutions
- No travel needed to perform the analysis
- Cannot troubleshoot failed roams: a capture taken by one AP loses the client once it moves to another AP's channel or cell
- Additional hardware and license costs
1.1.9 Capture with specialty devices such as handheld analyzers
- Often more expensive than laptop-based tools
- Can be kept at a remote site and are easy for on-site staff to use
1.2
1.2.1 Use appropriate display filters to view relevant frames and packets
- Applied to frames already captured (unlike capture filters, they discard nothing); can be set before or after the capture runs to show only the desired frames
- Better to apply them after the capture, so that information you did not expect to need is not missed
1.2.2 Use colorization to highlight important frames and packets
- Colors frames by type or condition so errors and anomalies stand out during analysis
1.2.3 Configure and display columns for analysis purposes
- Allows easy sorting of frames by the chosen fields
- Mostly a matter of preference rather than necessity
1.2.4 View frame and packet decodes and understand the information shown and apply it to the analysis process
- Determine the SRC and DST; which address field holds the source and destination depends on the To DS and From DS bits
- 802.11 communication types (management, control, data)
- Retry bit set to 1 means the frame is a retransmission
- The MAC header is always in clear text, even on encrypted networks; only the frame body is encrypted
- Addresses
- Frame type and subtype
- Protocol version
- Fragmented or not (More Fragments bit)
- Fragment number if fragmented (in the Sequence Control field)
- Power management bit
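The decode described above, written out as an added example that is not part of the original notes or of any analyzer's code. It parses the clear-text MAC header of one raw 802.11 frame (as a monitor-mode capture delivers it, with the radiotap header already removed), pulls out the protocol version, type and subtype, the Retry, Power Management, More Fragments and Protected bits, the fragment and sequence numbers, and resolves SA, DA and BSSID from the To DS / From DS bits. The three sample frames are constructed by hand.

```python
"""Decode the clear-text 802.11 MAC header of one captured frame.

Added example, not from the original notes or any analyzer. The input is a raw
frame with the radiotap header already stripped; the samples are constructed.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 2): "reassociation request", (0, 3): "reassociation response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication",
    (0, 12): "deauthentication", (0, 13): "action",
    (1, 8): "block ack request", (1, 9): "block ack", (1, 10): "ps-poll",
    (1, 11): "rts", (1, 12): "cts", (1, 13): "ack",
    (2, 0): "data", (2, 4): "null data", (2, 8): "qos data", (2, 12): "qos null",
}

# Constructed samples: a QoS data frame from a client to its AP with the Retry
# and Protected bits set (To DS=1), a beacon, and an ACK addressed to the client.
SAMPLE_RETRY_FRAME = bytes.fromhex(
    "8849" "2c00" "001122334455" "aabbccddee01" "001122334466" "a002" "0000" "deadbeef")
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "001122334455" "001122334455" "0001")
SAMPLE_ACK = bytes.fromhex("d400" "0000" "aabbccddee01")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Return the header fields as a dict; raises ValueError if truncated."""
    if len(frame) < 10:
        raise ValueError("shorter than the minimum 802.11 header")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    h = {
        "protocol_version": fc0 & 0x03,      # 0 for every 802.11 amendment so far
        "type": (fc0 >> 2) & 0x03,
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "more_fragments": bool(fc1 & 0x04),
        "retry": bool(fc1 & 0x08),           # 1 = this frame is a retransmission
        "power_mgmt": bool(fc1 & 0x10),      # 1 = sender will be in power save
        "more_data": bool(fc1 & 0x20),
        "protected": bool(fc1 & 0x40),       # body is encrypted; header still clear
        "duration": duration,
    }
    h["type_name"] = TYPE_NAMES[h["type"]]
    h["subtype_name"] = SUBTYPE_NAMES.get((h["type"], h["subtype"]), "other")
    addr1 = mac_str(frame[4:10])
    if h["type"] == 1:
        # Control frames carry only RA, plus TA for BAR, BA, PS-Poll and RTS.
        h["receiver"] = addr1
        if h["subtype"] in (8, 9, 10, 11) and len(frame) >= 16:
            h["transmitter"] = mac_str(frame[10:16])
        return h
    if len(frame) < 24:
        raise ValueError("management/data frame needs a 24-byte header")
    addr2, addr3 = mac_str(frame[10:16]), mac_str(frame[16:22])
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    h["fragment_number"] = seq_ctl & 0x0F
    h["sequence_number"] = seq_ctl >> 4
    h["fragmented"] = h["more_fragments"] or h["fragment_number"] > 0
    # Which address field holds SA and DA depends on To DS / From DS for data
    # frames; management frames are always DA, SA, BSSID.
    if h["type"] == 0 or not (h["to_ds"] or h["from_ds"]):
        h.update(dst=addr1, src=addr2, bssid=addr3)
    elif h["from_ds"] and not h["to_ds"]:
        h.update(dst=addr1, bssid=addr2, src=addr3)
    elif h["to_ds"] and not h["from_ds"]:
        h.update(bssid=addr1, src=addr2, dst=addr3)
    else:                                    # WDS/mesh: Addr4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("four-address frame needs a 30-byte header")
        h.update(receiver=addr1, transmitter=addr2, dst=addr3, src=mac_str(frame[24:30]))
    return h


def describe(frame):
    """One-line summary of the kind an analyzer shows in its frame list."""
    h = parse_header(frame)
    flags = [f for f in ("retry", "more_fragments", "power_mgmt", "protected") if h[f]]
    src = h.get("src") or h.get("transmitter", "-")
    dst = h.get("dst") or h.get("receiver", "-")
    seq = f" seq={h['sequence_number']}/{h['fragment_number']}" if "sequence_number" in h else ""
    return f"{h['subtype_name']} {src} -> {dst}{seq} [{' '.join(flags)}]"


if __name__ == "__main__":
    for f in (SAMPLE_RETRY_FRAME, SAMPLE_BEACON, SAMPLE_ACK):
        print(describe(f))
```

Note that the Protected frame is still fully decodable at this level: every field read here sits in the header, which is what makes retry counting and peer mapping at layer 2 possible without the PSK.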
1.2.5 Use multiple adapters and channel aggregation to view captures from multiple channels
- Use with bonded channels
- Capture all desired channels and view the output as one merged timeline; this requires synchronized timestamps across the adapters
1.2.6 Implement protocol analyzer decryption procedures
- Practical only on networks using a pre-shared key (WPA/WPA2-Personal), where the analyzer can compute the PMK from the passphrase and SSID; with 802.1X/EAP each session has its own PMK, which would have to be exported from the supplicant or authentication server
- The 4-way handshake (EAPoL, EAP over LAN) must be captured for each client: the ANonce and SNonce it carries are needed to derive that client's pairwise transient key, so a station whose handshake was missed cannot be decrypted until it re-associates
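The derivation an analyzer performs before it can decrypt, written out as an added example; it is not code from the original notes or from any analyzer. It implements the IEEE 802.11 PBKDF2 and PRF steps for the PSK / HMAC-SHA1 AKM with CCMP, derives the PTK from the two captured nonces and MAC addresses, builds a constructed EAPOL-Key message 2, and checks its MIC with the derived KCK, which is how the tool confirms the supplied passphrase is right before applying the temporal key. The SSID, passphrase, MAC addresses and nonces are made up; the "password"/"IEEE" value in the test is the IEEE 802.11 Annex test vector.

```python
"""WPA2-Personal key derivation as a protocol analyzer performs it before
decrypting a capture.

Added example, not from the original notes or from any analyzer's source.
PSK / HMAC-SHA1 AKM (00-0F-AC:2) with CCMP; all handshake values constructed.
"""
import hashlib
import hmac

SSID = "lab-wlan"                                # constructed
PASSPHRASE = "constructed-demo-passphrase"        # constructed
AP_MAC = bytes.fromhex("001122334455")           # authenticator address (AA)
STA_MAC = bytes.fromhex("aabbccddee01")          # supplicant address (SPA)
ANONCE = bytes(range(32))                        # Key Nonce of message 1
SNONCE = bytes(range(32, 64))                    # Key Nonce of message 2
# RSN IE: CCMP group and pairwise cipher, PSK AKM, no capabilities.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase, ssid):
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    48 bytes is the CCMP PTK: KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk):
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, eapol_frame):
    """Key MIC for AKM 00-0F-AC:2: HMAC-SHA1 over the whole EAPOL frame with the
    16-byte MIC field zeroed, truncated to 16 bytes. The MIC field starts at
    offset 81 (4-byte EAPOL header + 77 bytes into the EAPOL-Key descriptor)."""
    zeroed = eapol_frame[:81] + bytes(16) + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, kck, key_data=RSN_IE):
    """Constructed EAPOL-Key message 2 (supplicant -> authenticator)."""
    body = (b"\x02"                          # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")    # key info: desc. version 2, pairwise, MIC set
            + (0).to_bytes(2, "big")         # key length (zero in message 2)
            + (1).to_bytes(8, "big")         # replay counter echoed from message 1
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, key ID
            + bytes(16)                      # MIC placeholder, filled in below
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]


def verify_msg2(passphrase, ssid, aa, spa, anonce, msg2):
    """What the analyzer does with a candidate passphrase: derive the PTK from the
    captured nonces and check message 2's MIC. True means the passphrase, and so
    the TK that decrypts this station's data frames, is correct."""
    snonce = msg2[17:49]                     # Key Nonce field of message 2
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(split_ptk(ptk)["kck"], msg2), msg2[81:97])


def demo():
    """Run the whole derivation on the constructed values; returns the TK as hex."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    keys = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    msg2 = build_msg2(SNONCE, keys["kck"])
    if not verify_msg2(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, msg2):
        raise RuntimeError("MIC check failed")
    return keys["tk"].hex()


if __name__ == "__main__":
    print("TK:", demo())
```

The same computation is what offline PSK crackers run against a captured handshake, trying candidate passphrases until `verify_msg2` returns True; anyone who can capture the 4-way handshake (or force one with a deauthentication) can do this, which is why the strength of the passphrase, not the secrecy of the capture, protects a WPA2-Personal network.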
1.2.7 View and use captures statistical information for analysis
- Run reports to create statistical graphs based on filters
- Packet size
- Traffic per device
1.2.8 Use expert mode for analysis
- Often an automatic presentation of the anomalies found in the capture
- Some track events over time and suggest symptoms and remedies
1.2.9 View and understand peer maps as they relate to communications analysis
- Shows which stations are communicating with each other by illustrating the connections
- A layer 3 peer map cannot be built on WPA or WPA2 networks unless the capture is decrypted, because the IP header is inside the encrypted frame body
- Capturing on the wired side of the AP (ingress and egress) can help build the peer map
1.3
1.3.1 Save to disk
- The capture usually has to be stopped before it can be saved
- Some tools write to disk while capturing, but the system must be able to write as fast as frames arrive
- When capturing on APs, save to the network, because AP storage is limited
1.3.2 Packet slicing
- Used when the capture would otherwise grow too large
- Frame headers are kept; the data payload beyond the slice size is discarded
- Around 400 bytes is recommended so that large beacon frames, with all their information elements, are kept whole
- If encryption is in use, the payload is of no use anyway unless it can be decrypted
1.3.3 Event triggers
- Integrated and distributed analyzers can have event triggers set to start or stop a capture
- Laptop-based analyzers can start capturing on an event and stop when the file reaches a set size
1.3.4 Buffer options
- Stores captured frames in memory as they arrive
- Limited by the amount of RAM
- When the buffer fills, the oldest frames are overwritten (ring buffer)
- Can instead be configured to stop at a maximum size
1.3.5 Channels and channel widths
- On bonded (40/80 MHz) channels, management frames such as beacons are sent at 20 MHz on the primary channel; an adapter tuned to the primary channel sees them, but data frames using the full width are only captured by an adapter configured for that width
1.3.6 Capture filters
- Frames excluded by a capture filter are never stored and can never be viewed afterwards, unlike frames hidden by a display filter
1.3.7 Channel scanning and dwell time
- Dwell time is the time spent on each channel before hopping to the next; anything sent on the other channels during that time is missed
1.4
1.4.1 WLAN scanners and discovery tools
- Often low-cost or free
- Can be as simple as a key-chain or T-shirt Wi-Fi detector
- Discovers available WLANs
1.4.2 Protocol capture visualization and analysis tools
- Excellent for making reports
- Visual of captured information
1.4.3 Centralized monitoring, alerting and forensic tools
1.5
- Define a clear problem statement with symptoms and potential causes
  - The foundation of the troubleshooting process
  - Without it the wrong problem could be solved
- Gather the facts to help isolate the possible cause
  - Clarify the details and expand on the problem statement
- Consider possible problems based on the facts
  - List the likely causes
- Create an action plan based on the remaining potential problems and the most likely cause
  - The plan targets the most likely cause first
- Implement the action plan
  - Perform the actions needed to verify the theorized cause
- Gather the results
  - Record the result of each step as changes are made
- Analyze the results and determine whether the problem is resolved
  - Verify all problems are resolved
  - If not resolved, move to the next most likely cause and repeat the implement, gather results, and analyze steps