1.1

1.1.1 Install monitor mode drivers

  • What OS are you using
  • What software and drivers are available
  • Select the right hardware for the job

1.1.2 Select appropriate capture device

  • Be in the location of where traffic is needed
  • Adapters must support the protocol you need to capture; for example, an 802.11g adapter will not capture all traffic in an 802.11n environment.
  • Adapters must support the spatial streams needed; a 1×1:1 adapter can't see all traffic in a 3×3:3 environment.

1.1.3 Select appropriate capture location

  • Near client
    • In case of a single client or group of close clients having issues.
    • Used to check for client receive issues
  • Near AP
    • When issue has group of clients not located near each other
    • Used to check for AP receive issues such as a power level set too high

1.1.4 Capture for an appropriate amount of time based on the problem scenario

  • Capture during the issue
  • If reproducible then capture while reproducing
  • If sporadic, run a constant capture over time to catch the issue.
  • Sync all device times using the same NTP server

1.1.5 Scanning channels vs. capturing on a single channel

  • For connection issues, scan all channels to catch beacon frames
  • Scanning multiple channels is also used when roaming, but it is less effective because information can be lost while channel hopping.

1.1.6 Capturing in roaming scenarios

  • Capture multiple channels at the same time
  • Move with the client
  • Most services tolerate a 300 ms roam, but voice applications need 150 ms or less

1.1.7 Capture with portable protocol analyzers (laptops)

  • Most commonly a laptop with analysis software, wireless cards and drivers
  • Use of supported adapters
  • Port types and adapters needed
  • Body attenuation may cause CRC errors

1.1.8 Capture with APs, controllers, and other management solutions

  • Travel not needed to perform analysis
  • Unable to troubleshoot failed roams
  • Additional hardware and license cost

1.1.9 Capture with specialty devices such as handheld analyzers

  • Often more expensive than laptop-based tools
  • Can be stored at a remote location and are easy for others to use

1.2

1.2.1 Use appropriate display filters to view relevant frames and packets

  • Used before or after the capture to display the desired frames
  • Better to apply them after the capture, since needed information could otherwise be missed

1.2.2 Use colorization to highlight important frames and packets

  • Allows for coloring different frames to make spotting errors during analysis easier

1.2.3 Configure and display columns for analysis purposes

  • Allows for easy sorting of different frames
  • Most of the time this is preference rather than necessity

1.2.4 View frame and packet decodes and understand the information shown and apply it to the analysis process

  • Determine the SRC and DST
  • 802.11 communication types
  • Retry bit set to 1 means the frame is a retransmission
  • Information in the header is always in clear text
    • Addresses
    • Frame type and subtype
    • Protocol version
    • Fragmented or not
    • Fragment number if fragmented
    • Power management info
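The header fields listed above can be decoded without any key material, which is what makes them usable on encrypted networks. The following is an added example, not part of the original notes: it parses the Frame Control, Sequence Control and address fields of constructed sample frames (not a real capture, and assumed to start at Frame Control with any radiotap header already stripped), resolves SRC/DST/BSSID from the ToDS/FromDS bits, and applies a simple display-filter analogue to pick out retries and fragments.

```python
"""Decode the clear-text 802.11 MAC header fields (added example).

Sample frames are constructed bytes, not captured traffic, and are assumed
to begin at the Frame Control field (radiotap/PPI header already stripped).
The subtype table is partial; it covers the frames built below.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "rts", (1, 12): "cts", (1, 13): "ack",
    (2, 0): "data", (2, 4): "null", (2, 8): "qos data",
}


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_header(frame: bytes) -> dict:
    """Return the header fields of one 802.11 frame as a dict."""
    if len(frame) < 10:
        raise ValueError("too short for any 802.11 frame (FC + duration + addr1)")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # both little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    h = {
        "version": fc & 0x3,                # protocol version (0 in practice)
        "type_name": TYPE_NAMES[ftype],
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
        "to_ds": to_ds, "from_ds": from_ds,
        "more_frag": bool(flags & 0x04),    # fragmented, more pieces follow
        "retry": bool(flags & 0x08),        # 1 = this frame is a retransmission
        "pwr_mgmt": bool(flags & 0x10),     # sender entering power-save mode
        "protected": bool(flags & 0x40),    # payload encrypted; header still clear
        "duration": duration,
        "src": None, "dst": _mac(frame[4:10]), "bssid": None,
        "frag_num": None, "seq_num": None,
    }
    if ftype == 1:
        # Control frames: RA only (ACK/CTS) or RA+TA (RTS); no sequence control.
        if len(frame) >= 16:
            h["src"] = _mac(frame[10:16])
        h["header_len"] = 16 if len(frame) >= 16 else 10
        return h
    if len(frame) < 24:
        raise ValueError("management/data frame needs a 24-byte header")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    h["frag_num"], h["seq_num"] = seq_ctl & 0xF, seq_ctl >> 4
    header_len = 24
    if ftype == 2 and to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("4-address data frame needs a 30-byte header")
        src, dst, bssid = frame[24:30], a3, None   # WDS: a1/a2 are RA/TA, a4 is SA
        header_len = 30
    elif ftype == 2 and from_ds:
        src, dst, bssid = a3, a1, a2               # AP -> station
    elif ftype == 2 and to_ds:
        src, dst, bssid = a2, a3, a1               # station -> AP
    else:
        src, dst, bssid = a2, a1, a3               # management frames, IBSS data
    if ftype == 2 and subtype & 0x8:
        header_len += 2                            # QoS Control field present
    h.update(src=_mac(src), dst=_mac(dst), bssid=_mac(bssid) if bssid else None,
             header_len=header_len)
    return h


def display_filter(headers, **wanted):
    """Display-filter analogue: keep headers whose fields match every wanted value."""
    return [h for h in headers if all(h.get(k) == v for k, v in wanted.items())]


def _build(fc0, flags, addrs, seq=0, frag=0, tail=b""):
    """Constructed frame: FC, duration 0, up to three addresses, seq control, tail."""
    out = bytes([fc0, flags, 0, 0])
    for a in addrs:
        out += bytes.fromhex(a.replace(":", ""))
    if (fc0 >> 2) & 0x3 != 1:                      # control frames have no seq control
        out += struct.pack("<H", (seq << 4) | frag)
    return out + tail


# Constructed locally administered MACs for the samples (not real devices).
AP, STA, HOST = "02:00:00:00:aa:01", "02:00:00:00:bb:02", "02:00:00:00:cc:03"
SAMPLE_FRAMES = [
    _build(0x80, 0x00, ["ff:ff:ff:ff:ff:ff", AP, AP], seq=100, tail=b"\x00" * 12),  # beacon
    _build(0x88, 0x01 | 0x08 | 0x40, [AP, STA, HOST], seq=7,
           tail=b"\x00\x00" + b"\xaa" * 8),        # retried, encrypted QoS data, STA -> AP
    _build(0x08, 0x02 | 0x04, [STA, AP, HOST], seq=7, frag=1, tail=b"\xbb" * 8),  # fragment 1
    _build(0xd4, 0x00, [STA]),                      # ACK addressed to STA
]

if __name__ == "__main__":
    headers = [parse_80211_header(f) for f in SAMPLE_FRAMES]
    for h in headers:
        print(f'{h["type_name"]:10} {h["subtype_name"]:10} {h["src"]} -> {h["dst"]} '
              f'seq={h["seq_num"]} frag={h["frag_num"]} retry={h["retry"]}')
    print("retries:", len(display_filter(headers, retry=True)))
```

Fragmented frames are reassembled by matching the sequence number and increasing fragment numbers with `more_frag` set on all but the last, which is the same logic an analyzer uses when it groups them.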

1.2.5 Use multiple adapters and channel aggregation to view captures from multiple channels

  • Use with bonded channels
  • Capture all desired channels and view the output as one

1.2.6 Implement protocol analyzer decryption procedures

  • Can only be done on networks using shared key authentication
  • The 4-way handshake needs to be captured (EAPoL, EAP over LAN)

1.2.7 View and use capture statistical information for analysis

  • Run reports to create statistical graphs based on filters
  • Packet size
  • Traffic per device

1.2.8 Use expert mode for analysis

  • Often a presentation of anomalies found
  • Some can track events and provide symptoms and remedies

1.2.9 View and understand peer maps as they relate to communications analysis

  • Know which stations are communicating with each other by illustrating the connections
  • Unable to view a layer 3 map on WPA and WPA2 networks unless you can decrypt layer 3
  • Capturing on the wired side of the AP (ingress and egress) can help build the peer map

1.3

1.3.1 Save to disk

  • Capture has to be stopped to save
  • Some tools will write to disk while capturing, but the system must be able to write as fast as it captures
  • Save to the network when using APs due to limited capacity for the AP storage

1.3.2 Packet slicing

  • Used when the capture may be too long
  • You get the frame headers but the data payload is not captured
  • 400 bytes recommended to capture large beacon frames
  • If encryption is in use the payload is of no use anyway

1.3.3 Event triggers

  • Integrated and distributed can have event triggers set
  • Laptop-based tools can begin truncating based on events and stop when the file reaches a certain size

1.3.4 Buffer options

  • Used to store captured packets/frames in memory as they are captured
  • Limited to the amount of RAM
  • When the file exceeds available space it gets overwritten
  • May be configured to stop at a maximum size

1.3.5 Channels and channel widths

  • Management frames are on the base channel for bonded channels

1.3.6 Capture filters

  • Information that is not captured can never be viewed

1.3.7 Channel scanning and dwell time

  • Dwell time is the amount of time spent on each channel before hopping to the next

1.4

1.4.1 WLAN scanners and discovery tools

  • Often low-cost or free
  • Can be simple like a key chain or shirt
  • Discovers available WLANs

1.4.2 Protocol capture visualization and analysis tools

  • Excellent for making reports
  • Visual of captured information

1.4.3 Centralized monitoring, alerting and forensic tools

1.5

  1. Define a clear problem statement with symptoms and potential causes
    1. Define clear problem statement
    2. Foundation of troubleshooting process
    3. Without it the wrong problem could be solved
  2. Gather the facts to help isolate the possible cause
    1. Clarify the details and expand on the problem statement
  3. Consider possible problems based on the facts
    1. List likely causes
  4. Create an action plan based on the remaining potential problems and most likely cause
    1. Action plan based on the most likely cause
  5. Implement the action plan
    1. Perform actions to verify theoretical cause
  6. As changes are made gather results
    1. As steps are taken record the given results
  7. Analyze the results and determine whether the problem is resolved
    1. Verify all problems are resolved
  8. If the problem is not resolved repeat 5-7
