Difference between revisions of "RTS/CTS and Network Analysis using Wireshark"
Revision as of 06:48, 13 February 2020
The purpose of this lab is to investigate RTS/CTS and CTS-to-self messaging in the Wild. By doing this we will also learn about monitor mode and what it does, as well as gaining some familiarity with Wireshark.
Initial Setup
You should start by setting up a network as shown below. Remember that at the beginning of every lab you should restore factory defaults to remove the previous group's settings. To do this, go to Administration->Factory Defaults->Yes, then apply and OK.
To limit the number of computers required, you may wish to make the Windows Wireless device, in the diagram below, your phone or laptop.
Wireshark
Wireshark is an application that is used for troubleshooting and studying networks. I hope that you will become very familiar with it as it is an excellent learning/diagnostic tool.
Under standard operation, wireless devices are only able to see frames that are either sourced by them or destined for them. Open Wireshark on either Windows or Linux and start capturing on your WiFi adapter. Ping your access point over the link and ensure that you have captured these frames. Save your packet capture, as we will return to it later. What can you see? What do you think might be missing?
Note that we are unable to see important management frames like beacons, probe requests and probe responses. To see them we need a Linux OS and to put a wireless adaptor in a special mode called monitor mode.
Monitor Mode on Linux
Ensure that wifi is disabled on your computer. Click the network icon in the top right and check that WiFi is off. This will stop the OS from controlling our network device. Issue an:
ifconfig
and a:
ifconfig -a
Compare the outputs to determine the name of your wireless adaptor. Then you can proceed with the commands below.
sudo iwconfig [adaptor_name] mode monitor
sudo ifconfig [adaptor_name] up
sudo rfkill unblock all
sudo ifconfig [adaptor_name] up
sudo wireshark
You can change the channel of your monitor mode adaptor by opening a terminal and typing:
sudo iwconfig [adaptor_name] channel [Channel your AP is using]
You should be able to capture traffic in monitor mode on your wireless interface. What is different in the monitor mode output? What do you think monitor mode does? Compare it with the capture you saved earlier. Discuss with your group and chat with your tutor.
RTS/CTS Messaging
Turn on RTS/CTS messaging:
- On your AP, this is under Wireless->Basic-Settings->Advanced-Settings. You should set the threshold to 1.
- On a Windows device: Device Manager->Wireless NIC->Mixed Mode Protection
- On a Linux device:
sudo iwconfig [wireless_adapter_name] RTS 100
Start some continual pings from your wired to your wireless host. Check to see if any RTS/CTS or CTS-to-self messages are being sent. Depending on which channel you use, you will potentially pick up transmissions from many different APs and it may be difficult to find yours. Locating specific data within a large packet capture file is a very important skill for networking professionals. If you are having trouble locating your ICMP ping messages, try disabling the 5 GHz radio on your AP.
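The reason RTS/CTS helps is the Duration field each frame carries: every station that hears the RTS or the CTS sets its NAV (network allocation vector) to cover the rest of the exchange, so even a hidden node that only hears the CTS stays quiet for the data and the ACK. The following is an added worked example, not code from the lab page; it assumes 802.11a-style OFDM timing (SIFS = 16 us, 20 us preamble, 4 us symbols), control frames at 24 Mbit/s, a 120-byte data frame for a ping at 54 Mbit/s, and the standard frame sizes; change the constants to match your own capture.

```python
"""Duration/NAV arithmetic behind an 802.11 RTS/CTS exchange (added example).

Assumed parameters: 802.11a OFDM timing, control frames at 24 Mbit/s,
data at 54 Mbit/s. Frame lengths include the 4-byte FCS.
"""
import math

SIFS_US = 16          # assumed: 802.11a SIFS (802.11g uses 10 us)
PREAMBLE_US = 20      # OFDM short + long training fields + SIGNAL symbol
SYMBOL_US = 4         # one OFDM data symbol
RTS_LEN, CTS_LEN, ACK_LEN = 20, 14, 14   # bytes, per the 802.11 frame formats


def airtime_us(length_bytes: int, rate_mbps: int) -> int:
    """Transmit time of one OFDM PPDU: preamble plus whole data symbols.

    Each symbol carries rate_mbps * 4 bits at 20 MHz; the PSDU is wrapped in
    16 SERVICE bits and 6 tail bits before being padded to whole symbols.
    """
    bits = 16 + 8 * length_bytes + 6
    bits_per_symbol = rate_mbps * 4
    return PREAMBLE_US + SYMBOL_US * math.ceil(bits / bits_per_symbol)


def exchange_durations(data_len: int, data_rate: int = 54, ctl_rate: int = 24) -> dict:
    """Duration-field values (us) that RTS, CTS, Data and ACK should carry.

    Each value covers everything that remains in the exchange after the frame
    carrying it ends, so every frame predicts the same end-of-exchange time.
    """
    t_cts = airtime_us(CTS_LEN, ctl_rate)
    t_ack = airtime_us(ACK_LEN, ctl_rate)
    t_data = airtime_us(data_len, data_rate)
    rts_dur = 3 * SIFS_US + t_cts + t_data + t_ack
    return {
        "rts": rts_dur,
        "cts": rts_dur - SIFS_US - t_cts,           # what is left once the CTS ends
        "data": SIFS_US + t_ack,
        "ack": 0,                                   # last frame: nothing left to protect
        "cts_to_self": 2 * SIFS_US + t_data + t_ack,  # CTS-to-self protects Data + ACK
    }


def handshake_overhead(data_len: int, data_rate: int = 54, ctl_rate: int = 24) -> tuple:
    """Medium time (us) to deliver one data frame without and with RTS/CTS.

    The difference is the cost of the handshake, which is why a small RTS
    threshold is expensive for traffic made of short frames such as pings.
    """
    t_rts = airtime_us(RTS_LEN, ctl_rate)
    t_cts = airtime_us(CTS_LEN, ctl_rate)
    t_ack = airtime_us(ACK_LEN, ctl_rate)
    t_data = airtime_us(data_len, data_rate)
    without = t_data + SIFS_US + t_ack
    with_rts = t_rts + SIFS_US + t_cts + SIFS_US + without
    return without, with_rts


def nav_after_frames(heard: list) -> int:
    """NAV of a third station after hearing frames: heard = [(end_time_us, duration_us)].

    The NAV only ever grows, so a hidden node that misses the RTS but hears
    the CTS arrives at the same reservation as a node that heard both.
    """
    nav = 0
    for end_time, duration in heard:
        nav = max(nav, end_time + duration)
    return nav


if __name__ == "__main__":
    print(exchange_durations(120))       # durations for a 120-byte ping frame
    print(handshake_overhead(120))       # (without RTS/CTS, with RTS/CTS) in us
    # RTS ends at t=28 us, CTS ends at t=72 us; both point at the same end time.
    print(nav_after_frames([(28, 144), (72, 100)]), nav_after_frames([(72, 100)]))
```

With these assumptions the RTS carries a duration of 144 us, the CTS 100 us and the data frame 44 us, and a station that only hears the CTS computes the same NAV expiry as one that heard the RTS as well. The overhead figure (84 us without the handshake against 172 us with it for a ping-sized frame) is the quantitative version of the "drawback" question below.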
Troubleshooting
You may not be able to see all of your frames. Why/why not? Can you see a higher proportion of BlockAcks, Acks, Beacons or Probe Requests/Responses? Why do you think this is?
The diagrams on the right show what you should see when you have identified the appropriate frames: RTS, CTS, Ping and Ack.
Questions
See if you can answer the following questions.
- What is the benefit of the RTS/CTS process? What problem does it solve?
- What is a drawback of the RTS/CTS process?
- Why can't we see the DCF process? Why can't we see interframe spacing?
- What do you think the difference is between an 802.11 Ack and a Block Ack? What do you think the Block Ack bitmap does? Does wired Ethernet use Acks? Why/why not?
- If you are seeing more Acks than data frames, why do you think this is the case?
- Can you see any instances where there is a CTS without an RTS? What is going on here?
- What is the proportion of Block Acks to data frames? Why do you think this ratio occurs?
- What percentage of your total frames are data frames?
- What data rates are 802.11 acks sent at?
- What is the distribution of packet sizes? Break into:
  - < 500 bytes
  - < 1000 bytes
  - >= 1000 bytes
- Do you believe that your captured distribution is normal? Why, why not?
- What percentage of data frames are retransmitted?
- Why do you think packets are being lost?
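Most of the questions above, and the proportions asked about under Troubleshooting, come down to classifying each captured frame by its Frame Control field and counting. Wireshark exposes that field as wlan.fc.type_subtype (the value is type << 4 | subtype) and the Retry bit as wlan.fc.retry, so the same numbers can be checked against display filters. The following is an added worked example, not code from the lab page: it parses the two Frame Control bytes at the start of each 802.11 MAC header and computes the statistics the questions ask for. The sample frames are constructed here, not taken from a real capture, and the per-frame data rate stands in for the rate Wireshark attaches from the radiotap header.

```python
"""Classify 802.11 frames from their Frame Control bytes and compute capture statistics.

Added example for the lab questions. Sample frames below are constructed,
not from a real capture; lengths are the on-air frame length and the rate
is the data rate Wireshark would report for that frame.
"""
from collections import Counter

# Wireshark's wlan.fc.type_subtype value is (type << 4) | subtype.
NAMES = {
    0x04: "Probe Req", 0x05: "Probe Resp", 0x08: "Beacon",
    0x18: "BlockAckReq", 0x19: "BlockAck", 0x1b: "RTS", 0x1c: "CTS", 0x1d: "ACK",
    0x20: "Data", 0x28: "QoS Data",
}
DATA_TYPES = {"Data", "QoS Data"}


def parse_frame_control(frame: bytes) -> tuple:
    """Return (type_subtype, retry) from the first two bytes of an 802.11 header.

    Byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    Byte 1: flags; bit 3 (0x08) is the Retry flag set on retransmissions.
    """
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return (ftype << 4) | subtype, bool(fc1 & 0x08)


def header(type_subtype: int, retry: bool = False) -> bytes:
    """Build the two Frame Control bytes for a type_subtype (used to construct samples)."""
    fc0 = ((type_subtype & 0xF) << 4) | ((type_subtype >> 4) << 2)
    return bytes([fc0, 0x08 if retry else 0x00])


# Constructed sample capture: (frame bytes, on-air length in bytes, rate in Mbit/s).
SAMPLE = [
    (header(0x08) + b"\0" * 100, 102, 6),                 # Beacon
    (header(0x1b) + b"\0" * 18, 20, 24),                  # RTS
    (header(0x1c) + b"\0" * 12, 14, 24),                  # CTS answering the RTS
    (header(0x28) + b"\0" * 118, 120, 54),                # QoS Data carrying a ping
    (header(0x1d) + b"\0" * 12, 14, 24),                  # ACK
    (header(0x28, retry=True) + b"\0" * 118, 120, 54),    # retransmitted ping
    (header(0x1d) + b"\0" * 12, 14, 24),                  # ACK
    (header(0x1c) + b"\0" * 12, 14, 24),                  # CTS-to-self: no RTS before it
    (header(0x28) + b"\0" * 1498, 1500, 54),              # large QoS Data frame
    (header(0x19) + b"\0" * 30, 32, 24),                  # BlockAck
]


def size_bucket(length: int) -> str:
    """Bucket a frame length the way the question asks: <500, <1000, >=1000 bytes."""
    return "<500" if length < 500 else "<1000" if length < 1000 else ">=1000"


def summarize(frames: list) -> dict:
    """Counts per frame type, data-frame share, BlockAck ratio, ACK rates, sizes, retries."""
    counts, ack_rates, sizes = Counter(), Counter(), Counter()
    data_total = data_retry = 0
    for raw, length, rate in frames:
        ts, retry = parse_frame_control(raw)
        name = NAMES.get(ts, f"0x{ts:02x}")
        counts[name] += 1
        sizes[size_bucket(length)] += 1
        if name == "ACK":
            ack_rates[rate] += 1              # 802.11 ACKs go out at a basic rate
        if name in DATA_TYPES:
            data_total += 1
            data_retry += int(retry)
    n = len(frames)
    return {
        "counts": dict(counts),
        "data_pct": 100.0 * data_total / n,
        "blockack_per_data": counts["BlockAck"] / data_total if data_total else None,
        "retry_pct": 100.0 * data_retry / data_total if data_total else None,
        "ack_rates": dict(ack_rates),
        "sizes": dict(sizes),
    }


def cts_without_rts(frames: list) -> int:
    """Count CTS frames not immediately preceded by an RTS (the CTS-to-self pattern)."""
    found, prev = 0, None
    for raw, _, _ in frames:
        ts, _ = parse_frame_control(raw)
        if ts == 0x1c and prev != 0x1b:
            found += 1
        prev = ts
    return found


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
    print("CTS without RTS:", cts_without_rts(SAMPLE))
```

To apply this to your own capture, export the frames from Wireshark and feed the raw 802.11 header bytes, frame length and data rate into the same tuples; the `header()` helper is only there to construct the sample. The equivalent Wireshark filters for the counts are `wlan.fc.type_subtype == 0x1b` (RTS), `0x1c` (CTS), `0x1d` (ACK), `0x19` (BlockAck) and `wlan.fc.retry == 1` for retransmitted frames.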
Restore Factory Defaults
At the end of every lab you should restore factory defaults to remove your group's settings for the next group. To do this, go to Administration->Factory Defaults->Yes, then apply and OK.