Wireshark-users: Re: [Wireshark-users] capturing 802.11 management frames

From: Loris Degioanni <loris.degioanni@xxxxxxxxxxxx>
Date: Tue, 07 Aug 2007 09:05:14 -0700
Xu Yao wrote:

Hello,

I have met several problems when trying to capture 802.11 management frames. Could anyone who has such experience help me?

1. A card in monitor mode is said to capture frames on a given channel, however, I have also noticed frames from other channels.

802.11a/b/g channels are 20 MHz in width, but their distance is only 5 MHz. This means that two transmitters on contiguous channels (like 3 and 4) share a good part of their spectrum. Therefore, it's pretty common for traffic on channel 4 to be recognized by a receiver on channel 3, especially if the transmitter is powerful and/or close.

2. I have also noticed frame losses, but I don't know whether it's due to the driver of the card or the processing capacity of the machine.

Wireless capture is not an exact science like wired capture. There are many more factors that cause frame loss, among which:

- position of the capture adapter and distance from the transmitter and the receiver. It's very common to capture only one side of the conversation because the other one is too far.
- gain of the antenna of the capture adapter.
- orientation of the antenna of the capture adapter. Even omnidirectional antennas normally don't work on their vertical axis.
- external conditions that decrease the reception: walls, cordless phones, microwave ovens, and so on.
- and of course, software problems too, like drivers that don't configure the card properly.

Note that, with wireless, processing capacity is normally not an issue, because even at full rate the traffic is so low that a modern machine handles it easily even without optimized capture pipes. And in real life you're always very far from full rate.

3. Is there a way to capture all "probe request" packets sent on different channels when a station tries to attach itself to an AP?

You need a capture system that supports multi-channel capture. My company, CACE Technologies, sells a product called AirPcap 3-Pack (http://www.cacetech.com/products/airpcap.htm), that allows capturing on 3 channels at the same time with Wireshark.

Loris

Thanks.
Yao
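
An added example, not part of the original message: one way to check a capture for the adjacent-channel reception described in answer 1 is to compare the channel the receiver was tuned to with the channel a beacon or probe frame advertises in its DS Parameter Set element. It assumes each packet starts with a radiotap header and that the frame has no HT Control field; the function names and the sample frame are constructed for illustration.

```python
import struct

FIXED_LEN = {8: 12, 5: 12, 4: 0}  # fixed body bytes: beacon, probe response, probe request

def freq_to_channel(mhz):
    return 14 if mhz == 2484 else (mhz - (2407 if mhz < 2484 else 5000)) // 5

def tuned_mhz(pkt):
    """Return (frequency the receiver was tuned to, radiotap header length)."""
    rt_len, present = struct.unpack_from("<HI", pkt, 2)
    off, word = 8, present
    while word & 0x80000000:              # skip extended 'present' bitmaps
        word, = struct.unpack_from("<I", pkt, off)
        off += 4
    if present & 0x1:                     # TSFT: u64 on an 8-byte boundary
        off = ((off + 7) & ~7) + 8
    off += bin(present & 0x6).count("1")  # Flags and Rate: one byte each
    if not present & 0x8:                 # no Channel field recorded
        return None, rt_len
    off = (off + 1) & ~1                  # Channel: u16 MHz + u16 flags, 2-byte aligned
    return struct.unpack_from("<H", pkt, off)[0], rt_len

def advertised_channel(frame):
    """Channel in the DS Parameter Set element (ID 3); assumes no HT Control field."""
    subtype = frame[0] >> 4
    if (frame[0] >> 2) & 0x3 != 0 or subtype not in FIXED_LEN:
        return None                       # not a management frame of interest
    off = 24 + FIXED_LEN[subtype]
    while off + 2 <= len(frame):          # bounds-checked walk over tagged elements
        eid, elen = frame[off], frame[off + 1]
        if eid == 3 and elen == 1 and off + 3 <= len(frame):
            return frame[off + 2]
        off += 2 + elen
    return None

def check(pkt):
    """Return (tuned channel, advertised channel, is_off_channel) or None."""
    mhz, rt_len = tuned_mhz(pkt)
    adv = advertised_channel(pkt[rt_len:])
    if mhz is None or adv is None:
        return None
    return freq_to_channel(mhz), adv, freq_to_channel(mhz) != adv

def sample_beacon(mhz, ap_channel):
    """Constructed test input: radiotap (Flags, Rate, Channel) + minimal beacon."""
    rt = struct.pack("<BBHIBBHH", 0, 0, 14, 0xE, 0, 2, mhz, 0x00A0)
    hdr = b"\x80\x00" + bytes(2) + b"\xff" * 6 + bytes.fromhex("020000000001") * 2 + bytes(2)
    return rt + hdr + bytes(12) + b"\x00\x04test" + bytes([3, 1, ap_channel])
```

Calling check(sample_beacon(2422, 4)) models the case in the reply: a receiver tuned to channel 3 decoding a beacon from an AP on channel 4.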

