OPEN
=========

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section,

   * :ref:`Learnings in this section <80211ng_open_1>`
   * :ref:`Version Info <80211ng_open_2>`
   * :ref:`Packet flow in OPEN mode <80211ng_open_3>`
   * :ref:`Connection steps in open mode <80211ng_open_4>`
   * :ref:`STEP 1: Bring up AP <80211ng_open_5>`
   * :ref:`STEP 2: Bring up STA <80211ng_open_6>`
   * :ref:`Wireshark capture <80211ng_open_7>`
   * :ref:`Wireshark capture Analysis <80211ng_open_8>`

.. _80211ng_open_1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2
         :card: shadow

         * How to run wpa_supplicant and hostapd in open mode

.. _80211ng_open_2:

.. tab-set::

   .. tab-item:: Version Info

      =============================== =======================================
      #                               Version
      =============================== =======================================
      Supplicant                      wpa_supplicant 2.10
      Hostapd                         hostapd 2.10
      =============================== =======================================

.. _80211ng_open_3:

.. tab-set::

   .. tab-item:: Packet flow in OPEN mode

      .. plantuml::
         :scale: 130 %

         == Scanning ==
         STA -> AP: **Probe Request**
         AP -> STA: **Probe Response**
         == Authentication ==
         STA -> AP: **Authentication Request**
         AP --> STA: ACK
         AP -> STA: **Authentication Response**
         STA --> AP: ACK
         == Association ==
         STA -> AP: **Association Request**
         AP --> STA: ACK
         AP -> STA: **Association Response**
         STA --> AP: ACK
         == PING AP from STA ==
         STA -> AP: **ARP Request**
         AP --> STA: ACK
         AP -> STA: **ARP Reply**
         STA --> AP: ACK
         STA -> AP: **ICMP Echo Request**
         AP --> STA: ACK
         AP -> STA: **ICMP Echo Reply**
         STA --> AP: ACK
         STA -> AP: **ICMP Echo Request**
         AP --> STA: ACK
         AP -> STA: **ICMP Echo Reply**
         STA --> AP: ACK
         STA -> AP: **ICMP Echo Request**
         AP --> STA: ACK
         AP -> STA: **ICMP Echo Reply**
         STA --> AP: ACK

.. _80211ng_open_4:

.. tab-set::

   .. tab-item:: Connection steps in open mode

.. _80211ng_open_5:

.. tab-set::

   .. tab-item:: STEP 1: Bring up AP using hostapd

      .. csv-table::
         :file: ./open/open_ap.csv
         :class: tight-table

.. _80211ng_open_6:

.. tab-set::

   .. tab-item:: STEP 2: Bring up STA using supplicant

      .. csv-table::
         :file: ./open/open_sta.csv
         :class: tight-table

.. _80211ng_open_7:

.. tab-set::

   .. tab-item:: Wireshark capture

      * Download file to check Wireshark output
        :download:`Packet capture in OPEN mode <./open/802.11ng_open_ping.pcapng>`

.. _80211ng_open_8:

.. tab-set::

   .. tab-item:: Wireshark capture Analysis

      * In this section, you will verify connectivity and frame exchange using the Wireshark capture.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Beacon Packet Analysis**

   1. Check if the AP is beaconing

      * The AP periodically transmits **Beacon frames** to announce its Basic Service Set (BSS).
      * These include fields such as **SSID**, **Supported Rates**, **Channel Number**, and **Capabilities Information**.
      * The **Beacon frame** is fundamental for STA discovery and association.

   2. Verify the **Beacon Interval** (100 ms).

      * Beacon frames are transmitted periodically — typically every **100 ms** (0.102 seconds).
      * In Wireshark, you can check this in the **“Time delta from previous captured frame”** column or in the Beacon’s **fixed parameters**.
      * Consistent 100 ms intervals indicate stable AP timing and proper beacon scheduling.

      .. image:: ./open/802.11ng_open_beacon/beacon_1.png
         :alt: Beacon interval (100ms) in Wireshark
         :scale: 95 %

   3. Check the **Subtype** field in the Beacon frame.

      * The Subtype identifies the frame as a **Beacon** (Subtype = 8).
      * A correct Subtype ensures Wireshark is recognizing the management frame correctly.

      .. image:: ./open/802.11ng_open_beacon/beacon_2.png
         :alt: Beacon frame subtype in Wireshark
         :scale: 95 %

   4. Verify that the **Data Rate** includes **1 Mbps** (mandatory for 802.11ng).

      * 802.11ng supports both **legacy rates (1, 2, 5.5, 11 Mbps)** and **OFDM rates (6, 9, 12, 18, 24, 36, 48, 54 Mbps)**.
      * Check that **1 Mbps** and other mandatory basic rates are included for backward compatibility.
      * This ensures both old (b) and new (g) devices can associate properly.

      .. image:: ./open/802.11ng_open_beacon/beacon_3.png
         :alt: Beacon frame data rate check in Wireshark
         :scale: 95 %

   5. Check if the **Receiver Address (RA)** is the **Broadcast address**.

      * Beacon frames are sent to the broadcast address **FF:FF:FF:FF:FF:FF** so that all nearby STAs can receive them.
      * This confirms that the beacon is not targeted to a specific STA but intended for all devices in range.
      * **No ACK is sent** for Beacon frames because they are broadcast.

      .. image:: ./open/802.11ng_open_beacon/beacon_4.png
         :alt: Receiver address in Beacon frame
         :scale: 95 %

   6. **Capabilities Information (0x0401)**

      * Describes features supported by the AP.
      * **Key Bits:**

        - **ESS Capable (bit 0):** AP operates in infrastructure mode.
        - **IBSS (bit 1):** 0 → Not an ad-hoc network.
        - **Privacy (bit 4):** 0 → Open network (no encryption).
        - **Short Slot Time (bit 10):** In use → 802.11g optimization.
        - **QoS:** Not implemented.

      .. image:: ./open/802.11ng_open_beacon/beacon_5.png
         :alt: Capabilities Information field
         :scale: 95 %

   7. Verify **Supported Rates**.

      * Lists data rates supported by the AP:

        - **Basic (B)**: 1, 2, 5.5, 11 Mbps (802.11b)
        - **Additional:** 6, 9, 12, 18 Mbps

      * Ensures backward compatibility with legacy 802.11b devices.

      .. image:: ./open/802.11ng_open_beacon/beacon_6.png
         :alt: Supported rates in Beacon frame
         :scale: 95 %

   8. **Extended Supported Rates**

      * Adds higher OFDM rates: **24, 36, 48, 54 Mbps**
      * Enables faster data transmission under 802.11g PHY.

      .. image:: ./open/802.11ng_open_beacon/beacon_7.png
         :alt: Extended Supported Rates in Beacon frame
         :scale: 95 %

   9. Check the **DS Parameter Set (Channel Information)**

      * The DS Parameter Set element indicates the current channel number on which the AP is operating.
      * It confirms that the STA should tune to the same channel for communication.
      * The DS parameter helps verify correct AP channel configuration during beaconing.
      * 802.11ng operates in the **2.4 GHz band (channels 1–13)** similar to 802.11b.

      .. image:: ./open/802.11ng_open_beacon/beacon_8.png
         :alt: DS Parameter Set in Beacon frame
         :scale: 95 %

   10. **Traffic Indication Map (TIM)**

       * **DTIM Count = 0**, **DTIM Period = 2**
       * Indicates buffered data for power-saving STAs.
       * Part of the beacon that manages power-save delivery.

       .. image:: ./open/802.11ng_open_beacon/beacon_9.png
          :alt: TIM field in Beacon frame
          :scale: 95 %

   11. **Check for ERP Information Element**

       * 802.11ng uses the **ERP (Extended Rate PHY) element** to manage coexistence with older 802.11b devices.
       * It tells the AP and STAs whether special protection mechanisms are needed in a mixed 802.11b/g network.
       * You can find it in Wireshark under **Tagged Parameters**, Tag Number 42 (0x2A).
       * **Important bits:**

         * **Non-ERP Present (bit 0)** → Shows if 802.11b stations exist.
         * **Use Protection (bit 1)** → Enables protection (RTS/CTS or CTS-to-Self).
         * **Barker Preamble (bit 2)** → Indicates use of Barker preamble for compatibility.

       .. image:: ./open/802.11ng_open_beacon/beacon_10.png
          :alt: ERP Information Element in Beacon frame
          :scale: 95 %

   12. **HT Capabilities (802.11n D1.10)**

       * Indicates partial support for 802.11n high-throughput features:

         - **A-MPDU Parameters** – Aggregation capability
         - **MCS Set** – Supported Modulation and Coding schemes
         - **Tx Beamforming and ASEL** – Not supported (0x00)

       * Shows backward compatibility with later PHY standards.

       .. image:: ./open/802.11ng_open_beacon/beacon_11.png
          :alt: HT Capabilities element in Beacon frame
          :scale: 95 %

   13. **HT Information (802.11n D1.10)**

       * Describes the AP’s HT operation settings:

         - **Primary Channel:** 6
         - **HT Information Subsets:** 0x00, 0x0000, 0x0000

       * Confirms compatibility with HT (802.11n) devices.

       .. image:: ./open/802.11ng_open_beacon/beacon_12.png
          :alt: HT Information element
          :scale: 95 %

   14. **Vendor Specific – WMM/WME (Microsoft Corp.)**

       * **OUI:** 00:50:f2 (Microsoft Corp.)
       * Advertises **QoS support** through Wireless Multimedia Extensions (WME).
       * Provides four access categories:

         - **AC_BE (Best Effort)**
         - **AC_BK (Background)**
         - **AC_VI (Video)**
         - **AC_VO (Voice)**

       * Enables priority handling for multimedia traffic.

       .. image:: ./open/802.11ng_open_beacon/beacon_13.png
          :alt: WMM/WME element in Beacon frame
          :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Probe Request Packet Analysis**

   1. Check if the STA is sending a Probe Request packet

      * Probe Request frames are sent by STAs to discover available 802.11ng (and backward-compatible 802.11b) APs.
      * Verifying Probe Requests ensures the STA is actively scanning for networks.
      * **No ACK is expected** for broadcast Probe Requests.

   2. Check the **Frame Subtype** to confirm it is a **Probe Request**.

      * In Wireshark, the Frame Control field indicates the subtype.
      * Probe Request frames should have subtype **0x0004**.
      * This confirms the STA is in the scanning phase.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_1.png
         :alt: Probe Request subtype in Wireshark
         :scale: 95 %

   3. Verify the **Source Address** in the Probe Request.

      * Source Address should match the STA’s MAC address.
      * This ensures the frame is indeed coming from the correct STA.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_2.png
         :alt: Probe Request source address
         :scale: 95 %

   4. Verify the **Receiver Address** in the Probe Request.

      * Receiver Address should be the **broadcast address** (FF:FF:FF:FF:FF:FF).
      * This allows all APs on the channel to receive the request.
      * **No ACK is expected** for broadcast Probe Requests.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_3.png
         :alt: Probe Request receiver address
         :scale: 95 %

   5. Check the **SSID field** in the Probe Request.

      * For general network discovery, SSID should be set to **Wildcard SSID (empty)**.
      * A specific SSID can limit scanning to only that AP.
      * In 802.11ng, wildcard probing is common during passive and active scans.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_4.png
         :alt: Probe Request SSID field
         :scale: 95 %

   6. Verify the **Supported Rates**

      * STA advertises its supported data rates:

        - **1, 2, 5.5, 11 Mbps (802.11b)**
        - **6, 9, 12, 18 Mbps (802.11a/g/n)**

      * Ensures backward compatibility with legacy APs.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_5.png
         :alt: Supported Rates field in Probe Request
         :scale: 95 %

   7. Verify the **Extended Supported Rates**

      * Additional OFDM rates:

        - **24, 36, 48, 54 Mbps**

      * Confirms support for higher throughput in 802.11a/g/n PHYs.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_6.png
         :alt: Extended Supported Rates element in Probe Request
         :scale: 95 %

   8. Verify the **HT Capabilities (802.11n D1.10)**

      * Advertises 802.11n-specific capabilities:

        - **HT Capabilities Info = 0x19ef**
        - **A-MPDU Parameters = 0x13**
        - **MCS Set:** Indicates supported Modulation and Coding Schemes.
        - **Short GI (400 ns):** Reduces inter-symbol delay.
        - **Channel Width (20/40 MHz):** HT operation flexibility.

      * Confirms STA supports **High Throughput (HT)** features.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_7.png
         :alt: HT Capabilities field in Probe Request
         :scale: 95 %

   9. Verify the **Extended Capabilities**

      * Contains additional feature flags (11 octets).
      * Indicates optional support such as:

        - QoS/WMM extensions
        - 20/40 MHz BSS coexistence
        - Interworking or QoS Map

      * Confirms that STA supports advanced 802.11n+ capabilities.

      .. image:: ./open/802.11ng_open_probe_req/probe_req_8.png
         :alt: Extended Capabilities field in Probe Request
         :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Probe Response Packet Analysis**

   1. Check if the AP is sending a Probe Response packet

      * Probe Response frames are sent by the AP in reply to a Probe Request from a STA.
      * Analyzing Probe Response frames ensures the AP is correctly responding and broadcasting its network capabilities.
      * **Note:** Probe Responses are **unicast to the requesting STA**, so an ACK is expected from the STA.

   2. Check the **Frame Subtype** to confirm it is a **Probe Response**.

      * Subtype identifies the frame as a **Probe Response** (Subtype = 5).
      * Ensures Wireshark is correctly capturing AP responses.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_1.png
         :alt: Probe Response subtype in Wireshark
         :scale: 95 %

   3. Verify the **Source Address** in the Probe Response.

      * Source Address should be the MAC of the AP.
      * Confirms the frame is coming from the correct AP.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_2.png
         :alt: Source address in Probe Response
         :scale: 95 %

   4. Verify the **Receiver Address** in the Probe Response.

      * Receiver Address should be the MAC of the requesting STA.
      * Confirms the response is unicast and directed to the correct STA.
      * Probe Responses are **unicast to the requesting STA**, so an ACK is expected from the STA.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_3.png
         :alt: Receiver address in Probe Response
         :scale: 95 %

   5. Check the **SSID field** in the Probe Response.

      * SSID must match the AP configuration.
      * Confirms the AP is broadcasting the expected network name.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_4.png
         :alt: SSID in Probe Response
         :scale: 95 %

   6. Check **Capability Information** field for **ESS=1** in the Probe Response.

      * ESS bit indicates the AP is part of an infrastructure BSS.
      * Must be set to 1 for proper STA-AP communication.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_5.png
         :alt: ESS bit in Capability Information in Probe Response
         :scale: 95 %

   7. Check **Capability Information** field for **Privacy=0** in the Probe Response.

      * Privacy bit indicates whether encryption is enabled.
      * In Open mode, this should be 0, showing no encryption.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_6.png
         :alt: Privacy bit in Capability Information in Probe Response
         :scale: 95 %

   8. Verify the **Supported Rates**

      * AP advertises these data rates: **1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18 Mbps**
      * The “(B)” flag marks Basic rates required for legacy 802.11b clients.
      * Ensures backward compatibility with older stations.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_7.png
         :alt: Supported Rates in Probe Response
         :scale: 95 %

   9. Verify the **Extended Supported Rates**

      * Additional OFDM rates: **24, 36, 48, 54 Mbps**
      * Indicates AP’s support for higher-throughput 802.11g/n PHY operation.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_8.png
         :alt: Extended Supported Rates element in Probe Response
         :scale: 95 %

   10. Verify **DS Parameter Set** (channel assignment) in the Probe Response.

       * DS Parameter indicates the AP’s operating channel.
       * Confirms the STA knows which channel to use to associate with the AP.

       .. image:: ./open/802.11ng_open_probe_resp/probe_resp_9.png
          :alt: DS Parameter Set (channel) in Probe Response
          :scale: 95 %

   11. Verify **ERP Information Element** in the Probe Response.

       * 802.11ng uses the **ERP (Extended Rate PHY) element** to manage coexistence with older 802.11b/g devices.
       * It tells the AP and STAs whether special protection mechanisms are needed in a mixed 802.11b/g network.
       * You can find it in Wireshark under **Tagged Parameters**, Tag Number 42 (0x2A).
       * **Important bits:**

         * **Non-ERP Present (bit 0)** → Shows if 802.11b stations exist.
         * **Use Protection (bit 1)** → Enables protection (RTS/CTS or CTS-to-Self).
         * **Barker Preamble (bit 2)** → Indicates use of Barker preamble for compatibility.

       .. image:: ./open/802.11ng_open_probe_resp/probe_resp_10.png
          :alt: ERP Information Element in Probe Response
          :scale: 95 %

   12. Verify the **HT Capabilities (802.11n D1.10)**

       * Advertises 802.11n HT support.

         - **HT Capabilities Info = 0x000c**
         - **A-MPDU Parameters = 0x17**
         - **MCS Set:** Supported Modulation & Coding Schemes
         - **Short GI:** Supported
         - **40 MHz Channel Width:** Supported

       * Confirms AP supports **High Throughput (HT)** operation.

       .. image:: ./open/802.11ng_open_probe_resp/probe_resp_11.png
          :alt: HT Capabilities field in Probe Response
          :scale: 95 %

   13. Verify the **HT Information (802.11n D1.10)**

       * **Primary Channel:** 6
       * **HT Information Subset:** Indicates channel and protection settings.
       * **Basic MCS Set:** Defines mandatory HT data rates.
       * Ensures HT operation parameters are shared with STA.

       .. image:: ./open/802.11ng_open_probe_resp/probe_resp_12.png
          :alt: HT Information field in Probe Response
          :scale: 95 %

   14. Verify the **Extended Capabilities**

       * Contains additional 802.11n/11e feature flags (8 octets).
       * Indicates support for:

         - QoS/WMM
         - 20/40 MHz coexistence
         - Management frame enhancements

       * Enhances interoperability with advanced STAs.

       .. image:: ./open/802.11ng_open_probe_resp/probe_resp_13.png
          :alt: Extended Capabilities field in Probe Response
          :scale: 95 %

   15. Verify the **Vendor-Specific (WMM/WME) Element**

       * **OUI:** ``00:50:f2`` → Microsoft Corp.
       * **Type:** WMM/WME (0x02)
       * Advertises **Quality of Service (QoS)** parameters for 802.11e.
       * Defines AC (Access Category) parameters for Voice, Video, Best Effort, and Background.

       .. image:: ./open/802.11ng_open_probe_resp/probe_resp_14.png
          :alt: WMM/WME Parameter Element in Probe Response
          :scale: 95 %
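
The Capability Information, rate, DS Parameter Set and ERP checks from the Beacon and Probe Response analysis above can also be scripted instead of clicked through in Wireshark. The following is an added example, not part of the original page and not hostapd or wpa_supplicant code. It assumes the buffer starts at Frame Control (radiotap header and FCS already removed); the sample frame, its MAC addresses and the SSID ``test_open`` are constructed for illustration.

```python
import struct

TAG_SSID, TAG_RATES, TAG_DS, TAG_ERP, TAG_RSN, TAG_EXT_RATES, TAG_VENDOR = 0, 1, 3, 42, 48, 50, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # 00:50:f2 type 1 = WPA; type 2 is the WMM/WME element


def mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def parse_elements(data):
    """Walk the tagged parameters and return (tag, value) pairs; reject truncated elements."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated element header")
        tag, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"element {tag} claims {length} bytes, {len(value)} present")
        out.append((tag, value))
        pos += 2 + length
    return out


def parse_mgmt(frame):
    """Decode a Beacon (subtype 8) or Probe Response (subtype 5) into the fields checked above."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed parameters
        raise ValueError("frame too short")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):
        raise ValueError("not a Beacon or Probe Response")
    interval, cap = struct.unpack_from("<HH", frame, 32)  # follows the 8-byte timestamp
    info = {
        "subtype": subtype,
        "ra": mac(frame[4:10]), "sa": mac(frame[10:16]), "bssid": mac(frame[16:22]),
        "beacon_interval_tu": interval,
        "ess": bool(cap & (1 << 0)), "ibss": bool(cap & (1 << 1)),
        "privacy": bool(cap & (1 << 4)), "short_slot": bool(cap & (1 << 10)),
        "ssid": None, "rates": [], "channel": None, "erp": None, "rsn": False, "wpa": False,
    }
    for tag, value in parse_elements(frame[36:]):
        if tag == TAG_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag in (TAG_RATES, TAG_EXT_RATES):
            # bit 7 = basic-rate flag, the "(B)" in Wireshark; bits 0-6 = rate in 0.5 Mbps units
            info["rates"] += [((b & 0x7F) / 2, bool(b & 0x80)) for b in value]
        elif tag == TAG_DS and value:
            info["channel"] = value[0]
        elif tag == TAG_ERP and value:
            info["erp"] = {"non_erp_present": bool(value[0] & 1),
                           "use_protection": bool(value[0] & 2),
                           "barker_preamble": bool(value[0] & 4)}
        elif tag == TAG_RSN:
            info["rsn"] = True
        elif tag == TAG_VENDOR and value[:4] == WPA_OUI_TYPE:
            info["wpa"] = True
    return info


def open_mode_findings(info):
    """Return deviations from what this page expects of an open-mode BSS (empty list = all pass)."""
    findings = []
    if not info["ess"] or info["ibss"]:
        findings.append("not an infrastructure BSS (ESS=1, IBSS=0 expected)")
    if info["privacy"]:
        findings.append("Privacy bit set: network is not open")
    if info["rsn"] or info["wpa"]:
        findings.append("RSN/WPA element present: network is not open")
    if (1.0, True) not in info["rates"]:
        findings.append("1 Mbps is not advertised as a basic rate")
    broadcast = info["ra"] == "ff:ff:ff:ff:ff:ff"
    if info["subtype"] == 8 and not broadcast:
        findings.append("Beacon receiver address is not broadcast")
    if info["subtype"] == 5 and broadcast:
        findings.append("Probe Response is not unicast to a STA")
    return findings


def build_sample(subtype=8, cap=0x0401, extra=b""):
    """Constructed frame (not taken from the page's pcapng); MACs and SSID are made up."""
    ap = bytes.fromhex("020000000001")
    ra = b"\xff" * 6 if subtype == 8 else bytes.fromhex("020000000002")
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + ra + ap + ap + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)  # timestamp, beacon interval (TU), capabilities
    elements = (bytes([TAG_SSID, 9]) + b"test_open"
                + bytes([TAG_RATES, 8]) + bytes.fromhex("82848b960c121824")
                + bytes([TAG_DS, 1, 6]) + bytes([TAG_ERP, 1, 0])
                + bytes([TAG_EXT_RATES, 4]) + bytes.fromhex("3048606c") + extra)
    return header + fixed + elements


if __name__ == "__main__":
    beacon = parse_mgmt(build_sample())
    print(beacon["ssid"], "channel", beacon["channel"], "privacy", beacon["privacy"])
    print("findings:", open_mode_findings(beacon) or "none")
```

An empty findings list means the frame matches the open-mode expectations listed above: Privacy = 0 and no RSN/WPA element, so every data frame in that BSS is sent unencrypted.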
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Acknowledgement after Probe Response Packet Analysis**

   * After the **AP sends a Probe Response**, the **STA must acknowledge** it with an **Acknowledgement frame**.
   * This ACK confirms successful reception of the Probe Response.
   * The ACK is a **Control frame** (not Management or Data).
   * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval.

   1. Check the Acknowledgement - Frame Subtype

      * When the AP sends a unicast Probe Response, the STA sends an **ACK frame**.
      * ACK frames have **Subtype = 13** in 802.11.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_15.png
         :alt: ACK frame subtype in Wireshark
         :scale: 95 %

   2. Check the Acknowledgement - Receiver Address

      * Receiver Address of the ACK is the **AP’s MAC address** (i.e., the source of the Probe Response).
      * Confirms that the ACK is directed to the correct transmitting AP.

      .. image:: ./open/802.11ng_open_probe_resp/probe_resp_16.png
         :alt: ACK receiver address in Wireshark
         :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Authentication Request Packet Analysis**

   1. Check if the STA is sending an **Authentication Request** packet

      * The Authentication Request frame is sent by the STA to initiate authentication with the AP.
      * In **Open System Authentication**, the exchange consists of two frames:

        1. STA → AP: Authentication Request
        2. AP → STA: Authentication Response

      * This is a **management frame**, unicast to the AP.
      * **ACK** is expected from the AP after receiving this unicast frame.

   2. Check the **Frame Subtype**

      * The Subtype identifies the frame as an **Authentication** frame (**Subtype = 11**).
      * Confirms that this packet is part of the authentication management exchange.

      .. image:: ./open/802.11ng_open_auth_req/auth_req_1.png
         :alt: Authentication Request frame subtype
         :scale: 95 %

   3. Verify the **Source Address** in the Authentication Request packet.

      * The Source Address should be the **STA’s MAC address**.
      * Confirms the authentication initiation is coming from the STA.

      .. image:: ./open/802.11ng_open_auth_req/auth_req_2.png
         :alt: Authentication Request source address
         :scale: 95 %

   4. Verify the **Receiver Address** in the Authentication Request packet.

      * The Receiver Address should be the **AP’s MAC address**.
      * This confirms the STA is directly targeting the AP for authentication.

      .. image:: ./open/802.11ng_open_auth_req/auth_req_3.png
         :alt: Authentication Request receiver address
         :scale: 95 %

   5. Check the **Authentication Algorithm** field in the Authentication Request packet.

      * The **Authentication Algorithm** value should be **0** for Open System Authentication.
      * This indicates no encryption or challenge-response is used (unlike WEP-Shared mode).

      .. image:: ./open/802.11ng_open_auth_req/auth_req_4.png
         :alt: Authentication Algorithm in Authentication Request
         :scale: 95 %

   6. Check the **Authentication Sequence Number** in the Authentication Request packet.

      * Sequence number **1** indicates this is the first (request) message in the authentication exchange.
      * Helps verify proper ordering between Request (1) and Response (2).

      .. image:: ./open/802.11ng_open_auth_req/auth_req_5.png
         :alt: Authentication sequence number in Wireshark
         :scale: 95 %

   7. Verify the **Status Code** in the Authentication Request packet.

      * For the Authentication Request, the **Status Code** is typically **0 (Successful)** or may be absent.
      * Confirms that the STA is requesting authentication without errors.

      .. image:: ./open/802.11ng_open_auth_req/auth_req_6.png
         :alt: Authentication status code
         :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Acknowledgement after Authentication Request Packet Analysis**

   * After the **STA sends an Authentication Request**, the **AP must acknowledge** it with an **ACK frame**.
   * This ACK confirms successful reception of the Authentication Request before the AP sends the **Authentication Response**.
   * The ACK is a **Control frame** (not Management or Data).
   * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval.

   1. Check the **ACK Frame Subtype**.

      * Since the Authentication Request is **unicast**, the AP responds with an **ACK frame**.
      * The ACK has **Subtype = 13** in 802.11.
      * Confirms that the AP successfully received the Authentication Request.

      .. image:: ./open/802.11ng_open_auth_req/auth_req_7.png
         :alt: ACK frame subtype for Authentication Request
         :scale: 95 %

   2. Verify the **ACK Receiver Address**.

      * The ACK frame’s **Receiver Address** should match the **STA’s MAC address** (the source of the Authentication Request).
      * Confirms the AP has acknowledged the STA correctly.

      .. image:: ./open/802.11ng_open_auth_req/auth_req_8.png
         :alt: ACK frame Receiver address
         :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Authentication Response Packet Analysis**

   1. Check if the AP is sending an Authentication Response

      * After receiving the **Authentication Request**, the **AP replies with an Authentication Response** frame.
      * This frame confirms whether the STA’s authentication attempt is **successful or failed** based on the **Status Code** field.
      * The Authentication Response is a **Management Frame** with **Subtype = 11**.

   2. Check the **Frame Subtype**

      * The **Subtype field = 11** indicates it is an **Authentication frame**.
      * Ensures that the AP has correctly responded to the STA’s authentication attempt.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_1.png
         :alt: Authentication Response frame subtype
         :scale: 95 %

   3. **Verify Source Address**

      * The **Source Address** should be the **AP’s MAC address**.
      * Confirms the Authentication Response is sent by the Access Point.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_2.png
         :alt: Source address of Authentication Response
         :scale: 95 %

   4. Check the **Receiver Address**

      * The **Receiver Address** should be the **STA’s MAC address** (the device being authenticated).
      * Confirms that the AP is addressing the correct station.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_3.png
         :alt: Receiver address of Authentication Response
         :scale: 95 %

   5. Check the **BSSID Field**

      * The **BSSID** must match the **AP’s MAC address**.
      * Confirms that this frame belongs to the correct Basic Service Set (BSS).

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_4.png
         :alt: BSSID in Authentication Response
         :scale: 95 %

   6. Check the **Authentication Algorithm Number**

      * The **Authentication Algorithm Number = 0** indicates **Open System Authentication**.
      * Ensures the AP is using the expected authentication method.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_5.png
         :alt: Authentication Algorithm field
         :scale: 95 %

   7. Check the **Authentication Sequence Number**

      * The **Sequence Number = 2** in the Authentication Response.
      * Confirms this frame is the **second step** of the authentication handshake.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_6.png
         :alt: Authentication Sequence Number field
         :scale: 95 %

   8. Check the **Status Code**

      * The **Status Code = 0** means **successful authentication**.
      * Any non-zero value indicates failure, and the STA will not proceed to Association.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_7.png
         :alt: Authentication Response Status Code
         :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Acknowledgement after Authentication Response Packet Analysis**

   * Once the **AP sends the Authentication Response**, the **STA acknowledges** it using an **ACK frame**.
   * This ensures reliable delivery of the Authentication Response before moving on to the Association stage.

   1. Check the **ACK Frame Subtype**.

      * The ACK frame has **Subtype = 13**, identifying it as an acknowledgment.
      * Confirms the STA received the Authentication Response correctly.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_8.png
         :alt: ACK subtype after Authentication Response
         :scale: 95 %

   2. Verify the **ACK Receiver Address**.

      * The **Receiver Address** should be the **AP’s MAC address** (source of the Authentication Response).
      * Confirms that the STA is acknowledging the correct transmitter.

      .. image:: ./open/802.11ng_open_auth_resp/auth_resp_9.png
         :alt: Receiver address of ACK after Authentication Response
         :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Association Request Packet Analysis**

   1. Check if the STA is sending an Association Request

      * After successful authentication, the STA sends an **Association Request** frame to the AP.
      * This frame contains STA capabilities and HT (High Throughput) information for 802.11n operation.
      * It allows the AP to determine if the STA supports 802.11n features and can join the BSS.
      * The frame is a **Management frame** (Subtype = 0).
      * Being **unicast**, the AP will acknowledge it with an **ACK**.

   2. Check the **Frame Subtype**

      * Subtype = 0 identifies the frame as an **Association Request**.
      * Ensures Wireshark captures the correct management frame.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_1.png
         :alt: Association Request Subtype
         :scale: 95 %

   3. Verify **Source Address**

      * Source Address = STA MAC address.
      * Confirms the frame is sent by the correct STA.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_2.png
         :alt: Source address in Association Request
         :scale: 95 %

   4. Check the **Receiver Address**

      * Receiver Address = AP MAC address.
      * Ensures the frame is targeted to the correct AP.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_3.png
         :alt: Receiver address in Association Request
         :scale: 95 %

   5. Verify **BSSID**

      * BSSID = AP MAC address.
      * Confirms the frame is part of the correct Basic Service Set.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_4.png
         :alt: BSSID in Association Request
         :scale: 95 %

   6. Check the **Capability Information – Privacy bit**

      * Privacy bit = 0 for Open mode (no encryption).
      * Confirms the network does not require WEP/WPA.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_5.png
         :alt: Privacy bit in Capability Information
         :scale: 95 %

   7. Verify **Capability Information – Short Preamble and Short Slot bit**

      * Short Preamble bit indicates whether STA supports short preamble.
      * Short Slot Time bit = 1 → available in 802.11ng for improved efficiency in OFDM mode.
      * These capabilities are new in 802.11ng and help optimize timing for higher data rates.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_6.png
         :alt: Short Preamble and short slot bit in Capability Information
         :scale: 95 %

   8. Check the **Listen Interval**

      * Defines how often the STA wakes up to check for buffered frames at the AP.
      * **Listen Interval = 5** → Typical value for active STAs.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_7.png
         :alt: Listen Interval in Association Request
         :scale: 95 %

   9. Verify **SSID Field**

      * SSID must match the AP’s network name.
      * Confirms that the STA is associating with the correct BSS.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_8.png
         :alt: SSID in Association Request
         :scale: 95 %

   10. Check the **Supported Rates**

       * STA advertises **Legacy (DSSS/CCK)** and **OFDM** rates.
       * Supported: **1, 2, 5.5, 11, 6, 9, 12, 18 Mbps**.
       * Ensures backward compatibility with 802.11b/g.

       .. image:: ./open/802.11ng_open_assoc_req/assoc_req_9.png
          :alt: Supported Rates in Association Request
          :scale: 95 %

   11. Check the **Extended Supported Rates**

       * Includes **24, 36, 48, 54 Mbps** — the higher OFDM rates.
       * Confirms the STA can use full 802.11g/n throughput range.

       .. image:: ./open/802.11ng_open_assoc_req/assoc_req_10.png
          :alt: Extended Supported Rates in Association Request
          :scale: 95 %

   12. Check the **HT Capabilities (802.11n Element)**

       * Tag Number: 45 identifies **HT Capabilities**.
       * Includes parameters like:

         * **HT Capabilities Info:** (0x19ef)
         * **A-MPDU Parameters:** 0x13
         * **MCS Set:** Defines supported Modulation and Coding Schemes.

       * Confirms the STA supports **MIMO**, **frame aggregation**, and **HT PHY** features of 802.11n.

       .. image:: ./open/802.11ng_open_assoc_req/assoc_req_11.png
          :alt: HT Capabilities in Association Request
          :scale: 95 %

   13. Verify **Extended Capabilities**

       * Tag Number: 127.
       * Lists optional STA features such as **QoS, coexistence, and 20/40 MHz support**.
       * Example values show extended support for HT coexistence.

       .. image:: ./open/802.11ng_open_assoc_req/assoc_req_12.png
          :alt: Extended Capabilities in Association Request
          :scale: 95 %

   14. Verify **Supported Operating Classes**

       * Tag Number: 59.
       * Defines supported channels and bands:

         * Primary: **2.407 GHz (Channels 1–13, Class 81)**.
         * Alternate classes for different regions.

       * Ensures the STA can legally operate on the AP’s frequency.

       .. image:: ./open/802.11ng_open_assoc_req/assoc_req_13.png
          :alt: Supported Operating Classes in Association Request
          :scale: 95 %

   15. Check the **Vendor Specific – WMM/WME Information Element**

       * Tag Number: 221, OUI: 00:50:F2 (Microsoft).
       * Advertises **WMM (Wi-Fi Multimedia)** support.
       * WME QoS Info = 0x00 → Indicates the STA supports QoS extensions for prioritizing voice/video traffic.

       .. image:: ./open/802.11ng_open_assoc_req/assoc_req_14.png
          :alt: WMM/WME Information Element
          :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Acknowledgement after Association Request Packet Analysis**

   * Since the **Association Request** is a **unicast frame** from the STA to the AP, the AP responds with an **ACK frame** to confirm successful reception.
   * The ACK is a **Control frame** (Subtype = 13) and ensures reliable MAC-layer delivery.
   * This ACK is sent **immediately after a SIFS interval**.

   1. Check the **ACK Frame Subtype**.

      * Subtype = 13 identifies the frame as an **ACK**.
      * Confirms the AP received the Association Request correctly.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_15.png
         :alt: ACK subtype after Association Request
         :scale: 95 %

   2. Verify the **ACK Receiver Address**.

      * The Receiver Address of the ACK should be the **STA’s MAC address** (source of the Association Request).
      * Confirms that the AP is acknowledging the correct station.

      .. image:: ./open/802.11ng_open_assoc_req/assoc_req_16.png
         :alt: Receiver address of ACK after Association Request
         :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Association Response Packet Analysis**

   1. Check if the AP is sending an Association Response

      * After receiving the Association Request, the AP responds with an **Association Response** frame.
      * This frame contains the **status code** (success/failure) and assigns an **Association ID (AID)** to the STA.
      * It is a **Management frame** (Subtype = 1) and sent **unicast** to the STA.

   2. Check the **Frame Subtype**

      * Subtype = 1 identifies the frame as an **Association Response**.
      * Confirms that the AP has acknowledged the STA’s request to join the BSS.

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_1.png
         :alt: Association Response Subtype
         :scale: 95 %

   3. Verify **Source Address**

      * Source Address = AP MAC address.
      * Confirms the frame is transmitted from the AP.

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_2.png
         :alt: Source address in Association Response
         :scale: 95 %

   4. Check the **Receiver Address**

      * Receiver Address = STA MAC address.
      * Ensures the response is directed to the correct STA.

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_3.png
         :alt: Receiver address in Association Response
         :scale: 95 %

   5. Verify **BSSID**

      * BSSID = AP MAC address (same as Source).
      * Confirms that the response is part of the same BSS.

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_4.png
         :alt: BSSID in Association Response
         :scale: 95 %

   6. Check the **Capability Information – Privacy bit**

      * Privacy bit = 0 for **Open Authentication** (no encryption).
      * Confirms the network doesn’t require WEP/WPA keys.

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_5.png
         :alt: Privacy bit in Association Response
         :scale: 95 %

   7. Verify **Capability Information – Short Preamble bit & Short Slot**

      * Short Preamble = 0 → AP does not allow short preamble.
      * Short Slot Time = 1 → 802.11g/n timing optimization.
      * Confirms compatibility with STA’s capabilities.

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_6.png
         :alt: Short Preamble bit in Association Response
         :scale: 95 %

   8. Check the **Status Code**

      * Status Code = 0 indicates **Successful Association**.
      * Other values indicate denial reasons (e.g., unsupported rates or capacity limits).

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_7.png
         :alt: Status code in Association Response
         :scale: 95 %

   9. Verify **Association ID (AID)**

      * AID uniquely identifies the STA within the BSS.
      * Typically a small integer (e.g., 1, 2, 3) assigned by the AP.
      * Confirms successful registration of the STA in the AP’s association table.

      .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_8.png
         :alt: Association ID in Association Response
         :scale: 95 %

   10. Check the **Supported Rates**

       * STA/AP agree on legacy DSSS and OFDM rates:

         * 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18 Mbps.

       * Ensures backward compatibility.

       .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_9.png
          :alt: Supported Rates in Association Response
          :scale: 95 %

   11. Verify **Extended Supported Rates**

       * Includes higher OFDM rates: 24, 36, 48, 54 Mbps.
       * Confirms full 802.11g/n throughput capability.

       .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_10.png
          :alt: Extended Supported Rates
          :scale: 95 %

   12. Check **HT Capabilities (802.11n Element)**

       * Tag 45 → HT Capabilities.
       * Includes:

         * HT Capabilities Info: 0x000c
         * A-MPDU Parameters: 0x17
         * MCS Set → Defines supported MIMO/modulation schemes.

       * Confirms 802.11n MIMO, aggregation, and HT PHY features.

       .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_11.png
          :alt: HT Capabilities in Association Response
          :scale: 95 %

   13. Verify **HT Information Element**

       * Tag 61 → HT Information.
       * Provides:

         * Primary Channel: 6
         * HT Info subsets (1-3)
         * Basic MCS Set → Defines compatible HT MCS rates.

       * Confirms AP advertises correct HT parameters to STA.

       .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_12.png
          :alt: HT Information Element
          :scale: 95 %

   14. Verify **Extended Capabilities**

       * Indicates additional optional features (e.g., QoS, HT support if present).
       * For 802.11ng, this shows extended PHY support over 802.11b.

       .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_13.png
          :alt: Extended Capabilities in Association Response
          :scale: 95 %

   15. Verify **Vendor Specific – WMM/WME Parameters**

       * Tag 221 → WMM/WME Parameter Element.
       * Provides QoS AC configuration for Best Effort, Background, Video, Voice.
       * Confirms AP supports QoS traffic prioritization.

       .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_14.png
          :alt: WMM/WME Parameters
          :scale: 95 %

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Acknowledgement after Association Response Packet Analysis**

   * The **Association Response** is a **unicast frame**, so the STA replies with an **ACK**.
   * This ensures the AP knows the STA successfully received its association confirmation.
   * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**.

   1. Check the **ACK Frame Subtype**.

      * Subtype = 13 identifies the frame as an **ACK**.
      * Indicates successful MAC-layer acknowledgment from STA to AP.

      ..
image:: ./open/802.11ng_open_assoc_resp/assoc_resp_15.png :alt: ACK subtype after Association Response :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./open/802.11ng_open_assoc_resp/assoc_resp_16.png :alt: Receiver address of ACK after Association Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Request Packet Analysis** * The ARP Request process in 802.11ng Open mode can involve two frames: 1. From STA to AP — the STA sends an ARP Request toward the AP. 2. From AP to Broadcast — the AP forwards the ARP Request to all stations in the BSS if needed. * This allows devices to resolve MAC addresses for given IPs on the network. 1. Check if STA is sending ARP Request to AP * This frame shows the STA sending an ARP Request to the AP. * The STA wants to resolve the MAC address for the target IP 192.168.1.10 (IP of AP). * This is encapsulated inside an 802.11 Data frame (Subtype = 0) with broadcast destination. 1.1. Check the **Source Address** * MAC of the STA sending the ARP Request. * Identifies which device initiated the request. .. image:: ./open/802.11ng_open_arp_req_1/arp_req_1_1.png :alt: STA to AP ARP Source Address :scale: 95 % 1.2. Verify **Destination Address** * Broadcast MAC: ff:ff:ff:ff:ff:ff * Data frame is intended for all devices in BSS to eventually deliver ARP. .. image:: ./open/802.11ng_open_arp_req_1/arp_req_1_2.png :alt: STA to AP ARP Destination Address :scale: 95 % 1.3. Verify **Receiver Address** * Receiver = AP MAC address. * Confirms the AP is the frame’s immediate recipient. .. image:: ./open/802.11ng_open_arp_req_1/arp_req_1_3.png :alt: STA to AP ARP Receiver Address :scale: 95 % 1.4. Verify **Transmitter Address** * Transmitter = STA MAC. * Indicates who physically transmitted the frame on the medium. ..
image:: ./open/802.11ng_open_arp_req_1/arp_req_1_4.png :alt: STA to AP ARP transmitter Address :scale: 95 % 1.5. Verify **Sender IP and MAC** * IP/MAC of the STA initiating the request. * Identifies which device’s IP is being used to query the target. .. image:: ./open/802.11ng_open_arp_req_1/arp_req_1_5.png :alt: STA to AP ARP Sender IP and MAC :scale: 95 % 1.6. Verify **Target IP and Target MAC** * IP of the device STA wants to reach. * Target MAC is unknown (00:00:00:00:00:00) in initial ARP Requests. .. image:: ./open/802.11ng_open_arp_req_1/arp_req_1_6.png :alt: STA to AP ARP Target IP and MAC :scale: 95 % 1.7. Verify **QoS Control Field** * QoS Control: 0x0000 - TID: 0 - Priority: Best Effort (0) - Ack Policy: Normal Ack (0) - TXOP Duration Requested: 0 - MSDU / MPDU: Payload Type = MSDU * Confirms QoS parameters used in this ARP Request frame. .. image:: ./open/802.11ng_open_arp_req_1/arp_req_1_7.png :alt: STA to AP ARP QoS Control Field :scale: 95 % 2. Check if AP is sending ARP Request to Broadcast * This frame shows the AP forwarding the ARP Request from STA to all devices in the BSS (broadcast). * The AP sets Receiver Address = Broadcast so all stations can see it. * Still encapsulated in an 802.11 Data frame (Subtype = 0). 2.1. Check the **Source Address** * AP’s MAC address as the source of the forwarded ARP Request. * Shows that the AP is relaying the ARP. .. image:: ./open/802.11ng_open_arp_req_2/arp_req_2_1.png :alt: AP to Broadcast ARP Source Address :scale: 95 % 2.2. Verify **Destination Address** * Broadcast MAC: ff:ff:ff:ff:ff:ff * Sent to all stations in the BSS. .. image:: ./open/802.11ng_open_arp_req_2/arp_req_2_2.png :alt: AP to Broadcast ARP Destination Address :scale: 95 % 2.3. Verify **Receiver Address** * Broadcast: ff:ff:ff:ff:ff:ff * Confirms all stations are eligible to receive the ARP Request. .. image:: ./open/802.11ng_open_arp_req_2/arp_req_2_3.png :alt: AP to Broadcast ARP Receiver Address :scale: 95 % 2.4.
Verify **Transmitter Address** * Transmitter = AP MAC. * Indicates which device physically transmitted this broadcast. .. image:: ./open/802.11ng_open_arp_req_2/arp_req_2_4.png :alt: AP to Broadcast ARP Transmitter Address :scale: 95 % 2.5. Verify **Sender IP and MAC** * IP/MAC of the STA initiating the request (carried inside AP’s forwarded ARP). * AP forwards this information so other stations know who is requesting. .. image:: ./open/802.11ng_open_arp_req_2/arp_req_2_5.png :alt: AP to Broadcast ARP Sender IP and MAC :scale: 95 % 2.6. Verify **Target IP and Target MAC** * IP of the device STA wants to reach. * Target MAC is unknown (00:00:00:00:00:00) in initial ARP Requests. .. image:: ./open/802.11ng_open_arp_req_2/arp_req_2_6.png :alt: AP to Broadcast ARP Target IP and MAC :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Reply Packet Analysis** 1. Check if AP is sending ARP Reply * After the STA sends an ARP Request, the device owning the target IP responds with an ARP Reply. * This is usually unicast from the AP to the STA. * The reply provides the MAC address corresponding to the target IP so the STA can update its ARP table. 2. Verify **Source Address** * AP MAC (BSSID) — the sender of the ARP Reply. * Identifies which device owns the requested IP (192.168.1.10). .. image:: ./open/802.11ng_open_arp_resp/arp_resp_1.png :alt: AP to STA ARP Reply Source Address :scale: 95 % 3. Verify **Destination Address** * STA MAC — unicast to the requesting STA. * Ensures only the requesting device receives this ARP Reply. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_2.png :alt: AP to STA ARP Reply Destination Address :scale: 95 % 4. Verify **Receiver Address** * STA MAC — confirms the intended recipient at the link layer. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_3.png :alt: AP to STA ARP Reply Receiver Address :scale: 95 % 5. 
Verify **Transmitter Address** * AP MAC — indicates who physically transmitted the frame. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_4.png :alt: AP to STA ARP Reply Transmitter Address :scale: 95 % 6. Verify **Sender IP and MAC** * IP: Target IP (AP's IP) * MAC: AP’s MAC * Provides the requested mapping for the STA’s ARP table. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_5.png :alt: AP to STA ARP Reply Sender IP and MAC :scale: 95 % 7. Verify **Target IP and MAC** * IP: STA IP * MAC: STA MAC * Confirms the reply is directed to the original requester. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_6.png :alt: AP to STA ARP Reply Target IP and MAC :scale: 95 % 8. Verify **QoS Control Field** * QoS Control: 0x0000 - TID: 0 - Priority: Best Effort (0) - EOSP: Service period - Ack Policy: Normal Ack (0x0) - Payload Type: MSDU - QAP PS Buffer State: 0x00 * Confirms QoS parameters used in this ARP Reply frame. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_7.png :alt: AP to STA ARP Reply QoS Control Field :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ARP Reply Packet Analysis** * The **ARP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ARP Reply successfully. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_8.png :alt: ARP Reply ACK Subtype :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address * Confirms the acknowledgment is directed to the AP. .. image:: ./open/802.11ng_open_arp_resp/arp_resp_9.png :alt: ARP Reply ACK Receiver Address :scale: 95 % .. 
panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Request Packet Analysis** 1. Check if STA is sending ICMP Echo (Ping) Request * The ICMP Echo Request is sent by the STA to the AP to test connectivity. * It is encapsulated inside an 802.11 Data frame and usually sent unicast to the AP. * This frame allows the STA to verify reachability and latency. 2. Verify **Radiotap / PHY Information** * PHY type: 802.11n (HT) * MCS index: 4 → Modulation and coding scheme * Bandwidth: 20 MHz → Channel bandwidth * Short GI: False → Long guard interval * Greenfield: True → No legacy preamble * FEC: BCC (0) * Data rate: 39 Mb/s → PHY transmission rate * Channel: 6 / 2437 MHz * Signal strength: -26 dBm * Noise level: -77 dBm * SNR: 51 dB * TSF timestamp: 113678078 * A-MPDU aggregate ID: 19451 .. image:: ./open/802.11ng_open_icmp_req/icmp_req_1.png :alt: Radiotap/PHY info in ICMP Echo Request :scale: 95 % 3. Verify **Source MAC** * STA MAC address (e.g., e8:6f:38:71:f1:e3). * Confirms the correct STA is sending the ping. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_2.png :alt: Source MAC in ICMP Echo Request :scale: 95 % 4. Verify **Receiver MAC** * AP MAC address. * Confirms the frame is directed to the correct AP. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_3.png :alt: Receiver MAC in ICMP Echo Request :scale: 95 % 5. Verify **Source and Destination IP** * Source IP: STA IP (e.g., 192.168.1.1) * Destination IP: AP IP (e.g., 192.168.1.10) * Ensures correct layer-3 addressing for ICMP. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_4.png :alt: Source and Destination IP in ICMP Echo Request :scale: 95 % 6. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms the packet is an ICMP message. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_5.png :alt: Protocol field in ICMP Echo Request :scale: 95 % 7. Verify **Type** * ICMP Type = 8 (Echo Request). * Identifies the frame as a ping request. ..
image:: ./open/802.11ng_open_icmp_req/icmp_req_6.png :alt: ICMP Type in Echo Request :scale: 95 % 8. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_7.png :alt: IP Version in ICMP Echo Request :scale: 95 % 9. Verify **QoS Control Field** * QoS Control: 0x0000 - TID: 0 - Priority: Best Effort (0) - EOSP: Service period - Ack Policy: Normal Ack (0x0) - Payload Type: MSDU - TXOP Duration Requested: 0 (no TXOP requested) * Confirms QoS parameters used in this ICMP Request frame. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_8.png :alt: QoS Control in ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Request Packet Analysis** * The **ICMP Request** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Request packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the AP received the ICMP Request successfully. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_9.png :alt: ACK Subtype after ICMP Echo Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = STA MAC. * Confirms that the acknowledgment is sent back to the STA. .. image:: ./open/802.11ng_open_icmp_req/icmp_req_10.png :alt: ACK Receiver Address after ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Reply Packet Analysis** 1. Check if AP is sending ICMP Echo (Ping) Reply * The ICMP Echo Reply is sent by the AP back to the STA in response to the Echo Request. * Encapsulated inside an 802.11 QoS Data frame and typically sent unicast. * Confirms that the AP is reachable and the network path is functioning correctly. 2. 
Verify **Radiotap / PHY Information** * PHY type: 802.11n (HT) * MCS index: 3 → Modulation and coding scheme * Bandwidth: 20 MHz → Channel bandwidth * Short GI: False → Long guard interval * Greenfield: True → No legacy preamble * FEC: BCC (0) * Data rate: 26 Mb/s → PHY transmission rate * Channel: 6 / 2437 MHz * Signal strength: -27 dBm * Noise level: -77 dBm * SNR: 50 dB * TSF timestamp: 113678544 * A-MPDU aggregate ID: 19452 .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_1.png :alt: Radiotap/PHY info in ICMP Echo Reply :scale: 95 % 3. Verify **Source MAC** * AP MAC address (e.g., 0c:9a:3c:9f:17:71). * Confirms the reply originates from the correct AP. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_2.png :alt: Source MAC in ICMP Echo Reply :scale: 95 % 4. Verify **Receiver MAC** * STA MAC address. * Confirms the reply is delivered to the requesting STA. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_3.png :alt: Receiver MAC in ICMP Echo Reply :scale: 95 % 5. Verify **Source and Destination IP** * Source IP: AP IP (e.g., 192.168.1.10) * Destination IP: STA IP (e.g., 192.168.1.1) * Confirms correct layer-3 addressing for the ICMP reply. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_4.png :alt: Source and Destination IP in ICMP Echo Reply :scale: 95 % 6. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms that the packet is an ICMP message. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_5.png :alt: Protocol in ICMP Echo Reply :scale: 95 % 7. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_6.png :alt: IP Version in ICMP Echo Reply :scale: 95 % 8. Verify **Type** * ICMP Type = 0 (Echo Reply). * Identifies the frame as a ping reply. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_7.png :alt: ICMP Type in Echo Reply :scale: 95 % 9.
Verify **QoS Control Field** * QoS Control: 0x0000 - TID: 0 - Priority: Best Effort (0) - EOSP: Service period - Ack Policy: Normal Ack (0x0) - Payload Type: MSDU - QAP PS Buffer State: 0x00 * Confirms QoS parameters used in this ICMP Reply frame. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_8.png :alt: QoS Control in ICMP Echo Reply :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Reply Packet Analysis** * The **ICMP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ICMP Reply successfully. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_9.png :alt: ACK Subtype after ICMP Echo Reply :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = AP MAC. * Confirms that the acknowledgment is sent back to the AP. .. image:: ./open/802.11ng_open_icmp_resp/icmp_resp_10.png :alt: ACK Receiver Address after ICMP Echo Reply :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Deauthentication Packet Analysis** 1. Check if STA is sending Deauthentication Frame * Deauthentication is a management frame sent by either the AP or STA to terminate an existing connection. * It contains information about why the device is being deauthenticated. * The frame is unicast and will be acknowledged by the recipient. 2. Verify **Frame Subtype** * Subtype = 12 identifies the frame as Deauthentication. * Ensures Wireshark captures the correct management frame. .. image:: ./open/802.11ng_open_deauth/deauth_1.png :alt: Deauthentication Subtype :scale: 95 % 3. Verify **Source MAC Address** * MAC address of the device sending the deauthentication frame (AP or STA). 
* Confirms which device initiated the deauthentication. .. image:: ./open/802.11ng_open_deauth/deauth_2.png :alt: Source MAC in Deauthentication :scale: 95 % 4. Verify **Receiver MAC Address** * MAC address of the recipient device. * Ensures the frame is targeted to the correct station or AP. .. image:: ./open/802.11ng_open_deauth/deauth_3.png :alt: Receiver MAC in Deauthentication :scale: 95 % 5. Verify **Fixed Parameters** * Includes Reason Code (e.g., 0x0001 → Unspecified reason, 0x0004 → Disassociated due to inactivity, 0x0008 → Deauthenticated because sending STA is leaving (or has left) BSS). * Helps determine why the deauthentication occurred. .. image:: ./open/802.11ng_open_deauth/deauth_4.png :alt: Fixed Parameters in Deauthentication :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Deauthentication Packet Analysis** * The **Deauthentication** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Deauthentication frame. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the recipient received the deauthentication frame. .. image:: ./open/802.11ng_open_deauth/deauth_5.png :alt: ACK Subtype after Deauthentication :scale: 95 % 2. Verify the **ACK Receiver Address**. * Destination MAC = sender of the deauthentication frame. * Confirms the acknowledgment is directed back to the sender. .. image:: ./open/802.11ng_open_deauth/deauth_6.png :alt: ACK Receiver Address after Deauthentication :scale: 95 %
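The checks repeated throughout this analysis (frame subtype, address roles, the Association Response fixed parameters, the Deauthentication reason code, and an ACK whose Receiver Address is the transmitter of the preceding unicast frame) can also be scripted. The Python below is an added example, not part of the original page or of hostapd/wpa_supplicant. Its function names are hypothetical, and its frames are constructed from the example MAC addresses above with the radiotap header and FCS assumed already removed.

```python
import struct

# Frame kinds covered in the walkthrough: (type, subtype) -> name.
NAMES = {(0, 0): "Association Request", (0, 1): "Association Response",
         (0, 12): "Deauthentication", (1, 13): "ACK",
         (2, 0): "Data", (2, 8): "QoS Data"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Decode one 802.11 MAC frame (radiotap header and FCS already removed)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    out = {"type": ftype, "subtype": subtype,
           "name": NAMES.get((ftype, subtype), "other"),
           "ra": mac(frame[4:10])}          # Address 1 is always the receiver
    if ftype == 1:                          # an ACK carries only the RA
        return out
    out["ta"] = mac(frame[10:16])           # Address 2 is the transmitter
    addr3 = mac(frame[16:22])
    if ftype == 0:                          # management: DA, SA, BSSID
        out.update(da=out["ra"], sa=out["ta"], bssid=addr3)
        body = frame[24:]
        if subtype == 1:                    # capability, status code, AID
            cap, status, aid = struct.unpack_from("<HHH", body, 0)
            out.update(privacy=bool(cap & 0x0010),
                       short_preamble=bool(cap & 0x0020),
                       short_slot=bool(cap & 0x0400),
                       status=status, aid=aid & 0x3FFF)
        elif subtype == 12:                 # reason code
            out["reason"] = struct.unpack_from("<H", body, 0)[0]
    elif to_ds and not from_ds:             # data, STA -> AP
        out.update(bssid=out["ra"], sa=out["ta"], da=addr3)
    elif from_ds and not to_ds:             # data, AP -> STA
        out.update(da=out["ra"], bssid=out["ta"], sa=addr3)
    return out

def unacked(frames):
    """Names of unicast frames not followed at once by an ACK to their transmitter."""
    parsed = [parse_frame(f) for f in frames]
    missing = []
    for cur, nxt in zip(parsed, parsed[1:] + [None]):
        group_addressed = int(cur["ra"][:2], 16) & 1
        if cur["type"] == 1 or group_addressed:
            continue                        # ACKs and group-addressed frames get no ACK
        if not (nxt and nxt["name"] == "ACK" and nxt["ra"] == cur["ta"]):
            missing.append(cur["name"])
    return missing

# Constructed sample frames, built from the example MAC addresses on this page.
STA = bytes.fromhex("e86f3871f1e3")
AP = bytes.fromhex("0c9a3c9f1771")

def header(fc, a1, a2, a3):
    # Frame Control, Duration, three addresses, Sequence Control
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + b"\x00\x00"

def ack(ra):
    return struct.pack("<HH", 0x00D4, 0) + ra

ASSOC_RESP = header(0x0010, STA, AP, AP) + struct.pack("<HHH", 0x0401, 0, 0xC001)
ARP_REQUEST = header(0x0188, AP, STA, b"\xff" * 6) + b"\x00\x00"   # To DS
ARP_REPLY = header(0x0288, STA, AP, AP) + b"\x00\x00"              # From DS
DEAUTH = header(0x00C0, AP, STA, AP) + struct.pack("<H", 0x0001)
CAPTURE = [ASSOC_RESP, ack(AP), ARP_REQUEST, ack(STA),
           ARP_REPLY, ack(AP), DEAUTH, ack(STA)]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_frame(f))
    print("unacknowledged:", unacked(CAPTURE))
```

A Privacy bit of 0 in the decoded Association Response means the data frames that follow are sent unencrypted, which is why the ARP and ICMP payloads are readable in the capture.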