Thursday, November 29, 2012

Google's - Test Anything Protocol



The Test Anything Protocol (TAP) is a protocol that allows communication between unit tests and a test harness. It lets individual tests (TAP producers) report test results to the testing harness in a language-agnostic way. TAP was originally developed in 1987 for unit testing of the Perl interpreter; producers and parsers are now available for many development platforms.


History

TAP was created for the first version of Perl (released in 1987), as part of Perl's core test harness (t/TEST). The Test::Harness module was written by Tim Bunce and Andreas König to allow Perl module authors to take advantage of TAP.
Development of TAP, including standardization of the protocol, writing of test producers and consumers, and evangelizing the language, is coordinated at the TestAnything website.[1]

Specification

Despite being about 20 years old and widely used, no formal specification exists for this protocol. The behavior of the Test::Harness module is the de facto TAP standard, along with a writeup of the specification on CPAN.[2]
A project to produce an IETF standard for TAP was initiated in August 2008, at YAPC::Europe 2008.[1]

Usage examples

TAP's general format is:
    1..N
    ok 1 Description # Directive
    # Diagnostic
    ....
    ok 47 Description
    ok 48 Description
    more tests....
For example, a test file's output might look like:
    1..4
    ok 1 - Input file opened
    not ok 2 - First line of the input valid.
        More output from test 2. There can be
        arbitrary number of lines for any output
        so long as there is at least some kind
        of whitespace at beginning of line.
    ok 3 - Read the rest of the file
    #TAP meta information
    not ok 4 - Summarized correctly # TODO Not written yet
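The stream above is small enough to parse by hand, but a harness has to get the details right: the plan line fixes how many tests must appear, indented lines belong to the preceding test, `#` lines are diagnostics, and a `not ok` carrying a `TODO` directive is an expected failure that must not fail the run. The following parser is an added example written for this page (not code from any of the projects listed below); the sample input is the page's own example stream, embedded as a constant.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the example TAP output shown above.
SAMPLE_TAP = """\
1..4
ok 1 - Input file opened
not ok 2 - First line of the input valid.
    More output from test 2. There can be
    arbitrary number of lines for any output
    so long as there is at least some kind
    of whitespace at beginning of line.
ok 3 - Read the rest of the file
#TAP meta information
not ok 4 - Summarized correctly # TODO Not written yet
"""

PLAN_RE = re.compile(r"^1\.\.(\d+)$")
# "ok"/"not ok", optional test number, optional " -", description, optional directive.
TEST_RE = re.compile(
    r"^(not )?ok(?: (\d+))?(?: -)?\s*(.*?)\s*(?:#\s*(TODO|SKIP)\b\s*(.*))?$",
    re.IGNORECASE,
)


@dataclass
class TestLine:
    number: int
    ok: bool
    description: str
    directive: Optional[str] = None      # "TODO" or "SKIP"
    directive_reason: str = ""
    output: List[str] = field(default_factory=list)   # indented continuation lines

    @property
    def counts_as_failure(self) -> bool:
        # A failing TODO test is expected to fail; a SKIP was never run.
        return not self.ok and self.directive is None


@dataclass
class TapResult:
    planned: Optional[int] = None
    tests: List[TestLine] = field(default_factory=list)
    diagnostics: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        # The run is only good if the plan was met and no real failure occurred.
        if self.planned is None or self.planned != len(self.tests):
            return False
        return not any(t.counts_as_failure for t in self.tests)


def parse_tap(stream: str) -> TapResult:
    result = TapResult()
    next_number = 1
    for raw in stream.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # Whitespace-led lines are free-form output attached to the last test.
            if result.tests:
                result.tests[-1].output.append(raw.strip())
            continue
        m = PLAN_RE.match(raw)
        if m:
            result.planned = int(m.group(1))
            continue
        if raw.startswith("#"):
            result.diagnostics.append(raw[1:].strip())
            continue
        m = TEST_RE.match(raw)
        if m:
            not_ok, num, desc, directive, reason = m.groups()
            number = int(num) if num else next_number   # numbers are optional in TAP
            next_number = number + 1
            result.tests.append(TestLine(
                number=number,
                ok=not_ok is None,
                description=desc,
                directive=directive.upper() if directive else None,
                directive_reason=reason or "",
            ))
            continue
        result.diagnostics.append("unparsed line: " + raw)
    return result


if __name__ == "__main__":
    r = parse_tap(SAMPLE_TAP)
    for t in r.tests:
        print(t.number, "ok" if t.ok else "not ok", t.description, t.directive or "")
    print("run passed:", r.passed)
```

Running it on the sample reports test 2 as a real failure and test 4 as a TODO, so the run as a whole is not passed; a stream of `1..1` followed by `ok 1 - x` passes.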

List of TAP Parsers

These are libraries which parse TAP and display the results.
  • Test::Harness is the oldest and most complete TAP parser. It is limited in how it displays TAP. Though it most often runs tests written in Perl, it can launch any process which generates TAP. Most of the TAP spec is taken from the behavior of Test::Harness.
    • The original Test::Harness has now been deprecated; the new Test::Harness provides a minimal compatibility layer with the previous behavior, but new development should not use this module and should use the TAP::Harness module instead.
  • The t/TEST parser contained in the Perl source code.
  • Test::Harness is a new and more flexible parser being written by Curtis "Ovid" Poe, Andy Armstrong and other people. It is a wrapper around TAP::Parser.
  • Test::Run is a fork of Test::Harness being written by Shlomi Fish.
  • test-harness.php A TAP parser for PHP.
  • nqpTAP A TAP parser written in NotQuitePerl (NQP), a smaller subset of the Perl 6 language.
  • Tapir A TAP parser written in Parrot Intermediate Representation (PIR).
  • tap4j A TAP implementation for Java.

List of TAP Producers

These are libraries for writing tests which output TAP.
  • Test::More is the most popular testing module for Perl 5.
  • Test::Most puts the most commonly used Perl 5 testing modules needed in one place. It is a superset of Test::More.
  • PHPUnit is the xUnit implementation for PHP.
  • test-more.php is a testing module for PHP based on Test::More.
  • test-more-php implements Test::Simple & Test::More for PHP.
  • libtap is a TAP producer written in C.
  • libtap++ is a TAP producer for C++
  • ArduinoTap is a TAP producer written in C++ for Arduino board.
  • Test.Simple is a port of the Perl Test::Simple and Test::More modules to JavaScript by David Wheeler.
  • PyTAP A beginning TAP implementation for Python.
  • MyTAP MySQL unit test library used for writing TAP producers in C or C++
  • Bacon A Ruby library that supports a spec-based syntax and that can produce TAP output
  • PLUTO PL/SQL Unit Testing for Oracle
  • pgTAP PostgreSQL stored procedures that emit TAP
  • SnapTest A PHP unit testing framework with TAP v13 compliant output.
  • etap is a simple erlang testing library that provides TAP compliant output.
  • lua-TestMore is a port of the Perl Test::More framework to Lua.
  • tap4j A TAP implementation for Java.
  • lime A testing framework bundled with the Symfony PHP framework.
  • yuitest A JavaScript testing library (standalone)
  • Ahven An Ada unit testing library.
  • Mocha A JavaScript testing library


Tuesday, November 6, 2012

802.11 layer 2 dynamic encryption key generation




802.11 Layer 2 Dynamic encryption key generation

  • 802.1X/EAP also handles the generation and distribution of dynamic encryption keys, although that is not the purpose of 802.1X.
  • Mutual authentication is required to generate dynamic encryption keys, i.e. EAP-TLS, EAP-TTLS, EAP-FAST, EAP-LEAP and all versions of EAP-PEAP generate dynamic encryption keys.
    • EAP-MD5 cannot, as it only involves unidirectional authentication.
  • Prior to TKIP/RC4 or CCMP/AES (i.e. the RSNA encryption algorithms), WEP already offered dynamic key encryption (dynamic WEP).
    • These were proprietary solutions, though.
    • Here, using the mutual authentication credentials as a seed, matching dynamic encryption keys are generated on both the supplicant and the authentication server.
    • These keys are created per session, per user.
    • This key is the unicast key.
    • The broadcast key can either be manually configured on the AP or randomly generated; it is used to encrypt/decrypt all broadcast/multicast 802.11 traffic.
    • The unicast key is unique per client, but the broadcast key must be the same for all clients.
    • The authenticator sends the broadcast key to the client in an EAPoL message (which is encrypted with the client's unicast key).
    • Note: these dynamic WEP keys are still weak and can still be cracked. Not recommended for use.

Robust Security Network (RSN)

  • An RSN requires two 802.11 stations to establish procedures to authenticate and associate with each other, and to create dynamic encryption keys through a process known as the 4-way handshake.
  • The association between the two stations is known as an RSNA.
  • After the RSNA is established, the station shares a key with the AP known as the Pairwise Transient Key (PTK), which is used to encrypt unicast traffic.
  • All the stations also share a key called the Groupwise Temporal Key (GTK), which is used to encrypt/decrypt all broadcast and multicast traffic.
  • The 802.11-2007 standard allows for the creation of pre-RSNAs.
    • i.e. legacy security methods are supported in the same BSS along with RSN security mechanisms.
    • Example: dynamic WEP, static WEP.
    • Such a network is called a Transition Security Network.
    • Here the lowest common denominator key will be used as the broadcast/multicast key (in this example, WEP).
  • Controllers do the following
    • They can create multiple SSIDs for multiple WLANs in a single coverage cell area
    • For the multiple SSID's , they create multiple virtual BSSIDs
    • Each SSID is associated with a L3 VLAN interface on the DS.

RSN Information Element

  • This is used by the clients and the APs to notify one another of their RSN capabilities
  • It is an optional field.
  • Found in 4 different frames:
    • Beacon (AP to client)
    • Probe response (AP to client)
    • Association request (client to AP)
    • Reassociation request (client to AP)
  • This contains the following info:
    • Identifies the encryption capabilities of each station
    • Indicates whether 802.1X authentication or PSK is being used (i.e. the supported authentication methods)
  • The client/AP will use one cipher suite for unicast traffic and another for broadcast/multicast traffic
    • Check figure 5.10 on Page 187 of the study guide for a view of how the RSN IE will look in a frame
  • The AKM(authentication key management) field is used to indicate whether the station supports 802.1X authentication or PSK authentication.
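The probe response and beacon captures later on this page show an RSN IE decoded by Wireshark (tag 48, length 20: version 1, multicast cipher TKIP, one unicast cipher AES-CCM, one AKM suite, capabilities 0x0028) but not its raw bytes. The following parser is an added example written for this page, not vendor or standard-body code; the 20-byte body is constructed here to decode to exactly what those captures report (the "WPA" AKM label Wireshark prints corresponds to the 802.1X selector 00-0F-AC-01). It also flags the settings a defender auditing beacons would want to see, such as the TKIP group cipher that a transition network is forced down to.

```python
import struct
from typing import Any, Dict, List

# Suite selectors under the IEEE OUI 00-0F-AC (802.11-2007 cipher and AKM suite tables).
CIPHER_SUITES = {
    b"\x00\x0f\xac\x00": "Use group cipher",
    b"\x00\x0f\xac\x01": "WEP-40",
    b"\x00\x0f\xac\x02": "TKIP",
    b"\x00\x0f\xac\x04": "CCMP",
    b"\x00\x0f\xac\x05": "WEP-104",
}
AKM_SUITES = {
    b"\x00\x0f\xac\x01": "802.1X",
    b"\x00\x0f\xac\x02": "PSK",
}
# The two 2-bit replay-counter fields in RSN Capabilities encode 1, 2, 4 or 16 counters.
REPLAY_COUNTERS = (1, 2, 4, 16)

# Constructed bytes (the page's captures show only the decoded view): element ID 48,
# length 20, version 1, group TKIP, 1 pairwise CCMP, 1 AKM 802.1X, capabilities 0x0028.
CAPTURED_STYLE_RSN_IE = bytes.fromhex(
    "3014 0100 000fac02 0100 000fac04 0100 000fac01 2800"
)


def parse_rsn_ie(ie: bytes) -> Dict[str, Any]:
    """Decode an RSN information element (ID, length, body)."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN IE (element ID 48)")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("RSN IE truncated: header promises %d bytes" % ie[1])
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN IE truncated inside a field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    info: Dict[str, Any] = {"version": struct.unpack("<H", take(2))[0]}
    # Every field after Version is optional; a sender may stop early.
    if pos == len(body):
        return info
    info["group_cipher"] = CIPHER_SUITES.get(take(4), "unknown")
    if pos == len(body):
        return info
    count = struct.unpack("<H", take(2))[0]
    info["pairwise_ciphers"] = [CIPHER_SUITES.get(take(4), "unknown") for _ in range(count)]
    if pos == len(body):
        return info
    count = struct.unpack("<H", take(2))[0]
    info["akm_suites"] = [AKM_SUITES.get(take(4), "unknown") for _ in range(count)]
    if pos == len(body):
        return info
    caps = struct.unpack("<H", take(2))[0]
    info["capabilities"] = {
        "preauth": bool(caps & 0x0001),
        "no_pairwise": bool(caps & 0x0002),
        "ptksa_replay_counters": REPLAY_COUNTERS[(caps >> 2) & 0x3],
        "gtksa_replay_counters": REPLAY_COUNTERS[(caps >> 4) & 0x3],
    }
    return info


def weak_settings(info: Dict[str, Any]) -> List[str]:
    """Findings a beacon/probe-response audit would report for this IE."""
    findings = []
    weak = {"WEP-40", "WEP-104", "TKIP"}
    if info.get("group_cipher") in weak:
        findings.append("group (broadcast/multicast) cipher is %s" % info["group_cipher"])
    for cipher in info.get("pairwise_ciphers", []):
        if cipher in weak:
            findings.append("pairwise cipher %s offered" % cipher)
    if "PSK" in info.get("akm_suites", []):
        findings.append("PSK AKM: every station derives the same PMK")
    return findings


if __name__ == "__main__":
    decoded = parse_rsn_ie(CAPTURED_STYLE_RSN_IE)
    print(decoded)
    print(weak_settings(decoded))
```

On the constructed IE the parser reports exactly the capture's view (version 1, group TKIP, pairwise CCMP, AKM 802.1X, 4 replay counters for both PTKSA and GTKSA, no pre-authentication) and the audit flags the TKIP group cipher.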

Authentication and Key Management(AKM)

  • AKM services consist of a set of one or more algorithms designed to provide authentication and key management, either individually or in combination with higher-layer authentication and key-management algorithms.
    • These may include non-802 protocols.
  • AKM services link authentication and encryption together.
    • i.e. an authentication process is necessary to generate dynamic encryption keys.
  • Until the dynamic encryption keys are created, the controlled port will not open.
  • Refer to figure 5.14 on Page 190 of the study guide
  • An overview of AKM is as follows:
    • Discovery: active and passive scanning
      • This covers discovery, authentication and association
    • Authentication: 802.1X/EAP or PSK
      • Starts when the EAP exchange starts
    • Master key creation: PMK/GMK
      • The supplicant and the authentication server generate a master encryption key called the PMK.
    • Temporal key creation : 4-way handshake creates GTK/PTK
    • Authorization : Controlled port unblocked
    • Encryption : The 802.11 data frames are encrypted

RSNA Key hierarchy

  • 5 keys make up a top-to-bottom hierarchy that is needed to establish a final RSNA.
  • There are group-wise keys, used to protect a group of destinations.
  • There are pair-wise keys, used to protect 2 entities.

Master session key(MSK)

  • Also called AAA key.
  • Generated from either the 802.1X/EAP process or the PSK process
  • This key is exported to both the supplicant and the authentication server.
  • At least 64 octets in length.
  • We can think of this as a seeding material used to create other keys

Master keys

  • After MSK is created, 2 master keys are created
  • The MSK is used to create a master key called the Pairwise Master Key (PMK).
  • This resides on both the supplicant and the AS.
  • A new PMK is created every time a client authenticates or reauthenticates.
  • The PMK is also sent from the AS to the authenticator
  • Another master key, Group-wise Master Key(GMK) is generated on the Authenticator
  • These master keys are not used to encrypt/decrypt data traffic
  • These are the seeding material for the 4-way handshake
  • PMK helps create the PTK
  • GMK helps create the GTK

Temporal Keys

  • PTK is comprised of 3 sections
    • Key confirmation key(KCK)
      • provides data integrity during the 4-way handshake and group key handshake
    • Key Encryption Key (KEK)
      • Is used by EAPoL frames to encrypt the 4-way handshake and the group key handshake
    • Temporal Key (TK)
      • This is used for MSDU encryption
  • The PTK/GTKs are either CCMP/AES or TKIP/RC4.

4-way handshake

  • The 4-way handshake basically does the following:
    • Confirm the existence of the PMK at the peer
    • Ensure that the PMK is current
    • Derive a new PTK from the PMK
    • Install the PTK on the supplicant and the authenticator
    • Transfer the GTK from the authenticator to the supplicant and install the GTK on the supplicant, and if necessary on the authenticator
    • Confirm the selection of cipher suites
  • The PMK along with a nonce is used to create the PTK
  • 2 nonces are created by the 4-way handshake
    • The Authenticator nonce
    • The Supplicant nonce
  • PMK+Authenticator nonce+supplicant nonce+Authenticator MAC address + Supplicant MAC address is fed into a pseudo-random function and the PTK is generated
  • The 4-way handshake consists of the following steps
    • Message 1
      • Authenticator -> Supplicant
      • The authenticator and supplicant create their respective nonces
      • The authenticator sends its Authenticator nonce (ANonce) to the supplicant
      • The supplicant now has all the info it needs to derive the PTK from the PMK.
    • Message 2
      • Supplicant -> Authenticator
      • The supplicant sends its supplicant nonce (SNonce) to the authenticator
      • The supplicant also sends its RSN IE and a MIC.
      • The authenticator derives a PTK and also validates the MIC.
    • Message 3
      • Authenticator -> Supplicant
      • The authenticator derives the GTK from the GMK
      • Authenticator sends a message to the supplicant with the following information
        • ANonce
        • RSN IE
        • MIC
        • GTK
      • This message is encrypted using the PTK
    • Message 4
      • Supplicant -> Authenticator
      • Tells the authenticator that the temporal keys are now available and installed and ready for use

Group Key Handshake

  • A 2-frame handshake used to distribute new group keys to client stations that already have a PTK and a GTK
  • It is exactly the last 2 frames of the 4-way handshake

Peer key handshake

  • 802.11-2007 gives clients a way to talk to one another without involving the AP
  • After establishing the individual security associations with the AP, a station-to-station link (STSL) can also be established
  • The clients use the PeerKey handshake management protocol to create peer keys.

RSNA Security Associations

  • An RSNA requires 2 802.11 stations to establish procedures to authenticate and associate with each other as well as create dynamic encryption keys through a 4-way handshake

Passphrase-to-PSK matching

  • As discussed earlier, the AKMP can use either 802.1X/EAP or PSK
  • When using PSK, the AKM procedures are as follows:
    • Discovery
    • Negotiation
      • The STA associates with the AP and negotiates a security policy.
      • The PSK becomes the PMK
    • Temporal Key Generation and Authorization
      • 4-way handshake to create temporal keys
  • The RSNA PSK must be 256 bits in length, i.e. 64 characters when represented in hex.
  • Most end users prefer a shorter ASCII password.
  • So a password-to-PSK mapping formula is defined.
  • The simple ASCII password is converted into a 64-character hex RSNA PSK.
  • In the case of the PSK AKM, the PMK of every station is the same, because all of them use the same "pre-shared key", which is nothing but the PMK.
  • This is a security risk.
  • It allows an attacker who captures the frames to duplicate the PTK and thereby decrypt the encrypted frames.
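The two points made on this page about keys, that the PTK comes from PMK + ANonce + SNonce + both MAC addresses through a pseudo-random function (the 4-way handshake section above), and that with PSK every station starts from the same PMK (this section), can be seen together in a few lines of code. The block below is an added example written for this page, not the author's material and not a supplicant or AP implementation: the passphrase-to-PSK mapping is PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations as defined in IEEE 802.11i Annex H.4, and the PTK derivation follows the PRF of 802.11-2007 8.5.1. The `Station` class and the simplified MIC check that stands in for the EAPOL-Key MIC are assumptions made for the example; messages 3 and 4 add no key material and are left out. The MAC addresses used in the test are the AP and client addresses from the captures further down the page.

```python
import hashlib
import hmac
import os
from typing import Dict


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i Annex H.4 mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit PSK.
    Deterministic: every station on the network computes the same value (the PMK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n from 802.11-2007 8.5.1.1: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               tk_len: int = 16) -> Dict[str, bytes]:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    Ordering by value rather than by role lets both sides build the same input.
    tk_len is 16 for CCMP (PTK of 384 bits) and 32 for TKIP (512 bits)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 32 + tk_len)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


class Station:
    """Hypothetical minimal model of one handshake party (example only)."""

    def __init__(self, mac: bytes, pmk: bytes):
        self.mac, self.pmk = mac, pmk
        self.nonce = os.urandom(32)   # fresh per session: this is what makes each PTK unique
        self.ptk = None


def four_way_handshake(authenticator: Station, supplicant: Station) -> bool:
    """Messages 1 and 2 of the handshake; returns True when both sides agree on the PTK."""
    # Message 1 (authenticator -> supplicant): ANonce.
    # The supplicant now has everything it needs to derive the PTK from the PMK.
    anonce = authenticator.nonce
    supplicant.ptk = derive_ptk(supplicant.pmk, authenticator.mac, supplicant.mac,
                                anonce, supplicant.nonce)
    # Message 2 (supplicant -> authenticator): SNonce plus a MIC keyed with the KCK.
    snonce = supplicant.nonce
    authenticator.ptk = derive_ptk(authenticator.pmk, authenticator.mac, supplicant.mac,
                                   anonce, snonce)
    # The real MIC covers the EAPOL-Key frame; a constant body stands in for it here.
    # Validating it is what proves the peer holds the same PMK.
    mic_sent = hmac.new(supplicant.ptk["KCK"], b"message 2 body", hashlib.sha1).digest()
    mic_expected = hmac.new(authenticator.ptk["KCK"], b"message 2 body", hashlib.sha1).digest()
    return hmac.compare_digest(mic_sent, mic_expected)


if __name__ == "__main__":
    pmk = passphrase_to_psk("password", "IEEE")
    print("PSK/PMK:", pmk.hex())
    ap = Station(bytes.fromhex("0014f2b0b0b0"), pmk)
    client = Station(bytes.fromhex("001c26282828"), pmk)
    print("handshake ok:", four_way_handshake(ap, client))
    print("TK:", ap.ptk["TK"].hex())
```

Two runs with the same PMK give different PTKs because the nonces differ, which is the per-session property the handshake provides; a station holding a PMK derived from the wrong passphrase fails the MIC check. The passphrase "password" with SSID "IEEE" is the standard's own test vector and yields the 64-hex-character PSK checked in the test.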

Roaming and Dynamic Keys

  • Every time a client roams to another AP, unique encryption keys must be generated using the 4-way handshake process
  • This means that every time the client roams, the STA must perform the EAP process all over again
  • This leads to poor performance for VoWLAN and other time-sensitive applications when using a (WPA|WPA2) Enterprise solution
  • The 802.1X process takes about 700 ms or more!
  • PSK authentication is much faster when compared to Enterprise solutions
  • The recently ratified 802.11r-2008, also known as fast BSS transition, defines faster handoffs when roaming occurs between cells in a WLAN using 802.1X/EAP.

Sniffer traces of 802.11n frames




802.11 is a set of standards for WLANs (Wireless Local Area Networks) defining wireless data transmission. It is currently mainly composed of three protocols: 802.11a, 802.11b and 802.11g.
A new protocol called 802.11n should be released in 2009. It is already implemented, in draft form, in some wireless cards and access points.

Protocol   Release date   Max rate [Mbit/s]   Frequency [GHz]
802.11a    2001           54                  5
802.11b    1999           11                  2.4
802.11g    2003           54                  2.4
802.11n    2009?          300                 5 and/or 2.4
Note that it is not possible to reach the maximum data rate indicated by the manufacturers. In optimal conditions, about half this value can be reached for 802.11a/b/g and about a third for 802.11n.

It is not permitted to transmit wireless data at any frequency: only certain ranges around 2.4 GHz and 5 GHz are allowed, so as not to conflict with other kinds of radio waves such as those used for mobile telephony (GSM) or broadcast radio. Other rules, such as a maximum transmission power, are also imposed on wireless hardware.

Data can be transmitted through 13 channels. In a multi access-points environment, the channel number must be set carefully on each access point to avoid wave interference leading to poor transmission rate for the wireless users.

The wireless client devices communicate in two modes:
- Infrastructure
- Ad-Hoc

The "infrastructure" mode is used when a wireless client such as a laptop is connected to a Wireless station called Access-Point. This mode is used most of the time. The "Ad-Hoc" mode is used when two hosts want to communicate directly between each other without traveling through an access point.


The 802.11 protocols operate at layer 2 of the OSI model and use three different wireless frame types:
- Control frames: Help the data frames delivery.
- Management frames: Establish and maintain wireless communications.
- Data frames: Transport the data.

Press the "p" key in the kismet main interface to see the captured wireless frames.

Management frames (Mx):

Kismet   Description
Ma       Association request
MA       Association response
Mr       Reassociation request
MR       Reassociation response
Mp       Probe request
MP       Probe response (See example)
MB       Beacon (See example)
MM       ATIM
MD       Disassociation
Mt       Authentication
MT       Deauthentication
M?       Unknown management frame
Physical (Control) frames (Px): (See example)

Kismet   Description
Pt       Request to send
PT       Clear to send
PA       Data Ack
Pc       CF End
PC       CF End+Ack
P?       Unknown phy frame
Data frames (Dx): (See example)

Kismet   Description
DD       Data frame
Dc       Data+CF+ACK
Dp       Data+CF+Poll
DP       Data+CF+ACK+Poll
DN       Data Null
Da       CF Ack
PA       CF Ack+Poll
D?       Unknown data frame
Check the wi-fiplanet website to get details about each frame type.
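The type and subtype in the tables above, plus the flags Wireshark expands in the captures below (To DS, From DS, Retry, Protected, ...), all live in the 2-byte Frame Control field at the start of every 802.11 frame. The decoder below is an added example written for this page, not Wireshark or Kismet code; it takes the field in on-the-wire byte order, and `from_wireshark_value` converts the 16-bit number Wireshark prints (0x00D4, 0x4188, 0x0050, 0x0080 in the four captures on this page) back to those bytes. The subtype table is assembled from the management, control and data tables above. Note that for the data frame (0x4188) the decoder reports the Protected bit as set, which agrees with the CCMP parameters shown in that capture even though the Wireshark build used printed "Data is not protected" beside the bit.

```python
from typing import Any, Dict

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}

# (type, subtype) -> name, following the Kismet tables above.
SUBTYPE_NAMES = {
    (0, 0): "Association request", (0, 1): "Association response",
    (0, 2): "Reassociation request", (0, 3): "Reassociation response",
    (0, 4): "Probe request", (0, 5): "Probe response", (0, 8): "Beacon",
    (0, 9): "ATIM", (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication",
    (1, 11): "Request to send", (1, 12): "Clear to send", (1, 13): "Acknowledgement",
    (1, 14): "CF End", (1, 15): "CF End+Ack",
    (2, 0): "Data frame", (2, 1): "Data+CF+ACK", (2, 2): "Data+CF+Poll",
    (2, 3): "Data+CF+ACK+Poll", (2, 4): "Data Null", (2, 5): "CF Ack",
    (2, 6): "CF Ack+Poll", (2, 8): "QoS Data",
}

# (To DS, From DS) -> meaning of the address fields, worded as in the captures below.
DS_STATUS = {
    (False, False): "Not leaving DS or network is operating in AD-HOC mode",
    (True, False): "Frame from STA to DS via an AP",
    (False, True): "Frame from DS to a STA via AP",
    (True, True): "WDS (AP to AP)",
}


def from_wireshark_value(value: int) -> bytes:
    """Wireshark prints Frame Control as a 16-bit number with the flags byte in the
    high half (e.g. 0x4188); on the wire the first byte is the type/subtype byte."""
    return bytes([value & 0xFF, (value >> 8) & 0xFF])


def parse_frame_control(fc: bytes) -> Dict[str, Any]:
    """Decode the 2-byte Frame Control field from its on-the-wire byte order."""
    if len(fc) < 2:
        raise ValueError("Frame Control is 2 bytes")
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3        # bits 2-3 of the first byte
    subtype = (b0 >> 4) & 0xF      # bits 4-7 of the first byte
    to_ds, from_ds = bool(b1 & 0x01), bool(b1 & 0x02)
    return {
        "raw": b0 | (b1 << 8),     # the value as Wireshark prints it
        "version": b0 & 0x3,
        "type": FRAME_TYPES[ftype],
        "subtype": subtype,
        "name": SUBTYPE_NAMES.get((ftype, subtype), "Unknown"),
        "to_ds": to_ds,
        "from_ds": from_ds,
        "ds_status": DS_STATUS[(to_ds, from_ds)],
        "more_fragments": bool(b1 & 0x04),
        "retry": bool(b1 & 0x08),
        "power_mgmt": bool(b1 & 0x10),
        "more_data": bool(b1 & 0x20),
        "protected": bool(b1 & 0x40),   # frame body is encrypted (WEP/TKIP/CCMP)
        "order": bool(b1 & 0x80),
    }


def summarize(fc: bytes) -> str:
    """One-line description of a Frame Control field, useful when scanning a capture."""
    f = parse_frame_control(fc)
    flags = [k for k in ("to_ds", "from_ds", "more_fragments", "retry",
                         "power_mgmt", "more_data", "protected", "order") if f[k]]
    return "%s/%s (0x%04x) flags=%s" % (f["type"], f["name"], f["raw"], ",".join(flags) or "none")


if __name__ == "__main__":
    for value in (0x00D4, 0x4188, 0x0050, 0x0080):   # the four captures on this page
        print(summarize(from_wireshark_value(value)))
```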



Here are examples of control, data and management frames.

1.  Control Frame
2.  Data Frame
3.1 Management frame (Probe Response)
3.2 Management Frame(Beacon)

 1. Frame control - Acknowledgement

 Wireshark capture

[Screenshot: Wireshark capture of the wireless control frame]

 Tshark capture.

Frame 4 (10 bytes on wire, 10 bytes captured)
 Arrival Time: Feb 5, 2008 19:27:18.873416000
 [Time delta from previous captured frame: 0.000003000 seconds]
 [Time delta from previous displayed frame: 0.000003000 seconds]
 [Time since reference or first frame: 0.055028000 seconds]
 Frame Number: 4
 Frame Length: 10 bytes
 Capture Length: 10 bytes
 [Frame is marked: False]
 [Protocols in frame: wlan]
IEEE 802.11
 Type/Subtype: Acknowledgement (0x1d)
 Frame Control: 0x00D4 (Normal)
  Version: 0
  Type: Control frame (1)
  Subtype: 13
  Flags: 0x0
   DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
   .....0..= More Fragments: This is the last fragment
   ....0...= Retry: Frame is not being retransmitted
   ...0....= PWR MGT: STA will stay up
   ..0.....= More Data: No data buffered
   .0......= Protected flag: Data is not protected
   0.......= Order flag: Not strictly ordered
 Duration: 0
 Receiver address: Aironet_91:91:91 (00:40:96:91:91:91)


 2. Data frame

 Wireshark capture

[Screenshot: Wireshark capture of the wireless data frame]

 Tshark capture

Frame 11 (82 bytes on wire, 82 bytes captured)
 Arrival Time: Feb 5, 2008 19:27:18.937491000
 [Time delta from previous captured frame: 0.000029000 seconds]
 [Time delta from previous displayed frame: 0.000029000 seconds]
 [Time since reference or first frame: 0.119103000 seconds]
 Frame Number: 11
 Frame Length: 82 bytes
 Capture Length: 82 bytes
 [Frame is marked: False]
 [Protocols in frame: wlan:data]
IEEE 802.11
 Type/Subtype: QoS Data (0x28)
 Frame Control: 0x4188 (Normal)
  Version: 0
  Type: Data frame (2)
  Subtype: 8
  Flags: 0x41
   DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x01)
   .....0..= More Fragments: This is the last fragment
   ....0...= Retry: Frame is not being retransmitted
   ...0....= PWR MGT: STA will stay up
   ..0.....= More Data: No data buffered
   .1......= Protected flag: Data is not protected
   0.......= Order flag: Not strictly ordered
 Duration: 44
 BSS Id: Cisco_50:50:50 (00:1c:0e:50:50:50)
 Source address: Aironet_91:91:91 (00:40:96:91:91:91)
 Destination address: 01:00:5e:fa:fa:fa (01:00:5e:fa:fa:fa)
 Fragment number: 0
 Sequence number: 3847
 QoS Control
  Priority: 0 (Best Effort) (Best Effort)
  Ack Policy: Normal Ack (0x00)
  Payload Type: MSDU
  Transmit Opportunity (TXOP) Limit Requested: 0x00
 CCMP parameters
  CCMP Ext. Initialization Vector: 0x000000001469
  Key Index: 0
Data (48 bytes)
 
0000 eb 4d b5 5b 64 db ba 0b 54 4f 76 2b 05 00 a3 eb .M.[d...TOv+....
0010 ce 67 3d e8 68 30 6f 7a 5a 13 cc 38 89 a5 46 84 .g=.h0ozZ..8..F.
0020 e6 eb 5f 46 33 4b 2a 31 c1 98 3b 56 2d ae 61 24 .._F3K*1..;V-.a$


 3.1 Management Frame (Probe response)

The Wireless clients send probe requests to determine which access points are within range. The access points answer to the clients with information about their capabilities such as the network name (SSID), supported rates, AP name, AP manufacturer, etc...
If the AP is set not to broadcast its SSID, it will answer a probe request with a blank SSID field.

 Wireshark capture

[Screenshot: Wireshark capture of the wireless management frame (probe response)]

 Tshark capture

Frame 20275 (216 bytes on wire, 216 bytes captured)
 Arrival Time: Feb 5, 2008 19:37:51.688023000
 [Time delta from previous captured frame: 0.002035000 seconds]
 [Time delta from previous displayed frame: 0.002035000 seconds]
 [Time since reference or first frame: 632.869635000 seconds]
 Frame Number: 20275
 Frame Length: 216 bytes
 Capture Length: 216 bytes
 [Frame is marked: False]
 [Protocols in frame: wlan]
IEEE 802.11
 Type/Subtype: Probe Response (0x05)
 Frame Control: 0x0050 (Normal)
  Version: 0
  Type: Management frame (0)
  Subtype: 5
  Flags: 0x0
   DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
   .....0..= More Fragments: This is the last fragment
   ....0...= Retry: Frame is not being retransmitted
   ...0....= PWR MGT: STA will stay up
   ..0.....= More Data: No data buffered
   .0......= Protected flag: Data is not protected
   0.......= Order flag: Not strictly ordered
 Duration: 314
 Destination address: HonHaiPr_28:28:28 (00:1c:26:28:28:28)
 Source address: Cisco_c0:c0:c0 (00:0f:24:c0:c0:c0)
 BSS Id: Cisco_c0:c0:c0 (00:0f:24:c0:c0:c0)
 Fragment number: 0
 Sequence number: 1462
IEEE 802.11 wireless LAN management frame
 Fixed parameters (12 bytes)
  Timestamp: 0x00000C1BD675BB4C
  Beacon Interval: 0.102400 [Seconds]
  Capability Information: 0x0431
   .... ........ ...1= ESS capabilities: Transmitter is an AP
   .... ........ ..0.= IBSS status: Transmitter belongs to a BSS
   .... ..0..... 00..= CFP participation capabilities: No point coordinator at AP (0x0000)
   .... .......1 ....= Privacy: AP/STA can support WEP
   .... ......1. ....= Short Preamble: Short preamble allowed
   .... .....0.. ....= PBCC: PBCC modulation not allowed
   .... ....0... ....= Short Slot Time: Short slot time in use
   .... ...0.... ....= Spectrum Management: dot11SpectrumManagementRequired FALSE
   .... .1...... ....= PWR MGT: STA will stay up
   .... 0....... ....Automatic Power Save Delivery: apsd not implemented
   ..0. ........ ....= DSSS-OFDM: DSSS-OFDM modulation not allowed
   .0.. ........ ....= Delayed Block Ack: delayed block ack not implemented
   0... ........ ....= Immediate Block Ack: immediate block ack not implemented
 Tagged parameters (180 bytes)
  SSID parameter set: "OPENMANIAK"
   Tag Number: 0 (SSID parameter set)
   Tag length: 11
   Tag interpretation: OPENMANIAK
  Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0
   Tag Number: 1 (Supported Rates)
   Tag length: 8
   Tag interpretation: Supported rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0 [Mbit/sec]
  DS Parameter set: Current Channel: 6
   Tag Number: 3 (DS Parameter set)
   Tag length: 1
   Tag interpretation: Current Channel: 6
  ERP Information: no Non-ERP STAs, use protection, short or long preambles
   Tag Number: 42 (ERP Information)
   Tag length: 1
   Tag interpretation: ERP info: 0x2 (no Non-ERP STAs, use protection, short or long preambles)
  RSN Information
   Tag Number: 48 (RSN Information)
   Tag length: 20
   Tag interpretation: RSN IE, version 1
   Tag interpretation: Multicast cipher suite: TKIP
   Tag interpretation: # of unicast cipher suites: 1
   Tag interpretation: Unicast cipher suite 1: AES (CCM)
   Tag interpretation: # of auth key management suites: 1
   Tag interpretation: auth key management suite 1: WPA
   RSN Capabilities: 0x0028
   .... ........ ...0= RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
   .... ........ ..0.= RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
   .... ........ 10..= RSN PTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
   .... ......10 ....= RSN GTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
  Vendor Specific: WPA
   Tag Number: 221 (Vendor Specific)
   Tag length: 24
   Tag interpretation: WPA IE, type 1, version 1
   Tag interpretation: Multicast cipher suite: TKIP
   Tag interpretation: # of unicast cipher suites: 1
   Tag interpretation: Unicast cipher suite 1: TKIP
   Tag interpretation: # of auth key management suites: 1
   Tag interpretation: auth key management suite 1: WPA
   Tag interpretation: Not interpreted
  Extended Supported Rates: 24.0 36.0 48.0 54.0
   Tag Number: 50 (Extended Supported Rates)
   Tag length: 4
   Tag interpretation: Supported rates: 24.0 36.0 48.0 54.0 [Mbit/sec]
  Cisco Unknown 1 + Device Name
   Tag Number: 133 (Cisco Unknown 1 + Device Name)
   Tag length: 30
   Tag interpretation: Unknown + Name: AP01 #Clients: 0
  Vendor Specific: Aironet Unknown
   Tag Number: 221 (Vendor Specific)
   Tag length: 6
   Aironet IE type: Unknown (1)
   Aironet IE data: 0100
  Vendor Specific: Aironet CCX version = 3
   Tag Number: 221 (Vendor Specific)
   Tag length: 5
   Aironet IE type: CCX version (3)
   Aironet IE CCX version?: 3
  Vendor Specific: Aironet Qos
   Tag Number: 221 (Vendor Specific)
   Tag length: 22
   Aironet IE type: Qos (4)
   Aironet IE QoS unknown 1: 0x00
   Aironet IE QoS paramset: 2
   CCX QoS Parameters??: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 10, TXOP 0
   CCX QoS Parameters??: ACI 1 (Background), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 10, TXOP 0
   CCX QoS Parameters??: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 4, TXOP 0
   CCX QoS Parameters??: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 3, TXOP 0
  Vendor Specific: WME
   Tag Number: 221 (Vendor Specific)
   Tag length: 24
   Tag interpretation: WME PE: type 2, subtype 1, version 1, parameter set 2
   Tag interpretation: WME AC Parameters: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 4, TXOP 0
   Tag interpretation: WME AC Parameters: ACI 1 (Background), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 4, TXOP 0
   Tag interpretation: WME AC Parameters: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 3, TXOP 94
   Tag interpretation: WME AC Parameters: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 2, TXOP 47



 3.2 Management frame - Beacon

Beacon Frames are sent regularly by access points to help wireless clients to identify them.

In the beacon frame body, information similar to that found in a probe response is displayed, such as the network name (SSID), supported rates, AP name, AP manufacturer, etc.

In an idle network, beacons dominate all other traffic.
If the AP is set not to broadcast its SSID, it will send beacons with a blank SSID field such as in the capture below.

 Wireshark capture

[Screenshot: Wireshark capture of the wireless management frame (beacon)]

 Tshark capture

Frame 21 (212 bytes on wire, 212 bytes captured)
 Arrival Time: Feb 5, 2008 19:27:19.309692000
 [Time delta from previous captured frame: 0.007605000 seconds]
 [Time delta from previous displayed frame: 0.007605000 seconds]
 [Time since reference or first frame: 0.491304000 seconds]
 Frame Number: 21
 Frame Length: 212 bytes
 Capture Length: 212 bytes
 [Frame is marked: False]
 [Protocols in frame: wlan]
IEEE 802.11
 Type/Subtype: Beacon frame (0x08)
 Frame Control: 0x0080 (Normal)
  Version: 0
  Type: Management frame (0)
  Subtype: 8
  Flags: 0x0
   DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
   .....0..= More Fragments: This is the last fragment
   ....0...= Retry: Frame is not being retransmitted
   ...0....= PWR MGT: STA will stay up
   ..0.....= More Data: No data buffered
   .0......= Protected flag: Data is not protected
   0.......= Order flag: Not strictly ordered
 Duration: 0
 Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
 Source address: Cisco_b0:b0:b0 (00:14:f2:b0:b0:b0)
 BSS Id: Cisco_b0:b0:b0 (00:14:f2:b0:b0:b0)
 Fragment number: 0
 Sequence number: 3348
IEEE 802.11 wireless LAN management frame
 Fixed parameters (12 bytes)
  Timestamp: 0x00000C1BD675BB4C
  Beacon Interval: 0.102400 [Seconds]
  Capability Information: 0x0431
   .... ........ ...1= ESS capabilities: Transmitter is an AP
   .... ........ ..0.= IBSS status: Transmitter belongs to a BSS
   .... ..0..... 00..= CFP participation capabilities: No point coordinator at AP (0x0000)
   .... .......1 ....= Privacy: AP/STA can support WEP
   .... ......1. ....= Short Preamble: Short preamble allowed
   .... .....0.. ....= PBCC: PBCC modulation not allowed
   .... ....0... ....= Short Slot Time: Short slot time in use
   .... ...0.... ....= Spectrum Management: dot11SpectrumManagementRequired FALSE
   .... .1...... ....= PWR MGT: STA will stay up
   .... 0....... ....= Automatic Power Save Delivery: apsd not implemented
   ..0. ........ ....= DSSS-OFDM: DSSS-OFDM modulation not allowed
   .0.. ........ ....= Delayed Block Ack: delayed block ack not implemented
   0... ........ ....= Immediate Block Ack: immediate block ack not implemented
 Tagged parameters (176 bytes)
  SSID parameter set: "\000"
   Tag Number: 0 (SSID parameter set)
   Tag length: 1
   Tag interpretation:
  Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0
   Tag Number: 1 (Supported Rates)
   Tag length: 8
   Tag interpretation: Supported rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0 [Mbit/sec]
  DS Parameter set: Current Channel: 11
   Tag Number: 3 (DS Parameter set)
   Tag length: 1
   Tag interpretation: Current Channel: 11
  Traffic Indication Map (TIM): DTIM 0 of 2 bitmap empty
   Tag Number: 5 (Traffic Indication Map (TIM))
   TIM length: 4
   DTIM count: 0
   DTIM period: 2
   Bitmap Control: 0x00 (mcast:0, bitmap offset 0)
  ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
   Tag Number: 42 (ERP Information)
   Tag length: 1
   Tag interpretation: ERP info: 0x0 (no Non-ERP STAs, do not use protection, short or long preambles)
  RSN Information
   Tag Number: 48 (RSN Information)
   Tag length: 20
   Tag interpretation: RSN IE, version 1
   Tag interpretation: Multicast cipher suite: TKIP
   Tag interpretation: # of unicast cipher suites: 1
   Tag interpretation: Unicast cipher suite 1: AES (CCM)
   Tag interpretation: # of auth key management suites: 1
   Tag interpretation: auth key management suite 1: WPA
   RSN Capabilities: 0x0028
   .... ........ ...0= RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
   .... ........ ..0.= RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
   .... ........ 10..= RSN PTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
   .... ......10 ....= RSN GTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
  Vendor Specific: WPA
   Tag Number: 221 (Vendor Specific)
   Tag length: 24
   Tag interpretation: WPA IE, type 1, version 1
   Tag interpretation: Multicast cipher suite: TKIP
   Tag interpretation: # of unicast cipher suites: 1
   Tag interpretation: Unicast cipher suite 1: TKIP
   Tag interpretation: # of auth key management suites: 1
   Tag interpretation: auth key management suite 1: WPA
   Tag interpretation: Not interpreted
  Extended Supported Rates: 24.0 36.0 48.0 54.0
   Tag Number: 50 (Extended Supported Rates)
   Tag length: 4
   Tag interpretation: Supported rates: 24.0 36.0 48.0 54.0 [Mbit/sec]
  Cisco Unknown 1 + Device Name
   Tag Number: 133 (Cisco Unknown 1 + Device Name)
   Tag length: 30
   Tag interpretation: Unknown + Name: AP02 #Clients: 1
  Vendor Specific: Aironet Unknown
   Tag Number: 221 (Vendor Specific)
   Tag length: 6
   Aironet IE type: Unknown (1)
   Aironet IE data: 0100
  Vendor Specific: Aironet CCX version = 3
   Tag Number: 221 (Vendor Specific)
   Tag length: 5
   Aironet IE type: CCX version (3)
   Aironet IE CCX version?: 3
  Vendor Specific: Aironet Qos
   Tag Number: 221 (Vendor Specific)
   Tag length: 22
   Aironet IE type: Qos (4)
   Aironet IE QoS unknown 1: 0x00
   Aironet IE QoS paramset: 2
   CCX QoS Parameters??: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 10, TXOP 0
   CCX QoS Parameters??: ACI 1 (Background), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 10, TXOP 0
   CCX QoS Parameters??: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 4, TXOP 0
   CCX QoS Parameters??: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 3, TXOP 0
  Vendor Specific: WME
   Tag Number: 221 (Vendor Specific)
   Tag length: 24
   Tag interpretation: WME PE: type 2, subtype 1, version 1, parameter set 2
   Tag interpretation: WME AC Parameters: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 4, TXOP 0
   Tag interpretation: WME AC Parameters: ACI 1 (Background), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 4, TXOP 0
   Tag interpretation: WME AC Parameters: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 3, TXOP 94
   Tag interpretation: WME AC Parameters: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 2, TXOP 47
