RTS/CTS and Network Analysis using Wireshark
The purpose of this lab is to investigate RTS/CTS and CTS-to-self messaging in the wild. Along the way we will also learn about monitor mode and what it does, and gain some familiarity with Wireshark.
Initial Setup
You should start by setting up a network as shown below. Remember that at the beginning of every lab you should restore factory defaults to remove the previous group's settings. To do this: Administration->Factory Defaults->Yes, Apply, OK.
To limit the number of computers required, you may wish to make the Windows Wireless device, in the diagram below, your phone or laptop.
Wireshark
Wireshark is an application that is used for troubleshooting and studying networks. I hope that you will become very familiar with it as it is an excellent learning/diagnostic tool.
Under standard operation, wireless devices are only able to see frames that are either sourced by them or destined for them. Open Wireshark on either Windows or Linux and start capturing on your Wi-Fi adapter. Ping your access point over the link and ensure that you have captured these frames. Save your packet capture, as we will return to it later. What can you see? What do you think might be missing?
Note that we are unable to see important management frames like beacons, probe requests and probe responses. To see them we need a Linux OS and a wireless adapter placed in a special mode called monitor mode.
Monitor Mode on Linux
Follow the instructions here to put the Alpha USB Wifi adapter in monitor mode: Alpha_USB_in_monitor_mode
sudo iwconfig [adaptor_name] channel [Channel your AP is using]
You should now be able to capture traffic in monitor mode on your wireless interface. What is different in the monitor mode output? What do you think monitor mode does? Compare it with the capture you saved earlier. Discuss with your group and chat with your tutor.
Normal monitor mode wireless behaviour
Let's talk about frames
There are three different types of Wi-Fi frames:
- Management Frames
- Control Frames
- Data Frames
Some things for you to search for:
- Filter all the beacons in your traffic
- Find an SSID that has multiple BSSIDs. What does this mean?
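The two searches above can be done in Wireshark with the display filter wlan.fc.type_subtype == 0x08 (beacons) and then by sorting on the SSID and BSSID columns. The script below does the same thing programmatically on raw 802.11 frames, so you can see exactly which bytes Wireshark is filtering on: the type/subtype bits of the Frame Control field, Addr3 (the BSSID) in the management header, and tag 0 (SSID) in the beacon body. This is an added example, not part of the lab page or any tool it names; the beacon frames it processes are constructed in the script (make_beacon), not captured, and the BSSIDs and SSID names are made up.

```python
"""Filter beacon frames out of raw 802.11 frames and map each SSID to the
BSSIDs advertising it. Added example for the lab page; all frames below are
constructed here, not captured from the air."""
import struct
from collections import defaultdict

# 802.11 Frame Control type/subtype values. Wireshark's wlan.fc.type_subtype
# combines them as (type << 4) | subtype, so a beacon shows as 0x08.
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_BEACON = 8
SUBTYPE_CTS = 12
MGMT_HEADER_LEN = 24      # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
BEACON_FIXED_LEN = 12     # Timestamp(8) BeaconInterval(2) Capability(2)
TAG_SSID = 0              # Information element id for the SSID
TAG_DS_PARAM = 3          # DS Parameter Set: carries the channel number


def frame_type_subtype(frame: bytes):
    """Return (type, subtype) from the first (little-endian) Frame Control byte."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def is_beacon(frame: bytes) -> bool:
    return len(frame) >= MGMT_HEADER_LEN and \
        frame_type_subtype(frame) == (TYPE_MGMT, SUBTYPE_BEACON)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes):
    """Return (bssid, ssid) for a beacon. The BSSID is Addr3 of the header;
    the SSID is the value of tag 0 in the tagged parameters after the fixed
    fields. Tags are walked as id(1) length(1) value(length)."""
    bssid = mac_str(frame[16:22])
    body = frame[MGMT_HEADER_LEN + BEACON_FIXED_LEN:]
    ssid = ""
    i = 0
    while i + 2 <= len(body):
        tag_id, tag_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + tag_len]
        if tag_id == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
        i += 2 + tag_len
    return bssid, ssid


def ssid_to_bssids(frames):
    """Group beacon BSSIDs by SSID. Several BSSIDs under one SSID is normal:
    it usually means several APs (or several radios of one AP) share a name."""
    groups = defaultdict(set)
    for f in frames:
        if is_beacon(f):
            bssid, ssid = parse_beacon(f)
            groups[ssid].add(bssid)
    return {ssid: sorted(b) for ssid, b in groups.items()}


def multi_bssid_ssids(frames):
    return {s: b for s, b in ssid_to_bssids(frames).items() if len(b) > 1}


# --- constructed sample frames (assumed addresses and names, not captured) ---
def make_beacon(bssid: bytes, ssid: str, channel: int) -> bytes:
    fc = struct.pack("<H", (TYPE_MGMT << 2) | (SUBTYPE_BEACON << 4))
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)     # timestamp, 100 TU, capabilities
    tags = bytes([TAG_SSID, len(ssid)]) + ssid.encode() + bytes([TAG_DS_PARAM, 1, channel])
    return header + fixed + tags


def make_cts(ra: bytes) -> bytes:
    """A CTS control frame: FC(2) Duration(2) RA(6). Included so the filter
    has a non-beacon frame to reject."""
    fc = struct.pack("<H", (TYPE_CTRL << 2) | (SUBTYPE_CTS << 4))
    return fc + b"\x00\x00" + ra


AP1 = bytes.fromhex("021122334401")
AP2 = bytes.fromhex("021122334402")
AP3 = bytes.fromhex("02aabbccdd03")
SAMPLE_FRAMES = [
    make_beacon(AP1, "LabNet", 6),
    make_beacon(AP2, "LabNet", 11),
    make_beacon(AP3, "Guest", 1),
    make_cts(AP1),
]

if __name__ == "__main__":
    print(ssid_to_bssids(SAMPLE_FRAMES))
    print("SSIDs with more than one BSSID:", multi_bssid_ssids(SAMPLE_FRAMES))
```

To run it on a real capture, replace SAMPLE_FRAMES with the raw 802.11 frames read from your pcap (after stripping the radiotap header that monitor mode prepends); the parsing functions themselves do not change.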
RTS/CTS Messaging
Turn on RTS/CTS messaging:
- On your AP, this is under Wireless->Basic-Settings->Advanced-Settings. You should set the threshold to 1.
- On a Windows device: Device Manager->Wireless NIC->Mixed Mode Protection
- On a Linux device:
sudo iwconfig [wireless_adapter_name] RTS 100
Start some continual pings from your wired host to your wireless host. Check to see if any RTS/CTS or CTS-to-self messages are being sent. Depending on which channel you use, you will potentially pick up transmissions from many different APs, and it may be difficult to find yours. Locating specific data within a large packet capture file is a very important skill for networking professionals. If you are having trouble locating your ICMP ping messages, try disabling the 5 GHz radio on your AP.
Troubleshooting
You may not be able to see all of your frames. Why, or why not? Can you see a higher proportion of Block Acks, Acks, Beacons or Probe Requests/Responses? Why do you think this is?
The following screenshots show what you should see when you have identified the appropriate frames: RTS, CTS, Ping, Ack.
Questions
See if you can answer the following questions.
- What is the benefit of the RTS/CTS process? What problem does it solve?
- What is a drawback of the RTS/CTS process?
- Why can't we see the DCF process? Why can't we see interframe spacing?
- What do you think the difference is between an 802.11 Ack and a Block Ack? What do you think the Block Ack bitmap does? Does wired Ethernet use Acks? Why, or why not?
- If you are seeing more Acks than data frames, why do you think this is the case?
- Can you see any instances where there is a CTS without an RTS? What is going on here?
- What is the proportion of Block Acks to data frames? Why do you think this ratio occurs?
- What percentage of your total frames are data frames?
- What data rates are 802.11 Acks sent at?
- What is the distribution of packet sizes? Break into:
- < 500 bytes
- < 1000 bytes
- >= 1000 bytes
- Do you believe that your captured distribution is normal? Why, or why not?
- What percentage of data frames are retransmitted?
- Why do you think packets are being lost?
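Several of these questions (the Ack-to-data and Block Ack-to-data ratios, CTS frames without an RTS, the size distribution and the retransmission percentage) are counts over the whole capture, which is tedious to do by hand but easy to script. The example below is added here and is not part of the lab page or of Wireshark; it works on raw 802.11 frames, classifies them by the Frame Control type/subtype bits (the same values Wireshark shows as wlan.fc.type_subtype: RTS 0x1b, CTS 0x1c, Ack 0x1d, Block Ack 0x19), reads the Retry flag for retransmissions, and flags a CTS that is not answering an RTS, which is the pattern a CTS-to-self leaves in a trace. The frame sequence it analyses is constructed in the script and simplified (the Block Ack frames omit the BA Control and bitmap fields, and the data frames carry a zeroed header), and the "CTS without a preceding RTS" rule is an assumed heuristic for spotting CTS-to-self, not a definition from the standard.

```python
"""Tally control and data frames from a list of raw 802.11 frames to answer the
RTS/CTS lab questions. Added example for the lab page; the frames are
constructed below, not captured, and the Block Ack frames are simplified."""
import struct
from collections import Counter

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
CTRL_NAMES = {8: "BlockAckReq", 9: "BlockAck", 11: "RTS", 12: "CTS", 13: "ACK"}
RETRY_FLAG = 0x08   # bit 3 of the second Frame Control byte (wlan.fc.retry)


def frame_type_subtype(frame: bytes):
    """(type, subtype) from the first Frame Control byte."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF


def classify(frame: bytes) -> str:
    """Name a frame roughly the way Wireshark's Info column does."""
    ftype, sub = frame_type_subtype(frame)
    if ftype == TYPE_CTRL:
        return CTRL_NAMES.get(sub, f"Control({sub})")
    if ftype == TYPE_DATA:
        return "QoS Data" if sub & 0x8 else "Data"
    return "Beacon" if sub == 8 else f"Mgmt({sub})"


def is_retry(frame: bytes) -> bool:
    return bool(frame[1] & RETRY_FLAG)


def count_kinds(frames) -> Counter:
    return Counter(classify(f) for f in frames)


def cts_without_rts(frames):
    """Indices of CTS frames that are not immediately preceded by an RTS whose
    transmitter (Addr2, bytes 10:16) matches the CTS receiver (Addr1, bytes
    4:10). Assumed heuristic: a CTS-to-self is a lone CTS a station sends with
    RA set to its own address, so it never has a matching RTS before it."""
    hits = []
    for i, f in enumerate(frames):
        if classify(f) != "CTS":
            continue
        prev = frames[i - 1] if i > 0 else None
        if prev is not None and classify(prev) == "RTS" and prev[10:16] == f[4:10]:
            continue
        hits.append(i)
    return hits


def size_distribution(frames) -> dict:
    """Bucket frame lengths the way the lab questions ask."""
    buckets = Counter()
    for f in frames:
        n = len(f)
        if n < 500:
            buckets["<500"] += 1
        elif n < 1000:
            buckets["<1000"] += 1
        else:
            buckets[">=1000"] += 1
    return dict(buckets)


def data_retry_percent(frames) -> float:
    """Percentage of data frames carrying the Retry flag (retransmissions)."""
    data = [f for f in frames if frame_type_subtype(f)[0] == TYPE_DATA]
    if not data:
        return 0.0
    return 100.0 * sum(is_retry(f) for f in data) / len(data)


def ratio(frames, numerator: str, denominator: str) -> float:
    kinds = count_kinds(frames)
    return kinds[numerator] / kinds[denominator] if kinds[denominator] else float("inf")


# --- constructed frames: one RTS/CTS-protected exchange, then a CTS-to-self ---
def ctrl(subtype: int, ra: bytes, ta: bytes = b"") -> bytes:
    fc = struct.pack("<H", (TYPE_CTRL << 2) | (subtype << 4))
    return fc + b"\x00\x00" + ra + ta


def qos_data(payload_len: int, retry: bool = False) -> bytes:
    fc = bytes([(TYPE_DATA << 2) | (8 << 4), RETRY_FLAG if retry else 0])
    return fc + b"\x00" * 24 + b"\x00" * payload_len   # zeroed 26-byte QoS header


AP = bytes.fromhex("021122334401")
STA = bytes.fromhex("02aabbccdd03")
SAMPLE_FRAMES = [
    ctrl(11, ra=STA, ta=AP),      # RTS from AP to STA
    ctrl(12, ra=AP),              # CTS answering it (RA == RTS transmitter)
    qos_data(1400),               # large data frame
    ctrl(13, ra=AP),              # ACK
    qos_data(1400, retry=True),   # the same frame retransmitted
    ctrl(9, ra=AP, ta=STA),       # Block Ack (simplified)
    ctrl(12, ra=AP),              # CTS-to-self: no RTS before it
    qos_data(60),                 # small frame, e.g. an ICMP ping
    ctrl(13, ra=STA),             # ACK
]

if __name__ == "__main__":
    print(count_kinds(SAMPLE_FRAMES))
    print("CTS without RTS at indices:", cts_without_rts(SAMPLE_FRAMES))
    print("sizes:", size_distribution(SAMPLE_FRAMES))
    print(f"data retransmitted: {data_retry_percent(SAMPLE_FRAMES):.1f}%")
    print("ACK : data =", ratio(SAMPLE_FRAMES, "ACK", "QoS Data"))
```

On your own capture, feed in the 802.11 frames with the radiotap header removed and compare the numbers with the counts Wireshark's Statistics menu gives you; the ratios and the retransmission percentage are the ones the questions above ask for.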
Restore Factory Defaults
At the end of every lab you should restore factory defaults to clear your group's settings for the next group. To do this: Administration->Factory Defaults->Yes, Apply, OK.