Wifi packet - 連上AP

admin

下表是利用 omnipeek 抓下約 3 秒鐘的無線包9 [% z+ {! P5 |4 l

- P6 Z! m: P8 \" g. x動作:; P4 s, ]" j* q/ l  n" e5 F) i" X
1)  啟動 Cisco AP，host 名為 Openplatform，2.4G Mac 地址為 00:19:07:58:9F:20，沒有加密，頻道為 9
  a: V6 A! [* ]) R  ?& Z* b( p) t8 m2)  利用 Summit 無線卡，啟動 CCX，連上 Cisco AP, 2.4G Mac 地址為 00:17:23:0D:2C:7D1 L/ B' s; y: P9 C2 \3 v7 G
# c1 g) m5 `+ B4 Q
** 登入論壇後資料顯示更整齊 ***
! G+ F. a+ R9 d' a1 v% L& ?, Z- l0 c3 R- K$ tPacketSourceDestinationData RateRelative TimeProtocol, f8 ^9 Q5 F' o8 u3 _& i; B" W
100:19:07:58:9F:20Ethernet Broadcast10802.11 Beacon
* B1 ]: @% _  O$ y% }200:19:07:58:9F:20Ethernet Broadcast10.102401802.11 Beacon
+ X& n' o. m4 h% O: P300:19:07:58:9F:20Ethernet Broadcast10.204804802.11 Beacon, d$ K7 N( y# @- X" e8 s% y( L7 B
400:19:07:58:9F:20Ethernet Broadcast10.307203802.11 Beacon8 R% b2 t5 M) A+ \1 E  l9 k! v
500:19:07:58:9F:20Ethernet Broadcast10.409604802.11 Beacon! h, B% U: Q2 S5 c( Z( V# @1 I
600:19:07:58:9F:20Ethernet Broadcast10.512005802.11 Beacon
, `. q1 X% j5 y9 v" I, }700:19:07:58:9F:20Ethernet Broadcast10.614406802.11 Beacon
$ r; }, P0 V: A0 S. S' n& x5 a- S8 ^800:19:07:58:9F:20Ethernet Broadcast10.716807802.11 Beacon6 `/ \3 t0 z7 O" ~
900:19:07:58:9F:20Ethernet Broadcast10.819208802.11 Beacon+ Y0 [6 B5 t6 G& |
1000:19:07:58:9F:20Ethernet Broadcast11.024009802.11 Beacon
# ?$ j) y6 F/ c3 B% k: H+ {1100:19:07:58:9F:20Ethernet Broadcast11.12641802.11 Beacon
% g: W& z# N$ o3 s$ _7 Y$ E4 a) T1200:17:23:0D:2C:7DEthernet Broadcast11.175586802.11 Probe Req
" N5 m9 M& t4 c. o1300:17:23:0D:2C:7DEthernet Broadcast11.208822802.11 Probe Req
& O4 t9 [7 W/ W1400:19:07:58:9F:20Ethernet Broadcast11.228811802.11 Beacon
( ^$ w8 }- F4 P) \1500:19:07:58:9F:20Ethernet Broadcast11.331212802.11 Beacon
9 k0 L9 L/ V' ^# o( ?1600:17:23:0D:2C:7DEthernet Broadcast11.385512802.11 Probe Req4 m+ C& `  b: d# M0 T  h
17Ethernet Broadcast00:19:07:58:9F:2011.422788802.11 Ack$ O/ j# C6 \6 V' z! ^: K9 S* y
1800:19:07:58:9F:20Ethernet Broadcast11.433613802.11 Beacon
" p: _' N% v% G; P- x7 T( N$ M+ U  y1900:19:07:58:9F:2000:17:23:0D:2C:7D11.4586802.11 Probe Rsp
& b- e- _6 ]+ m2 K# j2 [2000:19:07:58:9F:2000:17:23:0D:2C:7D11.460278802.11 Probe Rsp
. Z& N0 _& d+ \/ ~/ M" S2100:17:23:0D:2C:7D00:19:07:58:9F:2011.460593802.11 Ack( H/ L( Z& O6 \* l
2200:17:23:0D:2C:7D00:19:07:58:9F:2011.527452802.11 Auth2 X) D! j+ J; F$ z& W8 O7 r
2300:19:07:58:9F:2000:17:23:0D:2C:7D11.527764802.11 Ack$ v* x8 t; z! V. J2 i- }
2400:19:07:58:9F:2000:17:23:0D:2C:7D111.528054802.11 Auth9 X5 n9 W, ]" U2 i0 j4 |: m
2500:17:23:0D:2C:7D00:19:07:58:9F:2011.528362802.11 Ack
5 I- b0 a  u% X1 }6 U2 S' X4 U2600:17:23:0D:2C:7D00:19:07:58:9F:2011.529416802.11 Assoc Req
+ B. o  y2 \6 h( {- e2700:19:07:58:9F:2000:17:23:0D:2C:7D11.529731802.11 Ack
# p3 B) \% L: h2 n0 [1 U2800:19:07:58:9F:2000:17:23:0D:2C:7D111.530343802.11 Assoc Rsp
* K4 y4 {1 h2 f* ?$ c2900:17:23:0D:2C:7D00:19:07:58:9F:2011.530655802.11 Ack1 o1 h) z1 H! W# d1 c
30192.168.21.54224.0.0.1111.531262IGMP
5 J* c# J  y  r) A1 Q31192.168.21.54224.0.0.1111.532943IGMP
$ F3 O, B  M* P/ s) m. n3200:17:23:0D:2C:7D00:19:07:58:9F:20111.533059802.11 Ack" p. c1 ~: Y. H9 b- c3 Y  h( X
3300:19:07:58:9F:2000:17:23:0D:2C:7D111.533673WLCCP
- L+ F. k$ M+ _: ~8 `3400:17:23:0D:2C:7D00:19:07:58:9F:20111.53379802.11 Ack
2 S5 J8 Z/ G- }/ D4 o# A9 D1 J3500:19:07:58:9F:20Ethernet Broadcast11.536016802.11 Beacon  v* s  ^$ w) k/ ~5 ^5 V( f
3600:19:07:58:9F:20Ethernet Broadcast11.638414802.11 Beacon
3 J- V$ Q1 L, c& i; R3700:19:07:58:9F:20Ethernet Broadcast11.740816802.11 Beacon
/ O* h$ ?4 B5 p5 {: Q3800:19:07:58:9F:20Ethernet Broadcast11.843218802.11 Beacon
1 `4 w7 f2 Q' Q" l+ M" R* G3900:19:07:58:9F:20Ethernet Broadcast11.945617802.11 Beacon! n, q( v# s! P9 b* N) Q
4000:19:07:58:9F:20Ethernet Broadcast12.048018802.11 Beacon1 H+ o2 i, L* L4 E" c: I
4100:19:07:58:9F:20Ethernet Broadcast12.150419802.11 Beacon
5 j/ N7 }1 R, Y$ f- ~7 p42192.168.21.54224.0.0.1112.172736IGMP
+ t4 j2 ~1 q/ l; o7 \9 J4300:17:23:0D:2C:7D00:19:07:58:9F:20112.172852802.11 Ack
) E5 W" W4 y' d4400:19:07:58:9F:20Ethernet Broadcast12.25282802.11 Beacon
% J) A+ F( \" N5 C! M4500:19:07:58:9F:20Ethernet Broadcast12.355221802.11 Beacon
, @) K* A$ I3 o) k5 X4 e+ X; `4600:19:07:58:9F:20Ethernet Broadcast12.457622802.11 Beacon$ w3 ]" M& e( }$ ]
+ ?0 W# l6 Q+ X; s' N
" b* t, P; ], ?3 Z8 k把一些無關痛癢的包不管，整個握手過程為包括 : j6 F' u  }! H' O' e
Beacon4 k# `/ ]6 }' Z. a$ d1 I
802.11 Probe Req  -> 802.11 Probe Rsp4 n" U% M5 B% x' ~/ A$ H( A
802.11 Auth -> 802.11 Auth
+ c/ ~# t& {) o8 ~5 J5 g802.11 Assoc Req -> 802.11 Assoc Rsp
2 r+ R6 w2 _) Q  |9 Y" o; g5 {  y2 t( _; g0 C8 n
而每當Source 傳一個包給 Destination, Destionation 都會向 source 回應 802.11 Ack，這個暫不理，那麼我們把上表簡化為下表，跟著會詳細把每個包的重點提出來。1 V9 [3 I8 p# ^  i9 }$ [
% W1 H5 ^9 G. r  [2 V
2 ?( [7 n8 i  D: ]" Z1 }3 y! |PacketSourceDestinationData RateRelative TimeProtocol
, e- ]6 j' T- z5 A100:19:07:58:9F:20Ethernet Broadcast10802.11 Beacon
5 H+ B5 J: W, \# l6 O7 ]1600:17:23:0D:2C:7DEthernet Broadcast11.385512802.11 Probe Req
- R/ _: i5 P* ]& b; ^+ ]5 [2000:19:07:58:9F:2000:17:23:0D:2C:7D11.460278802.11 Probe Rsp7 U" H/ n2 I) E" @  F, z! A7 x
2200:17:23:0D:2C:7D00:19:07:58:9F:2011.527452802.11 Auth5 k2 B4 b" F7 d% p, [( ]
2400:19:07:58:9F:2000:17:23:0D:2C:7D111.528054802.11 Auth. ]8 x) Q; {9 x, z7 Y) Y
2600:17:23:0D:2C:7D00:19:07:58:9F:2011.529416802.11 Assoc Req/ a- x4 `& U- X$ @
2800:19:07:58:9F:2000:17:23:0D:2C:7D111.530343802.11 Assoc Rsp
. W3 B. o* D+ g) ^# R$ e

admin

Packet 1 的詳細數據
9 F7 `  h: S: P2 M) D0 U% n
6 t" [4 x  `2 ]7 u8 q

admin

Packet 16 的詳細數據7 h" j- Q. F+ _# E- S

admin

Packet 20 的詳細數據4 N. [# P( w) `" W

admin

Packet 22 的詳細數據
& B$ f4 c3 d) K- ~

admin

Packet 24 的詳細數據8 t# D) C6 T8 y

admin

Packet 26 的詳細數據/ R: Z, P, n. ]. j
/ {1 M; ]! j4 ]! L* u+ W% d5 h
. W# \+ v2 C9 `0 v8 K
分析:
3 }/ t: Q, L4 s: D& h! {  G& p0 S5 N  V
如果無線卡啟動了 CCX，在802.11 management 實質體的 Supported Rate 後多了 Cisco Proprietary 內容傳給 Access Point ，Access Point 在隨後發出的 Association Response (packet 28) 中，也加入Cisco Proprietary 內容，其中一個重要信息為AP的名字 (AP name )，例子中為  "Openplatform"，無線卡收到此信息，便可在相連的客戶端軟件中顯示 AP name，這個AP name 對於無線網管理非常有用，如果沒有 AP name，客戶端軟件只能顯示 AP 的MAC  地址，我們很難從 MAC 地址去馬上意識到到底是哪一個AP，但如有了 AP name, 而我們又為不同 AP 設定容易理解的名字，例如位置，當無線客戶端在一個很多AP組成的無線網中不斷漫遊，從顯示的 AP 名字，我們便很易了解到底連上哪一個AP，這對於無線網管理及維護有極大幫助。
1 @6 K1 G$ u: {' r& x* b* f/ Q
* G2 C  r  x0 k; j. ^在 packet 26 中看到無線卡支持  CCX4，在 packet 28 中顯示 Cisco AP 支持  CCX5。3 Y* [  v2 ^* x& ~
* t" P* P, y" H  U! R
注意，如果無線卡支持  CCX，如果AP 並不是 Cisco ，也不會把 AP name 傳給無線卡。

admin

Packet 28 的詳細數據
' b& U! G1 j( [0 J3 }1 S7 q2 w
( J& Q3 T& B  b3 \/ ?

onlyone

这里都是比较高端的设备。

admin

回復 9# onlyone : w/ c1 ]; ^5 g2 E2 g8 ^- D1 _
3 N; T3 x' X! g& A

% q2 r4 F0 m/ |' w" l, K5 ]: E2 F! z    設備是什麼不重要，我只是大家能徹底研究 wifi 無線包，坊間所有介紹都是把書本的內容搬出來，我則會創新利用實例去介紹，請留意未來數個的內容，跟著我會分柝有線包及無線包，去說明漫遊時，到底戶用端與AP，及AP與AP 到底有什麼溝通