Tuesday, October 22, 2019

WLAN Analysis with Wireshark (802.11 Radio Information, Part 1)

This article continues our discussion of Wireshark wireless packet analysis and is the first one covering the 802.11 Radio Information section. The following diagram shows an example of this section. As you can see, it contains several sub-fields, and the writer would like to take this opportunity to understand those sub-fields better.


PHY type: describes the PHY type used on this network. The packet above indicates 802.11a. The IEEE 802.11 standard defines several PHY types:

  • IEEE 802.11a provides wireless 54Mbps data rate
    • Wireshark shows 5
  • IEEE 802.11b provides wireless 11Mbps data rate
  • IEEE 802.11g provides wireless 54Mbps data rate
    • Wireshark shows 6
  • IEEE 802.11n provides wireless 300Mbps data rate
    • Wireshark shows 7
  • IEEE 802.11ac (5-GHz) provides wireless 900Mbps data rate
    • Wireshark shows 8

The following two screenshots show further examples: the first one 802.11n and 802.11g, the second one 802.11ac.



Note that the Wireshark display filter field for "PHY type" is wlan_radio.phy.

In a Wireshark capture file, frames from the same STA (the same MAC address) are usually transmitted with the same 802.11 PHY type. For example, the diagram below shows a STA (MAC ending with 36:84:C1) using 802.11a.


VRRP MAC Address: VRRP stands for Virtual Router Redundancy Protocol. The virtual router MAC address is usually in the following format:

00-00-5E-00-01-{VRID} (in hex in internet standard bit-order)

The first three octets are IANA's OUI. The next two octets (00-01) indicate the address block assigned to the VRRP protocol. {VRID} is the VRRP Virtual Router Identifier; 11 is the value used in our lab.


The following screenshot presents another example, with the same source STA (MAC ending with 38:ff:22) and destination STA (MAC ending with VRID 11). As you can see, frame 478 attempts to use 802.11ac but then switches to 802.11n, possibly because it tries to lower its speed and the frame ends up malformed.
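The two observations above (frames from one STA normally share a PHY type, and the VRRP virtual MAC format 00-00-5E-00-01-{VRID}) can be checked outside the Wireshark GUI. The script below is an added example, not from the original post: it reads a tab-separated tshark field export (`tshark -T fields -e frame.number -e wlan.ta -e wlan.ra -e wlan_radio.phy`), reports transmitters seen with more than one PHY type, and decodes the VRID from destination addresses in the VRRP block. The export lines are constructed; only the last three octets of each MAC come from the post, and the PHY codes are the ones listed above.

```python
from collections import defaultdict
# PHY codes as listed on this page (other codes exist; they are reported as "unknown")
PHY_NAMES = {5: "802.11a", 6: "802.11g", 7: "802.11n", 8: "802.11ac"}
VRRP_PREFIX = "00:00:5e:00:01"  # IANA OUI 00-00-5E followed by the VRRP block 00-01
# Constructed tshark export (-T fields -e frame.number -e wlan.ta -e wlan.ra -e wlan_radio.phy);
# only the last three octets of each MAC come from the post, the 00:11:22:33 prefix is invented.
SAMPLE_EXPORT = """\
476\t00:11:22:33:38:ff:22\t00:00:5e:00:01:0b\t8
477\t00:11:22:33:38:ff:22\t00:00:5e:00:01:0b\t8
478\t00:11:22:33:38:ff:22\t00:00:5e:00:01:0b\t7
500\t00:11:22:33:36:84:c1\t00:11:22:33:0c:67:58\t5
501\t00:11:22:33:36:84:c1\t00:11:22:33:0c:67:58\t5
"""

def vrrp_vrid(mac):
    """Return the VRID if mac is a VRRP virtual router MAC 00-00-5E-00-01-{VRID}, else None."""
    mac = mac.lower().replace("-", ":")
    if not mac.startswith(VRRP_PREFIX + ":"):
        return None
    return int(mac.rsplit(":", 1)[1], 16)

def parse_export(text):
    """Parse tab-separated export lines into dicts with frame, ta, ra and numeric phy."""
    frames = []
    for line in text.splitlines():
        if line.strip():
            num, ta, ra, phy = line.split("\t")
            frames.append({"frame": int(num), "ta": ta.lower(), "ra": ra.lower(), "phy": int(phy)})
    return frames

def phy_per_sta(frames):
    """Map each transmitter (TA) to the set of PHY type names it was seen using."""
    seen = defaultdict(set)
    for f in frames:
        seen[f["ta"]].add(PHY_NAMES.get(f["phy"], "unknown(%d)" % f["phy"]))
    return dict(seen)

def stas_with_mixed_phy(frames):
    """Transmitters seen with more than one PHY type, like the 802.11ac to 802.11n change above."""
    return sorted(ta for ta, phys in phy_per_sta(frames).items() if len(phys) > 1)

if __name__ == "__main__":
    frames = parse_export(SAMPLE_EXPORT)
    for ta, phys in sorted(phy_per_sta(frames).items()):
        print(ta, sorted(phys))
    print("STAs with more than one PHY type:", stas_with_mixed_phy(frames))
    for f in frames:
        vrid = vrrp_vrid(f["ra"])
        if vrid is not None:
            print("frame %d: RA is a VRRP virtual router, VRID %d" % (f["frame"], vrid))
```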


In the source and destination columns you may see the TA/RA marks. TA stands for Transmitter Address and RA for Receiver Address. The following diagram shows frame 18,082 (an 802.11 Block Acknowledgement frame), in which the MAC address ending with 38:ff:22 is the Transmitter Address and the STA ending with 0c:67:58 is the Receiver Address. In frame 18,083 (a Clear-To-Send frame), however, the Receiver Address remains the STA ending with 0c:67:58.

Review Session: If the PHY type shows 4, which 802.11 technology is present?


Review Session: According to the following capture, 802.11b is used. Does that mean 802.11b is being used by those STAs with a D-Link name in the source address, or is it the laptop that managed to collect all of those frames?

