1
00:00:00,000 --> 00:00:08,044

2
00:00:08,045 --> 00:00:10,898
Ok, welcome back. In our next section,

3
00:00:10,907 --> 00:00:13,817
we will discuss the capturing of wireless traffic,

4
00:00:13,817 --> 00:00:17,938
what you can do with Wireshark and how to analyze

5
00:00:17,938 --> 00:00:21,698
wireless communications so that you can solve problems.

6
00:00:21,698 --> 00:00:25,572
So with wireless, one of the interesting things,

7
00:00:25,572 --> 00:00:33,634
at least for our generation, the current generation, is that we moved from a

8
00:00:33,634 --> 00:00:40,468
completely cable-based or wire-based network topology to

9
00:00:40,468 --> 00:00:44,393
now more and more we see what we will call wireless,

10
00:00:44,393 --> 00:00:47,569
which is, in the most simplistic generic terms,

11
00:00:47,569 --> 00:00:53,711
the use of radios to communicate on a network so that you do not need

12
00:00:53,711 --> 00:00:58,196
the basic cable technology that you were using in the past.

13
00:00:58,196 --> 00:01:01,178
This does not remove the need for cable.

14
00:01:01,178 --> 00:01:05,124
What I will say is that you cannot at this time

15
00:01:05,117 --> 00:01:09,446
achieve the speed and efficiency through wireless

16
00:01:09,446 --> 00:01:14,139
that you could with cable.

17
00:01:14,125 --> 00:01:18,985
As an example, I wouldn't set up a wireless backbone on my core network.

18
00:01:18,985 --> 00:01:23,300
But what I will say is, as years go on it is evolving more and more,

19
00:01:23,300 --> 00:01:30,037
and I could say, at least at this point, most if not all clients deployed,

20
00:01:30,035 --> 00:01:34,114
PCs deployed today, have a wireless card in them,

21
00:01:34,114 --> 00:01:37,734
so troubleshooting wireless networks is

22
00:01:37,734 --> 00:01:41,146
pretty much one of the things, as engineers and analysts,

23
00:01:41,146 --> 00:01:44,087
we find ourselves doing very often.
24
00:01:44,087 --> 00:01:49,155
So wireless technology is built upon standards

25
00:01:49,155 --> 00:01:53,209
from the IEEE 802.11 committee,

26
00:01:53,209 --> 00:01:58,087
and you have some basic standards such as A, B, G and N

27
00:01:58,087 --> 00:02:01,291
that allow you to operate on different frequencies,

28
00:02:01,300 --> 00:02:05,947
operate at different speeds, and you have different antennas.

29
00:02:05,947 --> 00:02:11,413
So there are certain things that you have to understand about wireless in general

30
00:02:11,410 --> 00:02:14,915
to be able to troubleshoot wireless technologies,

31
00:02:14,915 --> 00:02:17,859
so that when you do capture them with Wireshark,

32
00:02:17,859 --> 00:02:21,151
you have a bit of an understanding of what you're looking for.

33
00:02:21,151 --> 00:02:24,463
For example, if you're going to troubleshoot

34
00:02:24,463 --> 00:02:29,598
an SSID, you would need to know what a basic service set is

35
00:02:29,605 --> 00:02:33,370
and understand what a service set identifier is, how all that works.

36
00:02:33,370 --> 00:02:39,862
But if you hearken back to normal, or older, types of networking,

37
00:02:39,862 --> 00:02:46,328
basically you needed a domain for your clients to join; that is similar to what an SSID is.

38
00:02:46,328 --> 00:02:50,973
You need to associate and then authenticate to a wireless network,

39
00:02:50,973 --> 00:02:56,949
and to do so, you need to do so by the SSID.

40
00:02:56,949 --> 00:03:03,584
Troubleshooting with Wireshark, you are now able to, by default, open up Wireshark.

41
00:03:03,584 --> 00:03:10,374
It will find your wireless NIC. It will work with it to provide you capture information

42
00:03:10,373 --> 00:03:15,849
so that you can do deep dives into the data to find issues.

43
00:03:15,849 --> 00:03:20,397
There's AirPcap and there are other solutions that provide

44
00:03:20,397 --> 00:03:26,685
those who deal with wireless on a day-by-day basis some more granular information.
45
00:03:26,691 --> 00:03:32,571
However, with Wireshark out of the box, there are quite a few tools

46
00:03:32,571 --> 00:03:38,791
that you can use to capture wireless data and start to analyze it.

47
00:03:38,803 --> 00:03:44,445
So in this example, we see a simple capture of wireless data.

48
00:03:44,445 --> 00:03:49,431
And I will pull this up on the Wireshark window.

49
00:03:49,431 --> 00:03:53,314
And a couple of key things to notice: by default,

50
00:03:53,314 --> 00:03:59,842
when you want to view the wireless toolbar, you'll have to turn it on.

51
00:03:59,843 --> 00:04:03,029
And when you turn it on, you would be able to adjust it

52
00:04:03,029 --> 00:04:10,743
so that you can view specific things such as channeling information.

53
00:04:10,737 --> 00:04:15,285
This toolbar also allows you to set up a decryption key,

54
00:04:15,276 --> 00:04:19,371
so if you have, let's say, WEP and you want to decrypt that data,

55
00:04:19,371 --> 00:04:24,717
you can add the key in and it will work to decrypt the data for you.

56
00:04:24,717 --> 00:04:32,573
Again, another security issue: you may want to get permission so that you don't go against

57
00:04:32,573 --> 00:04:36,559
the security policy of the client or the company that you're working for.

58
00:04:36,559 --> 00:04:41,044
But essentially, when you're working within the capture, a couple of things

59
00:04:41,044 --> 00:04:45,553
that you may want to isolate is exactly what's going on.

60
00:04:45,553 --> 00:04:49,615
And in this example, we see excessive beaconing.

61
00:04:49,615 --> 00:04:55,536
There's probably a wireless client attempting to join a wireless network.

62
00:04:55,544 --> 00:04:59,805
This is one of the reasons why, when you leave wireless on your computer,

63
00:04:59,805 --> 00:05:05,144
your battery seems to drain out fairly quickly, as well as your phone.
64
00:05:05,166 --> 00:05:12,438
This constant connecting, or trying to connect to things, puts a strain on your device.

65
00:05:12,438 --> 00:05:14,754
However, it is how the technology works.

66
00:05:14,754 --> 00:05:20,244
So that's how it will find and allow you to connect to

67
00:05:20,244 --> 00:05:25,880
a wireless station or an AP or a type of

68
00:05:25,880 --> 00:05:32,280
consolidator to let you associate and then authenticate into a wireless network.

69
00:05:32,288 --> 00:05:36,789
So, problems you may encounter - common problems are,

70
00:05:36,787 --> 00:05:39,529
when it's excessively trying to connect,

71
00:05:39,529 --> 00:05:42,709
you may have the incorrect SSID configured.

72
00:05:42,709 --> 00:05:47,490
It may be hidden from you and therefore you don't see it and you have to edit it manually.

73
00:05:47,490 --> 00:05:52,206
But if you can see them, you may have that configured incorrectly.

74
00:05:52,213 --> 00:05:56,046
You may have the wrong key, the wrong encryption type.

75
00:05:56,038 --> 00:05:59,265
For example, you may have settings that

76
00:05:59,265 --> 00:06:04,701
do not match for WPA2, TKIP and others.

77
00:06:04,701 --> 00:06:06,395
You may have a channeling problem.

78
00:06:06,400 --> 00:06:09,194
You may have overlapping channels from

79
00:06:09,194 --> 00:06:12,966
two networks that may be in a similar vicinity,

80
00:06:12,966 --> 00:06:16,300
and your milliwatts are too high and they're kind of stepping on each other.

81
00:06:16,300 --> 00:06:22,053
You may have an issue where you do not have correct coverage

82
00:06:22,061 --> 00:06:26,365
and you have spots on your network that do not have coverage.

83
00:06:26,365 --> 00:06:29,493
You can use a heat map to try to figure that out,

84
00:06:29,493 --> 00:06:33,340
to see where you need to either adjust and increase milliwatts

85
00:06:33,348 --> 00:06:39,242
or you need to provide an additional AP to have coverage.
86
00:06:39,242 --> 00:06:43,951
And some of the tools that you can use to start digging into this data

87
00:06:43,951 --> 00:06:50,410
are specific to when you capture wireless data. Let me pull up the capture again.

88
00:06:50,410 --> 00:06:53,918
When you go into your Statistics menu,

89
00:06:53,918 --> 00:06:57,858
you can pull up the wireless LAN traffic tool.

90
00:06:57,855 --> 00:07:03,883
It will analyze the wireless LAN traffic and provide some information to you about it,

91
00:07:03,881 --> 00:07:09,985
such as, specifically, which SSIDs are responding

92
00:07:09,985 --> 00:07:14,213
and what networks they're connecting to, and

93
00:07:14,213 --> 00:07:18,432
the amount of data that was sent, the amount of data that was received,

94
00:07:18,432 --> 00:07:23,642
probing and other information that may be relevant

95
00:07:23,636 --> 00:07:27,376
to troubleshooting what the current issue may be.

96
00:07:27,369 --> 00:07:33,700
So as you can see, there's a specialized toolbar.

97
00:07:33,700 --> 00:07:38,015
There's a specialized tool, the wireless LAN traffic option

98
00:07:38,015 --> 00:07:42,848
in the Statistics menu, that will allow you to do a deeper dive of wireless.

99
00:07:42,848 --> 00:07:47,420
And specifically, in the capture itself, you can drill down into the data

100
00:07:47,420 --> 00:07:50,757
and start looking at what's going on here.

101
00:07:50,757 --> 00:07:59,190
So as an example here, we may have a beacon.

102
00:07:59,190 --> 00:08:04,895
We may want to drill down to check out the wireless LAN management frame

103
00:08:04,894 --> 00:08:08,556
and see if we have specific parameters we need to check.

104
00:08:08,556 --> 00:08:13,245
Maybe there's something configured incorrectly, such as the SSID and so on.

105
00:08:13,245 --> 00:08:18,823
So we can drill down into that data after we capture it within Wireshark.

106
00:08:18,823 --> 00:08:23,722