CCIE or Null!

My journey to CCIE!

Posts Tagged ‘Wireshark’

Let’s look at: 802.11 Beacon Frames.


Probably the most common 802.11 management frame is the beacon frame. This frame is broadcast by the AP and lists the capabilities of the WLAN, but what exactly is listed? Let’s take a quick look.

Beacon frame from a Cisco WLAN

Here we can easily make out some of the capabilities of the WLAN. The SSID is probably the first thing you notice (TestSSID in this case); this is what provides the name of the WLAN. As you know, SSID broadcasting can be disabled (also called a Closed System), at which point the SSID field will be blank.

Beacon frame with SSID broadcasting disabled. The SSID Information is simply excluded from the Beacon frame.

Next we will take a look at what data rates are supported by this WLAN:

Here you can see a few supported data rates and the extended supported data rates. This tells us the WLAN is capable of supporting both 802.11b and 802.11g WLAN clients. You’ll notice the 5.5 Mbps data rate has a (B) next to it; it just so happens that 5.5 Mbps is set as a mandatory data rate for this WLAN, so if a WLAN client cannot support a data rate of 5.5 Mbps it will not be able to successfully authenticate and associate to the WLAN.

Next up we are going to look at the RSN (Robust Security Network) information for this WLAN.

As you can see from the RSN Information Element (IE), this WLAN is 802.11i compliant: it advertises AES/CCMP, which means your WLAN clients will need to support 802.11i/WPA2 with AES in order to successfully communicate with this WLAN.

A few other noticeable features we can find in this beacon frame: the WLAN supports High-Throughput (HT), which is 802.11n (Draft 1 in this case). So this is an 802.11b/g/n WLAN in the 2.4 GHz RF range.

This access point did not have multiple antennas attached to it, which is why the TxBF and ASEL capabilities are currently at 0x0000 and 0x00.

You will also notice in the 6th line down that the WLAN is 802.11e compliant, meaning some QoS will be performed, and the line after that states “no non-ERP STAs, do not use protection”. This tells us that no 802.11b clients are currently connected, only 802.11g WLAN clients, so the protection mechanisms are not in use.

Now, at the end of the beacon frame you will notice all this Unknown information. As you have probably guessed (or read), this information is vendor specific; it is common for every vendor to put their own proprietary information within the beacon frames. The main thing is to make sure this extra information does not create its own incompatibility issues with older WLAN client devices.

So in conclusion, there’s a basic Cisco WLAN beacon frame; it should be a mirror image of the configuration for your WLAN. Looking at the beacon is just a simple way to make sure the WLAN is doing what it’s configured to do.
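As an added example that is not part of the original post, here is a small Python parser that pulls the same fields out of a beacon frame body: the SSID (reported as hidden when the IE is empty or absent), the supported and extended rates with their basic-rate (B) flag, the RSN IE’s cipher and AKM suites, and the OUIs of any vendor-specific IEs. The frame bytes are constructed sample data, not a capture from the post.

```python
import struct

# Constructed 802.11 beacon body (fixed fields, then tagged IEs), not a real capture:
# SSID "TestSSID", 5.5 Mbps the only basic rate, RSN IE with CCMP/AES + PSK, one vendor IE.
BEACON_BODY = bytes.fromhex(
    "0000000000000000" "6400" "1100"            # timestamp, interval 100 TU, capability ESS+Privacy
    "0008" "5465737453534944"                   # SSID IE: "TestSSID"
    "0108" "0204" "8b16" "0c12" "1824"          # Supported Rates; 0x8b = 5.5 Mbps with basic bit set
    "3204" "3048" "606c"                        # Extended Supported Rates: 24/36/48/54 Mbps
    "3014" "0100" "000fac04" "0100" "000fac04"  # RSN: version 1, group CCMP, 1 pairwise CCMP,
    "0100" "000fac02" "0000"                    #      1 AKM (PSK), RSN capabilities
    "dd06" "0050f2" "020101"                    # vendor-specific IE (the "Unknown" lines in Wireshark)
)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP/AES", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def iter_ies(data):
    """Yield (tag, value) per IE; an overrunning length is clipped rather than trusted."""
    i = 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + ln]
        i += 2 + ln

def suite_name(s, table):   # 4-byte suite selector: OUI 00-0F-AC + type, per 802.11i
    return table.get(s[3], f"type {s[3]}") if s[:3] == b"\x00\x0f\xac" else s.hex()

def parse_rsn(v):
    """Group cipher, pairwise cipher list and AKM list from an RSN IE value."""
    pc = struct.unpack_from("<H", v, 6)[0]
    ac_off = 8 + 4 * pc
    ac = struct.unpack_from("<H", v, ac_off)[0]
    return {"group": suite_name(v[2:6], CIPHERS),
            "pairwise": [suite_name(v[8 + 4 * k:12 + 4 * k], CIPHERS) for k in range(pc)],
            "akm": [suite_name(v[ac_off + 2 + 4 * k:ac_off + 6 + 4 * k], AKMS) for k in range(ac)]}

def parse_beacon(body):
    """Summarise what a beacon advertises, as you would read it off the Wireshark decode."""
    cap = struct.unpack_from("<H", body, 10)[0]
    out = {"privacy": bool(cap & 0x10), "ssid": None, "rates": {}, "rsn": None, "vendor_ouis": []}
    for tag, val in iter_ies(body[12:]):
        if tag == 0:   # empty or absent SSID IE => broadcasting disabled (closed system)
            out["ssid"] = val.decode("utf-8", "replace") or None
        elif tag in (1, 50):   # Supported / Extended Supported Rates
            for b in val:      # low 7 bits: rate in 500 kbps units; bit 7: basic (B) rate
                out["rates"][(b & 0x7F) / 2] = bool(b & 0x80)
        elif tag == 48:
            out["rsn"] = parse_rsn(val)
        elif tag == 221:
            out["vendor_ouis"].append(val[:3].hex(":"))
    out["basic_rates"] = sorted(r for r, basic in out["rates"].items() if basic)
    return out
```

Feeding it a beacon body captured with Wireshark (the bytes after the 802.11 header) gives the same summary the post reads off the decode; a WLAN that returns a TKIP or WEP suite, or no RSN IE at all, is the thing to flag.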

Written by Stephen J. Occhiogrosso

June 22, 2011 at 8:00 AM

Configuring a SPAN session.


A SPAN session is a way to take the traffic that is transmitted and/or received on one port or VLAN and have it forwarded out another port for analysis purposes. It’s very easily configured with a few short statements; the only things you have to decide on are which port you want to monitor, the traffic flow you want to see from that port (egress, ingress, or both), and the destination port you want the traffic sent to. (See the configuration below)

Note: For this local SPAN session both the source port and destination port must be on the same switch. RSPAN allows SPAN sessions across remote switches, but I will not be covering RSPAN in this post.

There isn’t much to consider concerning the source port, since it will not be affected at all; the destination port, however, is treated a bit differently. First off, the destination port will be put in a “Monitor” mode, meaning traffic received on this port will be dropped. Only traffic from the source port will be transmitted out of the destination port by the switch, that’s it.

You can issue the sh monitor session # command to see if there are any active SPAN sessions on the switch, or to see the details of a configured SPAN session. The source port (fa0/1), traffic flow (both), destination port (fa0/2), and the encapsulation are all shown in the command’s output. To close down a SPAN session, simply issue the no monitor session # command.

Now your next question might be: what are you going to use this for, or why are you going to analyze the traffic? Well, if the station at the destination port is running Wireshark, it’s a real easy way to get a glimpse of the traffic traversing your network. From there you can look through the data and see if anything sticks out. Alternatively, you can have a SPAN session feed an IDS/IPS system so it can monitor your network for any abnormalities.

Written by Stephen J. Occhiogrosso

April 4, 2011 at 2:21 PM

Let’s look at: Cisco Discovery Protocol (CDP)


Yes, yes, I know: if you have ever worked with or studied Cisco on any level you will already be aware of Cisco Discovery Protocol (CDP), and what it is and does. I just wanted to take the time to cover some of its finer points. I know talking about CDP is a jump from previous articles, but I was using Wireshark recently and caught a glimpse of a few CDP frames crossing my network.

Now if you ever have to map out an all-Cisco network then CDP is your road map; CDP will guide you to any neighboring Cisco devices, providing you the information below:

Just look at that: the only thing it doesn’t give you is the amount of memory and flash in the neighboring device, so this is also an easy way to inventory your network and see what devices are connected where and what IOS is running on each device.

To see this information from within a Cisco device you want to issue the sh cdp neighbors command.

The output can easily be matched with the table posted above. Additionally you can issue the sh cdp neighbors detail command to go a step further and get the actual IOS version running on the neighboring devices.

Along with the IOS version, additional details about the connected interfaces and platform are displayed. So if you are in the process of mapping or auditing a network with only the tools available, CDP is one that should never be overlooked.

Another thing to consider is which version of CDP is running on your Cisco devices; the screenshots above are both from devices running CDP version 2. Obviously version 2 has a few additions that version 1 did not have, so let’s compare the two, shall we?

As you can see, version 2 offers improvements: PoE negotiation, which is used with other Cisco devices (VoIP phones and Cisco APs), as well as duplex settings, the native VLAN of the link, and the VTP management domain information.

The last thing I want to mention is that the CDP packets I sniffed off my lab can be sniffed from any Cisco device if CDP is running on the interface, which can be a security risk, especially on edge devices. So on any edge devices, or devices that do not have any other neighboring Cisco devices, you might as well disable CDP; see my previous post on the 1-step router lockdown for some basic security practices.
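As an added example that is not part of the original post, here is a Python parser for the CDP TLVs that shows exactly what a passive listener on a segment learns from one frame, and which of those fields are the version 2 additions compared above. The frame bytes are constructed sample data (device name, address and version string are placeholders), and the TLV type codes are the ones Wireshark uses for its CDP decode.

```python
import struct
def tlv(t, value):   # one CDP TLV: 2-byte type, 2-byte length (header included), value
    return struct.pack(">HH", t, 4 + len(value)) + value

# Constructed CDPv2 payload (version, TTL, checksum, TLVs): sample data, checksum left 0.
CDP_FRAME = bytes([2, 180, 0, 0]) + b"".join([
    tlv(0x0001, b"Switch-A"),                                   # Device ID
    tlv(0x0002, struct.pack(">I", 1) + bytes([1, 1, 0xCC])      # Addresses: one IPv4 (NLPID 0xCC)
        + struct.pack(">H", 4) + bytes([10, 0, 0, 1])),
    tlv(0x0003, b"FastEthernet0/1"),                            # Port ID
    tlv(0x0005, b"Cisco IOS Software (constructed sample)"),    # Software version
    tlv(0x0006, b"cisco WS-C2960 (sample)"),                    # Platform
    tlv(0x0009, b"LAB"),                                        # VTP management domain (v2 only)
    tlv(0x000A, struct.pack(">H", 1)),                          # Native VLAN (v2 only)
    tlv(0x000B, bytes([1])),                                    # Duplex, 1 = full (v2 only)
])

def iter_tlvs(data):
    i = 0
    while i + 4 <= len(data):
        t, ln = struct.unpack_from(">HH", data, i)
        if ln < 4:   # a length under 4 would never advance; stop rather than spin
            break
        yield t, data[i + 4:i + ln]
        i += ln

def parse_addresses(v):   # 4-byte count, then (proto type, proto len, proto, addr len, addr) records
    off, addrs = 4, []
    for _ in range(struct.unpack_from(">I", v, 0)[0]):
        plen = v[off + 1]
        alen = struct.unpack_from(">H", v, off + 2 + plen)[0]
        addr = v[off + 4 + plen:off + 4 + plen + alen]
        ipv4 = v[off + 2:off + 2 + plen] == b"\xcc" and alen == 4
        addrs.append(".".join(map(str, addr)) if ipv4 else addr.hex())
        off += 4 + plen + alen
    return addrs
FIELDS = {   # TLV type -> (field name, decoder); 0x0009-0x000B exist only in CDPv2
    0x0001: ("device_id", bytes.decode), 0x0003: ("port_id", bytes.decode),
    0x0005: ("software", bytes.decode), 0x0006: ("platform", bytes.decode),
    0x0009: ("vtp_domain", bytes.decode), 0x0002: ("addresses", parse_addresses),
    0x000A: ("native_vlan", lambda v: struct.unpack(">H", v)[0]),
    0x000B: ("duplex", lambda v: "full" if v[0] == 1 else "half"),
}

def parse_cdp(frame):
    """What a passive listener on the segment learns from one CDP frame."""
    info = {"version": frame[0], "ttl": frame[1]}
    for t, v in iter_tlvs(frame[4:]):
        if t in FIELDS:
            info[FIELDS[t][0]] = FIELDS[t][1](v)
    return info
```

Run over frames captured on an edge port, a non-empty result is the inventory (platform, IOS version, management address, native VLAN) the post warns is handed to anyone listening there.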

Written by Stephen J. Occhiogrosso

March 3, 2011 at 2:53 PM
