Wireshark: How to check if a data frame is sent using 802.11n
Studying for the CWAP exam, I was using Wireshark and wondering how to see if the traffic (data frames) I was capturing was using HT (or 802.11n). So this article will show you how to find out!
Let’s start by talking about the Wi-Fi frames:
– PPDU (PLCP Protocol Data Unit): the frame at the Physical layer (Layer 1 of the OSI model). It consists of the PLCP preamble and PLCP header followed by the payload handed down by the MAC layer.
– MPDU (MAC Protocol Data Unit): the frame at the Data-Link layer (Layer 2 of the OSI model), i.e. the 802.11 MAC header, frame body and FCS.
The MPDU is encapsulated into the PPDU as shown in the drawing below (taken from the CWAP study guide):
802.11n defines three PPDU formats (see image below, taken from the CWAP study guide):
– non-HT Legacy: the same format used by 802.11a/g; the only one a non-802.11n client can decode
– HT Mixed: an HT PPDU that starts with a legacy preamble, so non-802.11n stations can detect the transmission and defer while 802.11n stations decode the HT part
– HT Greenfield: an HT-only preamble, understood only by 802.11n clients; legacy stations cannot even recognise it as a valid frame
Looking at the names of these PPDU formats, you might think that seeing the preamble would be enough to tell whether a frame uses 802.11n or not. However, it is not that simple. Since the preamble and PLCP header live at Layer 1, the radio consumes them and the capture driver hands only the MPDU up to Wireshark.
However, Wireshark is still able to tell you if the frame is sent with 802.11n. Here is where to find it:
– Filter data frames using the following filter: “wlan.fc.type==2”
– Click on the frame you want to check
– Open the “Radiotap Header” tab in the packet detail view (recent Wireshark versions also summarise the result as a “PHY type” line in the “802.11 radio information” block right below it)
So how does Wireshark do it? It uses a combination of information available to it from the Radiotap header. This Radiotap header is added in front of the MPDU by the wireless NIC driver when capturing frames. (For more information on the Radiotap header, read this great article written by Nigel Bowden.) Wireshark uses the following information from this Radiotap header:
– Type of modulation (OFDM in our case)
– Frequency band (5 GHz in our case)
– Channel width (40 MHz in our case)
The first two come from the Channel flags field. When the capture driver fills in the Radiotap MCS field, that field alone marks the frame as HT: it carries the MCS index, the 20 or 40 MHz bandwidth, the guard interval and whether the PPDU was HT Mixed or HT Greenfield. The display filter “radiotap.present.mcs == 1” selects exactly those frames.
However, some data frames, like the “Null function” frames, are not sent in an HT 40 MHz PPDU even when the network is configured that way: they typically go out at a legacy basic rate in a non-HT PPDU so that every station on the channel can decode them, and the driver then supplies a Rate field rather than an MCS field. Wireshark therefore does not label them as 802.11n frames. Instead (because of the OFDM modulation and the use of the 5 GHz band), it tags them as 802.11a frames, which is accurate for that transmission: the station is 802.11n capable, but this particular frame was not sent as HT:
So looking at the Radiotap header, Wireshark can get a good idea of the Wi-Fi technology used to transmit each frame. Keep in mind that this is a per-frame property. If you want to double check which technologies a given SSID supports, the best option is to look at its beacon frames (a management frame). To filter beacon frames in Wireshark, use the following filter: “wlan.fc.type==0 && wlan.fc.subtype==8”. An 802.11n BSS advertises an HT Capabilities element (tag number 45) and an HT Operation element (tag number 61) in its beacons, so “wlan.tag.number == 45” narrows the capture down to the frames carrying that element.
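As an added example (not from the original article, and not Wireshark's own code), the following Python walks a Radiotap header the way a dissector does and applies the classification described above: a VHT field means 802.11ac, an MCS field means 802.11n (its flags also give the 20/40 MHz bandwidth and whether the PPDU was HT Mixed or Greenfield), and otherwise the Channel flags give the legacy PHY. It also decodes the Frame Control type/subtype behind the wlan.fc.type and wlan.fc.subtype filters and, for a beacon, walks the tagged parameters looking for the HT Capabilities element. The function names, the legacy decision rules (a simplification, not a copy of Wireshark's dissector) and the three sample captures are my own; field layouts and flag values follow the Radiotap and 802.11 specifications.

```python
# Added example (not from the original article, nor Wireshark's own code): a small
# radiotap walker applying the article's classification in simplified form. The
# captures at the bottom are constructed by hand, not real traffic.
import struct

# (size, alignment) per present-bitmap bit 0..21: TSFT, Flags, Rate, Channel, FHSS,
# dBm antsignal, ..., XChannel (18), MCS (19), A-MPDU (20), VHT (21). Each field is
# aligned to its natural size measured from the start of the radiotap header.
RT_FIELDS = {
    0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1),
    6: (1, 1), 7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1),
    12: (1, 1), 13: (1, 1), 14: (2, 2), 15: (2, 2), 16: (1, 1), 17: (1, 1),
    18: (8, 4), 19: (3, 1), 20: (8, 4), 21: (12, 2),
}
# Radiotap Channel flags used for the legacy decision.
CHAN_CCK, CHAN_OFDM, CHAN_2GHZ, CHAN_5GHZ, CHAN_DYN = 0x20, 0x40, 0x80, 0x100, 0x400

def parse_radiotap(capture):
    """Split a captured frame into ({present bit: raw field bytes}, mpdu)."""
    version, _pad, length = struct.unpack_from("<BBH", capture, 0)
    if version != 0 or length > len(capture):
        raise ValueError("bad radiotap header")
    present, = struct.unpack_from("<I", capture, 4)
    # Bits 22-30 are fields not modelled here and bit 31 chains another present
    # word; refuse them rather than misalign every field that follows.
    if present & 0xFFC00000:
        raise ValueError("unsupported radiotap fields present")
    fields, off = {}, 8
    for bit in sorted(RT_FIELDS):
        if present & (1 << bit):
            size, align = RT_FIELDS[bit]
            off = (off + align - 1) // align * align
            fields[bit] = capture[off:off + size]
            off += size
    return fields, capture[length:]

def classify_phy(fields):
    """Decide the PHY from the radiotap fields (simplified model of the dissector)."""
    if 21 in fields:
        return {"phy": "802.11ac"}
    if 19 in fields:
        known, flags, index = fields[19]
        # MCS flags: bits 0-1 bandwidth, bit 2 short GI, bit 3 HT format (1 = Greenfield).
        bw = ("20 MHz", "40 MHz", "20L", "20U")[flags & 0x03] if known & 0x01 else "unknown"
        fmt = ("Mixed", "Greenfield")[(flags >> 3) & 1] if known & 0x08 else "unknown"
        return {"phy": "802.11n", "mcs": index, "bandwidth": bw,
                "ht_format": fmt, "short_gi": bool(flags & 0x04)}
    if 3 in fields:
        freq, cflags = struct.unpack("<HH", fields[3])
        if cflags & CHAN_5GHZ and cflags & CHAN_OFDM:
            phy = "802.11a"     # the label the article sees on the null function frames
        elif cflags & CHAN_2GHZ and cflags & (CHAN_OFDM | CHAN_DYN):
            phy = "802.11g"
        elif cflags & CHAN_2GHZ and cflags & CHAN_CCK:
            phy = "802.11b"
        else:
            phy = "unknown"
        info = {"phy": phy, "freq_mhz": freq}
        if 2 in fields:
            info["rate_mbps"] = fields[2][0] / 2   # Rate field is in 500 kb/s units
        return info
    return {"phy": "unknown"}

def frame_kind(mpdu):
    """Type/subtype from Frame Control, the bits behind wlan.fc.type / wlan.fc.subtype."""
    ftype, subtype = (mpdu[0] >> 2) & 0x03, (mpdu[0] >> 4) & 0x0F
    name = ("management", "control", "data", "extension")[ftype]
    if ftype == 2 and subtype in (4, 12):
        name = "null function"        # Null / QoS Null: no payload
    elif ftype == 0 and subtype == 8:
        name = "beacon"
    return ftype, subtype, name

def beacon_advertises_ht(mpdu):
    """Walk the beacon's tagged parameters for HT Capabilities (element ID 45)."""
    body = mpdu[24 + 12:]   # 24-byte MAC header, then timestamp, interval, capabilities
    while len(body) >= 2:
        eid, elen = body[0], body[1]
        if eid == 45:
            return True
        body = body[2 + elen:]
    return False

def describe(capture):
    fields, mpdu = parse_radiotap(capture)
    ftype, subtype, name = frame_kind(mpdu)
    info = {"frame": name, "type": ftype, "subtype": subtype, **classify_phy(fields)}
    if name == "beacon":
        info["advertises_ht"] = beacon_advertises_ht(mpdu)
    return info

# Constructed samples (not real traffic). Both radiotap headers describe 5180 MHz with
# OFDM|5GHz channel flags and -50 dBm; the HT one adds MCS 7, 40 MHz, short GI, Mixed.
HT_RT = bytes.fromhex("000012002a0008000000" "3c144001" "ce" "0f0507")
LEGACY_RT = bytes.fromhex("00000f002e000000" "000c" "3c144001" "ce")   # Rate 0x0c = 6 Mb/s
MAC_HDR = bytes.fromhex("0000" "001122334455" "66778899aabb" "66778899aabb" "1000")
HT_QOS_DATA = HT_RT + bytes([0x88, 0x01]) + MAC_HDR + bytes(2)       # QoS Data, To DS
NULL_FUNCTION = LEGACY_RT + bytes([0x48, 0x01]) + MAC_HDR            # Null function, To DS
BEACON = (LEGACY_RT + bytes([0x80, 0x00]) + MAC_HDR + bytes(8) + bytes.fromhex("64001104")
          + bytes([0, 4]) + b"CWAP" + bytes([45, 26]) + bytes(26))   # SSID + HT Capabilities

if __name__ == "__main__":
    for sample in (HT_QOS_DATA, NULL_FUNCTION, BEACON):
        print(describe(sample))
```

Running it shows the three outcomes discussed above: the QoS data frame comes back as 802.11n with 40 MHz and HT Mixed taken from the MCS flags, the null function frame is labelled 802.11a at 6 Mb/s because the capture carries a Rate field instead of an MCS field, and the beacon, itself sent as a legacy frame, still advertises HT support through element 45. To try it on your own traffic, read frames from a pcap with link type 127 (radiotap) and pass each one to describe().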
Written by François Vergès
Source: CWAP Study Guide by CWNP