Lab 7

The document details a lab exercise on 802.11 WiFi, focusing on analyzing beacon frames and TCP segments. It includes questions about SSIDs, MAC addresses, transmission rates, and authentication processes between a wireless host and access points. Key findings include specific MAC addresses, supported data rates, and the sequence of authentication and association frames exchanged during the session.

Uploaded by huandaoudemy1
Full name: Đào Trọng Huân, Student ID: 1511191, transferred from class L05 to L12

LAB 7: 802.11 WiFi v8.0


1. What are the SSIDs of the two access points that are issuing most of the beacon frames
in this trace?

An SSID is a one- or two-word identifier of the access point. In this case, Cisco-Li’s
SSID is 30 Munroe St, and LinksysG_67:22:94’s SSID is linksys12.

2. What are the intervals of time between the transmissions of the beacon frames from the
linksys_ses_24086 access point? From the 30 Munroe St. access point? (Hint: this interval
of time is contained in the beacon frame itself).

Approximately 0.1024 seconds.


3. What (in hexadecimal notation) is the source MAC address on the beacon frame from
30 Munroe St? Recall from Figure 7.13 in the text that the source, destination, and BSS
are three addresses used in an 802.11 frame. For a detailed discussion of the 802.11 frame
structure, see section 7 in the IEEE 802.11 standards document (cited above).

00:16:b6:f7:1d:51.

4. What (in hexadecimal notation) is the destination MAC address on the beacon
frame from 30 Munroe St?

Since it is a probing broadcast, it is addressed to ff:ff:ff:ff:ff:ff.


5. What (in hexadecimal notation) is the MAC BSS id on the beacon frame from 30
Munroe St?

The BSS Id for 30 Munroe is Cisco-LI-f7:1d:51 (00:16:b6:f7:1d:51) which is also the
source address.

6. The beacon frames from the 30 Munroe St access point advertise that the access point
can support four data rates and eight additional “extended supported rates.” What are these
rates?

This data is found within the IEEE 802.11 wireless LAN management frame, within the
Tagged parameters subfield. The four supported rates are 1(B), 2(B), 5.5(B) and 11(B).
The 8 Extended Supported Rates are 6(B), 9, 12(B), 18, 24(B), 36, 48 and 54. All these
rates are measured in Mbit/sec.

7. Find the 802.11 frame containing the SYN TCP segment for this first TCP session (that
downloads alice.txt). What are three MAC address fields in the 802.11 frame? Which
MAC address in this frame corresponds to the wireless host (give the hexadecimal
representation of the MAC address for the host)? To the access point? To the first-hop
router? What is the IP address of the wireless host sending this TCP segment? What is
the destination IP address? Does this destination IP address correspond to the host,
access point, first-hop router, or some other network-attached device? Explain.

The TCP SYN is sent at t = 24.811093 seconds into the trace. The MAC address for the
host sending the TCP SYN is 00:13:02:d1:b6:4f. The MAC address for the destination,
which is the first-hop router to which the host is connected, is 00:16:b6:f4:eb:a8. The MAC
address for the BSS is 00:16:b6:f7:1d:51. The IP address of the host sending the TCP
SYN is 192.168.1.109. Note that this is a NATed address. The destination address is
128.199.245.12. This corresponds to the server gaia.cs.umass.edu. It is important to
understand that the destination MAC address of the frame containing the SYN is
different from the destination IP address of the IP packet contained within this frame.
Make sure you understand this distinction! (If you’re a bit hazy on this, re-read pages 468
and 469 in the 4th edition of the text).

8. Find the 802.11 frame containing the SYNACK segment for this TCP session. What
are three MAC address fields in the 802.11 frame? Which MAC address in this frame
corresponds to the host? To the access point? To the first-hop router? Does the sender
MAC address in the frame correspond to the IP address of the device that sent the TCP
segment encapsulated within this datagram? (Hint: review Figure 6.19 in the text if you
are unsure of how to answer this question, or the corresponding part of the previous
question. It’s particularly important that you understand this).

The TCP SYNACK is received at t = 24.827751 seconds into the trace. The MAC
address for the sender of the 802.11 frame containing the TCP SYNACK segment
is 00:16:b6:f4:eb:a8, which is the 1st hop router to which the host is attached. The MAC
address for the destination, which is the host itself, is 91:2a:b0:49:b6:4f.

9. What two actions are taken (i.e., frames are sent) by the host in the trace just after
t=49, to end the association with the 30 Munroe St AP that was initially in place when
trace collection began? (Hint: one is an IP-layer action, and one is an 802.11-layer
action). Looking at the 802.11 specification, is there another frame that you might have
expected to see, but don’t see here?

To end the association with 30 Munroe (at t = 49.614478) a Deauthentication is sent out,
and only after that is ACK’ed, does the probe request get sent out.

frame control = 0xc000


10. Examine the trace file and look for AUTHENTICATION frames sent from the host to
an AP and vice versa. How many AUTHENTICATION messages are sent from the
wireless host to the linksys_ses_24086 AP (which has a MAC address of
Cisco_Li_f5:ba:bb) starting at around t=49?

The first AUTHENTICATION from the host to the AP is at t = 49.638857.


11. Does the host want the authentication to require a key or be open?

The host is requesting that the association be open.

It indicates an Authentication Algorithm field of “Open System (0)”, an Authentication
SEQ of 0x0001, as well as a Status Code of Successful, or 0x0000. This is a shared key
system.

12. Do you see a reply AUTHENTICATION from the linksys_ses_24086 AP in the trace?

No

13. Now let’s consider what happens as the host gives up trying to associate with the
linksys_ses_24086 AP and now tries to associate with the 30 Munroe St AP. Look for
AUTHENTICATION frames sent from the host to an AP and vice versa. At what time
is there an AUTHENTICATION frame from the host to the 30 Munroe St. AP, and when
is there a reply AUTHENTICATION sent from that AP to the host in reply? (Note that
you can use the filter expression “wlan.fc.subtype == 11 and wlan.fc.type == 0 and
wlan.addr == IntelCor_d1:b6:4f” to display only the AUTHENTICATION frames in this
trace for this wireless host.)

AUTHENTICATION from Host to 30 Munroe (AP): t = 63.168087

Reply AUTHENTICATION from AP to Host: t = 63.169071


14. An ASSOCIATE REQUEST from host to AP, and a corresponding ASSOCIATE
RESPONSE frame from AP to host are used for the host to associate with an AP. At what
time is there an ASSOCIATE REQUEST from host to the 30 Munroe St AP? When is the
corresponding ASSOCIATE REPLY sent? (Note that you can use the filter expression
“wlan.fc.subtype < 2 and wlan.fc.type == 0 and wlan.addr == IntelCor_d1:b6:4f” to
display only the ASSOCIATE REQUEST and ASSOCIATE RESPONSE frames for this
trace.)

Associate Request: t = 63.169910

Associate Reply: t = 63.192101

15. What transmission rates is the host willing to use? The AP? To answer this question,
you will need to look into the parameters fields of the 802.11 wireless LAN management
frame.

In the ASSOCIATION REQUEST frame the supported rates are advertised as 1, 2, 5.5,
11, 6, 9, 12, 18, 24, 32, 48, and 54 Mbps. The same rates are advertised in the
ASSOCIATION RESPONSE.

16. What are the sender, receiver and BSS ID MAC addresses in these frames? What is
the purpose of these two types of frames? (To answer this last question, you’ll need to dig
into the online references cited earlier in this lab).

At t = 2.297613 there is a PROBE REQUEST sent with source 00:12:f0:1f:57:13,
destination: ff:ff:ff:ff:ff:ff, and a BSSID of ff:ff:ff:ff:ff:ff. At t = 2.300697 there is a
PROBE RESPONSE sent with source: 00:16:b6:f7:1d:51, destination and a BSSID of
00:16:b6:f7:1d:51. A PROBE REQUEST is used by a host in active scanning to find an
Access Point (see Figure 6.9 on page 531 in the text). A PROBE RESPONSE is sent by
the access point to the host sending the request.
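The management-frame fields read off in Wireshark for the answers above (frame-control subtype, the three addresses, beacon interval, SSID and rate tags) can also be decoded directly from the frame bytes. The following Python is an added example, not part of the original lab document; the function names are hypothetical, and the sample beacon is constructed from the values reported in the answers rather than taken from the trace.

```python
import struct

# Management-frame subtypes (type 0) that come up in this lab.
SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 11: "authentication", 12: "deauthentication"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def rates(body):
    # Low 7 bits are the rate in 500 kbit/s units; the high bit marks a basic "(B)" rate.
    return [f"{(r & 0x7f) / 2:g}" + ("(B)" if r & 0x80 else "") for r in body]

def parse_mgmt(frame):
    """Parse an 802.11 management frame (radiotap header and FCS already removed)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0:
        raise ValueError("not a management frame")
    out = {"subtype": SUBTYPES.get(subtype, f"subtype-{subtype}"),
           "destination": mac(frame[4:10]), "source": mac(frame[10:16]),
           "bssid": mac(frame[16:22])}
    if subtype != 8 or len(frame) < 36:
        return out
    # Beacon body: 8-byte timestamp, 2-byte interval in time units (TU), 2-byte capabilities.
    interval_tu, = struct.unpack_from("<H", frame, 32)
    out["interval_s"] = interval_tu * 1024 / 1e6  # 1 TU = 1024 microseconds
    pos = 36
    while pos + 2 <= len(frame):  # tagged parameters: tag, length, value
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element: stop instead of trusting the length byte
        if tag == 0:
            out["ssid"] = body.decode("utf-8", "replace")
        elif tag in (1, 50):  # 1 = Supported Rates, 50 = Extended Supported Rates
            out["supported_rates" if tag == 1 else "extended_rates"] = rates(body)
        pos += 2 + length
    return out

def sample_beacon():
    # Constructed frame using the BSSID, SSID, interval and rates reported in the answers.
    bssid, ssid = bytes.fromhex("0016b6f71d51"), b"30 Munroe St"
    hdr = bytes.fromhex("80000000") + b"\xff" * 6 + bssid + bssid + bytes(2)
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0001)
    tags = (bytes([0, len(ssid)]) + ssid + bytes.fromhex("010482848b96")
            + bytes.fromhex("32088c129824b048606c"))
    return hdr + fixed + tags
```

A frame whose first frame-control byte is 0xc0 decodes as type 0, subtype 12 (deauthentication), and 0xb0 as subtype 11, the value used in the AUTHENTICATION display filter.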
