In this lab, you will utilize the WiFi adapter to sniff the probe request packets (by using scapy) and conduct analysis.

STEP 1: Capture Traffic

Since probe request packets can be sent on any channel, you need to hop between channels to collect them. Note that the adapter must be in monitor mode before you can see probe requests (or any other 802.11 management frames) at all; one way to do that is sudo ip link set <wlan> down, then sudo iw dev <wlan> set type monitor, then sudo ip link set <wlan> up. To switch channel, type iwconfig <wlan> channel <channel number> (or, with the newer tool, iw dev <wlan> set channel <channel number>) to move the WiFi adapter named wlan to the given channel. To capture the traffic, use tcpdump:

  sudo tcpdump -i <wlan> -w <filename>

Before you start capturing, you need to know which channels carry enough traffic for your analysis. The tool horst is handy for that. Install it with sudo apt install horst; once installed, run it with sudo horst -i <wlan>.

To find which channels have active traffic, first make horst scan through all channels: press C to open the Channel menu, then s to select scan. It is also recommended to set the dwell time (how long horst stays on each channel) to 500 ms; still in the Channel menu, press d, type 500 and hit Enter. Next, go back to the main view and press s to open the spectrum view, which shows the traffic volume per channel. Zoom your terminal out (Ctrl + -) if you need to fit more channels on screen.
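
Once horst has told you which channels are busy, the capture itself is just tcpdump plus something that steps the adapter through those channels. The following channel hopper is an added example (not part of the lab page) that drives iw dev <wlan> set channel from Python while tcpdump writes the capture in another shell. It assumes the interface (wlan1 below) is already in monitor mode, and the channel list is an assumption: which channels your adapter may tune to depends on the regulatory domain, so iw's non-zero exit status for a rejected channel is caught and that channel skipped rather than aborting the run.

```python
# Channel hopper to run alongside "sudo tcpdump -i <wlan> -w <filename>".  Added example,
# not part of the lab page.  Assumes the interface is already in monitor mode and that
# tcpdump is already writing; this script only steps the channel with
# "iw dev <wlan> set channel <n>" and sleeps for the dwell time on each.
import subprocess
import sys
import time

# Assumed channel list: 2.4 GHz channels 1-13 plus a few common 5 GHz channels.  Which of
# these the adapter accepts depends on driver and regulatory domain; iw exits non-zero
# for a channel it cannot set and the hopper simply skips it.
DEFAULT_CHANNELS = list(range(1, 14)) + [36, 40, 44, 48, 149, 153, 157, 161]


def channel_command(iface, channel):
    """argv for iw that moves `iface` to `channel` (valid for monitor-mode interfaces)."""
    return ['iw', 'dev', iface, 'set', 'channel', str(channel)]


def hop(iface, channels, dwell_s, rounds, run=subprocess.run, sleep=time.sleep):
    """Visit `channels` in order `rounds` times, staying `dwell_s` seconds on each.

    `run` and `sleep` are injectable so the hopping logic can be exercised without
    root or a radio.  Returns the list of channels actually tuned to, in order."""
    visited = []
    for _ in range(rounds):
        for ch in channels:
            result = run(channel_command(iface, ch))
            if result.returncode != 0:       # channel rejected by driver or regdomain
                continue
            visited.append(ch)
            sleep(dwell_s)                   # tcpdump keeps capturing meanwhile
    return visited


if __name__ == '__main__':
    # usage: sudo python3 hop.py wlan1 [dwell_seconds] [rounds]
    iface = sys.argv[1] if len(sys.argv) > 1 else 'wlan1'
    dwell = float(sys.argv[2]) if len(sys.argv) > 2 else 2.0
    rounds = int(sys.argv[3]) if len(sys.argv) > 3 else 10
    print('tuned to', hop(iface, DEFAULT_CHANNELS, dwell, rounds))
```

For the capture you will usually want a longer dwell than the 500 ms used for horst's scan, and you can pass only the channels horst showed as busy instead of DEFAULT_CHANNELS; note in your report how long you stayed on each channel, since a probe burst that falls while the adapter is elsewhere is simply missed.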

STEP 2: Analysis

Probe request packets carry a variety of valuable information. At minimum, in this lab you are asked to generate a list of the SSIDs captured. But there is certainly more interesting information you can extract, e.g., how many devices you observed, the average number of SSIDs each device probed for, what types of devices you observed (the vendor OUI of the source MAC and the set of information elements a device includes are the usual hints), and so on. Bear in mind that many modern devices randomize the source MAC of their probe requests, so the number of distinct MAC addresses is only an upper bound on the number of devices.

Check out one of my publications that leverages the power of probe request analysis in a dense environment - Is There WiFi Yet?: How Aggressive Probe Requests Deteriorate Energy and Throughput

  • An example scapy script:

    from scapy.all import Dot11, Dot11Elt, Dot11ProbeReq, sniff
    from collections import defaultdict

    IFACE = "wlan1"          # interface in monitor mode
    seen = defaultdict(set)  # source MAC -> set of SSIDs it has probed for


    def PacketHandler(packet):
        # Probe requests are management frames (type 0) with subtype 4;
        # scapy exposes them as the Dot11ProbeReq layer.
        if not packet.haslayer(Dot11ProbeReq):
            return
        src = packet[Dot11].addr2            # transmitter address, i.e. the client
        ssid = None
        channel = None
        # Walk the chain of information elements by ID instead of by position
        elt = packet.getlayer(Dot11Elt)
        while elt is not None:
            if elt.ID == 0:                  # SSID element; empty = wildcard probe
                ssid = elt.info.decode("utf-8", errors="replace")
            elif elt.ID == 3 and len(elt.info) == 1:   # DS Parameter Set: channel
                channel = elt.info[0]
            elt = elt.payload.getlayer(Dot11Elt)
        if ssid:
            seen[src].add(ssid)
        print(src, channel, repr(ssid))


    if __name__ == "__main__":
        sniff(iface=IFACE, prn=PacketHandler, store=False)
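
Sniffing live is convenient for a first look, but for the analysis in Step 2 you will want to work from the pcap that tcpdump wrote in Step 1, so that you can re-run and refine the numbers. The following is an added example (not the lab's scapy script, and not from the lab page) that parses that capture with only the Python standard library: it walks the radiotap header, keeps only management frames of subtype 4 (probe requests), pulls the SSID element and the transmitter address, and then computes the Step 2 numbers (SSID list, device count, average SSIDs per device). Two details matter in practice: the radiotap Flags field says whether each frame still carries its 4-byte FCS, and if so those bytes must be dropped before walking the information elements or the CRC can be misread as an element; and the locally administered bit of the source MAC marks randomized addresses, which the summary reports separately because they inflate the device count. The build_* helpers construct sample frames and a sample pcap inline so the script runs offline; the MAC addresses and SSIDs in them are made up.

```python
# Offline probe-request analysis over a tcpdump capture (pcap, radiotap link type).
# Added example using only the standard library; it is not the lab's scapy script.
import struct
from collections import defaultdict

DLT_IEEE802_11_RADIOTAP = 127
RT_FLAG_FCS = 0x10        # radiotap Flags bit: frame ends with a 4-byte FCS

def radiotap_header(frame):
    """Return (header_len, fcs_present) for a frame that starts with radiotap."""
    _, _, rt_len, present = struct.unpack_from('<BBHI', frame, 0)
    off, word = 8, present
    while word & (1 << 31):              # extra 'present' words extend the bitmap
        word = struct.unpack_from('<I', frame, off)[0]
        off += 4
    if present & (1 << 0):               # TSFT is first: 8 bytes, 8-byte aligned
        off = ((off + 7) & ~7) + 8
    fcs = bool(present & (1 << 1)) and bool(frame[off] & RT_FLAG_FCS)
    return rt_len, fcs

def parse_probe_request(frame):
    """Return {'src', 'randomized', 'ssid', 'ie_ids'} or None for any other frame."""
    rt_len, has_fcs = radiotap_header(frame)
    body = frame[rt_len:len(frame) - 4] if has_fcs else frame[rt_len:]
    if len(body) < 24:
        return None
    fc = body[0]                         # frame control: bits 2-3 type, 4-7 subtype
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 4:   # management, probe request
        return None
    sa = body[10:16]                     # addr2 = transmitter, i.e. the client
    rec = {'src': ':'.join('%02x' % b for b in sa),
           'randomized': bool(sa[0] & 0x02),    # locally administered bit set
           'ssid': None, 'ie_ids': []}
    off = 24                             # probe request body is information elements only
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        data = body[off + 2:off + 2 + elen]
        if len(data) < elen:             # truncated element: stop rather than guess
            break
        if eid == 0:                     # SSID element; empty string = wildcard probe
            rec['ssid'] = data.decode('utf-8', errors='replace')
        rec['ie_ids'].append(eid)
        off += 2 + elen
    return rec

def pcap_frames(data):
    """Yield raw frames from pcap file bytes; refuses non-radiotap captures."""
    magic = struct.unpack_from('<I', data, 0)[0]
    endian = '<' if magic in (0xa1b2c3d4, 0xa1b23c4d) else '>'
    linktype = struct.unpack_from(endian + 'I', data, 20)[0]
    if linktype != DLT_IEEE802_11_RADIOTAP:
        raise ValueError('expected radiotap capture, got link type %d' % linktype)
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + 'IIII', data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def summarize(frames):
    """Per-device SSID sets and the aggregate numbers asked for in Step 2."""
    per_device, randomized = defaultdict(set), set()
    for frame in frames:
        rec = parse_probe_request(frame)
        if rec is None:
            continue
        ssids = per_device[rec['src']]   # wildcard-only probers still count as devices
        if rec['ssid']:
            ssids.add(rec['ssid'])
        if rec['randomized']:
            randomized.add(rec['src'])
    n = len(per_device)
    return {'devices': n,                # upper bound: randomized MACs inflate this
            'randomized_macs': len(randomized),
            'ssids': sorted(set().union(*per_device.values())) if n else [],
            'avg_ssids_per_device': sum(len(s) for s in per_device.values()) / n if n else 0.0}

def build_probe_request(src_mac, ssid, with_fcs=False):
    """Constructed test frame: radiotap (Flags only) + probe request + SSID and rates IEs."""
    radiotap = struct.pack('<BBHIB', 0, 0, 9, 1 << 1, RT_FLAG_FCS if with_fcs else 0)
    mac = (struct.pack('<BBH', 0x40, 0, 0) + b'\xff' * 6
           + bytes.fromhex(src_mac.replace(':', '')) + b'\xff' * 6 + b'\x00\x00')
    ssid_b = ssid.encode()
    ies = bytes([0, len(ssid_b)]) + ssid_b + bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])
    fcs = b'\x00\x02\xaa\xbb' if with_fcs else b''   # CRC that happens to look like an SSID IE
    return radiotap + mac + ies + fcs

def build_pcap(frames):
    """Constructed little-endian pcap (the layout tcpdump -w produces) around `frames`."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

On a real capture, call summarize(pcap_frames(open(path, 'rb').read())) with the file written by tcpdump -w. The ie_ids list returned per frame is the raw material for the "what types of devices" question: the set and order of elements a client includes is fairly stable per operating system and chipset, so grouping devices by that list, together with the vendor OUI where the MAC is not randomized, is a reasonable first pass at device fingerprinting.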
    

STEP 3: Deliverable

Craft a slide deck to report your analysis results. The report should cover the following:

  • How much data you collected: how many packets or bytes, and over how long a capture period
  • What the interesting results from your analysis are
    • Why you think the observation is interesting
    • What further experiment or analysis you did to support your conclusion
  • What future work you think is exciting