PACKETS™ - GETTING STARTED

Uploading the Trace File

Selecting a MAC

Analysis

Appendix A - Bullet Colours & Y-Axis Levels

Appendix B - Bullet Shapes & Sizes

 

The Packets™ workflow is pretty simple and intuitive. Here we present a very quick guide which will get you started with the tool.

 

Uploading the Trace File

 

On a successful login you will be presented with the Home page as shown below.

 

The Home Page allows you to upload new traces or to manage already uploaded traces.

 

To upload a new trace, simply drag and drop it onto the Home Page, or click the 'Add Files' button to browse for and select a file with your file browser.

 

The file will be uploaded and processed automatically. Once the file has been processed, this will be indicated under the 'Info' column.

Clicking on the file name will then take you to the MAC selection screen.

Selecting a MAC

 

On the MAC selection screen we have the 'Client Dashboard', the 'Ad Hoc Client Dashboard' and the 'AP Dashboard' tabs. These dashboards allow you to view the statistics for each of the Client/AP MACs discovered in the trace. They can be quite useful in identifying the Client/AP MAC that you are interested in analyzing.

Just click on a MAC in any of the dashboards to view the graphs.

Analysis

 

Based on the selected MAC, the system will process the trace and present a Frame View graph and a Frame List table. Though there are a number of different types of graphs that the tool can generate, by default only the 'Frame View' graph is displayed. For our purpose let us focus only on this graph.



A number of quick points about the 'Frame View' graph:

1.   The graph is dynamic in nature and each bullet on the graph represents a frame in the trace. Only frames that correspond to the selected client MAC are displayed on the graph.

2.   One can hover over the bullets to see a tooltip which displays more information about that particular frame.


3.   Frames of different types/subtypes are displayed in different colours and at different Y-axis levels on the graph: the frame types/subtypes which occur later in a typical connection handshake are displayed at a higher level than the ones which occur earlier. This concept is immensely useful for quickly understanding the connection handshake patterns in the trace.

4.   The X-axis shows the actual frame number of the frame as captured in the trace. The Y-axis corresponds to the different logical levels as assigned to the different frame types/subtypes.



5.   On the same page, apart from the graph, you can also view the Frame List table by clicking on the corresponding tab. The Frame List table displays a summary of the trace which has been generated based on the selected MAC. This summary contains only those frames which correspond to the selected Client/AP MAC and which are important for understanding the handshake patterns in the trace. The frames present in the summary are the ones which are depicted on the graph.



That's all for now from a getting started perspective, and hopefully it was enough for you to appreciate the power of Packets™ in simplifying the trace analysis process using a visual approach. For more detailed information, please refer to the sections that follow.


 

Appendix A - Bullet Colours & Y-Axis Levels

 

Assigned Y-Axis Logical Level, bullet colour (hex RGB), frame type and the equivalent Wireshark display filter:

Level  Colour  Frame Type               Wireshark Filter
-----  ------  -----------------------  --------------------------
0      000000  Beacon                   wlan.fc.type_subtype==0x08
1      796B8F  ACK(Tx)                  wlan.fc.type_subtype==0x1d
1      796B8F  ACK(Rx)                  wlan.fc.type_subtype==0x1d
2      8A868F  PS-Poll(Tx)              wlan.fc.type_subtype==0x1a
2      624F7F  RTS(Tx)                  wlan.fc.type_subtype==0x1b
2      876DAF  CTS(Tx)                  wlan.fc.type_subtype==0x1c
2      583F7F  CF End(Tx)               wlan.fc.type_subtype==0x1e
2      5E536F  CF End+CF Ack(Tx)        wlan.fc.type_subtype==0x1f
3      8A868F  PS-Poll(Rx)              wlan.fc.type_subtype==0x1a
3      624F7F  RTS(Rx)                  wlan.fc.type_subtype==0x1b
3      876DAF  CTS(Rx)                  wlan.fc.type_subtype==0x1c
3      583F7F  CF End(Rx)               wlan.fc.type_subtype==0x1e
3      5E536F  CF End+CF Ack(Rx)        wlan.fc.type_subtype==0x1f
4      CC6600  NULL Data(Tx)            see NULL Data filter below
4      DF9853  NULL Data(Rx)            see NULL Data filter below
5      98AFC7  Action Frame(Tx)         wlan.fc.type_subtype==0x0d
5      12395F  Action Frame(Rx)         wlan.fc.type_subtype==0x0d
6      6699CC  Probe Request            wlan.fc.type_subtype==0x04
7      66CCCC  Probe Response           wlan.fc.type_subtype==0x05
8      E42217  Deauthentication(Tx)     wlan.fc.type_subtype==0x0c
9      E42217  Deauthentication(Rx)     wlan.fc.type_subtype==0x0c
10     3333CC  Authentication(Tx)       wlan.fc.type_subtype==0x0b
10     3333CC  Authentication(Rx)       wlan.fc.type_subtype==0x0b
11     E42217  Disassociation(Tx)       wlan.fc.type_subtype==0x0a
11     E42217  Disassociation(Rx)       wlan.fc.type_subtype==0x0a
12     C25283  Association Request      wlan.fc.type_subtype==0x00
13     7D2252  Association Response     wlan.fc.type_subtype==0x01
14     9966FF  Reassociation Request    wlan.fc.type_subtype==0x02
15     9933FF  Reassociation Response   wlan.fc.type_subtype==0x03
16     990000  ATIM                     wlan.fc.type_subtype==0x09
17     009933  EAPOL(Tx)                eapol
18     009933  EAPOL(Rx)                eapol
19     3B9C9C  EAP(Tx)                  eap
19     996633  SSL(Tx)                  ssl
20     3B9C9C  EAP(Rx)                  eap
20     996633  SSL(Rx)                  ssl
21     009933  EAPOL-K(Tx)              eapol.type == 3
22     009933  EAPOL-K(Rx)              eapol.type == 3
23     660000  DATA(Tx)                 data
24     660000  DATA(Rx)                 data

NULL Data filter (same for Tx and Rx):
wlan.fc.type_subtype==0x2c || wlan.fc.type_subtype==0x2d || wlan.fc.type_subtype==0x2e || wlan.fc.type_subtype==0x24 || wlan.fc.type_subtype==0x25 || wlan.fc.type_subtype==0x26 || wlan.fc.type_subtype==0x27

Appendix B - Bullet Shapes & Sizes

 

 

Shapes

Shape: Circle
Usage/Meaning: This shape is used to depict frames which are exchanged before the Client authenticates with an AP.
Example: Probe Request, Probe Response

Shape: Square
Usage/Meaning: This shape is used to depict frames which indicate any sort of failure.
Example: Deauthentication, Disassociation

Shape: Triangle - Up
Usage/Meaning: This shape is used to depict frames which are exchanged on or after the Client authenticates with an AP (beyond the Probing phase).
Example: Authentication, Association Request, etc.

Shape: Triangle - Down
Usage/Meaning: This shape is used in a similar context to the Triangle-Up shape, but only in scenarios where the Client has moved to a different BSSID for the duration of the trace capture. The Triangle-Up shape toggles to the Triangle-Down shape as soon as the BSSID changes and continues with it until the BSSID changes again. Thus, this shape is used in concert with the Triangle-Up shape to visually indicate Client hopping.
Example: Let us say the Client hops from AP1 to AP2 to AP1. In this case all the frames exchanged with AP1 will be of Triangle-Up shape and all the frames exchanged with AP2 will be of Triangle-Down shape.

Shape: Star
Usage/Meaning: This shape is used to depict those special Re-association frames where the 'Current AP' field has a MAC which is different from the MAC of the AP the Client is trying to associate to. In other words, this shape is used to depict those Re-association frames which indicate hopping.

 

 

Sizes

 

All the bullets are of the same size except in three cases:

  1. When the frame depicts a failure (like the Deauthentication and Disassociation frames)
  2. When the frame depicts a success (like the EAP-Success frame)
  3. When the frame is a retry frame (i.e. Retry bit set to 1)

 

In the first two cases, the bullet size is slightly larger than other bullets to emphasize the importance of such frames.

 

In the third case, the bullet size is slightly smaller than other bullets to indicate that it is a retried version of the previous frame.
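To make the level/colour mapping of Appendix A and the size rules above concrete, here is an added Python example that is not part of Packets™ or this guide. It decodes the Frame Control field and the first two address fields of raw 802.11 frames, derives the same type_subtype value that the Wireshark filters in Appendix A test, and assigns each frame the Y-axis level, colour and bullet size the tables describe. Several points are assumptions of the example rather than statements from the guide: that a '(Tx)' row applies when the selected MAC is the transmitter (Address 2) and an '(Rx)' row when it is the receiver (Address 1); that a frame that is both a failure and a retry is sized as a failure; and that the EAPOL/EAP/SSL/DATA rows and the EAP-Success size rule are left out because they need a higher-layer dissector. The sample frames are constructed for the example.

```python
"""Classify raw 802.11 frames the way the Frame View graph does (added example;
not Packets' own code). Assumptions: "Tx" = selected MAC is Address 2, "Rx" =
selected MAC is Address 1; failure sizing takes precedence over retry sizing;
rows needing higher-layer dissection (EAPOL, EAP, SSL, DATA) are omitted."""
from typing import Optional, Tuple

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, which is how the
# values in Appendix A are formed. Rows copied from Appendix A; the key is
# (type_subtype, direction), direction None for direction-independent rows.
LEVELS = {
    (0x08, None): (0, "000000", "Beacon"),
    (0x1d, "Tx"): (1, "796B8F", "ACK(Tx)"),
    (0x1d, "Rx"): (1, "796B8F", "ACK(Rx)"),
    (0x0d, "Tx"): (5, "98AFC7", "Action Frame(Tx)"),
    (0x0d, "Rx"): (5, "12395F", "Action Frame(Rx)"),
    (0x04, None): (6, "6699CC", "Probe Request"),
    (0x05, None): (7, "66CCCC", "Probe Response"),
    (0x0c, "Tx"): (8, "E42217", "Deauthentication(Tx)"),
    (0x0c, "Rx"): (9, "E42217", "Deauthentication(Rx)"),
    (0x0b, "Tx"): (10, "3333CC", "Authentication(Tx)"),
    (0x0b, "Rx"): (10, "3333CC", "Authentication(Rx)"),
    (0x0a, "Tx"): (11, "E42217", "Disassociation(Tx)"),
    (0x0a, "Rx"): (11, "E42217", "Disassociation(Rx)"),
    (0x00, None): (12, "C25283", "Association Request"),
    (0x01, None): (13, "7D2252", "Association Response"),
    (0x02, None): (14, "9966FF", "Reassociation Request"),
    (0x03, None): (15, "9933FF", "Reassociation Response"),
    (0x09, None): (16, "990000", "ATIM"),
}
# Control frames at level 2 (Tx) / 3 (Rx) and the seven NULL Data subtypes at level 4.
for ts, colour, name in [(0x1a, "8A868F", "PS-Poll"), (0x1b, "624F7F", "RTS"),
                         (0x1c, "876DAF", "CTS"), (0x1e, "583F7F", "CF End"),
                         (0x1f, "5E536F", "CF End+CF Ack")]:
    LEVELS[(ts, "Tx")] = (2, colour, f"{name}(Tx)")
    LEVELS[(ts, "Rx")] = (3, colour, f"{name}(Rx)")
for ts in (0x2c, 0x2d, 0x2e, 0x24, 0x25, 0x26, 0x27):
    LEVELS[(ts, "Tx")] = (4, "CC6600", "NULL Data(Tx)")
    LEVELS[(ts, "Rx")] = (4, "DF9853", "NULL Data(Rx)")

FAILURE_SUBTYPES = {0x0a, 0x0c}  # Disassociation, Deauthentication (Appendix B)
RETRY_FLAG = 0x08                # Retry bit: bit 3 of the second Frame Control byte


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and the first two address fields of an 802.11 MAC header."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    return {
        "type_subtype": (ftype << 4) | subtype,   # same value Wireshark displays
        "retry": bool(fc1 & RETRY_FLAG),
        "addr1": mac_str(frame[4:10]),
        # ACK and CTS carry only Address 1; every other frame also has Address 2.
        "addr2": mac_str(frame[10:16]) if len(frame) >= 16 else None,
    }


def classify(frame: bytes, selected_mac: str) -> Optional[Tuple[int, str, str, str]]:
    """Return (level, colour, label, size) for the selected MAC, or None when the
    frame does not involve that MAC and therefore would not be plotted."""
    hdr = parse_header(frame)
    mac = selected_mac.lower()
    if hdr["addr2"] == mac:
        direction = "Tx"          # assumption: selected MAC is the transmitter
    elif hdr["addr1"] == mac:
        direction = "Rx"          # assumption: selected MAC is the receiver
    else:
        return None
    ts = hdr["type_subtype"]
    row = LEVELS.get((ts, direction)) or LEVELS.get((ts, None))
    if row is None:
        return None               # not a frame type the table covers
    level, colour, label = row
    if ts in FAILURE_SUBTYPES:
        size = "large"            # failure frames are drawn slightly larger
    elif hdr["retry"]:
        size = "small"            # retried frames are drawn slightly smaller
    else:
        size = "normal"
    return level, colour, label, size


def frame_view(frames, selected_mac: str):
    """Number frames as a capture would and keep only those the graph would plot."""
    rows = []
    for number, frame in enumerate(frames, start=1):
        result = classify(frame, selected_mac)
        if result is not None:
            rows.append((number,) + result)
    return rows


# Constructed sample frames (no FCS). Byte 0 packs version/type/subtype, byte 1 is flags.
CLIENT, AP, OTHER_AP = "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "00:11:22:33:44:99"
BCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


SAMPLE_FRAMES = [
    bytes([0x40, 0x00, 0, 0]) + _mac(BCAST) + _mac(CLIENT) + _mac(BCAST),      # Probe Request from client
    bytes([0xB0, 0x08, 0, 0]) + _mac(AP) + _mac(CLIENT) + _mac(AP),            # Authentication, client -> AP, Retry bit set
    bytes([0xC0, 0x00, 0, 0]) + _mac(CLIENT) + _mac(AP) + _mac(AP),            # Deauthentication, AP -> client
    bytes([0xD4, 0x00, 0, 0]) + _mac(CLIENT),                                   # ACK addressed to client (Address 1 only)
    bytes([0x80, 0x00, 0, 0]) + _mac(BCAST) + _mac(OTHER_AP) + _mac(OTHER_AP), # Beacon from an unrelated AP
]

if __name__ == "__main__":
    for entry in frame_view(SAMPLE_FRAMES, CLIENT):
        print(entry)
```

Running the block with the client MAC selected plots four of the five constructed frames; the beacon from the unrelated AP is dropped because neither address matches, which is the same filtering behaviour the Analysis section describes for the Frame View graph.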

 

Packets is a trademark of Arista Networks.