PACKETS™ - GETTING STARTED
Appendix A - Bullet Colours & Y-Axis Levels
Appendix B - Bullet Shapes & Sizes
The Packets™ workflow is pretty simple and intuitive.
Here we present a very quick guide which will get you started with the tool.
On a successful login you will be presented with the Home page as shown below.
The Home Page allows you to upload new traces or to manage already uploaded traces.
To upload a new trace, simply drag and drop it onto the Home Page, or click the 'Add Files' button to browse for and select a file with your file browser.
The file will be uploaded and processed automatically. Once the file has been processed, this is indicated under the 'Info' column.
Clicking on the file name then takes you to the MAC selection screen.
The MAC selection screen has three tabs: the 'Client Dashboard', the 'Ad Hoc Client Dashboard' and the 'AP Dashboard'. These dashboards show statistics for each Client/AP MAC discovered in the trace, and they are quite useful for identifying the Client/AP MAC that you are interested in analyzing.
Just click on a MAC in any of the dashboards to view the graphs.
Based on the selected MAC, the system will process the trace
and present a Frame View graph and a Frame List table. Though there are a
number of different types of graphs that the tool can generate, by default only
the 'Frame View' graph is displayed. For our purpose let us focus only on this
graph.
A number of quick points about the 'Frame View' graph:
1. The graph is dynamic in nature, and each bullet on the graph represents a frame in the trace. Only frames corresponding to the selected client MAC are displayed on the graph.
2. Hover over a bullet to see a tooltip with more information about that particular frame.
3. Frames of different types/subtypes are displayed in different colours and at different Y-axis levels on the graph: the frame types/subtypes which occur later in a typical connection handshake are displayed at a higher level than those which occur earlier. This is immensely useful for quickly understanding the connection handshake patterns in the trace.
4. The X-axis shows the actual frame number of the frame as captured in the trace. The Y-axis corresponds to the logical levels assigned to the different frame types/subtypes.
5. On the same page, apart from the graph, you can also view the Frame List table by clicking on the corresponding tab. The Frame List table displays a summary of the trace generated for the selected MAC. This summary contains only those frames which correspond to the selected Client/AP MAC and which are important for understanding the handshake patterns in the trace; the frames in the summary are the ones depicted on the graph.
That's all for now from a getting started perspective; hopefully it was enough for you to appreciate the power of Packets™ in simplifying the trace analysis process using a visual approach. For more detailed information, please refer to the sections that follow.
Appendix A - Bullet Colours & Y-Axis Levels

Assigned Y-Axis Logical Level | Colour | Frame Type | Wireshark Filter
--- | --- | --- | ---
0 | 000000 | Beacon | wlan.fc.type_subtype==0x08
1 | 796B8F | ACK(Tx) | wlan.fc.type_subtype==0x1d
1 | 796B8F | ACK(Rx) | wlan.fc.type_subtype==0x1d
2 | 8A868F | PS-Poll(Tx) | wlan.fc.type_subtype==0x1a
2 | 624F7F | RTS(Tx) | wlan.fc.type_subtype==0x1b
2 | 876DAF | CTS(Tx) | wlan.fc.type_subtype==0x1c
2 | 583F7F | CF End(Tx) | wlan.fc.type_subtype==0x1e
2 | 5E536F | CF End+CF Ack(Tx) | wlan.fc.type_subtype==0x1f
3 | 8A868F | PS-Poll(Rx) | wlan.fc.type_subtype==0x1a
3 | 624F7F | RTS(Rx) | wlan.fc.type_subtype==0x1b
3 | 876DAF | CTS(Rx) | wlan.fc.type_subtype==0x1c
3 | 583F7F | CF End(Rx) | wlan.fc.type_subtype==0x1e
3 | 5E536F | CF End+CF Ack(Rx) | wlan.fc.type_subtype==0x1f
4 | CC6600 | NULL Data(Tx) | wlan.fc.type_subtype==0x2c ||
4 | DF9853 | NULL Data(Rx) | wlan.fc.type_subtype==0x2c ||
5 | 98AFC7 | Action Frame(Tx) | wlan.fc.type_subtype==0x0d
5 | 12395F | Action Frame(Rx) | wlan.fc.type_subtype==0x0d
6 | 6699CC | Probe Request | wlan.fc.type_subtype==0x04
7 | 66CCCC | Probe Response | wlan.fc.type_subtype==0x05
8 | E42217 | Deauthentication(Tx) | wlan.fc.type_subtype==0x0c
9 | E42217 | Deauthentication(Rx) | wlan.fc.type_subtype==0x0c
10 | 3333CC | Authentication(Tx) | wlan.fc.type_subtype==0x0b
10 | 3333CC | Authentication(Rx) | wlan.fc.type_subtype==0x0b
11 | E42217 | Disassociation(Tx) | wlan.fc.type_subtype==0x0a
11 | E42217 | Disassociation(Rx) | wlan.fc.type_subtype==0x0a
12 | C25283 | Association Request | wlan.fc.type_subtype==0x00
13 | 7D2252 | Association Response | wlan.fc.type_subtype==0x01
14 | 9966FF | Reassociation Request | wlan.fc.type_subtype==0x02
15 | 9933FF | Reassociation Response | wlan.fc.type_subtype==0x03
16 | 990000 | ATIM | wlan.fc.type_subtype==0x09
17 | 009933 | EAPOL(Tx) | eapol
18 | 009933 | EAPOL(Rx) | eapol
19 | 3B9C9C | EAP(Tx) | eap
19 | 996633 | SSL(Tx) | ssl
20 | 3B9C9C | EAP(Rx) | eap
20 | 996633 | SSL(Rx) | ssl
21 | 009933 | EAPOL-K(Tx) | eapol.type == 3
22 | 009933 | EAPOL-K(Rx) | eapol.type == 3
23 | 660000 | DATA(Tx) | data
24 | 660000 | DATA(Rx) | data
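The following is an added example, not code from Packets™ or Arista, that puts point 3 of the Frame View notes and the Appendix A table together: it takes a constructed list of captured frames and returns the (frame number, Y-axis level, colour) points the graph would draw. The Frame record, the SAMPLE_TRACE and the rule that the most specific filter wins when a data frame matches several of the eapol/eap/ssl/data filters are assumptions of the example; "Tx" and "Rx" are assumed to mean sent by and received by the selected MAC.

```python
"""Map 802.11 frames to the Frame View Y-axis level and colour of Appendix A.
Added example, not Packets' own code. Frames are constructed records."""
from dataclasses import dataclass

# Appendix A rows keyed by (wlan.fc.type_subtype, direction); direction is
# None where the table does not split a frame type into Tx and Rx.
MAC_LAYER_LEVELS = {
    (0x08, None): (0, "000000", "Beacon"),
    (0x1d, "Tx"): (1, "796B8F", "ACK(Tx)"),
    (0x1d, "Rx"): (1, "796B8F", "ACK(Rx)"),
    (0x1a, "Tx"): (2, "8A868F", "PS-Poll(Tx)"),
    (0x1b, "Tx"): (2, "624F7F", "RTS(Tx)"),
    (0x1c, "Tx"): (2, "876DAF", "CTS(Tx)"),
    (0x1e, "Tx"): (2, "583F7F", "CF End(Tx)"),
    (0x1f, "Tx"): (2, "5E536F", "CF End+CF Ack(Tx)"),
    (0x1a, "Rx"): (3, "8A868F", "PS-Poll(Rx)"),
    (0x1b, "Rx"): (3, "624F7F", "RTS(Rx)"),
    (0x1c, "Rx"): (3, "876DAF", "CTS(Rx)"),
    (0x1e, "Rx"): (3, "583F7F", "CF End(Rx)"),
    (0x1f, "Rx"): (3, "5E536F", "CF End+CF Ack(Rx)"),
    (0x2c, "Tx"): (4, "CC6600", "NULL Data(Tx)"),
    (0x2c, "Rx"): (4, "DF9853", "NULL Data(Rx)"),
    (0x0d, "Tx"): (5, "98AFC7", "Action Frame(Tx)"),
    (0x0d, "Rx"): (5, "12395F", "Action Frame(Rx)"),
    (0x04, None): (6, "6699CC", "Probe Request"),
    (0x05, None): (7, "66CCCC", "Probe Response"),
    (0x0c, "Tx"): (8, "E42217", "Deauthentication(Tx)"),
    (0x0c, "Rx"): (9, "E42217", "Deauthentication(Rx)"),
    (0x0b, "Tx"): (10, "3333CC", "Authentication(Tx)"),
    (0x0b, "Rx"): (10, "3333CC", "Authentication(Rx)"),
    (0x0a, "Tx"): (11, "E42217", "Disassociation(Tx)"),
    (0x0a, "Rx"): (11, "E42217", "Disassociation(Rx)"),
    (0x00, None): (12, "C25283", "Association Request"),
    (0x01, None): (13, "7D2252", "Association Response"),
    (0x02, None): (14, "9966FF", "Reassociation Request"),
    (0x03, None): (15, "9933FF", "Reassociation Response"),
    (0x09, None): (16, "990000", "ATIM"),
}
# Data-frame rows of Appendix A, keyed by the Wireshark filter that matches
# them ("eapol-key" stands for the filter eapol.type == 3).
UPPER_LAYER_LEVELS = {
    ("eapol-key", "Tx"): (21, "009933", "EAPOL-K(Tx)"),
    ("eapol-key", "Rx"): (22, "009933", "EAPOL-K(Rx)"),
    ("eap", "Tx"): (19, "3B9C9C", "EAP(Tx)"),
    ("eap", "Rx"): (20, "3B9C9C", "EAP(Rx)"),
    ("ssl", "Tx"): (19, "996633", "SSL(Tx)"),
    ("ssl", "Rx"): (20, "996633", "SSL(Rx)"),
    ("eapol", "Tx"): (17, "009933", "EAPOL(Tx)"),
    ("eapol", "Rx"): (18, "009933", "EAPOL(Rx)"),
    ("data", "Tx"): (23, "660000", "DATA(Tx)"),
    ("data", "Rx"): (24, "660000", "DATA(Rx)"),
}
# An EAPOL-Key frame also matches "eapol" and "data", so the most specific
# filter wins. This precedence is an assumption of the example.
UPPER_LAYER_PRECEDENCE = ("eapol-key", "eap", "ssl", "eapol", "data")


@dataclass(frozen=True)
class Frame:
    number: int                         # frame number in the trace (X-axis)
    type_subtype: int                   # value of wlan.fc.type_subtype
    direction: str                      # "Tx" or "Rx" relative to the selected MAC
    protocols: frozenset = frozenset()  # Wireshark protocol names matched by the frame


def classify(frame):
    """Return (level, colour, label) for a frame, or None if it is not plotted."""
    for key in ((frame.type_subtype, frame.direction), (frame.type_subtype, None)):
        if key in MAC_LAYER_LEVELS:
            return MAC_LAYER_LEVELS[key]
    for proto in UPPER_LAYER_PRECEDENCE:
        if proto in frame.protocols:
            return UPPER_LAYER_LEVELS[(proto, frame.direction)]
    return None


def plot_points(frames):
    """(frame number, level, colour) for every frame that lands on the graph."""
    points = []
    for f in frames:
        row = classify(f)
        if row is not None:
            points.append((f.number, row[0], row[1]))
    return points


# Constructed WPA2-PSK connection as seen from the client (the selected MAC).
SAMPLE_TRACE = [
    Frame(1, 0x04, "Tx"), Frame(2, 0x05, "Rx"),   # probe
    Frame(3, 0x0b, "Tx"), Frame(4, 0x0b, "Rx"),   # authentication
    Frame(5, 0x00, "Tx"), Frame(6, 0x01, "Rx"),   # association
    Frame(7, 0x28, "Rx", frozenset({"eapol", "eapol-key", "data"})),  # 4-way msg 1
    Frame(8, 0x28, "Tx", frozenset({"eapol", "eapol-key", "data"})),  # 4-way msg 2
    Frame(9, 0x28, "Tx", frozenset({"data"})),    # first ordinary data frame
    Frame(10, 0x08, "Rx"),                        # beacon from the AP
]
```

Calling plot_points(SAMPLE_TRACE) yields levels 6, 7, 10, 10, 12, 13, 22, 21, 23, 0 for frames 1 to 10, which is the rising staircase the Frame View graph shows for a normal connection: probing sits low, authentication and association sit in the middle, the EAPOL-Key exchange and the first data frame sit near the top, and the beacon drops back to level 0. A QoS data frame that matches none of the listed filters returns None, mirroring the fact that the summary only keeps handshake-relevant frames.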
Appendix B - Bullet Shapes & Sizes
Shapes

Shape | Usage/Meaning
--- | ---
Circle | This shape is used to depict frames which are exchanged before the Client authenticates with an AP. Example: Probe Request, Probe Response
Square | This shape is used to depict frames which indicate any sort of failure. Example: Deauthentication, Disassociation
Triangle-Up | This shape is used to depict frames which are exchanged on or after the Client authenticates with an AP (beyond the Probing phase). Example: Authentication, Association Request, etc.
Triangle-Down | This shape is used in a similar context to the Triangle-Up shape, but only in scenarios where the Client has moved to a different BSSID during the trace capture. The Triangle-Up shape toggles to the Triangle-Down shape as soon as the BSSID changes and continues with it until the BSSID changes again. Thus, this shape is used in concert with the Triangle-Up shape to visually indicate Client hopping. Example: say the Client hops from AP1 to AP2 to AP1. In this case all the frames exchanged with AP1 will be of Triangle-Up shape and all the frames exchanged with AP2 will be of Triangle-Down shape.
Star | This shape is used to depict those special Re-association frames where the 'Current AP' field has a MAC which is different from the MAC of the AP the Client is trying to associate to. In other words, this shape depicts those Re-association frames which indicate hopping.
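As an added example (not Packets' or Arista's code), the shape rules above can be expressed as a small pass over a trace: the triangle toggles between Up and Down each time the BSSID changes, failure frames become Squares, pre-authentication frames become Circles, and a Reassociation Request whose 'Current AP' differs from the BSSID it is sent to becomes a Star. The TraceFrame record, the HOPPING_TRACE (the AP1 to AP2 to AP1 scenario from the table) and the precedence of Square and Star over the triangle are assumptions of the example.

```python
"""Assign Frame View bullet shapes per Appendix B.
Added example, not Packets' own code; frames are constructed records."""
from dataclasses import dataclass
from typing import Optional

CIRCLE, SQUARE, STAR = "Circle", "Square", "Star"
UP, DOWN = "Triangle-Up", "Triangle-Down"

PRE_AUTH = {0x04, 0x05}   # Probe Request / Probe Response (the table's examples)
FAILURE = {0x0a, 0x0c}    # Disassociation / Deauthentication
REASSOC_REQUEST = 0x02


@dataclass(frozen=True)
class TraceFrame:
    number: int
    type_subtype: int                 # value of wlan.fc.type_subtype
    bssid: str                        # BSSID the frame was exchanged with
    current_ap: Optional[str] = None  # 'Current AP' field of a Reassociation Request


def assign_shapes(frames):
    """Return [(frame number, shape)] in trace order.

    The triangle toggles Up/Down every time the BSSID changes (Client hopping).
    Square and Star take precedence over the triangle but do not reset it;
    that precedence is an assumption of this example.
    """
    shapes = []
    triangle = UP
    last_bssid = None
    for f in frames:
        if last_bssid is not None and f.bssid != last_bssid:
            triangle = DOWN if triangle == UP else UP
        last_bssid = f.bssid
        if f.type_subtype in FAILURE:
            shape = SQUARE
        elif f.type_subtype == REASSOC_REQUEST and f.current_ap not in (None, f.bssid):
            shape = STAR
        elif f.type_subtype in PRE_AUTH:
            shape = CIRCLE
        else:
            shape = triangle
        shapes.append((f.number, shape))
    return shapes


def hops(frames):
    """BSSIDs visited in order, collapsing consecutive repeats (AP1 -> AP2 -> AP1)."""
    seq = []
    for f in frames:
        if not seq or seq[-1] != f.bssid:
            seq.append(f.bssid)
    return seq


# Constructed trace: the Client associates with AP1, hops to AP2, is
# deauthenticated there and returns to AP1.
HOPPING_TRACE = [
    TraceFrame(1, 0x04, "AP1"),                     # Probe Request
    TraceFrame(2, 0x05, "AP1"),                     # Probe Response
    TraceFrame(3, 0x0b, "AP1"),                     # Authentication
    TraceFrame(4, 0x00, "AP1"),                     # Association Request
    TraceFrame(5, 0x01, "AP1"),                     # Association Response
    TraceFrame(6, 0x0b, "AP2"),                     # Authentication with AP2
    TraceFrame(7, 0x02, "AP2", current_ap="AP1"),   # Reassociation Request, hopping
    TraceFrame(8, 0x03, "AP2"),                     # Reassociation Response
    TraceFrame(9, 0x0c, "AP2"),                     # Deauthentication
    TraceFrame(10, 0x0b, "AP1"),                    # Authentication back at AP1
    TraceFrame(11, 0x02, "AP1", current_ap="AP1"),  # Reassociation, same Current AP
]
```

For HOPPING_TRACE, assign_shapes returns Circle for frames 1 and 2, Triangle-Up for 3 to 5, Triangle-Down for 6 and 8, Star for 7, Square for 9 and Triangle-Up again for 10 and 11, so the AP2 segment stands out as the inverted triangles and the single Star marks the frame that proves the hop. Frame 11 is a Reassociation Request whose 'Current AP' equals the BSSID it is sent to, so it is not a Star.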
Sizes
All the bullets are of the same size except in three cases:
In the first two cases, the bullet is slightly larger than the other bullets to emphasize the importance of such frames.
In the third case, the bullet is slightly smaller than the other bullets to indicate that it is a retried version of a previous frame.
Packets is a trademark of Arista Networks.