Building a wireless capturing tool for WiFi

Transcription

1 SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks. 2009; 2: Published online 2 April 2009 in Wiley InterScience ( Building a wireless capturing tool for WiFi Ke Meng, Yang Xiao, and Susan V. Vrbsky Department of Computer Science, The University of Alabama, 101 Houser Hall, Box , Tuscaloosa, AL , U.S.A. Summary WiFi is becoming increasingly prevalent nowadays, whether as a simple range extender for a home wired Ethernet interface or a wireless deployment throughout an enterprise. Wireless local area networks (WLANs) provide us with mobility, convenience, and low cost. At the same time, WiFi is unsafe and is more vulnerable than traditional Ethernet, so that anyone familiar with wireless networks can initiate an attack. One strategy to identify potentially malicious unauthorized users is through packet capturing. Although there are several software products available for packet capture, there is currently no paper in the literature that describes how to build a software tool to capture WiFi frames and its associated functions. In this paper, we present how we build our frame capture tool along with a set of implementation techniques for automatically capturing all the frames and analyzing an attack on a WiFi. In our research, we focus on the WiFi medium access control (MAC) layer for wireless network analysis. We also discuss what we learned and the limitations which we discovered when implementing the tool. Copyright 2009 John Wiley & Sons, Ltd. KEY WORDS: wireless local area network; packet capture; WiFi 1. Introduction A wireless local area network (WLAN) card has become a requisite part of a laptop. Not surprisingly, over two-thirds of U.S. corporations provide WLANbased Internet connectivity [1] and many families have set up wireless network environments in their homes. WLAN, also called WiFi, has the following advantages. Mobile equipment can become entirely mobile, escaping the bondage of an Ethernet line. Certain localities where it is difficult to deploy a traditional network (e.g., mine, old metropolis) may be easily covered by wireless networks. The WiFi signal can also be transmitted several miles with a special antenna, which can connect two places to one local network at a very low cost. The world record for 5G outdoor WiFi connection was 304 km ( miles) on 27 August 2007 [2]. Networks are inherently unsafe from unauthorized users. Because a packet may pass through numerous nodes to arrive at its destination, the packet may be redelivered or copied illegally during this transfer process. A wireless network has almost all of the same safety problems as traditional wired networks, in addition to the safety defects which are the result of its wireless characteristics. For example, many people use the same channel in wireless networks due to a shared spectrum. The media upon which a wireless signal is dependent is opened to public use, and this Correspondence to: Professor Yang Xiao, Department of Computer Science, The University of Alabama, 101 Houser Hall, Box , Tuscaloosa, AL , U.S.A. yangxiao@ieee.org Copyright 2009 John Wiley & Sons, Ltd.

2 BUILDING A WIRELESS CAPTURING TOOL FOR WIFI 655 increases the possibility that all the sent/received data may be captured by other user s computers. Moreover, other people can also connect to one s private wireless network, sharing or stealing his/her resources. The available encryption technology can be ineffective. Wired equivalent privacy (WEP) can be easily cracked when capturing enough frames and a WiFi protected access-pre-shared key mode (WPA-PSK) password can be acquired by capturing only one integration association and authentication handshake. Binding a medium access control (MAC) address to an access point (AP) still cannot solve the security problem since the MAC address can be easily modified. The one encryption method that appears safe is the certificate file in a WPA authentication, but it is extremely complicated to deploy. Compared to a wired network, a wireless network may be easily attacked. Some attackers may send malformed packets to a computer since the wireless channel is open to everyone. These numerous flooding packets may take up the narrow bandwidth and make the network congested. Furthermore, some malicious packets can lead to security problems. They can discover drawbacks of the system, and even crack the password or obtain other privacy information. In addition, wireless is invisible, so one cannot see the details of the current wireless network directly. It can cost time for a network manager to learn the topology of the current network, such as how many APs exist in the network, how many stations connect with each AP or whether there are some illegal adapters connected to the APs. Although there are several software products available for packet capture, there is currently no paper in the literature that describes how to build a software tool to capture WiFi frames and its associated functions. We implemented a wireless capture tool at the University of Alabama, and in this paper, we describe its implementation. First, we capture all the WiFi frames (one channel each time). Then, the frames are analyzed and classified. Through the analysis, we learn how many APs are alive in the air and which stations are communicating with the APs. Also, we can obtain statistics about the throughput of each station. Importantly, this information is real-time and is updated continuously. In the future, if we incorporate judgment conditions, we can include intrusion detection in our tool to determine which stations are illegal and also identify the suspicious stations which send malicious frames. Compared to many research papers in related areas, one advantage of our work is that it is a real implementation instead of simulations, emulations, or some other abstraction. The rest of this paper is organized as follows: Section 2 reviews existing work on wireless security issues. Section 3 introduces the method to capture wireless frames in our wireless capture tool. We analyze the structure of WiFi frames in Section 4. In Section 5, we specify the detailed design for analyzing the obtained frames and how to organize a topology. We note that during the analysis, we focus on the MAC layer. Section 6 describes a method for an attack diagnostic. We test and evaluate the tool in Section 7. Finally, we conclude this paper in Section Wireless Attacks and Wireless Analysis Tool 2.1. Wireless Security Technology Networks are unsafe, especially wireless networks. There are many technologies that could be used in order to protect the data transmission in the network. While such technologies can protect individuals to some degree, they are very vulnerable to malicious users who are well versed in wireless networks Wireless encryption Wireless encryption is the most fundamental security technology. WEP is the most frequently used encryption mode since it is the simplest, and almost all of wireless devices support this mode. However, WEP is the weakest encryption mode among currently available methods [3,4]. Usually, the 40-bit WEP can be cracked with initial vectors (IVs), and the 104- bit WEP can be cracked with IVs. With the introduction of the PTW technique [5] in aircrack-ng 0.9, the number of data frames required to crack WEP is dramatically lowered. Using this technique, the 40-bit WEP (64-bit key) can be cracked with as few as data frames and the 104-bit WEP (128-bit key) with data frames [6]. WPA-PSK is safer than WEP. However, if the integrated handshake frames are captured, the key can also be identified. Some tools, such as aireplay-ng, can force the clients to reauthenticate with APs, making it easy to capture the handshake frames. WPA-transport layer security (TLS) and WPAprotected extensible authentication protocol (PEAP) are among the safest wireless encryption algorithms. There is no report on cracking these encryption algorithms thus far. However, they are so complicated that an extra radius server is needed to issue and authenticate the certificate file for the user. As a result, it is difficult to configure and not suited for regular use.

3 656 K. MENG ET AL Hiding SSIDs Hiding service set identifiers (SSIDs) is used to prevent illegal users from connecting to the APs. As a default configuration, most of the APs broadcast beacons every 100 ms, making them exposed to the public. By receiving the beacons, the stations know the detailed configuration of an AP, including the SSID, supported rates, channel number, country domain, encryption mode, and so on. The APs can be configured to disable broadcasting beacons in order to impede the ability of common users to learn the existence of the APs. However, skilled users can use the association request frames (which still includes an AP s SSID), instead of the beacon frames to obtain detailed information about the APs and to connect to the APs by inputting SSIDs manually. As a result, hiding SSIDs is an invalid method to prevent skilled intruders Binding a MAC or IP address Binding a MAC and IP address to an AP is often configured in home WLAN plans or even some campuses of universities. For a typical household where there are a limited numbers of computers, it is an easy method to set up. Traditionally, the MAC address is considered as the unique identity of the network adapter, and it is a valid method to bind a MAC address to an AP to prevent others from connecting to the AP. However, the MAC address of network adapters can be modified from the electrically erasable programmable read-only memory (EEPROM) of hardware devices or from the operating system. Some manufacturers provide tools to modify MAC addresses for their products. In Windows operating systems, the registered MAC for a system can be rewritten by editing the register. The tool called SMAC may also carry out the MAC modification. It is even easy to modify a MAC address in the Linux operating system, as the command of ifconfig may complete the modification. As a result, the method of cracking the binding of the MAC or IP address can occur. First of all, the valid MAC and IP addresses can be found by capturing the data frames. By modifying the addresses of illegal devices to a valid address, illegal users can access the wireless network freely Wireless Crack Aircrack-ng (the next generation of aircrack) [6] is the most commonly used tool to crack a wireless network. It supports WEP and WPA-PSK encryption and can be used in both Linux and Windows operating systems. Aircrack-ng also provides extra tools to accelerate the crack speed. During the process of a wireless crack, enough wireless frames should be captured. A wireless network card that supports the promiscuous mode is needed to work as a sniffer. The sniffer passively listens, and cannot be observed by the host of a cracked AP Common Wireless Attacks Traditionally, a wireless crack is considered as a kind of wireless attack. However, in this research, we differentiate wireless attacks by their activity mode: passive or active. Generally, wireless cracks work in the passive mode, in which the devices are used as sniffers in promiscuous mode to collect frames. This differs from an active wireless attack that is actively sending frames to disturb the current wireless network, making the network abnormal for some period or even crashing the network. The media in which wireless frames transmit is the air, making it easily disturbed by other radio signals and difficult to be detected. Wireless attacks can be classified into two categories: a physical attack and a software attack. Radio devices which can send strong signals at the frequency of 2.4G can be used to perform a physical attack to 2.4G wireless networks. They break the media at the broad bandwidth upon which the wireless devices depend. For example, microwave ovens work at the frequency of 2.4G. When a microwave oven is turned on, the waves from the microwave oven can strongly interfere with the media in nearby areas. As a result, devices cannot be used near microwave ovens. During a physical attack, all the channels from 1 to 11 of b may be broken. Therefore, the wireless signal cannot be transmitted until the physical attack is stopped. In our work, we do not consider this kind of crack since the waves sent by those devices cannot be captured by our tool. The only case we take into account is attacks from wireless devices, which we call a software attack. There are many kinds of software wireless attacks. One type of software wireless attack helps to crack a WEP or PSK password. Another type may disturb wireless users from normal work by sending flooding frames to make the media congested. Also, some types of software attacks are used to destroy the operating system. They are similar to the attacks in a common network, such as address resolution protocol (ARP) flooding, ARP redirect, broadcast storm, etc. An attacker can send a DEAUTH request to the clients with the spoofed source address of an AP, forcing the clients to deauthenticate and re-authenticate with the APs. By

4 BUILDING A WIRELESS CAPTURING TOOL FOR WIFI 657 capturing the frames during the authenticate process the WPA-PSK keys can be cracked. Some wireless tools, such as Harris, are used to broadcast frames to disturb the current channel. A wireless network is very vulnerable to these types of attacks, since the media is open to the public and shared with other people, and attackers can easily use the characteristics to implement attacks Existing Wireless Network Analysis Tools There are some wireless capturing and analysis tools that can be found on the Internet. Wireshark, formerly known as Ethereal, has powerful features for network analysis and can be used both in Windows and Linux systems [7]. This tool can support wireless adapters that work in promiscuous mode to capture all the local wireless frames in the assigned channel. Most importantly, Wireshark is free and open source. We note that, as the default, Wireshark will capture all the frames without a frame check sequence (FCS) check. When analyzing the capture result, there may be many frames with unrecognized code. In this case, it is due to the bad frames that were not checked and should be discarded normally. Wireshark also supports Ethernet packets analysis, which does not need the promiscuous mode and only captures the packets passed by the network adapter. EtherPeek is a professional Ethernet network packet capturing and analysis tool which is developed by the WildPackets company. AiroPeek is another version used to capture and analyze wireless packets. It is a professional wireless frame capturing and analyzing tool that covers the full spectrum of wireless LAN management requirements, including site surveys, security assessments, client troubleshooting, WLAN monitoring, remote WLAN analysis, and application layer protocol analysis [8]. OmniPeek, which is the upgraded version of Ether- Peek and AiroPeek (also developed by the WildPackets Company), combines the Ethernet and wireless network together. The OmniPeek product family provides real-time troubleshooting of mission-critical network services and creates an effective, distributed solution for network analysis. It offers enterprises an easily deployed, easily managed and affordable solution for distributed network analysis [8]. These products of the WildPackets Company are not free to use. The other important contribution of the WildPackets Company is that it provides general wireless drivers to make wireless adapters work in promiscuous mode. As a result, we can use other wireless analyzers to work in cooperation with this driver. We can download the driver from the WildPackets website for free. Tcpdump is a very common packet sniffer which has very powerful functions and runs under the command line [9]. It allows the user to capture and display the packets according to different formats over the network. Most importantly, the packets captured and saved by tcpdump are compatible with Wireshark and it is convenient to use Wireshark to proceed with an analysis after packet capturing. Tcpdump may be used on both Windows and Linux systems. Netstumbler is a smart sniffer tool to display all the APs and detailed references existing in the local air. Also, Airdump can be used to capture wireless frames and use other wireless tools (i.e., Wireshark) for analysis. Another software product, called Aircrack, is used to crack the wireless encryption password after capturing the wireless packets by Airdump [6]. Of course, there are many other tools for wireless networks, such as Kismet [10], CommView [11] for WiFi, wlanscanner, WiFiscanner [12], and so on. However, the main function of these tools is to capture the frames in order to analyze them. They do not provide an integer topology of the current network directly. Although there are several software products available for packet capture as introduced above, there is currently no paper in the literature that describes how to build a software tool to capture WiFi frames and its associated functions. In this paper, we present how we build our frame capture tool along with a set of implementation techniques for automatically capturing all the frames and analyzing an attack on a WiFi. In our work, we develop our own tool to analyze the detailed structure of the network. Most importantly, we can extend the tool to support attack detection, and under some specific conditions, it will help us to identify suspicious stations. In our future work, we can separate the capturing and disposing of the process if necessary. This way, more than one adapter can be used to cover large scopes, collect frames and transmit them to the central server to dispose together. The whole wireless network can be monitored and to form a total topology as a diagnostic for the network. 3. How to Capture the Frames We now introduce how frames are captured and handled in our tool. The first step of the tool is to capture the frames using a sniffer adapter. The frames captured from the other stations and APs should include layers from the MAC layer to the application

5 658 K. MENG ET AL. layer. A common wireless adapter only handles those frames sent to it, while the hardware filters out any other frames. Hence, it cannot be used as a sniffer adapter since a sniffer collects all the frames which it receives. The wireless adapters which has the promiscuous mode are required. The promiscuous mode is a configuration of network adapter that makes the adapter pass all traffic/packets that it receives to the upper layer, even the destination of the packet is not the adapter. There are many wireless adapters that support promiscuous mode. The adapters with an Atheros chipset can support promiscuous mode the best. Aircrack recommends a list of chipsets, drivers and wireless adapters used for capturing wireless frames [13]. The drivers for the Atheros adapters for work with the promiscuous mode are provided by Wildframes [8]. In this research, we select the AirPcap USB adapter developed by CACE Technologies as our sniffer adapter. The main reason for selecting the AirPcap is that CACE Technologies provide a developer s package which we need for using an AirPcap adapter in our application for capturing frames. The content of the developer s pack includes: include files and lib files, online application programming interface (API) documentation and a ready-to-compile set of example programs that shows how to configure the adapter and capture frames. Another reason for choosing the AirPcap is the wide use of the USB interface. Most of the adapters provided by Aircrack are Cardbus, minipci, or PCI interfaces and cannot be used in most computers. Since almost all the computers support USB, we do not need to select special computers to use the adapters. The CACE developer s pack provides the following functions, which allow us to capture the wireless frames easily in our own program [14]: (1) pcap findalldevs() pcap findalldevs is used to look up all the available adapters in the computer. (2) pcap open live() pcap open live is used to open the adapter with WinPcap. (3) pcap get airpcap handle pcap get airpcap handle is used to obtain the Airpcap handle so we can change wireless-specific settings later. (4) AirpcapSetDeviceChannel() AirpcapSetDeviceChannel is used to set the fixed channel in which we want to capture the frames. (5) AirpcapSetLinkType() AirpcapSetLinkType is used to set the link layer to plus radio headers. In this case, we get a description of each frame that AirPcap has analyzed. We can remove these headers to get original wireless frames. (6) AirpcapSetFcsPresence() (7) AirpcapSetFcsValidation() These above two functions are used to filter and discard the FCS check error frames. (8) pcap next ex() pcap next ex is used to capture the wireless frames and save them to a buffer. The capturing process is real-time, so that we call this function in a loop. Of course, the loop needs to be created in a new separate thread; otherwise, the main process will be blocked and cannot implement a real-time analysis. (9) pcap close() pcap close is used to close the opened adapter. (10) pcap freealldevs() pcap freealldevs frees all the devices which are used to look up adapters. We can easily call these functions to capture wireless frames. The frames we get from pcap next ex() is binary data, which includes the data from the MAC layer to the application layer. The following analysis in the next section is based on these original binary frames. 4. WiFi Frame Analysis In this section, we introduce the structure of a WiFi frame and explain the method employed in our tool to handle these frames Frame Structure According to the IEEE Standard [15], the wireless frame consists of the following basic components: (1) a MAC header, which comprises frame control, duration, address, and sequence control information, and QoS control information for QoS data frames; (2) a variable length frame body, which contains information specific to the frame type and subtype; and (3) an FCS, which contains an IEEE 32-bit CRC. As for any 802.x protocol, the protocol covers the MAC and physical layers. The MAC layer performs functions that are typically related to upper layer protocols, such as ARP, fragmentation, acknowledge, and so on. Also, this layer provides the connection information for the wireless network. As a result, we will focus on the MAC layer.

6 BUILDING A WIRELESS CAPTURING TOOL FOR WIFI 659 Fig. 1. The general MAC frame format from the protocol. Fig. 2. The format of the frame control part in the MAC header. Figure 1 shows the general MAC layer frame format. The first three fields (frame control, duration/id, and Address 1) and the last field (FCS) in the figure constitute the minimal frame format and are present in all frames, including reserved types and subtypes. The fields Address 2, Address 3, sequence control, Address 4, QoS control, and frame body are present only in certain frame types and subtypes. Address 4 can only be used when an AP is in the wireless distributed system (WDS) mode where the communication is from AP to AP. In normal WLAN use, only the stations communicate with the AP (infrastructure mode). Therefore, we are only concerned with three MAC address frames in this research. The frame control field consists of the following subfields: protocol version, type, subtype, to DS, from DS, more fragments, retry, power management, more data, protected frame, and order. The format of the frame control field is illustrated in Figure 2. The protocol version field is 2 bits in length and is invariant in size and placement across all revisions of the standards of IEEE For standards, the value of the protocol version is 0. All other values are reserved. The type field is 2 bits in length, and the subtype field is 4 bits in length. The type and subtype fields together identify the function of the frame. There are three frame types: control, data, and management. Each of the frame types has several defined subtypes. Figure 3 defines the valid combinations of type and subtype. In this research, we use the type to sort the frames into three different categories, and then the subtype to classify them more specifically. We focus on the management frames and data frames. The control frames carry only a small amount of information since they are very short, which makes it is difficult to identify the sender of the frame. According to the standard [15], the To DS field is 1 bit in length and is set to 1 for data type frames destined for the DS. This includes all types of data frames sent by stations associated with an AP. The from DS field is 1 bit in length and is set to 1 for data type frames exiting the DS. It is set to 0 for all other frames. By distinguishing the DS fields, we can know whether the frame is from an AP or from a station. The addresses in the MAC header are the most important items. The AP and station linked lists are organized and traversed by the MAC address. Therefore, it is necessary to make clear what each of the MAC addresses stands for. We are only interested in the three MAC address frames and discard the WDS frames in which the from ds and to ds bits are both set to 1. Figure 4 shows the relationship between from ds, to ds and the MAC addresses. In Figure 4, the basic service set identification (BSSID) field is a 48-bit field of the same format as an IEEE 802 MAC address. This field uniquely identifies each basic service set (BSS). The value of this field, in an infrastructure BSS, is the MAC address currently in use by the station in the AP of the BSS. The value of this field in an independent basic service set (IBSS) is a locally administered IEEE MAC address formed from a 46-bit random number generated according to the procedure. The individual/group bit of the address is set to 0. The universal/local bit of the address is set to 1. This mechanism is used to provide a high probability of selecting a unique BSSID. The value of all ones is used to indicate the wildcard BSSID. A wildcard BSSID shall not be used in the BSSID field except for management frames of subtype probe request. The DA field contains an IEEE MAC individual or group address that identifies the MAC entity or entities intended as the final recipient(s) of the MAC service data units (MSDUs), or fragment thereof, contained in the frame body field. The SA field contains an IEEE

7 660 K. MENG ET AL. Fig. 3. Valid type/subtype combinations. MAC individual address that identifies the MAC entity from which the transfer of the MSDU, or fragment thereof, contained in the frame body field was initiated. The individual/group bit is always transmitted as a zero in the source address. The RA field contains an IEEE MAC individual or group address that identifies the intended immediate recipient station(s) on the wireless medium, for the information contained in the frame body field. The TA field contains an IEEE MAC individual address that identifies the station that has transmitted, onto the wireless medium, the MAC protocol data unit (MPDU) contained in the frame body field. The individual/group bit is always transmitted as a zero in the transmitter address.

8 BUILDING A WIRELESS CAPTURING TOOL FOR WIFI 661 Fig MAC address content. The analysis of the MAC addresses in the implementation will be based on the above figure. We are not concerned with the other bits of MAC headers since they are not used in this research Frame Analysis Various statistics can be determined from the analysis. For example, we may want to determine how many beacons each AP has sent, how many stations connect to each AP, how many data frames each station has sent and the association times of the stations. All the frame types each station sent may also be recorded. As a result, we can track the stations by watching all the frame information displayed in the program. At the same time, we can classify the raw binary data by each AP and each station, and save them to the.cap file, which is compatible with Wireshark or other wireless capturing tools. Therefore, it is convenient to use other tools to help analyze the frames according to each station. Better tracking of stations can be accomplished by performing an analysis above the MAC layer. Of course, this can only be done for a non-encrypted wireless network. In an encrypted wireless network, such as WEP or WPA-PSK, all the data above the MAC layer (i.e., IP, TCP, and so on) is encrypted and cannot be analyzed directly. Hence, we only consider non-encrypted wireless networks when we analyze the layer above the MAC layer. At present, we only consider the type of these frames, such as TCP, UDP, or ARP. Of course, we can analyze the data above the TCP layer and get more detailed information. However, because of the increase in complexity, we will address this in our future work Topology Organization In our tool, we capture all the frames and process the information. The results of the analysis are placed in a data structure of linked lists. The main linked list is the AP list. It contains all the local APs that exist near the capturing device. Each AP node also serves as a list header for a station-linked list. All the stations in the station list are connected to or were once connected to the AP. The topology of our tool is very straightforward. The main vertical link is the AP list, and every horizontal link is a station list which belongs to the first node (AP). It is convenient to display the topology with a graphic tool. In our research, we use two tables to show the relationship of the APs and stations. One table shows all the information for all the APs, and another table shows how the stations relate to each AP. This is illustrated in Figure 5, which is a screen shot of part of our tool. The traffic flow of the wireless network is easily discernable at a glance. If we want to look up the information for a Fig. 5. The AP list and station list in our capture tool. AP list includes ESSID, BSSID, AP channel, beacon number, beacon interval, and how many stations connect to it. The station list shows the information of each station.

9 662 K. MENG ET AL. station, the first step is to find the AP to which the station is connected or was connected to in the AP linked list. Then, we can traverse the station list of the AP to find the assigned station. Of course, we can only capture the traffic frames at one channel each time. In our future work, we will use enough sniffer cards distributed in different places to collect frames on more channels and to cover more places. Each sniffer card will send this binary data to a center server after collecting the frames, and the center server is used to handle the frame analysis. With this method, we can form the topology of a wireless network distributed in every channel and every accessible place. However, there are still some problems that need to be resolved. For example, there may be so much data that the linked list structure may ineffective for computation. Some valid algorithm (i.e., a hash array with a linked list) would have to be used to accelerate the analysis procedure under such circumstances. 5. Design and Implementation 5.1. Program Design Developing platform We use Microsoft Windows as the developing Operating System since the CACE developer s pack provides the function libraries for Microsoft Windows. Microsoft Visual C++ is used as the edit and compile tool. We use Microsoft Foundation Class (MFC) as the graphical interface in Microsoft Visual C Using multi-threads As we know, if there is a loop function in the main process, it will block the main process and the percentage of CPU usage will always be 100%. However, the function of pcap next ex() should be called in a loop in order to capture the frames continuously. Otherwise, the loop will block the main process, leading to high CPU usage and impacting the subsequent frames analysis and classification process. As a result, we add multi-threading into our program by calling AfxBeginThread to create a new thread and put the loop function in a thread other than the main process Real-time frame capturing and refresh strategy The tool is designed to support real-time frame capturing. The interface will show the wireless stations and APs during the capturing process. The amount of network traffic is indeterminable. Sometimes there are hundreds or thousands of frames in 1 s. It is impossible to refresh the interface each time a frame is received, since that would waste CPU time and I/O resources. In order to display the AP and station links in the interface, a timer is used for the refresh strategy. The SetTimer function is used to start a timer and wake up the interface when the timer expires. It begins once the Capture button is clicked and stops when the stop button or the program exit is clicked. As a default, the refresh time is set to 2 s, meaning every 2 s the system will wake up the OnTimer function. The OnTimer function will traverse the AP and station linked lists, and use the data from a list node to refresh the interface Frame overhead When the amount of frames in the traffic grows very large, this increase in the number of frames results in an increase in overhead. This overhead may lead to two problems. The first problem is that the hardware queue may overflow and later arriving frames discarded. We do not address this problem since our program does not communicate with the hardware and does not read frames from the hardware queue directly. We acknowledge that it is a difficult problem to solve. The second problem is that the CPU may be too slow to analyze and classify the frames. As we know, the received frames will be analyzed and classified according to the destination and source MAC address, and then inserted into the correct position in the linked list. A linked list searching method must then proceed to complete the insert operation. As the number of stations and APs grows, the search process will become longer and longer. We can use a hash table to accelerate the search speed and solve the problem. However, while we have included a hash table in our design for future implementation, we do not use a hash table for current programs I/O between the adapter and system The system uses a polling method to read frames from the adapters. The polling method has some defects, and one is low efficiency. However, the I/O method is determined by the hardware adapters and the developing frames. As mentioned in the previous section, our program does not communicate with the hardware or with the operating system directly. As a result, we cannot use other I/O methods. As a future improvement, we can use better wireless adapters to improve the I/O method.

10 BUILDING A WIRELESS CAPTURING TOOL FOR WIFI Program Implementation There are two parts to the source code program in our implementation. The first part is the analysis layer, and it is responsible for the collection, analysis of the frames, and the organization of the station and AP linked lists. The second part is the application layer, and it creates the application interface, provides the operating tool, and displays the analysis results to users. This section introduces how to implement the tool Initialization Our program has a GUI interface that allows users to choose the capture parameters before capturing the frames. At the initialization stage, the application layer searches the system devices for available wireless adapters and lists them for users to choose. Only those wireless adapters that support a promiscuous mode can be used in this program to capture wireless frames. Therefore, the wireless adapter should plug into the computer before opening the tool, after which the main AP linked list header will be initialized Configuration After initialization, users have the option of configuring the tool to capture frames. The wireless card and capturing channel can be selected. If we select the wrong adapter that does not support the promiscuous mode, the tool will display an error message to indicate that it only supports cards with the promiscuous mode. After selecting the proper adapter, users can also choose whether or not to save the captured file with the common file format of.cap. Users can also select the refresh time (default = 2 s), which determines the time interval for reading data from the linked lists for the station and AP in order to update the interface. The capturing work begins after users choose these parameters. Figure 6 shows the interface provided to users in our tool. Once users click the Capture button, the validity of a parameter will be checked. The parameters will be set to configure the card if the configuration is determined to be correct Frame capturing The capturing process is one of the most important functions that begin after the configuration. A loop is used to obtain frames continuously. While capturing initially appears to be very simple, we now note Fig. 6. The configuration of our capture tool: the capture adapter, channel, saved file and refresh time can be selected. some complex issues which arose during our implementation. For example, a single-thread program will not satisfy our requirement. As discussed above, the loop frames capturing function in the main process will block the main process and the percentage of CPU usage will always be 100%. Instead, we create a new thread to use the AfxBeginThread function and put the loop in this new thread in order to solve the problem. Most of the analysis occurs in this loop. The next subsection describes the implementation of the analysis. All of the raw frames obtained in this research are hexadecimal data, making it difficult to understand and organize. We create many structures which are in the file of wifimac.h to map to different kinds of frames. First of all, we save the data to a buffer to further dispose and then map the buffer to the structure of the frame according to the appropriate category. The first part of a frame is a radio header, which includes the overall information about the frame, such as channel, transmit rate, signal strength, TX power, and so on. We do not pay much attention to this information; we simply provide the user with a choice to print the radio information and all the hexadecimal data. Instead, we utilize the MAC header to perform the real analysis. Since we know the structure of each type of MAC headers, we are able to analyze the MAC layer content, which is the first step once the hardware delivers the frame Frame analysis The frameanalysis() is the starting point for the analysis. It has three parameters: buffer point, buffer length, and the pointer to the address of the AP linked list. This function analyzes the frames and organizes the AP linked list and station linked list according to the result of the analysis. As mentioned previously, we are only concerned with three address frames. First, the parameter of the buffer pointer is transformed to the type

11 664 K. MENG ET AL. WLAN DATA MAC HEADER3*. Then, based on the type and subtype provided by the frame control item, we can classify the frames into different categories. In order to complete the complicated function for the analysis, the main analysis function is implemented by four subfunctions: beaconanalysis(), AssociationRequestAnalysis(), AssociationResponseAnalysis(), and dataanalysis(). As described below, each sub function analyzes different types of frames and organizes the linked lists Beacon analysis The beaconanalysis() function analyzes the beacon frames. It forces the buffer pointer to map to the type WLAN FRAME BEACON*. It is easy to obtain the BSSID of the frames, because the BSSID is typically the third MAC address in a beacon MAC header. However, it is difficult to analyze the beacon tags. One beacon may have many tags which include the channel, SSID, support rate, and many other items, while each tag has a tag number, tag length, and tag data. The problem is that each tag has a different data length and a different data format. In our work, we are only concerned with the channel and SSID, but we do not know where these two tags are located. To solve this problem, we define a special structure for the beacon tag: typedef struct wlanbeacontag { A UINT8 tagnum; A UINT8 taglength; A UINT8 tagdata[0]; } WLAN BEACON TAG; We note that the size of the tagdata is 0. At the beginning of the beacon tag analysis, the tag pointer points to the beacon tag head, and the type of the pointer is wlanbeacontag*. We can check the tag number to see whether the tag is what we want. If not, we move the pointer forward the length of the tag, so the pointer then points to the next tag. At the same time we move the pointer, we create a counter to record the length of the tags that are left. We keep traversing all the tags until the length left is not enough for one tag. In this way, we can find the tags we want and save them to a recognizable format. After the analysis of the beacon, we can get the information about the AP and organize the AP linked list. First of all, we traverse the AP linked list by BSSID to see if the AP is already in the AP linked list. If it is in the AP linked list, we just update the total beacon number this AP has sent. If this is a new AP, a new AP node will be created and initialized by the analysis result. Then, the new node will be inserted into the AP linked list Association request analysis The AssociationRequestAnalysis() subfunction identifies the station sending an association request and updates its status. An association request is sent from a station to an AP. We force the parameter of the buffer pointer to the type WLAN FRAME ASSOCIATION*. The from ds and to ds bits are set to 0 for the association frames. Therefore, MAC address 1 is the destination address, MAC address 2 is the source address and MAC address 3 is the BSSID. In order to determine which station sent this request in the AP and station linked lists, it is first necessary to traverse the AP linked list using the BSSID and find the AP to which the station connects. Then, the station-linked list of the AP is traversed in order to determine the station. After identifying the station, its association status will be changed and a record will be saved to a file Association response analysis The AssociationResponseAnalysis() subfunction identifies the station to which an association response is sent and updates the station s status. The association response is sent from an AP to the station. We still force the parameter of the buffer pointer to the type WLAN FRAME ASSOCIATION*. The from ds and to ds bits are set to 0 for the association frames. Again, MAC address one is the destination address, MAC address 2 is the source address and MAC address 3 is the BSSID. The AP and station linked lists are traversed to identify the station. Lastly, the association status of the station is updated and the record saved. Each station has a record file to save all the information for frames it has sent. For those stations which connect to the same AP, their record files will be saved in the same directory Data analysis As its name implies, in the subfunction dataanalysis() the data frames are analyzed. Analyzing the data frames is the most challenging task because of their complexity. The from ds and to ds bits may be set to (0, 1) or (1, 0). We force the buffer pointer to map to the type WLAN FRAME DATA*. For a MAC layer analysis, we only focus on the data destination address and

12 BUILDING A WIRELESS CAPTURING TOOL FOR WIFI 665 Fig. 7. The main interface of our frames capturing tool. source address. Then we traverse the AP and station linked lists to identify the station. If it is a new station, a new node will be created and added to the station list. At the same time, the record will be saved. In Section , we describe an analysis above the MAC layer. For data frames, it may be difficult to determine which the station MAC address is and which the AP MAC address is. Commonly, if the from ds bit is set to 1, then the destination MAC address is the station and the source MAC address is the AP. If the to ds bit is set to 1, then the destination MAC address is the AP and the source MAC address is the station. However, the above simple analysis is not foolproof. There are some special frames that do not comply with this rule. For example, the dynamic host configuration protocol (DHCP) request of a station is a special frame. The from ds bit is set to 1 for a DHCP request, but the destination MAC address of the DHCP request is the broadcast MAC: FF:FF:FF:FF:FF:FF. The source MAC address is the station s MAC. Obviously, this does not comply with the rule, so all of these special frames must be analyzed separately Data display interface Figure 5 shows the main user interface for displaying the AP and station linked list. The list control is used to show the AP and station information. The left list control shows the information for the AP, including extended service set identification (ESSID), BSSID, channel, beacon count, beacon interval, and the number of stations that connect to the AP. If one of the APs in the left list control is selected, then the right list control will show the information for stations that connect to the selected AP. The station information includes MAC address, sent frame count, and so on. If the station is selected (see Figure 7), an edit place will appear above to show the detailed information of the station, including the association time and send frame time. After double clicking the station list, a new dialog will be created to display information about the number of frames the station has sent and received. This frame information is read directly from the record files that are saved when frames are sent or received. During the frame capturing process, new directories will be created for each AP. Every station which is connected to the AP has two files. The first file is the log file which records the association, sending, and receiving times of the frames. The second file is the.cap file which saves all the raw frames sent and received by the station. As mentioned previously, the.cap file can be opened conveniently by Wireshark to analyze the detailed frame content.

13 666 K. MENG ET AL MAC view In order to view the detailed information about each station easily, we draw a picture to display the number of frames each station has sent and received in the new dialog when we double click the item of a station list. Therefore, an issue arises as to how the parameters should be passed to the dialog to display the picture. The class of the new dialog is the sub-class of the main dialog. The main dialog knows the parameter and should notify the sub-dialog to display the MAC view. Hence, we need to pass the parameter to the new dialog before the main dialog calls the DoModal function to create the new dialog. A new function SetParameter for the sub-class is used to pass the parameters to the new dialog. It has six parameters: the file path which the new dialog should read to display the record information, the number of frames the station sent, the number of frames the station received, the number of acknowledged frames which the station received, and the authentication and association status. After the new dialog is created, the parameters can be displayed directly on the interface. However, there is an update problem with this method. The parameters are passed to the new dialog before it is created but the data are displayed after the dialog is created. As a result, it is difficult to update these data during the display. In order to get the new data, the dialog needs to be closed and reopened by double clicking the station list IP view This subsection introduces how to draw the picture from the IP layer. Since we are only concerned with the data frames, the management frames, such as the association request and association response, are discarded. To draw the picture from the IP layer, we use the same method used in the MAC view, displaying the classification and statistics in the main dialog, and sending the parameters to the new dialog by calling the SetParameter function. The types of frames in the IP layer include IP, ARP, and so on. 6. Attack Diagnostic for Further Work WLAN has its own features in the physical (PHY) and logic link control (LLC) layers, and as a result a WLAN attack analysis is not the same as a traditional Ethernet attack analysis. The identification of traffic signatures or fingerprints which are unique to the WLAN applications is of primary concern. There are some people who focus on WLAN intrusion analysis. For example in Reference [16], the author reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the AMC and LLC layers. However, the intrusion analysis is a manual diagnostic based on the frames present in the capturing tool, such as Ethereal, NetStumber, and so on. In our work, we plan to implement an auto-analysis attack diagnostic tool, which may discover a WLAN intrusion through an analysis of the current network content and provide a warning to the network manager. The current version of the tool cannot support an attack diagnostic yet. However, the function of the attack diagnostic can be easily added to the tool once the algorithm of the attack is defined. We present here a plan to support an attack diagnostic. Our tool includes the whole process from capturing frames, disposing and then creating the topology to display. We can insert the attack detecting code in the dispose process. To make the program more scalable, a register function will be used for the attack detection function to register. In this way, we do not need to modify other code when a new attack detection method is added. By calling the attack detecting function, we can find the suspicious stations according to the result returned. Then a warning message will display on the interface or be sent to the network administrator. An attacker cannot be stopped directly by our tool, because it is just a passive detective tool in this research. However, there are some methods that we can employ to stop an attacker in the future. For example, we can send spoof deauthentication frames to the attacker or control the AP to refuse the connection of the attacker. However, this increases the complexity as special adapters and APs are required which can be controlled to send frames and do associations. 7. Test and Evaluation 7.1. How to Use the Tool First of all, the aircap wireless USB network adapter with driver must be used for this software. The WIN- CAP library and.dll files are also needed to use the frame-capturing tool, since it is based on the Aircap development kit. This tool is a single executable file and can be opened directly. We suggest that an independent directory should be created for the tool, because it will generate many record files (the send, receive log, and.cap file) in different sub-directories during the

14 BUILDING A WIRELESS CAPTURING TOOL FOR WIFI 667 Fig. 8. The interface of the traffic of each client. capturing procedure. The main interface of our tool is shown in Figure 7 and the interface is used as follows. We begin with the items in the top left group box for the configuration for the capture. Select the proper network adapters. Select the capturing channel. The legal channels in the United States are from 1 to 11 for IEEE b/g. The adapter can only capture frames in one channel each time. Use the check box to save all the binary data of frames to a specified.cap file. Specify a refresh time used for updating the interface if the default is not desired. Click the Capture button to start after the configuration. (The Capture button appears as the Stop button once the configuration begins.) Next, we consider the remaining items beginning with the bottom left group box in Figure 7. The left down list control will show the information of APs in the selected channel, including the ESSID, BSSID, channel, beacon amount, beacon interval, and the number of stations connecting with the AP. Click one of the APs in the AP list and the right down list control will show the stations that connect with the AP. The information for the stations includes MAC address and the amount of data that has been sent and received. Click one of the stations in the station list and the top right edit box will show the detailed information for the station, including the time at which the station connected to the AP and the time at which the station sent the last frame. Double click one of the stations in the station lists and a new dialog will be created to show more detailed information about the station, including the topology of the MAC view. This interface is shown in Figure 8. The edit box shows the send and receive log of the selected station, including the connecting time, send data time, and receive data time. Due to the limitations of the edit box, only the latest 100 lines are displayed. The topology in Figure 8 shows the MAC view of the station. It includes the association and authentication status, and the number of sent and received frames. Go to the directory in which this application is stored to get the log file and saved raw frame file, if more information is needed about each client or the total frames. The total binary file of all the captured frames is saved in the directory which is the same as the application (if the check box is chosen to save all the frames). Directories will be created for each AP found during the frame analysis. The directories are named ap0, ap1, and so on, corresponding to the sequence of the APs in the AP control list. The log files and binary data for the stations are put into the directories according to the APs with which the stations connect. The log files are named sta1, sta2, and so on, according to the sequence of the stations in the station list. ASCII files are used to save the events of the specific station, including authentication, association, send data, and receive data. The binary data files are named by sta1.cap, sta2.cap, and so on, with formats compatible with Wireshark. The data in the files are the content of the frames which the specific station sent