Thursday, November 19, 2015

Wireshake WPA2-PSK decryption is not working

I have tried many times to decrypt wifi pkt captures using Wireshark without success. I googled extensively but didn't find why the decryption is not working. Finally I think I found how to decrypt wifi captures. The secret is in Edit --> Preferences --> Protocols --> IEEE 802.11


Ignore the protection bit is set to "no" by default. Set that to "Yes - with IV".  As soon as I set this I could see the data pkts.



Also make sure that the pkt capture contains a 4-way handshake.





Saturday, November 7, 2015

Cisco controller Layer 3 authentication(CWP) with Windows 2008 NPS

If you want use captive web portal authentication for wireless users using Cisco wireless lan controller (WLC) and Windows NPS as the RADIUS server you need to tick few boxes that are not ticked by default. In simple term you need to enable PAP in the NPS network policy.

















WLC configuration,

Create a SSID




Select no Layer 2 security 


Select "Web policy" as layer 3 security 



Windows NPS configuration 

Select NPS and click on configure 802.1x









Finally the pkt capture at the RADIUS server looks like this. The service type is "login", instead of "Framed".








Thursday, October 29, 2015

Network Delay Generation

If for any testing you would like to generate network delay you can use the software tool netem. I used the instruction in the web site below for setting up netem.

http://www.linuxfoundation.org/collaborate/workgroups/networking/netem#How_come_first_ping_takes_longer.3F

I am going to explain a simple setup you can use this tool to test the effect of network delay on network protocols,

1. Introduce ping round trip delay,
























2. At the Ubuntu desktop enter the following commands in the shell 

For delay d1 ,

shell# tc qdisc add dev eth0 root netem delay 100ms


For delay d2 (need to create a ifb interface),

shell#  modprobe ifb
shell#  ip link set dev ifb0 up
shell#  tc qdisc add dev eth0 ingress
shell#  tc filter add dev eth0 parent ffff: \ protocol ip u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb0
shell#  tc qdisc add dev ifb0 root netem delay 750ms


3. Now ping from any client to the Ubuntu box 172.16.1.177 and the ping round trip delay will be around 850ms,



















4. Lets say you want to change the delay d1 and d2, use the two commands below,

shell# tc qdisc change dev eth0 root netem delay d1ms
shell#  tc qdisc change dev ifb0 root netem delay d2ms


5. To remove network delay,

shell# tc qdisc del dev eth0 root netem delay d1ms
shell#  tc qdisc del dev ifb0 root netem delay d2ms



6. I used this to test the effect of network delay on NTP. The NTP server was installed in the Ubuntu box (apt-get install ntp) and introduced a 60 second delay to see whether the client failed time sync,








Tuesday, October 20, 2015

Wifi Spectrum Analysis test with video transmitter

I was curious to see how Aerohive HiveManager and Cisco controller would report my 2.4GHz video transmitter (2.4G 4CH XL24017),





Aerohive HIveManager + AP330 identified the video transmitter as a video bridge,



Cisco controller + AP 3502i reported it as a continuous transmission, which is correct because it is a continuous analog transmission, but it would have been nice if the controller could identify that it is a video transmitter.




Monday, September 21, 2015

WIN 2008 R2 DHCP server not showing leases

I have run in to this issue several times and finally found the solution. If you Windows 2008 R2 DHCP server does not show leases just refresh the leases.

Before refresh :



After refresh :


Wednesday, April 22, 2015

Broadcast and Multicast analysis using Wireshark

I have been looking for a way to analyse a packet capture and provide a visual representation to show how much multicast and how much broadcast is in a capture compared to unicast. There are commercially available software to do this kind of analysis but those are not cheap.  Playing around with tools in Wireshark I found that IO graph can show this analysis in a graph,

Steps : Open the capture using Wireshark --> goto Statistics --> IO Graph --> Enter the filter you want for each line in the graph.

IPv4 multicast filter :  eth.dst[0] == 0x01
IPv6 multicast filter :  eth.dst[0] == 0x33
Broadcast filter        :  eth.dst[0] == 0xff
Unicast is not(multicast or broadcast) : !(eth.dst[0] == 0x33 || eth.dst[0] == 0x01 || eth.dst[0] == 0xff)