dot11Expert: Advanced Wireless Packet Capture Techniques


Who should read this

  • WLAN engineers who need to investigate outages or performance issues.
  • Incident responders handling wireless security incidents.
  • Forensic analysts seeking practical, hands‑on Wi‑Fi investigation methods.
  • Security researchers and penetration testers interested in reconstructing wireless events.

1. Fundamentals of Wireless Forensics

Wireless forensics differs from wired network forensics in several key ways:

  • Broadcast nature: Wi‑Fi frames are transmitted over the air and can be received by any device within radio range.
  • Radio context: Signal strength (RSSI), channel, and PHY details matter for location and timeline reconstruction.
  • 802.11 protocol complexity: Management, control, and data frames each reveal different evidence types.
  • Capture limitations: You only see what your radio(s) receive — overlapping channels, interference, and hardware capabilities affect completeness.

Core forensic artifacts in 802.11 investigations:

  • Management frames (beacon, probe request/response, association/disassociation, authentication/deauthentication)
  • Control frames (RTS/CTS, ACK) — useful for timing and retransmission patterns
  • Data frames and payloads — may include higher‑layer protocols (HTTP, DNS, etc.) if unencrypted
  • Radiometric data (RSSI, timestamps, channel, phy rate)
  • Metadata from access points, controllers, and authentication servers (RADIUS, syslogs)

Before collecting wireless data:

  • Confirm authority to capture radio traffic in the investigation area.
  • Obtain written authorization or warrant when required.
  • Be aware that capturing unencrypted user payloads may expose private communications.
  • Preserve chain of custody: document devices, operators, timestamps, and procedures.

Maintain minimal scope: capture only what’s necessary, and securely store captured evidence with cryptographic hashing (SHA‑256) and clear audit logs.


3. Tools and Environment

Primary tool: dot11Expert (conceptually representing advanced 802.11 capture and analysis workflows). Complementary tools:

  • Wireshark — deep packet and protocol analysis.
  • Kismet — passive discovery and multi‑adapter capture.
  • tcpdump/airodump-ng — lightweight capture options.
  • Aircrack-ng suite — for certain capture modes and decryption (with keys).
  • Radiotap and pcapng — capture file formats preserving radio metadata.
  • RADIUS/syslog collectors — for correlating authentication events.

Hardware considerations:

  • Use high‑quality 802.11 radios that support monitor mode and multiple channels (e.g., Atheros, Intel X520‑based adapters, specialized sniffers).
  • Consider multiple synchronized capture points to reduce blind spots.
  • Time synchronization between sensors (GPS, PTP, or NTP) for accurate timeline correlation.
  • Antennas and placement matter: directional antennas for targeted capture, omnidirectional for area coverage.

4. Evidence Collection: Best Practices

  1. Define objectives: incident timeline, device identification, payload recovery, or location estimation.
  2. Choose capture locations: near APs, suspected client locations, and choke points.
  3. Configure radios:
    • Enable monitor mode.
    • Set correct channel(s) or use adaptive/multi‑channel capture.
    • Capture Radiotap headers and full packet (snaplen high enough).
  4. Time synchronization:
    • Ensure all capture hosts sync to an authoritative time source.
    • When possible, enable GPS timestamps on capture devices.
  5. Preserve chain of custody:
    • Hash capture files immediately after collection (e.g., SHA‑256).
    • Log operator, device IDs, MACs, start/stop times, and capture settings.
  6. Capture system logs:
    • Collect AP/controller syslogs, RADIUS logs, DHCP logs, and relevant host logs.
  7. Capture duration:
    • For incidents, capture from before to after the window of interest when possible.
    • For ongoing monitoring, rotate files with overlap and maintain retention policies.

5. Basic dot11Expert Capture Workflow (Step‑by‑Step)

Step 1 — Prepare the environment:

  • Install and verify capture tools (dot11Expert components, Wireshark).
  • Verify radio drivers and monitor‑mode capability.
  • Confirm time sync and storage availability.

Step 2 — Start passive capture:

  • Use multi‑channel or fast channel‑hop capture depending on hardware.
  • Prefer continuous, high‑resolution capture when investigating active incidents.

Step 3 — Annotate the capture:

  • Add manual notes for observed events (physical evidence, operator actions).
  • Tag capture files with incident IDs and subject metadata.

Step 4 — Supplement with active data where authorized:

  • Query APs for logs, run authenticated scans to list SSIDs/BSSIDs and config.
  • Capture management frame exchanges by causing a probe/association (only with permission).

Step 5 — Secure and transfer evidence:

  • Hash files and store on write‑once media or secure servers.
  • Maintain access logs and avoid altering original files.

6. Analysis Techniques

6.1 Initial Triage

  • Open capture in Wireshark or dot11Expert viewer.
  • Filter management frames:
    • Beacon frames list SSIDs, supported rates, and vendor IEs.
    • Probe requests reveal scanning clients and preferred SSIDs.
    • Authentication/association frames show clients joining APs.
  • Identify deauthentication/disassociation storms via spikes in DEAUTH frames.

Quick filters (Wireshark examples):

  • All management frames: wlan.fc.type == 0 (older Wireshark releases also accepted the wlan_mgt protocol name)
  • Beacons: wlan.fc.type_subtype == 0x08
  • Deauth: wlan.fc.type_subtype == 0x0c

6.2 Client and AP Identification

  • Map MAC addresses to OUI/vendor for device type guesses.
  • Correlate client MACs with DHCP and RADIUS logs to get IP/user context.
  • Track a device’s roaming by following reassociation frames and BSSID changes.

6.3 Timeline Reconstruction

  • Use timestamps (Radiotap) to order events across captures.
  • Combine AP logs, RADIUS logs, and PCAP timestamps to build a timeline.
  • Look for causality: e.g., authentication failure → deauth flood → client disconnect.

6.4 Decryption and Payload Analysis

  • If the WPA2/WPA3 handshake was captured and the PSK or PMK is available, attempt decryption in Wireshark.
  • For enterprise networks, correlate EAP/RADIUS exchanges to identify the authenticated user.
  • Decrypted payloads enable higher‑layer analysis (DNS, HTTP, SMB).

Practical tips:

  • Capture the full 4‑way EAPOL handshake for WPA/WPA2‑PSK decryption.
  • For WPA3/SAE, decryption is far more complex; rely on endpoint logs where possible.

6.5 Radiometric & Physical Analysis

  • Use RSSI and frame timing to infer approximate physical location or movement.
  • Compare signal strength across multiple capture points to triangulate.
  • Inspect control frames (ACK/RTS) and retransmission counts to find interference or jamming.

6.6 Detecting Attacks & Malicious Activity

  • Rogue APs: SSIDs advertising corporate names but different BSSIDs or insecure security.
  • Evil Twin: AP with same SSID as legitimate AP but with different BSSID or differing capabilities.
  • Deauth/Disassociation attacks: spikes of 802.11 DEAUTH/Disassoc frames from unexpected sources.
  • Probe request profiling: unusual probe strings, excessive scanning, or random MAC probing patterns.
  • Packet injection: anomalous management frames with impossible timing or malformed IEs.

7. Advanced dot11Expert Techniques

  • Multi‑sensor correlation: merge multiple pcap files using global timestamps and create composite views of an event.
  • Beacon/Probe fingerprinting: track device fingerprints across random MACs using IE patterns and supported rates.
  • Client behavior modeling: detect anomalies by comparing normal traffic volumes, probe frequencies, and association patterns.
  • Automated heuristics: use scripts to extract EAPOL handshakes, list deauth sources, and generate timeline CSVs for SIEM ingestion.
  • Machine learning: cluster probe requests, or use classification models to separate legitimate versus rogue AP behavior (requires labeled data).

8. Case Study (Example Reconstruction)

Scenario: Users report intermittent disconnections in an office. Investigation steps:

  1. Collect continuous multi‑channel captures near the affected area and gather AP syslogs.
  2. Triage reveals repeated DEAUTH frames targeting multiple clients during business hours.
  3. Correlate timestamps with physical access logs — discover a maintenance device testing Wi‑Fi sweeps.
  4. Radiometric analysis shows DEAUTH transmitter located near a specific conference room.
  5. After confronting operations staff, the device was identified and the operation halted. Capture files were hashed and stored; the incident was closed with remediation steps (device policy update).

This demonstrates combining packet evidence, location inference, and organizational context.


9. Reporting and Evidence Presentation

  • Include executive summary, scope, timeline, methodology, findings, and recommended remediation.
  • Present key artifacts: screenshots of Wireshark packets, decoded EAP/RADIUS exchanges, and summary tables of malicious frames.
  • Maintain raw evidence integrity: attach hashes and chain‑of‑custody logs.
  • Produce an appendix with technical details and commands used for reproducibility.

Example table of key findings:

  Item          Evidence                            Impact
  ------------  ----------------------------------  ----------------------------
  Deauth flood  PCAP timestamps, source BSSID/MAC   Client disconnects, DoS risk
  Rogue AP      Beacon frames, SSID/BSSID mismatch  Credential harvesting risk

10. Remediation and Hardening

  • Enforce 802.11w (Protected Management Frames) to mitigate deauth/disassoc attacks where supported.
  • Use WPA2/WPA3 enterprise with EAP methods that provide mutual authentication.
  • Enable AP and controller logging and integrate with a SIEM for alerting on anomalous management frames.
  • Apply RF planning: adjust channels, power levels, and antenna placement to reduce co‑channel interference.
  • Implement device onboarding controls (network access control, certificate‑based auth) to limit rogue devices.

11. Automation & Playbooks

Develop playbooks for common incidents:

  • Deauth storm: collect capture, identify source MACs, correlate with physical access, and block via wireless controller.
  • Rogue AP detection: quarantine device, collect PCAP, compare to known AP configs, and notify security.
  • Credential capture suspicion: preserve relevant PCAP, extract EAP exchanges, contact legal/compliance.

Automate routine extraction tasks:

  • Extract EAPOL handshakes, list SSIDs/BSSIDs, summarize probe requests per MAC, and compute RSSI time series.
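An added example (not part of the original guide or of dot11Expert) for the deauth‑storm heuristic referred to in sections 6.1, 7 and 11: it parses a Radiotap pcap with the Python standard library only, counts deauthentication frames per transmitter in fixed time windows, and lists transmitters whose peak per‑window count reaches a threshold. The capture is constructed in memory so the script runs offline; the MAC addresses, timestamps and threshold are assumed values, and the parser handles little‑endian microsecond pcaps with link type 127 only.

```python
import struct
from collections import Counter, defaultdict
LINKTYPE_RADIOTAP = 127   # pcap link type: 802.11 frames prefixed with Radiotap headers
DEAUTH_SUBTYPE = 0x0C     # management frame (type 0), subtype 12 = Deauthentication

def mgmt_frame(subtype, da, sa, bssid, body=b""):
    # Frame Control (type 0, subtype in bits 4-7), duration, addr1/addr2/addr3, seq ctl, body
    mac = lambda a: bytes.fromhex(a.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + mac(da) + mac(sa) + mac(bssid) + b"\x00\x00" + body

def pcap_file(records):
    # Build a little-endian pcap in memory; each frame gets a minimal 8-byte Radiotap header
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for ts, frame in records:
        pkt = struct.pack("<BBHI", 0, 0, 8, 0) + frame   # version, pad, it_len, it_present
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out

def iter_frames(data):
    # Yield (timestamp, 802.11 frame) from a Radiotap pcap, stripping the Radiotap header
    assert data[:4] == b"\xd4\xc3\xb2\xa1" and struct.unpack_from("<I", data, 20)[0] == LINKTYPE_RADIOTAP
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        rt_len = struct.unpack_from("<H", pkt, 2)[0]     # Radiotap it_len (little-endian)
        yield sec + usec / 1e6, pkt[rt_len:]

def deauth_sources(pcap_bytes, window=1.0, threshold=10):
    # Count deauths per transmitter (addr2) per time window; report peaks reaching the threshold
    per_window = defaultdict(Counter)
    for ts, frame in iter_frames(pcap_bytes):
        if len(frame) >= 24 and (frame[0] >> 2) & 3 == 0 and frame[0] >> 4 == DEAUTH_SUBTYPE:
            src = ":".join(f"{b:02x}" for b in frame[10:16])
            per_window[int(ts // window)][src] += 1
    peaks = Counter()
    for counts in per_window.values():
        for src, n in counts.items():
            peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n >= threshold}

# Constructed sample: the AP sends one deauth (reason 3); an unexpected transmitter sends 20 in one second
AP, ROGUE = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
CLIENTS = ["aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"]
SAMPLE = pcap_file([(1700000000.0, mgmt_frame(DEAUTH_SUBTYPE, CLIENTS[0], AP, AP, b"\x03\x00"))] +
                   [(1700000001.0 + i * 0.05, mgmt_frame(DEAUTH_SUBTYPE, CLIENTS[i % 2], ROGUE, AP, b"\x07\x00"))
                    for i in range(20)])
```

Calling deauth_sources(SAMPLE) returns only the rogue transmitter with its peak count of 20; the legitimate AP's single deauth stays below the threshold, which is the distinction a triage script should make before anyone correlates the source MAC with physical access logs.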

12. Limitations and Challenges

  • Incomplete captures due to channel hopping or limited radios.
  • Encryption (WPA3, TLS) limits payload visibility.
  • MAC randomization and privacy features complicate device tracking.
  • Legal restrictions on active probing and payload capture.

Mitigate via multi‑sensor deployments, greater capture density, and integrating non‑wireless logs (DHCP, RADIUS, physical access).


13. Learning Resources and Next Steps

  • Study 802.11 standards and Radiotap format.
  • Practice with benign captures and tools like Wireshark and Kismet.
  • Build a small multi‑adapter lab to simulate incidents and refine workflows.
  • Follow vendor advisories for AP/controller hardening and updates.

Conclusion

dot11Expert forensic workflows combine disciplined evidence collection, radio and protocol expertise, and cross‑correlation with system logs and organizational context. With careful planning, legal compliance, and the right hardware and tools, wireless forensics can reveal clear timelines, identify malicious actors, and support remediation.
