Lab7b Wireshark

Uploaded by

dokhang2489
Copyright
© All Rights Reserved

Beacon Frames

1. What are the SSIDs of the two access points that are issuing most of the beacon
frames in this trace?

30 Munroe St and linksys_SES_24086

2. What are the intervals of time between the transmissions of the beacon frames from
the linksys_ses_24086 access point? From the 30 Munroe St. access point? (Hint: this
interval of time is contained in the beacon frame itself).

- linksys_ses_24086: 0.1024 seconds

- 30 Munroe St.: 0.1024 seconds

3. What (in hexadecimal notation) is the source MAC address on the beacon frame from
30 Munroe St? Recall from Figure 7.13 in the text that the source, destination, and BSS
are three addresses used in an 802.11 frame. For a detailed discussion of the 802.11
frame structure, see section 7 in the IEEE 802.11 standards document (cited above).

00:16:b6:f7:1d:51

4. What (in hexadecimal notation) is the destination MAC address on the beacon frame
from 30 Munroe St?

ff:ff:ff:ff:ff:ff

5. What (in hexadecimal notation) is the MAC BSS id on the beacon frame from 30 Munroe
St?

00:16:b6:f7:1d:51

6. The beacon frames from the 30 Munroe St access point advertise that the access point
can support four data rates and eight additional “extended supported rates.” What are
these rates?

Four supported rates: 1Mb/s, 2Mb/s, 5.5Mb/s and 11Mb/s
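
The beacon answers above (addresses, interval, rates) can be read straight out of the frame bytes. The following is an added example, not part of the original lab answers: a minimal beacon parser run on a constructed frame whose fields follow the answers above (an interval field of 100 time units gives 0.1024 s). The names parse_beacon, rates_mbps and SAMPLE are illustrative.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def rates_mbps(body):
    # each rate byte: low 7 bits in units of 500 kb/s, top bit marks a "basic" rate
    return [(r & 0x7F) * 0.5 for r in body]

def parse_beacon(frame):
    """Parse a raw 802.11 beacon (no radiotap header, no trailing FCS)."""
    if len(frame) < 36:
        raise ValueError("truncated beacon")
    if ((frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF) != (0, 8):
        raise ValueError("not a beacon (type 0, subtype 8)")
    # fixed parameters after the 24-byte header: timestamp, interval, capabilities
    _ts, interval_tu, _cap = struct.unpack_from("<QHH", frame, 24)
    info = {"da": mac(frame[4:10]), "sa": mac(frame[10:16]),
            "bssid": mac(frame[16:22]),
            "interval_tu": interval_tu,
            "interval_s": interval_tu * 1024 / 1_000_000,  # 1 TU = 1024 microseconds
            "ssid": None, "rates": [], "ext_rates": []}
    pos = 36
    while pos + 2 <= len(frame):          # tagged parameters: id, length, body
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                         # element runs past the end of the capture
        if eid == 0:                      # SSID
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == 1:                    # Supported Rates
            info["rates"] = rates_mbps(body)
        elif eid == 50:                   # Extended Supported Rates
            info["ext_rates"] = rates_mbps(body)
        pos += 2 + elen
    return info

# Constructed sample frame: addresses, SSID, interval and rates follow the answers above.
AP = bytes.fromhex("0016b6f71d51")
SSID = b"30 Munroe St"
SAMPLE = (bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"
          + struct.pack("<QHH", 0, 100, 0x0001)
          + bytes([0, len(SSID)]) + SSID
          + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96]))

if __name__ == "__main__":
    print(parse_beacon(SAMPLE))
```
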


Data Transfer

1. Find the 802.11 frame containing the SYN TCP segment for this first TCP session (that
downloads alice.txt).

o What are the three MAC address fields in the 802.11 frame?

• Source: 00:13:02:d1:b6:4f, to the host itself

• Destination: 00:16:b6:f4:eb:a8, to the first hop router

• BSS: 00:16:b6:f7:1d:51

o What is the IP address of the wireless host sending this TCP segment?

192.168.1.109

o What is the destination IP address?

128.199.245.12

o Does this destination IP address correspond to the host, access point, first-hop
router, or some other network-attached device? Explain.

This corresponds to the server gaia.cs.umass.edu.

2. Find the 802.11 frame containing the SYNACK segment for this TCP session.

o What are the three MAC address fields in the 802.11 frame?

• Destination: 91:2a:b0:49:b6:4f, to the host itself

• Source: 00:16:b6:f4:eb:a8, to the first hop router

• BSS: 00:16:b6:f7:1d:51

o Does the sender MAC address in the frame correspond to the IP address of the
device that sent the TCP segment encapsulated within this datagram?

No

Association/Disassociation

1. What two actions are taken (i.e., frames are sent) by the host in the trace just after t=49,
to end the association with the 30 Munroe St AP that was initially in place when trace
collection began? (Hint: one is an IP-layer action, and one is an 802.11-layer action).
Looking at the 802.11 specification, is there another frame that you might have
expected to see, but don’t see here?

- At t = 49.583615 a DHCP release is sent by the host to the DHCP server (whose IP
address is 192.168.1.1) in the network that the host is leaving.
- At t = 49.609617, the host sends a DEAUTHENTICATION frame (Frame type = 00
[Management], subframe type = 12 [Deauthentication]).

2. Examine the trace file and look for AUTHENTICATION frames sent from the host to an
AP and vice versa. How many AUTHENTICATION messages are sent from the wireless
host to the linksys_ses_24086 AP (which has a MAC address of Cisco_Li_f5:ba:bb)
starting at around t=49?

19 Authentication messages, starting from t=49.638857

3. Does the host want the authentication to require a key or be open?

The host wants the authentication to be open, not requiring a key.

4. Do you see a reply AUTHENTICATION from the linksys_ses_24086 AP in the trace?

No

5. Now let’s consider what happens as the host gives up trying to associate with the
linksys_ses_24086 AP and now tries to associate with the 30 Munroe St AP. Look for
AUTHENTICATION frames sent from the host to an AP and vice versa.

o At what time is there an AUTHENTICATION frame from the host to the 30
Munroe St AP?

At t = 1:03.168087

o When is a reply AUTHENTICATION sent from that AP to the host?

At t = 1:03.169707

6. An ASSOCIATE REQUEST from host to AP, and a corresponding ASSOCIATE RESPONSE
frame from AP to host are used for the host to associate with an AP.

o At what time is there an ASSOCIATE REQUEST from the host to the 30 Munroe St
AP?

At 1:03.169910

o When is the corresponding ASSOCIATE REPLY sent?


(Note that you can use the filter expression “wlan.fc.subtype < 2 and wlan.fc.type ==
0 and wlan.addr == IntelCor_d1:b6:4f” to display only the ASSOCIATE REQUEST
and ASSOCIATE RESPONSE frames for this trace.)

7. What transmission rates is the host willing to use? The AP? (To answer this question,
you will need to look into the parameters fields of the 802.11 wireless LAN
management frame.)

Four supported rates: 1Mb/s, 2Mb/s, 5.5Mb/s and 11Mb/s
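
The three address fields asked about under Data Transfer and the display filter quoted in question 6 both depend on the frame control field. The following is an added example, not part of the original lab answers: it decodes type, subtype and the ToDS/FromDS bits of header-only frames constructed from the MAC addresses on this page. The names decode, is_assoc_exchange and build are illustrative, and the predicate follows the intent of the filter rather than Wireshark's own matching code.

```python
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 11: "authentication", 12: "deauthentication"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode(frame):
    """Decode type/subtype and address roles of a raw 802.11 frame (no radiotap)."""
    if len(frame) < 24:
        raise ValueError("need a full 24-byte management/data header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    to_ds, from_ds = frame[1] & 0x1, (frame[1] >> 1) & 0x1
    a1, a2, a3 = (mac(frame[i:i + 6]) for i in (4, 10, 16))
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    if to_ds:        # station -> AP: Address 1 is the BSSID, Address 3 the final DA
        roles = {"bssid": a1, "sa": a2, "da": a3}
    elif from_ds:    # AP -> station: Address 2 is the BSSID, Address 3 the original SA
        roles = {"da": a1, "bssid": a2, "sa": a3}
    else:            # management frames: DA, SA, BSSID in that order
        roles = {"da": a1, "sa": a2, "bssid": a3}
    name = MGMT_SUBTYPES.get(subtype, "other") if ftype == 0 else None
    return {"type": ftype, "subtype": subtype, "name": name, **roles}

def is_assoc_exchange(frame, station):
    """Intent of: wlan.fc.subtype < 2 and wlan.fc.type == 0 and wlan.addr == station"""
    d = decode(frame)
    return d["type"] == 0 and d["subtype"] < 2 and station in (d["sa"], d["da"])

def build(fc0, fc1, a1, a2, a3):
    """Constructed header-only frame: frame control, duration, 3 addresses, seq."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc0, fc1]) + b"\x00\x00" + raw(a1) + raw(a2) + raw(a3) + b"\x00\x00"

# MAC addresses as given in the answers on this page; the frames are constructed.
HOST, AP, ROUTER = "00:13:02:d1:b6:4f", "00:16:b6:f7:1d:51", "00:16:b6:f4:eb:a8"
SAMPLES = [
    build(0x00, 0x00, AP, HOST, AP),      # association request
    build(0x10, 0x00, HOST, AP, AP),      # association response
    build(0xB0, 0x00, AP, HOST, AP),      # authentication
    build(0xC0, 0x00, AP, HOST, AP),      # deauthentication
    build(0x08, 0x01, AP, HOST, ROUTER),  # data frame with ToDS set (like the SYN)
]

if __name__ == "__main__":
    for f in SAMPLES:
        d = decode(f)
        print(d["name"] or "data", d["sa"], "->", d["da"], "bssid", d["bssid"],
              "assoc-filter:", is_assoc_exchange(f, HOST))
```
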


Other Frame types

16. What are the sender, receiver and BSS ID MAC addresses in these frames? What is
the purpose of these two types of frames? (To answer this last question, you’ll need to
dig into the online references cited earlier in this lab).

At t = 46.586825 there is a Probe Request sent with source 00:13:02:d1:b6:4f, destination:
ff:ff:ff:ff:ff:ff, and a BSS Id of ff:ff:ff:ff:ff:ff.

At t = 46.590448 there is a Probe Response sent with source: 00:16:b6:f7:1d:51, destination


and a BSSID of 00:16:b6:f7:1d:51.

A Probe Request is used by a host in active scanning to find an Access Point. A Probe
Response is sent by the access point to the host sending the request.
