CWAP-403 has been one of my favorite exams to study for; several books and a lab guide have yet to be completed. Wireless analysis is something I would like to master, and this exam is just the beginning.
I do feel a bit “all over the place” with so many books to read, so I thought it could be a good idea to make short notes about each single topic. After seeing that @keepcalmandping passed his exam, and reading his blog (https://keepcalmandping.online/) (good one!), I forced myself to start doing something. I already have this blog, why not use it more. We can’t all be like the awesome Rasika (https://mrncciew.com/) or Gjermund Raaen (https://gjermundraaen.com/), but we all need to start somewhere. 😊
You find the topics here – CWAP-403 objectives
(warning, I tend to write not so technically. That may change)
1.1 – Capture 802.11 frames using the appropriate methods and locations
1.1.1 – Install monitor mode drivers
First some words from Wikipedia:
This is all about Windows, or Linux for that matter, since it works perfectly on macOS. Not all adapters support monitor mode, and some work better than others. One tool to check whether your adapter supports monitor mode is an old one called Microsoft Network Monitor (see this blog for more info: https://techwiser.com/check-if-wireless-adapter-supports-monitor-mode/).
That was a fun old tool! Here is a random capture from my Meraki AP.
Channel 44, center frequency 2437 and an RSSI of 0 dBm……
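Channel 44 is a 5 GHz channel (5220 MHz centre) while 2437 MHz is 2.4 GHz channel 6, so that readout cannot be right. As an added example that is not part of the original post, here is a small Python check that maps 802.11 channel numbers and centre frequencies both ways and flags inconsistent readouts like this one:

```python
"""Sanity-check the channel, centre frequency and RSSI a capture tool reports.

Added example, not part of the original post. IEEE 802.11 20 MHz channels:
2.4 GHz f = 2407 + 5*ch (ch 14 = 2484), 5 GHz f = 5000 + 5*ch, 6 GHz f = 5950 + 5*ch.
"""

def channel_to_mhz(channel: int, band: str) -> int:
    """Centre frequency in MHz for a channel number in the given band ("2.4", "5", "6")."""
    if band == "2.4":
        if channel == 14:
            return 2484
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
    elif band == "5" and 32 <= channel <= 177:
        return 5000 + 5 * channel
    elif band == "6" and 1 <= channel <= 233:
        return 5950 + 5 * channel
    raise ValueError(f"channel {channel} is not valid in the {band} GHz band")

def mhz_to_channel(freq_mhz: int) -> tuple[int, str]:
    """Map a centre frequency back to (channel, band); unlike channel numbers, frequencies are unambiguous."""
    if freq_mhz == 2484:
        return 14, "2.4"
    if 2412 <= freq_mhz <= 2472 and freq_mhz % 5 == 2:
        return (freq_mhz - 2407) // 5, "2.4"
    if 5160 <= freq_mhz <= 5885 and freq_mhz % 5 == 0:
        return (freq_mhz - 5000) // 5, "5"
    if 5955 <= freq_mhz <= 7115 and freq_mhz % 5 == 0:
        return (freq_mhz - 5950) // 5, "6"
    raise ValueError(f"{freq_mhz} MHz is not an 802.11 centre frequency")

def check_readout(channel: int, freq_mhz: int, rssi_dbm: int) -> list[str]:
    """Return the problems found in a tool's channel/frequency/RSSI readout (empty if consistent)."""
    problems = []
    real_channel, band = mhz_to_channel(freq_mhz)
    if real_channel != channel:
        problems.append(f"channel {channel} does not match {freq_mhz} MHz, "
                        f"which is channel {real_channel} in the {band} GHz band")
    # A received level of 0 dBm or more is not realistic over the air; drivers
    # that do not supply RSSI to the tool commonly leave the field at 0.
    if rssi_dbm >= 0:
        problems.append(f"RSSI {rssi_dbm} dBm is not plausible, the driver probably did not report it")
    return problems

if __name__ == "__main__":
    # The readout from the Microsoft Network Monitor screenshot above.
    for line in check_readout(44, 2437, 0):
        print(line)
```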
This topic is more about installing the driver, and if you use Omnipeek (https://www.liveaction.com/products/omnipeek-network-protocol-analyzer/) you need to manually install their drivers to see whether you have a working adapter. Like this.
Download the trial, download the driver, install the drivers and cross your fingers that the drivers support your adapter. My Netgear AC6200 was supported. 🙂
1.1.2 – Select appropriate capture device
This just makes sense, right now my Omnipeek trial is on my desktop PC and that is not an appropriate capture device (well, it is if you like a good chair and a huge 34″ curved screen to lab some wireless).
You can use a laptop with one or several USB adapters, a Jetson Nano (Remote Wireless Capturing with a Jetson Nano – by Gjermund Raaen), an AP with a PoE battery to be able to capture with an 8×8 device, or a Sidekick (with the Ekahau Connect license), or do it the easy way: get a MacBook Air with 802.11ac 2×2 and use AirTool. I have a MacBook Air 2015 model that I use.
1.1.3 Select appropriate capture location
If you do not see the frame you are looking for, try looking closer to the AP or closer to the client. A 2.4 GHz client cannot connect to the wireless network, could it be because someone put the AP in the microwave?
1.1.4 – Capture for an appropriate amount of time based on the problem scenario
What are you trying to figure out? Are you troubleshooting VoIP, did you capture enough frames/packets? Are you troubleshooting roaming, did you capture the roaming event using multiple adapters?
I once troubleshot a P2P connection, and I was done after I captured hundreds of beacons from the antenna at -90 dBm, one meter (that is around 3.3 feet) from the antenna, standing on a rooftop. The solution was to change the antenna and the design.
1.1.5 – Scanning channels vs. capturing on a single channel
Frames move quickly, so it all depends on what you are trying to accomplish. Usually it is a good idea to use something like WinFi, inSSIDer or WiFi Explorer Pro to look at which channels are used by the APs.
Then you can decide to capture from just a few channels, or just from the channel the AP and the client with issues are using, for example. Just remember that you will miss several frames when using one adapter jumping from channel to channel.
Tools like AirTool for Mac or Omnipeek have settings where you can easily change channel or capture on a specific channel. You can also change the dwell time (the duration spent on each channel). The picture shows Omnipeek.
1.1.6 – Capturing in roaming scenarios
When roaming you can easily miss the frame you need as the client moves from AP to AP (channel to channel). In Omnipeek or AirTool, for example, you can change the dwell time and hop between the channels the APs are using, or you can use multiple adapters.
In Omnipeek you can also create an Aggregator/Roaming adapter so you can capture from several devices at the same time. I only have one adapter right now, but with my 64GB of RAM I could probably aggregate 6 adapters with ease. (The only issue is how I would move this desktop PC around.)
Doing this you would not miss any (or as many) frames when troubleshooting roaming.
1.1.7 Capture with portable protocol analyzers (laptops)
Yes, either a PC running Linux, in a VM for example, with an AX200 (How to setup WiFi6 sniffer wireshark in Ubuntu), or if you have a MacBook it just works.
Lastly, one of the best tools (that I have tested) for capturing on PC that I have already mentioned several times is Omnipeek.
Be smart! Do not use the trial on your desktop computer 😉
Here is a random picture of me from when I studied for ENWLSI and ENWLSD. Capturing on a Mac is still the easiest way to capture wireless frames.
1.1.8 Capture with APs, controllers, and other management solutions
I have used my autonomous Cisco AP (before it broke down… again) to capture. I have included some guides for WLC, autonomous APs, 9800, WLANPi, and again the Jetson Nano blog:
Autonomous Cisco AP Sniffer mode guide – Cisco.com
WiFi Captures with Sniffer mode AP (Cisco WLC) – blog by Rasika Nayanajith
CISCO 9800 WLC – AP SNIFFER MODE – blog by Rowell Dionicio
1.1.9 Capture with specialty devices such as handheld analyzers
One of these devices could be the AirCheck G2, or you could add an LCD screen to an RPi and put a battery on it. That could also be called a handheld analyzer.
This is my RPi with Kali and an 800×600 7″ LCD with a 4000 mAh battery on it. Do I really need to blur out the MAC addresses? Not really, it is a bunch of Google mesh APs and my Meraki AP.
That was it for now; next up is 1.2 Analyze 802.11 frame captures to discover problems and find solutions.
Recommended blogs, books and other relevant URLs: