Sequence numbers jumping - question
Joshua Wright
Joshua.Wright
Mon Oct 28 13:43:33 PST 2002
I am doing some research for wireless intrusion analysis and was hoping someone could fill me in on a question I have regarding hostap drivers and sequence numbers.
Using FakeAP and the 2002-10-12 hostap drivers on my Slackware 8.1 machine (using pcmcia-cs 3.2.1), I generated a series of beacon frames using changing ESSIDs. I captured this traffic on another Slack machine using a Cisco Aironet 350 card in RFMON mode.
When analyzing the traffic pattern, the sequence numbers seem to hop quite a bit between changing the ESSID with fakeap (which works by using iwconfig to do the IOCTL stuff). Basically, fakeap does this (perl):
system( $IWCONFIG, $interface_opt, "ESSID", $essid );
system( $IWCONFIG, $interface_opt, "channel", $channel );
system( $IFCONFIG, $interface_opt, "hw", "ether", $mac );
to change the ESSID, frequency and MAC address. Some of my traces look like this:
IEEE 802.11
Type/Subtype: Beacon frame (8)
Frame Control: 0x0080
<snip>
Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source address: 00:40:ae:76:4d:bc (00:40:ae:76:4d:bc)
BSS Id: 00:40:ae:76:4d:bc (00:40:ae:76:4d:bc)
Fragment number: 0
Sequence number: 2089
IEEE 802.11 wireless LAN management frame
<snip>
Tagged parameters (23 bytes)
Tag Number: 0 (SSID parameter set)
Tag length: 6
Tag interpretation: Lilaea
Tag Number: 1 (Supported Rates)
Tag length: 4
<snip>
IEEE 802.11
Type/Subtype: Beacon frame (8)
Frame Control: 0x0080
<snip>
Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source address: 00:04:76:ed:64:91 (00:04:76:ed:64:91)
BSS Id: 00:04:76:ed:64:91 (00:04:76:ed:64:91)
Fragment number: 0
Sequence number: 2090
IEEE 802.11 wireless LAN management frame
<snip>
Tagged parameters (21 bytes)
Tag Number: 0 (SSID parameter set)
Tag length: 4
Tag interpretation: urim
Tag Number: 1 (Supported Rates)
In this case, the sequence number moves from 2089 to 2090, like I would expect.
However, I have several instances where the sequence number jumps by as much as 22:
IEEE 802.11
Type/Subtype: Beacon frame (8)
Frame Control: 0x0080
<snip>
Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source address: 00:40:33:fa:77:74 (00:40:33:fa:77:74)
BSS Id: 00:40:33:fa:77:74 (00:40:33:fa:77:74)
Fragment number: 0
Sequence number: 1974
IEEE 802.11 wireless LAN management frame
<snip>
Tagged parameters (24 bytes)
Tag Number: 0 (SSID parameter set)
Tag length: 7
Tag interpretation: ladonna
Tag Number: 1 (Supported Rates)
IEEE 802.11
Type/Subtype: Beacon frame (8)
Frame Control: 0x0080
<snip>
Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source address: 00:40:33:fa:77:74 (00:40:33:fa:77:74)
BSS Id: 00:40:33:fa:77:74 (00:40:33:fa:77:74)
Fragment number: 0
Sequence number: 1996
IEEE 802.11 wireless LAN management frame
<snip>
Tagged parameters (24 bytes)
Tag Number: 0 (SSID parameter set)
Tag length: 7
Tag interpretation: ladonna
Tag Number: 1 (Supported Rates)
<snip>
Is there any reason the HostAP drivers would skip some of the sequence number values when changing the frequency or ESSID? It could be my data capture implementation or the Cisco internal channel hopping mechanism that is preventing me from seeing all the frames, but I don't have a way to confirm this.
Can anyone shed some light on how sequence numbers are handled in HostAP? I didn't see an obvious reference to it in the code - if someone can point me to the right general area instead, that would be good too. :)
Many thanks.
-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at jwu.edu
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
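An added example (not from the post or the HostAP project) of the gap check the post does by hand: it decodes the 802.11 Sequence Control field and, per source address, flags any step larger than one, handling the 12-bit wrap at 4096. The sample frames are constructed from the sequence numbers quoted in the traces above, not captured bytes.

```python
"""Per-source sequence-number gap analysis for 802.11 management frames."""

SEQ_MODULO = 4096  # the sequence number field is 12 bits wide, so it wraps at 4096


def parse_seq_ctrl(raw: bytes):
    """Split the 2-byte little-endian Sequence Control field into
    (fragment number, sequence number): low 4 bits, high 12 bits."""
    if len(raw) != 2:
        raise ValueError("Sequence Control field is exactly 2 bytes")
    value = int.from_bytes(raw, "little")
    return value & 0x0F, value >> 4


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur modulo 4096, so 4095 -> 0 counts
    as a step of 1 rather than a jump backwards."""
    return (cur - prev) % SEQ_MODULO


def find_seq_jumps(frames, threshold: int = 1):
    """frames: iterable of (source address, raw Sequence Control bytes) in
    capture order.  Returns (src, prev_seq, cur_seq, gap) for every frame
    whose sequence number advances by more than `threshold` over the previous
    frame seen from the same source address.  A gap of 1 is the expected
    step; a larger gap means frames were missed by the capture (e.g. while
    channel hopping) or skipped by the sender."""
    last_seen = {}
    jumps = []
    for src, seq_ctrl in frames:
        _fragment, seq = parse_seq_ctrl(seq_ctrl)
        if src in last_seen:
            gap = seq_gap(last_seen[src], seq)
            if gap > threshold:
                jumps.append((src, last_seen[src], seq, gap))
        last_seen[src] = seq
    return jumps


# Constructed sample: the source addresses and sequence numbers from the beacon
# traces in the post, re-encoded as Sequence Control bytes (seq << 4 | frag,
# little-endian). These bytes were built here, not taken from a capture.
SAMPLE_FRAMES = [
    ("00:40:ae:76:4d:bc", b"\x90\x82"),  # seq 2089
    ("00:04:76:ed:64:91", b"\xa0\x82"),  # seq 2090
    ("00:40:33:fa:77:74", b"\x60\x7b"),  # seq 1974
    ("00:40:33:fa:77:74", b"\xc0\x7c"),  # seq 1996, 22 above the previous one
]

if __name__ == "__main__":
    for src, prev, cur, gap in find_seq_jumps(SAMPLE_FRAMES):
        print(f"{src}: sequence number jumped {prev} -> {cur} (gap {gap})")
```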