Saturday 21 January 2006
Identifying System Vulnerabilities
Vulnerabilities can be identified by numerous means. Different risk management schemes offer different methodologies for identifying vulnerabilities. In general, start with commonly available vulnerability lists or control areas. Then, working with the system owners or other individuals with knowledge of the system or organization, start to identify the vulnerabilities that apply to the system. Specific vulnerabilities can be found by reviewing vendor web sites and public vulnerability archives, such as Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org) or the National Vulnerability Database (NVD - http://nvd.nist.gov). If they exist, previous risk assessments and audit reports are the best place to start.
Additionally, while the following tools and techniques are typically used to evaluate the effectiveness of controls, they can also be used to identify vulnerabilities:
• Vulnerability Scanners – Software that can examine an operating system, network application or code for known flaws by comparing the system (or system responses to known stimuli) to a database of flaw signatures.
• Penetration Testing – An attempt by human security analysts to exercise threats against the system. This includes operational vulnerabilities, such as social engineering.
• Audit of Operational and Management Controls – A thorough review of operational and management controls by comparing the current documentation to best practices (such as ISO 17799) and by comparing actual practices against current documented processes.
It is invaluable to have a base list of vulnerabilities that are always considered during every risk assessment in the organization. This practice ensures at least a minimum level of consistency between risk assessments. Moreover, vulnerabilities discovered during past assessments of the system should be included in all future assessments. Doing this allows management to understand that past risk management activities have been effective.
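As an added illustration (not code from the original post), the following Python script mirrors the two mechanisms this post describes: a scanner-style comparison of an installed-software inventory against a database of flaw signatures, and the assembly of an assessment checklist that always starts from the organisation's baseline list and carries forward findings from earlier assessments. The archive records, inventory, baseline checks and previous findings are all constructed for the example; the vulnerability ids are placeholders, not real CVE entries, and in practice the archive would be populated from NVD or CVE data.

```python
import re
from dataclasses import dataclass

# Constructed records in the shape of a public vulnerability archive entry (product,
# first fixed version, summary). The ids are placeholders, not real CVE identifiers.
@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    product: str
    fixed_in: str
    summary: str

ARCHIVE = [
    VulnRecord("EXAMPLE-0001", "openssh", "4.3", "placeholder: flaw in openssh before 4.3"),
    VulnRecord("EXAMPLE-0002", "apache-httpd", "2.0.55", "placeholder: flaw in httpd before 2.0.55"),
    VulnRecord("EXAMPLE-0003", "sendmail", "8.13.5", "placeholder: flaw in sendmail before 8.13.5"),
]

# Constructed software inventory, as a scanner or asset register would report it.
INVENTORY = {
    "web01": {"apache-httpd": "2.0.54", "openssh": "4.3p2"},
    "mail01": {"sendmail": "8.13.4", "openssh": "4.1"},
}

# Constructed organisation-wide baseline: checks made in every assessment, whatever the scan says.
BASELINE_CHECKS = [
    "default credentials changed on all network devices",
    "vendor patches applied within the documented window",
    "backups tested by restore within the last quarter",
]

# Constructed findings carried forward from the previous assessment of the same system.
PREVIOUS_FINDINGS = [
    "web01: directory listing enabled on /backup (previous assessment)",
]

def parse_version(text):
    """Turn '2.0.55' or '4.3p2' into a comparable tuple; non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(installed, fixed_in):
    """Signature match: the installed version is affected if it is older than the fix."""
    return parse_version(installed) < parse_version(fixed_in)

def match_inventory(inventory, archive):
    """Compare each installed product against the archive, like a signature-based scanner."""
    findings = []
    for host, products in sorted(inventory.items()):
        for product, version in sorted(products.items()):
            for rec in archive:
                if rec.product == product and is_affected(version, rec.fixed_in):
                    findings.append((host, product, version, rec.vuln_id))
    return findings

def build_checklist(baseline, previous, scan_findings):
    """Merge the baseline, carried-forward findings and fresh scan results into one
    de-duplicated checklist, tagging each item with where it came from."""
    items, seen = [], set()
    sources = (
        ("baseline", baseline),
        ("previous", previous),
        ("scanner", [f"{h}: {p} {v} matches {vid}" for h, p, v, vid in scan_findings]),
    )
    for source, texts in sources:
        for text in texts:
            if text not in seen:
                seen.add(text)
                items.append((source, text))
    return items

if __name__ == "__main__":
    findings = match_inventory(INVENTORY, ARCHIVE)
    for source, text in build_checklist(BASELINE_CHECKS, PREVIOUS_FINDINGS, findings):
        print(f"[{source:8}] {text}")
```

The version comparison is deliberately simple (a lexicographic tuple compare after stripping suffixes such as the `p2` in `4.3p2`); real scanners match on richer affected-version expressions, but the point is the same: the system's state is compared to a database of signatures. The checklist builder shows the consistency the post asks for, since the baseline items appear first in every assessment and previous findings are never silently dropped.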
Friday 6 January 2006
University research aims at more secure wireless network
Researchers at Carleton University, Ottawa, Canada, have reported positive results for a novel means of securing Wi-Fi and other wireless networks from hackers and other unauthorized intrusion.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.
Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.
Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.
The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks' MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.
As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.
The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.
With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
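To make the two ideas above concrete (the probabilistic neural network that compares a captured fingerprint to the authenticated ones, and the cross-check that catches a transceiver claiming a MAC address whose enrolled fingerprint it does not match), here is an added Python example. It is not the Carleton code, and the feature vectors are constructed: the four "transient features" and their values are hypothetical stand-ins for whatever a signal analyser would extract, and `sigma` and `reject_below` are assumed tuning parameters.

```python
import math

# Constructed enrolment data: for each authenticated transceiver (keyed by its MAC address),
# a few transient-feature vectors captured while it joined the network. The four features
# (rise time, amplitude slope, carrier offset, phase deviation) are hypothetical and
# already scaled to [0, 1]; real captures would need a signal analyser and feature extraction.
ENROLLED = {
    "00:11:22:33:44:55": [[0.80, 0.20, 0.10, 0.35], [0.82, 0.22, 0.12, 0.33], [0.79, 0.19, 0.11, 0.36]],
    "66:77:88:99:AA:BB": [[0.30, 0.60, 0.50, 0.10], [0.32, 0.58, 0.52, 0.12], [0.29, 0.61, 0.49, 0.09]],
}

def _sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def pnn_scores(fingerprint, enrolled, sigma=0.05):
    """Pattern and summation layers of a probabilistic neural network: for each enrolled
    transceiver, average a Gaussian kernel over its stored samples (a Parzen density estimate)."""
    scores = {}
    for mac, samples in enrolled.items():
        kernel = [math.exp(-_sq_dist(fingerprint, s) / (2 * sigma ** 2)) for s in samples]
        scores[mac] = sum(kernel) / len(kernel)
    return scores

def classify(fingerprint, enrolled, sigma=0.05, reject_below=0.2):
    """Decision layer: pick the best-scoring transceiver, or None if nothing enrolled is close
    enough (an unknown radio must not be forced onto the nearest class)."""
    scores = pnn_scores(fingerprint, enrolled, sigma)
    best = max(scores, key=scores.get)
    if scores[best] < reject_below:
        return None, scores[best]
    return best, scores[best]

def check_frame(claimed_mac, fingerprint, enrolled, sigma=0.05, reject_below=0.2):
    """Cross-check the MAC address a frame claims against the RF fingerprint verdict,
    which is what lets fingerprinting back up a MAC-address control list."""
    matched, _ = classify(fingerprint, enrolled, sigma, reject_below)
    if matched is None:
        return "UNKNOWN_TRANSCEIVER"
    if matched != claimed_mac:
        return "MAC_SPOOF_SUSPECTED"
    return "AUTHENTIC"

if __name__ == "__main__":
    # Constructed captures: a genuine join by radio A, a frame carrying radio B's signature
    # but claiming radio A's MAC, and a radio that was never enrolled.
    genuine = [0.81, 0.21, 0.11, 0.34]
    spoofed = [0.31, 0.59, 0.51, 0.11]
    stranger = [0.55, 0.40, 0.30, 0.25]
    print(check_frame("00:11:22:33:44:55", genuine, ENROLLED))   # AUTHENTIC
    print(check_frame("00:11:22:33:44:55", spoofed, ENROLLED))   # MAC_SPOOF_SUSPECTED
    print(check_frame("00:11:22:33:44:55", stranger, ENROLLED))  # UNKNOWN_TRANSCEIVER
```

The rejection threshold is the part worth attention: without it, a transceiver that was never enrolled would always be labelled as whichever authenticated radio happens to be nearest, which is exactly the stability problem the article lists as a hurdle. In a deployment, `sigma` and `reject_below` would be chosen on held-out captures so that legitimate drift in a radio's transient does not produce false alarms.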
Hall's research still has several hurdles to clear before it can appear as a commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.
Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.
Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.
The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks.com MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.
As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.
The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.
With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
Hall's research still has several hurdles to clear before it can appear as commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.
University research aims at more secure wireless network
Researchers at Carleton University, Ottawa, Canada, have reported positive results for a novel means of securing Wi-Fi and other wireless networks from hackers and other unauthorized intrusion.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.
Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.
Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.
The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks.com MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.
As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.
The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.
With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
Hall's research still has several hurdles to clear before it can appear as commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.
Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.
Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.
The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks.com MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.
As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.
The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.
With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
Hall's research still has several hurdles to clear before it can appear as commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.
University research aims at more secure wireless network
Researchers at Carleton University, Ottawa, Canada, have reported positive results for a novel means of securing Wi-Fi and other wireless networks from hackers and other unauthorized intrusion.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.
Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.
Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.
The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks.com MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.
As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.
The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.
With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
Hall's research still has several hurdles to clear before it can appear as commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.
Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.
Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.
The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks.com MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.
As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.
The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.
With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
Hall's research still has several hurdles to clear before it can appear as a commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.
The Script Kiddie
What is a Script Kiddie?
A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.
Script kiddie also refers to a person who relies on premade exploit programs and files ("scripts") to conduct his hacking, and refuses to bother to learn how they work. The script kiddie flies in the face of all that the hacker subculture stands for - the pursuit of knowledge, respect for skills, and motivation to self-teach are just three of the hacker ideals that the script kiddie ignores. While anyone can be a script kiddie, generally they are teenagers who want the power of the hacker without the discipline or training involved. Obviously anyone who follows this route aspires to be a blackhat, but most refuse to even dignify them with this term; "blackhat" generally implies having skills of your own.
It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs or exploits on their own, and that their objective is to try to impress their friends or gain credit in computer-enthusiast communities.
From around 1995 on, the widespread use of the Internet in the business and home computer field, and the full disclosure movement’s policy of disclosing working exploitation tools has led to an enormous growth of the script kiddie scene.
Script kiddies often act out of boredom, curiosity or a desire to ‘play war’ on the Internet. There are many organized script kiddie groups, who often meet in anonymous chat channels such as IRC.
Script kiddies are always looking for new exploits which are unknown to the public, and hence particularly effective. Such exploits are leaked from research labs or given to script kiddies by insiders; they are then used to compromise a large number of hosts on the Internet. Script kiddies are often young, and can evolve into honest programmers later in life.
In 1999, NetBus (a software program for remotely controlling a Microsoft Windows computer system over a network as a backdoor) was used by a script kiddie to plant child pornography on the work computer of Magnus Eriksson, a law scholar at Lund University, Sweden. About 3,500 images were discovered by system administrators, and Eriksson was assumed to have downloaded them knowingly. Eriksson lost his research position at the faculty, and following the publication of his name fled the country and had to seek professional medical care to cope with the stress. He was acquitted of criminal charges in late 2004, as a court found that NetBus had been used to control his computer.
Wednesday 4 January 2006
Understanding 802.11 Frame Types
When analyzing or troubleshooting the operation of a wireless LAN, you'll likely be using an 802.11 packet analyzer (e.g., AiroPeek or Sniffer Wireless) to monitor the communications between radio network interface cards (NICs) and access points. After capturing the packets, you need to understand the different 802.11 frame types as a basis for deciphering what the network is or isn't doing. In this tutorial, I'll give you an overview of the more common 802.11 frames to help you become more adept at comprehending the operation of a wireless LAN and solving network problems.
802.11 data frames carry protocols and data from higher layers within the frame body. A data frame, for example, could be carrying the HTML code from a Web page (complete with TCP/IP headers) that the user is viewing. Other frames that stations use for management and control carry specific information regarding the wireless link in the frame body. For example, a beacon's frame body contains the service set identifier (SSID), timestamp, and other pertinent information regarding the access point.
Note: For more details regarding 802.11 frame structure and usage, refer to the 802.11 standard, which is free for download from the 802.11 Working Group Web site.
General frame concepts
The 802.11 standard defines various frame types that stations (NICs and access points) use for communications, as well as managing and controlling the wireless link. Every frame has a control field that depicts the 802.11 protocol version, frame type, and various indicators, such as whether WEP is on, power management is active, and so on. In addition, all frames contain MAC addresses of the source and destination station (and access point), a frame sequence number, frame body and frame check sequence (for error detection).
Management Frames
802.11 management frames enable stations to establish and maintain communications. The following are common 802.11 management frame subtypes:
- Authentication frame: 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a radio NIC. The NIC begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame as a response indicating acceptance (or rejection). With the optional shared key authentication, the radio NIC sends an initial authentication frame, and the access point responds with an authentication frame containing challenge text. The radio NIC must send an encrypted version of the challenge text (using its WEP key) in an authentication frame back to the access point. The access point ensures that the radio NIC has the correct WEP key (which is the basis for authentication) by seeing whether the challenge text recovered after decryption is the same as the text that was sent previously. Based on the results of this comparison, the access point replies to the radio NIC with an authentication frame signifying the result of authentication.
- Deauthentication frame: A station sends a deauthentication frame to another station if it wishes to terminate secure communications.
- Association request frame: 802.11 association enables the access point to allocate resources for and synchronize with a radio NIC. A NIC begins the association process by sending an association request to an access point. This frame carries information about the NIC (e.g., supported data rates) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating with the NIC, and (if accepted) reserves memory space and establishes an association ID for the NIC.
- Association response frame: An access point sends an association response frame containing an acceptance or rejection notice to the radio NIC requesting association. If the access point accepts the radio NIC, the frame includes information regarding the association, such as association ID and supported data rates. If the outcome of the association is positive, the radio NIC can utilize the access point to communicate with other NICs on the network and systems on the distribution (i.e., Ethernet) side of the access point.
- Reassociation request frame: If a radio NIC roams away from the currently associated access point and finds another access point having a stronger beacon signal, the radio NIC will send a reassociation frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be in the buffer of the previous access point waiting for transmission to the radio NIC.
- Reassociation response frame: An access point sends a reassociation response frame containing an acceptance or rejection notice to the radio NIC requesting reassociation. Similar to the association process, the frame includes information regarding the association, such as association ID and supported data rates.
- Disassociation frame: A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a radio NIC that is shut down gracefully can send a disassociation frame to alert the access point that the NIC is powering off. The access point can then relinquish memory allocations and remove the radio NIC from the association table.
- Beacon frame: The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point to radio NICs that are within range. Radio NICs continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with.
- Probe request frame: A station sends a probe request frame when it needs to obtain information from another station. For example, a radio NIC would send a probe request to determine which access points are within range.
- Probe response frame: A station will respond with a probe response frame, containing capability information, supported data rates, etc., after it receives a probe request frame.
Control Frames
802.11 control frames assist in the delivery of data frames between stations. The following are common 802.11 control frame subtypes:
- Request to Send (RTS) frame: The RTS/CTS function is optional and reduces frame collisions present when hidden stations have associations with the same access point. A station sends an RTS frame to another station as the first phase of a two-way handshake necessary before sending a data frame.
- Clear to Send (CTS) frame: A station responds to an RTS with a CTS frame, providing clearance for the requesting station to send a data frame. The CTS includes a time value that causes all other stations (including hidden stations) to hold off transmission of frames for a time period necessary for the requesting station to send its frame. This minimizes collisions among hidden stations, which can result in higher throughput if you implement it properly.
- Acknowledgement (ACK) frame: After receiving a data frame, the receiving station will utilize an error-checking process to detect the presence of errors. The receiving station will send an ACK frame to the sending station if no errors are found. If the sending station doesn't receive an ACK after a period of time, the sending station will retransmit the frame.
Data Frames
Of course, the main purpose of having a wireless LAN is to transport data. 802.11 defines a data frame type that carries packets from higher layers, such as web pages, printer control data, etc., within the body of the frame. When viewing 802.11 data frames with a packet analyzer, you can generally observe the contents of the frame body to see what packets the 802.11 data frames are transporting.
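As an added example (not part of the tutorial), the following Python decodes the header fields described above from raw 802.11 frames: the little-endian Frame Control field (protocol version, type, subtype and the WEP/power-management flags), the variable-length address block, the sequence number and the CRC-32 frame check sequence, and then applies a defender's check that counts deauthentication frames per transmitter. The frames in SAMPLE_CAPTURE and all MAC addresses are constructed in memory, not taken from a real capture.

```python
"""Decode 802.11 MAC headers and classify frames by type/subtype.
Added example; all sample frames and addresses below are constructed."""
import struct
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
# (type, subtype) -> name, for the subtypes the tutorial covers
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 2): "reassociation request", (0, 3): "reassociation response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication",
    (0, 12): "deauthentication", (1, 11): "RTS", (1, 12): "CTS",
    (1, 13): "ACK", (2, 0): "data",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Frame:
    ftype: str
    subtype: str
    protected: bool        # Frame Control "Protected Frame" bit ("WEP is on")
    power_mgmt: bool       # Frame Control "Power Management" bit
    retry: bool
    addr1: str             # receiver / destination address
    addr2: Optional[str]   # transmitter address (absent in CTS and ACK)
    addr3: Optional[str]   # BSSID or DA/SA (management and data frames only)
    seq_num: Optional[int]
    body: bytes
    fcs_ok: bool


def header_length(ftype: int, subtype: int, flags: int) -> int:
    """CTS/ACK carry only RA, RTS adds TA; management/data frames have three
    addresses plus Sequence Control; data adds Addr4 when To-DS and From-DS
    are both set and a 2-byte QoS Control field for QoS subtypes."""
    if ftype == 1:
        return 16 if subtype == 11 else 10
    length = 24
    if ftype == 2:
        if flags & 0x3 == 0x3:
            length += 6
        if subtype & 0x8:
            length += 2
    return length


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("shorter than the smallest frame plus FCS")
    fc = struct.unpack_from("<H", raw, 0)[0]      # Frame Control, little-endian
    if fc & 0x3 != 0:
        raise ValueError("unknown 802.11 protocol version")
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    hdr_len = header_length(ftype, subtype, flags)
    payload, fcs = raw[:-4], raw[-4:]
    # FCS is CRC-32 (same polynomial as Ethernet) over header + body
    fcs_ok = zlib.crc32(payload).to_bytes(4, "little") == fcs
    if len(payload) < hdr_len:
        raise ValueError("truncated header")
    addr1 = mac_str(payload[4:10])
    addr2 = mac_str(payload[10:16]) if hdr_len >= 16 else None
    addr3 = mac_str(payload[16:22]) if hdr_len >= 24 else None
    # Sequence Control: low 4 bits fragment number, high 12 bits sequence number
    seq = struct.unpack_from("<H", payload, 22)[0] >> 4 if hdr_len >= 24 else None
    return Frame(ftype=TYPE_NAMES.get(ftype, "reserved"),
                 subtype=SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
                 protected=bool(flags & 0x40), power_mgmt=bool(flags & 0x10),
                 retry=bool(flags & 0x08), addr1=addr1, addr2=addr2, addr3=addr3,
                 seq_num=seq, body=payload[hdr_len:], fcs_ok=fcs_ok)


def build_frame(ftype, subtype, addrs, seq=0, body=b"", flags=0) -> bytes:
    """Construct a sample frame with a valid FCS (test data only)."""
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    hdr = struct.pack("<HH", fc, 0)
    hdr += b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    if ftype != 1:                                # control frames have no Sequence Control
        hdr += struct.pack("<H", seq << 4)
    payload = hdr + body
    return payload + zlib.crc32(payload).to_bytes(4, "little")


def deauth_senders_over(frames, threshold: int) -> dict:
    """Defender's check: transmitters whose deauthentication count in a capture
    exceeds the threshold. Legitimate deauthentication is rare, so a burst
    from one address is worth a closer look."""
    counts = Counter(f.addr2 for f in frames
                     if f.subtype == "deauthentication" and f.fcs_ok)
    return {mac: n for mac, n in counts.items() if n > threshold}


AP, STA, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
# Constructed capture: beacon (timestamp, interval, capability, SSID element),
# open-system authentication, CTS, a protected data frame, then six
# deauthentication frames (reason code 7) sent to STA.
SAMPLE_CAPTURE = [
    build_frame(0, 8, [BCAST, AP, AP], seq=1,
                body=struct.pack("<QHH", 0, 100, 0x0011) + b"\x00\x07TestNet"),
    build_frame(0, 11, [AP, STA, AP], seq=5, body=struct.pack("<HHH", 0, 1, 0)),
    build_frame(1, 12, [STA]),
    build_frame(2, 0, [AP, STA, AP], seq=6, body=b"\xaa" * 16, flags=0x40 | 0x01),
] + [build_frame(0, 12, [STA, AP, AP], seq=100 + i, body=struct.pack("<H", 7))
     for i in range(6)]

if __name__ == "__main__":
    frames = [parse_frame(f) for f in SAMPLE_CAPTURE]
    for f in frames:
        print(f"{f.ftype:10} {f.subtype:22} from={f.addr2} seq={f.seq_num} "
              f"protected={f.protected} fcs_ok={f.fcs_ok}")
    print("excess deauthentication senders:", deauth_senders_over(frames, 3))
```

Feeding the parser real frames requires a capture made in monitor mode with the FCS included; when the driver strips the FCS, drop the four-byte check and treat `fcs_ok` as unknown.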
- Beacon frame: The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point to radio NICs that are within range. Radio NICs continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with.
- Probe request frame: A station sends a probe request frame when it needs to obtain information from another station. For example, a radio NIC would send a probe request to determine which access points are within range.
- Probe response frame: A station will respond with a probe response frame, containing capability information, supported data rates, etc., when after it receives a probe request frame.
Control Frames
802.11 control frames assist in the delivery of data frames between stations. The following are common 802.11 control frame subtypes:- Request to Send (RTS) frame: The RTS/CTS function is optional and reduces frame collisions present when hidden stations have associations with the same access point. A station sends a RTS frame to another station as the first phase of a two-way handshake necessary before sending a data frame.
- Clear to Send (CTS) frame: A station responds to a RTS with a CTS frame, providing clearance for the requesting station to send a data frame. The CTS includes a time value that causes all other stations (including hidden stations) to hold off transmission of frames for a time period necessary for the requesting station to send its frame. This minimizes collisions among hidden stations, which can result in higher throughput if you implement it properly.
- Acknowledgement (ACK) frame: After receiving a data frame, the receiving station will utilize an error checking processes to detect the presence of errors. The receiving station will send an ACK frame to the sending station if no errors are found. If the sending station doesn't receive an ACK after a period of time, the sending station will retransmit the frame.
Data Frames
Of course the main purpose of having a wireless LAN is to transport data. 802.11 defines a data frame type that carries packets from higher layers, such as web pages, printer control data, etc., within the body of the frame. When viewing 802.11 data frames with a packet analyzer, you can generally observe the contents of the frame body to see what packets that the 802.11 data frames are transporting.Understanding 802.11 Frame Types
When analyzing or troubleshooting the operation of a wireless LAN, you'll likely be using an 802.11 packet analyzer (e.g., AiroPeek or Sniffer Wireless) to monitor the communications between radio network interface cards (NICs) and access points. After capturing the packets, you need to understand the different 802.11 frame types as a basis for deciphering what the network is or isn't doing. In this tutorial, I'll give you an overview of the more common 802.11 frames to help you become more adept at comprehending the operation of a wireless LAN and solving network problems.
General Frame Concepts
The 802.11 standard defines various frame types that stations (NICs and access points) use for communications, as well as for managing and controlling the wireless link. Every frame begins with a frame control field that indicates the 802.11 protocol version, the frame type and subtype, and various flags, such as whether the frame body is WEP-encrypted, whether the sending station is in power-save mode, and so on. Management and data frames also carry the MAC addresses of the source and destination stations and the BSSID (the access point), a sequence control field (sequence and fragment numbers), a frame body, and a frame check sequence (FCS) for error detection; control frames such as RTS, CTS and ACK carry a shorter header with only the addresses they need and no frame body. The FCS is a CRC-32 that detects transmission errors only: it offers no protection against a frame that an attacker forges or modifies, and in the original 802.11 standard management and control frames carry no cryptographic protection at all.
802.11 data frames carry protocols and data from higher layers within the frame body. A data frame, for example, could be carrying the HTML code from a Web page (complete with TCP/IP headers) that the user is viewing. Other frames that stations use for management and control carry specific information regarding the wireless link in the frame body. For example, a beacon's frame body contains the service set identifier (SSID), timestamp, and other pertinent information regarding the access point.
Note: For more details regarding 802.11 frame structure and usage, refer to the 802.11 standard, which is free for download from the 802.11 Working Group Web site.
Management Frames
802.11 management frames enable stations to establish and maintain communications. The following are common 802.11 management frame subtypes:
- Authentication frame: 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a radio NIC. The NIC begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame indicating acceptance (or rejection); no credential is checked at all. With the optional shared key authentication, four frames are exchanged: the radio NIC sends an initial authentication frame, the access point responds with an authentication frame containing challenge text, the radio NIC sends the challenge text encrypted with its WEP key back in a third authentication frame, and the access point checks whether the challenge text recovered after decryption matches what it sent. Based on the result of this comparison, the access point replies with a fourth authentication frame signifying the result. Note that the challenge text travels in the clear and its encrypted form follows in the next frame, so anyone monitoring the channel obtains a plaintext/ciphertext pair for that WEP key and IV; shared key authentication is therefore widely regarded as weaker, not stronger, than open system authentication.
- Deauthentication frame: A station sends a deauthentication frame to another station to terminate the authentication relationship; because association depends on a prior authentication, this also ends any association. In the original 802.11 standard this frame, like all management frames, carries no cryptographic protection, so the receiver has no way to verify that the source address is genuine.
- Association request frame: 802.11 association enables the access point to allocate resources for and synchronize with a radio NIC. A NIC begins the association process by sending an association request to an access point. This frame carries information about the NIC (e.g., supported data rates) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating with the NIC, and (if accepted) reserves memory space and establishes an association ID for the NIC.
- Association response frame: An access point sends an association response frame containing an acceptance or rejection notice to the radio NIC requesting association. If the access point accepts the radio NIC, the frame includes information regarding the association, such as association ID and supported data rates. If the outcome of the association is positive, the radio NIC can utilize the access point to communicate with other NICs on the network and systems on the distribution (i.e., Ethernet) side of the access point.
- Reassociation request frame: If a radio NIC roams away from the currently associated access point and finds another access point in the same extended service set with a stronger beacon signal, the radio NIC sends a reassociation request frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be buffered at the previous access point awaiting transmission to the radio NIC.
- Reassociation response frame: An access point sends a reassociation response frame containing an acceptance or rejection notice to the radio NIC requesting reassociation. Similar to the association process, the frame includes information regarding the association, such as association ID and supported data rates.
- Disassociation frame: A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a radio NIC that is shut down gracefully can send a disassociation frame to alert the access point that the NIC is powering off. The access point can then relinquish memory allocations and remove the radio NIC from the association table.
- Beacon frame: The access point periodically sends a beacon frame to announce its presence and relay information, such as the timestamp, SSID, supported data rates, and other parameters regarding the access point, to radio NICs within range. Radio NICs scan the 802.11 radio channels and listen for beacons as the basis for choosing which access point is best to associate with.
- Probe request frame: A station sends a probe request frame when it needs to obtain information from another station. For example, a radio NIC would send a probe request to determine which access points are within range.
- Probe response frame: A station responds with a probe response frame, containing capability information, supported data rates, etc., after it receives a probe request frame.
Control Frames
802.11 control frames assist in the delivery of data frames between stations. The following are common 802.11 control frame subtypes:
- Request to Send (RTS) frame: The RTS/CTS function is optional and reduces collisions when hidden stations (stations associated with the same access point that cannot hear each other) are present. A station sends an RTS frame to another station as the first phase of a two-way handshake before sending a data frame.
- Clear to Send (CTS) frame: A station responds to an RTS with a CTS frame, providing clearance for the requesting station to send a data frame. The CTS carries a duration value that causes all other stations (including hidden stations) to hold off transmission for the time the requesting station needs to send its frame and receive the acknowledgement. This minimizes collisions among hidden stations, which can result in higher throughput if implemented properly.
- Acknowledgement (ACK) frame: After receiving a data frame, the receiving station checks the frame check sequence to detect transmission errors and sends an ACK frame to the sending station if the frame is intact. If the sending station doesn't receive an ACK within a short period, it retransmits the frame with the Retry flag set in the frame control field. Only unicast frames are acknowledged; broadcast and multicast frames are not.
Data Frames
Of course the main purpose of having a wireless LAN is to transport data. 802.11 defines a data frame type that carries packets from higher layers, such as web pages, printer control data, etc., within the body of the frame. When viewing 802.11 data frames with a packet analyzer, you can generally observe the contents of the frame body to see what packets the 802.11 data frames are transporting, unless the WEP (protected) flag is set in the frame control field, in which case the body is ciphertext and the analyzer can show only the header fields until it is given the key.
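The general frame concepts paragraph, the management frame list, the control frame list and the data frame paragraph above describe the same byte layouts from different angles, so here is one worked example that decodes all of them. It is an added example written for this page, not code from the original tutorial or from any analyzer product: a pure-Python parser that reads the frame control field (version, type, subtype, ToDS/FromDS/Retry/Protected flags), the address fields that differ between management, data and control frames, the sequence control field, and the frame bodies of beacon, authentication, deauthentication, RTS and CTS frames, and that verifies the FCS using CRC-32 (the same CRC the 802.11 FCS uses). It goes slightly beyond the text by handling the four-address header used for AP-to-AP (WDS) traffic. The MAC addresses, SSID "lab-ap", durations, sequence numbers and reason code in the sample frames are constructed for the example and carry no meaning beyond it.

```python
"""Minimal 802.11 MAC frame parser in pure Python; sample frames are constructed, not captured."""
import struct
import zlib

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body):
    """Walk the (ID, length, value) information elements of a management frame body."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def parse_frame(raw):
    """Decode one 802.11 frame (header, body and trailing FCS) into a dict."""
    if len(raw) < 14:            # frame control + duration + one address + FCS
        raise ValueError("frame too short")
    # The FCS is the same CRC-32 as Ethernet: it catches line errors, not forgery.
    fcs_ok = struct.unpack("<I", raw[-4:])[0] == zlib.crc32(raw[:-4]) & 0xFFFFFFFF
    fc, duration = struct.unpack("<HH", raw[:4])
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    f = {"type": TYPE_NAMES[ftype], "subtype": subtype, "duration": duration,
         "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02), "retry": bool(flags & 0x08),
         "protected": bool(flags & 0x40), "fcs_ok": fcs_ok}
    if ftype == 1:               # control: receiver address, plus transmitter address for RTS
        f["name"] = CTRL_SUBTYPES.get(subtype, f"control subtype {subtype}")
        f["ra"] = mac(raw[4:10])
        if subtype == 11 and len(raw) >= 20:
            f["ta"] = mac(raw[10:16])
        return f
    if ftype == 3 or len(raw) < 28:
        raise ValueError("reserved type or truncated management/data frame")
    a1, a2, a3, seq = struct.unpack("<6s6s6sH", raw[4:24])
    f.update(addr1=mac(a1), addr2=mac(a2), addr3=mac(a3), seq_num=seq >> 4, frag_num=seq & 0xF)
    hdr_len = 30 if (f["to_ds"] and f["from_ds"]) else 24   # Addr4 only on AP-to-AP (WDS) frames
    body = raw[hdr_len:-4]
    if ftype == 2:
        f["name"] = "data"
        f["body_len"] = len(body)   # ciphertext when "protected" is set; an analyzer needs the key
        return f
    f["name"] = MGMT_SUBTYPES.get(subtype, f"management subtype {subtype}")
    if subtype in (5, 8) and len(body) >= 12:      # probe response / beacon
        ts, interval, cap = struct.unpack("<QHH", body[:12])
        f.update(timestamp=ts, beacon_interval=interval, privacy=bool(cap & 0x10),
                 ssid=parse_ies(body[12:]).get(0, b"").decode("ascii", "replace"))
    elif subtype in (10, 12) and len(body) >= 2:   # disassociation / deauthentication
        f["reason_code"] = struct.unpack("<H", body[:2])[0]
    elif subtype == 11 and len(body) >= 6:         # authentication
        alg, txn, status = struct.unpack("<HHH", body[:6])
        f.update(auth_alg="shared key" if alg == 1 else "open system", auth_seq=txn, status=status)
    return f

def build(header, body=b""):
    """Append the CRC-32 FCS so constructed frames parse exactly like captured ones."""
    frame = header + body
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)

# Constructed addresses for the example: an access point, a client NIC, and broadcast.
AP, STA, BCAST = bytes.fromhex("00aabbccdd01"), bytes.fromhex("001122334455"), b"\xff" * 6
MGMT_HDR = "<HH6s6s6sH"   # frame control, duration, addr1, addr2, addr3, sequence control

def sample_frames():
    """Constructed frames covering the management, control and data types discussed above."""
    return {
        # beacon: broadcast DA, SA = BSSID = AP; body = timestamp, interval, capability, SSID IE
        "beacon": build(struct.pack(MGMT_HDR, 0x0080, 0, BCAST, AP, AP, 1234 << 4),
                        struct.pack("<QHH", 0x1122334455, 100, 0x0011) + b"\x00\x06lab-ap"),
        # open system authentication response (algorithm 0, transaction 2, status 0 = success)
        "auth": build(struct.pack(MGMT_HDR, 0x00B0, 0, STA, AP, AP, 2 << 4), b"\x00\x00\x02\x00\x00\x00"),
        # deauthentication to the client with reason code 7; nothing authenticates the sender
        "deauth": build(struct.pack(MGMT_HDR, 0x00C0, 0, STA, AP, AP, 5 << 4), b"\x07\x00"),
        # RTS from the client to the AP: receiver and transmitter addresses only, no body
        "rts": build(struct.pack("<HH6s6s", 0x00B4, 160, AP, STA)),
        # CTS back to the client: receiver address only; duration reserves the medium
        "cts": build(struct.pack("<HH6s", 0x00C4, 120, STA)),
        # data frame with ToDS and Protected (WEP) flags set; the 16-byte body is ciphertext
        "data": build(struct.pack(MGMT_HDR, 0x4108, 44, AP, STA, bytes.fromhex("00aabbccdd02"), 7 << 4),
                      bytes(range(16))),
    }

if __name__ == "__main__":
    for label, raw in sample_frames().items():
        print(f"{label:>6}: {parse_frame(raw)}")
```

Running the script prints one decoded dictionary per constructed frame. To point the parser at real traffic you would read frames from a monitor-mode capture and strip any radiotap or Prism header the driver prepends before calling parse_frame; flipping a single body byte of a frame makes fcs_ok come back False, which illustrates that the FCS checks integrity against noise, not against a deliberate sender.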