Back to Home Back to Archive

What do "your" WiFi clients support?

February 23, 2016


The need to know "what my clients support" is common. For example, before enabling a certain frequency or feature on your WLAN, like channel 144 or 802.11w. Other times, you'd like to know what the percentage of 1/2/3 Spatial-Stream or MU-MIMO capable devices looks like.

Sometimes you can get some of this from your infrastructure (see References section below), and sometimes not. In situations where you can not, you can look at Probes and/or Association Request frames; and with a little help from tcpdump or wireshark you can begin to answer these questions.

You can see Examples here for specific fields to check in Association Request frames. Right-clicking and selecting "Prepare as filter-->Selected" should get you the corresponding tshark/wireshark filter, for reference later. This is what's used to populate the following spreadsheet: clients.mikealbano.com.

In my example, I've given direction using OSX as the capture device, however it would be easier to gather a larger sample set if using distributed Linux boxes (TCPDUMP) or remote-pcap capable Access Points. Note, since capture-filters are in place to only grab "Probe or Association" frames, it's possible to let these captures run for weeks or months, without fear of filling up disk.
See this post for more examples of common packet-capture setups & examples.

Here is an example of checking Probe Requests for a devices ability to support the "BSS Transition" portion of 802.11v. This is just one example, you could extend this to Association Requests to validate any of the previously mentioned features or examples.

For reference, here's how you obtain the "Display Filter" from Wireshark.

Support for 802.11v advertised this in the Probe requests

The corresponding display filter, in this example would be: "wlan_mgt.extcap.b19 == 1". Easy enough for analyzing a small capture. Here's how you can check at a larger scale, using OSX or Linux.

Capture Probe Requests

1. Set your channel to "1". This isn't totally necessary, but I prefer any 2.4GHz channel as that will get you the best chance of demodulating the most Probe frames (1Mb DSSS).
    • sudo airport -z
    • sudo airport --channel=1
1.5. Corresponding Linux commands:
    • ifdown wlan0
    • iw dev wlan0 set channel 1
    • iw dev wlan0 set type monitor
    • ifconfig wlan0 up
2. Capture Probe Request frames (either platform):
    • tcpdump -s0 -I -i en0 -e type mgt subtype probe-req -w file.pcap
    • Or if you prefer tshark: tshark -I -i en0 -f "wlan[0]==0x40" -w file.pcap

Analysis

CLI Method (faster)

Useful if you don't have a GUI on the analyzing device, or analyzing an extremely large capture file 
  1. Combine pcaps, if necessary, using 'mergecap'.
  2. Get the total amount of unique devices:
    • tshark -r file.pcap -o nameres.mac_name:FALSE -Y "wlan.fcs_good==1" | awk '{print $3}' | sort -u | wc -l
  3. Get the total amount of unique devices that advertise 802.11v support:
    • tshark -r file.pcap -o nameres.mac_name:FALSE -Y "wlan.fcs_good==1 and wlan_mgt.extcap.b19 == 1" | awk '{print $3}' | sort -u | wc -l
  4. Divide Step 3 by Step 2 for your percentage.
GUI Method (slower -- might be necessary, if you've done remote-sniffer AP method of capturing frames)
  1. Load your pcap full of Probes (based on prev. commands) into Wireshark and apply the following display filters
    • wlan.fcs_good==1 and wlan_mgt.extcap.b19 == 1
  2. Select "Statistics--->Endpoints"
  3. Select IEEE 802.11 (make sure name resolution NOT checked)
  4. Select Copy--->CSV. Write the clipboard to a CSV file in the terminal:
    • cat > total.csv (ctrl-d when done)
  5. Select "Limit to display filter". 
  6. Select Copy--->CSV. Write the clipboard to a different CSV file in the terminal:
    • cat > 11v_support.csv (ctrl-d when done)
  7. You now have two CSV's to look at for an idea of how many devices advertise 802.11v "BSS Transition" support. For example, divide the two numbers for your percentage:
    • wc -l total.csv;wc -l 11v_support.csv
References, Notes & More Examples

More examples, assuming you capture Association Requests from remote Aruba APs:
Total assoc or re-assoc frames: tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2" | wc -l
Total unique assoc frames/clients: tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2" | awk '{print $3}' | sort -u | wc -l
Total # of Unique clients that advertise UNII-2 channel support: tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2 and wlan_mgt.supchan.first==52" | awk '{print $3}' | sort -u | wc -l
Total # of Unique clients that advertise UNII-2 and UNII-2e channel support: tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2 && wlan_mgt.supchan.first==52 && wlan_mgt.supchan.first==100" | awk '{print $3}' | sort -u | wc -l
Total # of Unique clients that advertise NO UNII-2 and UNII-2e channel support: tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2 && !(wlan_mgt.supchan.first==52 && wlan_mgt.supchan.first==100)" | awk '{print $3}' | sort -u | wc -l
Total # of Unique clients that support 144: sudo tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2 and wlan_mgt.supchan.first==144 or (wlan_mgt.supchan.first == 100 and wlan_mgt.supchan.range == 12)" | awk '{print $3}' | sort -u | wc -l

Total # of Unique clients that DON'T support 144: sudo tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2 and !(wlan_mgt.supchan.first==144 or (wlan_mgt.supchan.first == 100 and wlan_mgt.supchan.range == 12))" | awk '{print $3}' | sort -u | wc -l

 Total # of Unique clients that DON'T advertise their 'channel support' at all: sudo tshark -r <pcap_file>.pcap -d udp.port==5555,aruba_erm -Y "wlan.fc.type_subtype==0 or wlan.fc.type_subtype==2 and !(wlan_mgt.tag.number == 36)" | awk '{print $3}' | sort -u | wc -l

The following is a way to more specifically replicate the Wireshark/GUI method, however the 'statistics' (-z) option for tshark does not appear to accept display filters, so you can't pass 'wlan_mgt.extcap.b19==1' as a filter for example.

tshark -r /tmp/all.pcap -o nameres.mac_name:FALSE -q -z endpoints,wlan

You can't utilize this method for 802.11r or 802.11k unless they are also enabled on the WLAN. This is due to the BSS not advertising support for these features, unless enabled. For example, with 802.11r, The AKM tag of the RSN IE (48), does not display "FT using...":


Section for BSS Transition (part of 802.11v): 10.23.6 of 802.11-2012
Section for all 80211v/WNM: 4.3.13 of 802.11-2012

iOS support for 802.11k/r/v

From an Aruba controller, you can see some client capabilities with:
(wlc) show ap association

 Again, "R" and "K" support won't be accurate unless it's enabled on the BSS.