Before we start using specific WiFi tools to investigate wireless networks, let’s look at
using Wireshark. Specifically, we’ll take a look at the radio headers that are sent. You
wouldn’t see any of this when you are capturing traffic normally unless you enable
monitor mode on your wireless interface, which you can do by enabling that setting
in the interface in Wireshark. Once you do that, you’ll see all the radio traffic your
interface sees. Using Wireshark, we can look at the headers indicating where the SSID
has been announced. This is called a beacon frame, and Wireshark will call it that in
the info column. You can see the relevant headers in Figure 7-2. This shows the name
of the SSID as TP-Link_862C_5G. Above that, you will see that the BSSID is different
and is presented as a MAC address, including the translation of the organizationally
unique identifier (OUI) into a vendor ID.

Figure 7-2. Radio headers in Wireshark

The program kismet can be used to not only get the BSSID of a wireless network but
also enumerate networks that are broadcasting. This information also includes SSIDs
that are not named. You will see that a couple of SSIDs aren’t explicitly
named. The first is , indicating that the SSID broadcasting has been
disabled. When a probe is sent looking for wireless networks, the AP won’t respond
with an SSID name. You will, however, get the BSSID. Using the BSSID, we’ll be able
to communicate with the device because we know the identification of the AP. The
second one that isn’t explicitly named is , which is an indication that a probe is
being sent out.
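
The beacon fields described above can be pulled out of a raw frame with a few lines of parsing. This is an added example, not code from the book or from Wireshark or kismet: it reads the BSSID, SSID (None when broadcasting is disabled) and channel from beacon frames, then groups BSSIDs by SSID. The BSSIDs, channels and helper names are constructed for the illustration; only the SSID names come from the text.

```python
import struct
from collections import defaultdict

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (radiotap header and FCS already removed)."""
    # Frame Control byte 0: version (bits 0-1), type (bits 2-3), subtype (bits 4-7)
    if len(frame) < 36 or (frame[0] >> 2) & 0x3 != 0 or frame[0] >> 4 != 8:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")          # address 3 carries the BSSID in a beacon
    info = {"bssid": bssid, "oui": bssid[:8], "ssid": None, "channel": None}
    pos = 36                               # 24-byte MAC header + 12 bytes of fixed fields
    while pos + 2 <= len(frame):           # tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                          # truncated element, stop parsing
        if tag == 0 and value.strip(b"\x00"):
            # An empty or all-NUL SSID element means broadcasting is disabled
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:     # DS Parameter Set: current channel
            info["channel"] = value[0]
        pos += 2 + length
    return info

def build_beacon(bssid: str, ssid: bytes, channel: int) -> bytes:
    """Construct a minimal beacon for the demonstration (not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capabilities
    return header + fixed + bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])

def survey(frames) -> dict:
    """Map each SSID (None when hidden) to the (BSSID, channel) pairs announcing it."""
    seen = defaultdict(set)
    for frame in frames:
        b = parse_beacon(frame)
        seen[b["ssid"]].add((b["bssid"], b["channel"]))
    return {ssid: sorted(pairs) for ssid, pairs in seen.items()}

# Constructed sample data: the SSIDs come from the text, the BSSIDs and channels are made up.
SAMPLE = [
    build_beacon("02:00:00:aa:00:01", b"TP-Link_862C_5G", 36),
    build_beacon("02:00:00:bb:00:01", b"CasaChien", 1),
    build_beacon("02:00:00:bb:00:02", b"CasaChien", 11),
    build_beacon("02:00:00:cc:00:01", b"", 6),
]

if __name__ == "__main__":
    for ssid, aps in survey(SAMPLE).items():
        print(ssid or "(SSID not broadcast)", aps)
```

A frame lifted from a monitor-mode capture still has its radiotap header in front, which has to be stripped before passing the bytes to `parse_beacon`.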

You will also notice an SSID that has two separate BSSIDs associated with it. In this
case, two meshed Google WiFi devices are handling that SSID, and as a result, the
SSID is being announced by both of those devices. kismet also shows you the channel
that is associated with that SSID. Our two APs advertising CasaChien are on two
different channels. Two APs trying to communicate over the same channel, meaning
they are using the same frequency range, will end up clobbering one another. In the
wired world, this would be called a collision. Although there are different addresses,