EAP EAPOL WiFi-traffic

  • Question

  • Hi,

    I have a general question regarding Network Discovery / Link-Layer Topology Mapper that I am a bit puzzled about.

    I am using Windows 7 (standard configuration, standard software, Intel 4965AGN-WLAN-chipset) in a secured WPA2-PSK WLAN-network. WPA2-PSK passphrase is 10 characters and includes numbers + special characters. The key has been kept secret.

    However, within the "Network Infrastructure"-section of the Network-shell-folder, there is an Access Point (D-Link DIR-615) that isn't mine. I have never seen it, never bought it.

    In the Properties-page of the device, the IP-address was shown as "Unavailable". Only manufacturer, model, model number, serial number, MAC address and unique identifier were specified.

    Network Monitor reveals some traffic, classified as EAP and EAPOL, holding the information given in the property page. No other traffic, except WiFi Management Beacon, shows up.

    The question: Is the network compromised?

    Wednesday, January 5, 2011 10:22 AM

Answers

  • Update: I read on another forum that perhaps the Dlink device has roamed onto my router.

    The suggestion to resolve this was to change something to do with SSID, etc. including a stronger password update.

    I remembered that I had just logged in to the router using the generic password it came with.

    So what I did was go into my router and update my password to a strongly encrypted one. After I logged back in to the router using the new password the Dlink device had disappeared.

    Summary: if router managers always change the router password from the supplied generic one to a strongly encrypted password immediately on connecting the router for the first time, these ghostly roaming issues will disappear.

    • Proposed as answer by Sidney S Wednesday, July 6, 2011 11:52 AM
    • Marked as answer by Paul E Long Wednesday, July 6, 2011 7:13 PM
    Wednesday, July 6, 2011 11:51 AM

All replies

  • I doubt your network is compromised.  The DIR-615 is a wireless network router and I'm guessing it somehow got stuck in your topology map.  I think that a network forum for Windows 7 might be able to troubleshoot how to get rid of the listing.

    When you trace the traffic with Network Monitor, are you saying that you don't see anything representing the DIR-615 router?

    Thanks,

    Paul

    Thursday, January 6, 2011 5:46 PM

  • Thank you for your help,
    I am still somewhat confused how to interpret the WiFi conversation.
    Especially the ManagementAuthentication and Association, sent from the D-Link device.
    The complete conversation involves (source: MAC-address of D-Link, destination == MAC-address of my computer)
    *) WiFi ManagementProbe Response,
    *) WiFi ManagementAuthentication (Status: Successful),
    *) WiFi ManagementAssociation response (Status: Successful),
    *) EAP: Request, Type==Identity
    *) WiFi ManagementBeacon
    *) EAP: Request, Type==Reserved

    Note the WiFi ManagementAssociation and Authentication with Status == Successful (both sent from D-Link).
    My computer appears to never respond to these frames.
    My computer only responds with the following frames (source: MAC-address of my computer, destination D-Link):
    *) EAPOL
    *) EAP: Response, WFA-SimpleConfig-Registrar-1-0
    *) EAP: Response, Reserved for the Expanded Type (frame containing Windows version and computer name in ASCII)

    The ManagementAuthentication (Status: Successful), sent from D-Link, is received as:
    =================================================================================
      Frame: Number = 1605, Captured Frame Length = 62, MediaType = WiFi
    - WiFi: [ ManagementAuthentication] ....... RSSI = -89 dBm, Rate = 1.0 Mbps
      - MetaData: RSSI = -89 dBm, Rate = 1.0 Mbps
         Version: 2 (0x2)
         Length: 32 (0x20)
       - OpMode: Extensible Station Mode
          StationMode:           (...............................0) Not Station Mode
          APMode:                (..............................0.) Not AP Mode
          ExtensibleStationMode: (.............................1..) Extensible Station Mode
          Unused:                (.0000000000000000000000000000...)
          MonitorMode:           (0...............................) Not Monitor Mode
         Flags: 0 (0x0)
         PhyType: Undefined Value (0)
         Channel: Undefined PhyType 0, Center Frequency: 2412 MHz
         lRSSI: -89 dBm
         Rate: 1.0 Mbps
         TimeStamp: 12/30/2010, 21:28:11.348531 UTC
      - FrameControl: Version 0,Management, Authentication, .......(0xB0)
         Version:        (..............00) 0
         Type:           (............00..) Management
         SubType:        (........1011....) Authentication
         DS:             (......00........) Ad hoc network
         MoreFrag:       (.....0..........) No
         Retry:          (....0...........) No
         PowerMgt:       (...0............) Active Mode
         MoreData:       (..0.............) No
         ProtectedFrame: (.0..............) No
         Order:          (0...............) Unordered
        Duration: 304 (0x130)
        DA: 00215C 2F15C1
        SA: 002401 213166
        BSSID: 002401 213166
      + SequenceControl: Sequence Number = 994
      - Authentication:
         AuthAlgo: Open System (0)
         AuthSequence: 2 (0x2)
         Status: Successful

    The ManagementAssociation response (sent from D-Link, without any request sent from my MAC-address)
    =================================================================================
      Frame: Number = 1606, Captured Frame Length = 87, MediaType = WiFi
    - WiFi: [ ManagementAssociation response] ....... RSSI = -88 dBm, Rate = 1.0 Mbps
      - MetaData: RSSI = -88 dBm, Rate = 1.0 Mbps
         Version: 2 (0x2)
         Length: 32 (0x20)
       - OpMode: Extensible Station Mode
          StationMode:           (...............................0) Not Station Mode
          APMode:                (..............................0.) Not AP Mode
          ExtensibleStationMode: (.............................1..) Extensible Station Mode
          Unused:                (.0000000000000000000000000000...)
          MonitorMode:           (0...............................) Not Monitor Mode
         Flags: 0 (0x0)
         PhyType: Undefined Value (0)
         Channel: Undefined PhyType 0, Center Frequency: 2412 MHz
         lRSSI: -88 dBm
         Rate: 1.0 Mbps
         TimeStamp: 12/30/2010, 21:28:11.355752 UTC
      - FrameControl: Version 0,Management, Association response, .......(0x10)
         Version:        (..............00) 0
         Type:           (............00..) Management
         SubType:        (........0001....) Association response
         DS:             (......00........) Ad hoc network
         MoreFrag:       (.....0..........) No
         Retry:          (....0...........) No
         PowerMgt:       (...0............) Active Mode
         MoreData:       (..0.............) No
         ProtectedFrame: (.0..............) No
         Order:          (0...............) Unordered
        Duration: 304 (0x130)
        DA: 00215C 2F15C1
        SA: 002401 213166
        BSSID: 002401 213166
      + SequenceControl: Sequence Number = 995
      - AssociationResponse:
       + Capability: 0x310C
         Status: Successful
       + AssociationID: 3
       - InformationElements:
        + rates: 1.0, 2.0, 5.5, 11.0, 9.0, 18.0, 36.0, 54.0
        + ExtendedRates: 6.0, 12.0, 24.0, 48.0
        - VendorSpecificInfo: OUI=Ralink Technology, Corp., FieldType=Unknown
           ElementID: Vendor Specific Information
           Length: 7 (0x7)
           OUI: 00-0C-43(Ralink Technology, Corp.)
           Data: Binary Large Object (4 Bytes)
    WiFi Management Probe Response (sent from MAC-address of D-Link, directed to the MAC-address of my computer)
    ============================================
      Frame: Number = 172, Captured Frame Length = 413, MediaType = WiFi
    - WiFi: [ ManagementProbe response] ...R... RSSI = -89 dBm, Rate = 1.0 Mbps, SSID = Estmer, Channel = 1
      - MetaData: RSSI = -89 dBm, Rate = 1.0 Mbps
         Version: 2 (0x2)
         Length: 32 (0x20)
       - OpMode: Extensible Station Mode
          StationMode:           (...............................0) Not Station Mode
          APMode:                (..............................0.) Not AP Mode
          ExtensibleStationMode: (.............................1..) Extensible Station Mode
          Unused:                (.0000000000000000000000000000...)
          MonitorMode:           (0...............................) Not Monitor Mode
         Flags: 0 (0x0)
         PhyType: Undefined Value (0)
         Channel: Undefined PhyType 0, Center Frequency: 2412 MHz
         lRSSI: -89 dBm
         Rate: 1.0 Mbps
         TimeStamp: 12/30/2010, 21:17:30.366408 UTC
      + FrameControl: Version 0,Management, Probe response, ...R...(0x850)
        Duration: 304 (0x130)
        DA: 00215C 2F15C1
        SA: 002401 213166
        BSSID: 002401 213166
      + SequenceControl: Sequence Number = 580
      - ProbeResponse: Probe Response with SSID [Estmer]
         TimeStamp: 1684768858 microsecond(s)
         BeaconInterval: 100 ms
       - Capability: 0x310C
          ESS:                (...............1) Extended service set used
          IBSS:               (..............0.) Independent basic service set Not used
          CF:                 (............00..) No PC at non-QoS AP
          Privacy:            (...........1....) Required
          ShortPreamble:      (..........1.....) Allowed
          PBCCModulation:     (.........0......) Not Allowed
          ChannelAgility:     (........0.......) No
          SpectrumManagement: (.......0........) Not Required
          QoS:                (......0.........) Not Implemented
          ShortSlotTime:      (.....1..........) Enabled
          APSD:               (....1...........) Implemented
          RadioMeasurement:   (...0............) Disabled
          DSSSOFDM:           (..0.............) Not Allowed
          DelayedBlockAck:    (.0..............) Not Implemented
          ImmediateBlockAck:  (0...............) Not Implemented
       - InformationElements:
        + ssid: Estmer
        + rates: 1.0, 2.0, 5.5, 11.0, 9.0, 18.0, 36.0, 54.0
        + Channel: 1
        + ERP: No Non-802.11g STA present
        + ExtendedRates: 6.0, 12.0, 24.0, 48.0
        + HTCapabilities:
        + HTOperation:
        + SecondaryChannelOffset: 0x0
        - VendorSpecificInfo: OUI=MICROSOFT CORP., FieldType=WPA
           ElementID: Vendor Specific Information
           Length: 26 (0x1A)
           OUI: 00-50-F2(MICROSOFT CORP.)
         - WPA: 0x1
            OUIType: 1 (0x1)
            Version: 1 (0x1)
          + GroupCipher: TKIP
          + PareClipher:
          + AKM:
        + VendorSpecificInfo: OUI=MICROSOFT CORP., FieldType=WMM
        + ExtendedCapabilities:
        + VendorSpecificInfo: OUI=Ralink Technology, Corp., FieldType=Unknown
        + Country: GB
        + VendorSpecificInfo: OUI=EPIGRAM, INC., FieldType=Unknown
        + VendorSpecificInfo: OUI=EPIGRAM, INC., FieldType=Unknown
        + VendorSpecificInfo: OUI=MICROSOFT CORP., FieldType=WPS
    >>  + VendorSpecificInfo: OUI=MICROSOFT CORP., FieldType=Unknown

    In the trailing >>VendorSpecificInfo: OUI=MICROSOFT CORP., FieldType=Unknown, the following words were shown:
    D-Link.#..DIR-615.$..DIR-615.B..00000000.....DIR-615.....Ž
    (the data shown in the property page within Explorer)

    The same properties were also shown within
    EAP: Request, Type == RESERVED  (sent from the MAC-address of DIR-615, directed to the MAC-address of my computer)
    ==========================================
      Frame: Number = 1638, Captured Frame Length = 621, MediaType = WiFi
    - WiFi: [Unencrypted Data] F......, (I) RSSI = -93 dBm, Rate = 1.0 Mbps
      - MetaData: RSSI = -93 dBm, Rate = 1.0 Mbps
         Version: 2 (0x2)
         Length: 32 (0x20)
       - OpMode: Extensible Station Mode
          StationMode:           (...............................0) Not Station Mode
          APMode:                (..............................0.) Not AP Mode
          ExtensibleStationMode: (.............................1..) Extensible Station Mode
          Unused:                (.0000000000000000000000000000...)
          MonitorMode:           (0...............................) Not Monitor Mode
         Flags: 0 (0x0)
         PhyType: Undefined Value (0)
         Channel: Undefined PhyType 0, Center Frequency: 2412 MHz
         lRSSI: -93 dBm
         Rate: 1.0 Mbps
         TimeStamp: 12/30/2010, 21:28:13.438586 UTC
      + FrameControl: Version 0,Data, Data, F......(0x208)
        Duration: 202 (0xCA)
        DA: 00215C 2F15C1
        BSSID: 002401 213166
        SA: 002401 213166
      + SequenceControl: Sequence Number = 1
    + LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
    + Snap: EtherType = EAPOL/802.1x, OrgCode = XEROX CORPORATION
    - Eapol: EAP-Packet , Length = 553
        Version: 2 (0x2)
        Type: EAP-Packet, 0(0x00)
        BodyLength: 553 bytes
    - Eap: Request, Type = RESERVED for the Expanded Type
        Code: Request, 1(0x1)
        Identifier: 1 (0x1)
        Length: 553 bytes
        Type: RESERVED for the Expanded Type, 254(0xfe)
        VendorId: 14122 (0x372A)
        VendorType: Identity
        VendorData: Binary Large Object (541 Bytes)
    (VendorData containing the same data as for the Management Probe, D-Link DIR-615 + 000000000)

    My computer answers the request with
    EAP: Response, Type == Reserved, containing Windows version + computer name
    ======================================
      Frame: Number = 1640, Captured Frame Length = 485, MediaType = WiFi
    - WiFi: [Unencrypted Data] .T....., (I)
      - MetaData:
         Version: 2 (0x2)
         Length: 32 (0x20)
       - OpMode: Extensible Station Mode
          StationMode:           (...............................0) Not Station Mode
          APMode:                (..............................0.) Not AP Mode
          ExtensibleStationMode: (.............................1..) Extensible Station Mode
          Unused:                (.0000000000000000000000000000...)
          MonitorMode:           (0...............................) Not Monitor Mode
         Flags: 4294967295 (0xFFFFFFFF)
         RemData: Outbound
         TimeStamp: 12/30/2010, 21:28:13.475484 UTC
      + FrameControl: Version 0,Data, Data, .T.....(0x108)
        Duration: 32768 (0x8000)
        BSSID: 002401 213166
        SA: 00215C 2F15C1
        DA: 002401 213166
      + SequenceControl: Sequence Number = 0
    + LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
    + Snap: EtherType = EAPOL/802.1x, OrgCode = XEROX CORPORATION
    - Eapol: EAP-Packet , Length = 417
        Version: 1 (0x1)
        Type: EAP-Packet, 0(0x00)
        BodyLength: 417 bytes
    - Eap: Response, Type = RESERVED for the Expanded Type
        Code: Response, 2(0x2)
        Identifier: 1 (0x1)
        Length: 417 bytes
        Type: RESERVED for the Expanded Type, 254(0xfe)
        VendorId: 14122 (0x372A)
        VendorType: Identity
        VendorData: Binary Large Object (405 Bytes)

    VendorData, containing Microsoft, Windows, 6.1.7601 + name of computer
    Sent from my computer, to the MAC-address of DIR-615.
    Thanks for any help,
    Andreas Nilsson
    Friday, January 7, 2011 6:09 PM
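As an added illustration (not code from this thread), here is a small Python decoder for the EAPOL/EAP Expanded Type packets listed above: it recovers the 3-byte vendor id and 4-byte vendor type that follow EAP type 254, which is why the 541-byte and 405-byte VendorData blobs give total EAP lengths of 553 and 417, and it flags such packets when they arrive from a BSSID that is not on an allow-list. It assumes that VendorId 14122 (0x372A) is the Wi-Fi Alliance enterprise number used for Wi-Fi Simple Config and that the "Identity" label NetMon prints for VendorType corresponds to the vendor type value 1; the frames, vendor data and MAC allow-list in the example are constructed.

```python
import struct

# Values taken from the capture in the post above.
EAP_TYPE_EXPANDED = 254   # "RESERVED for the Expanded Type"
WFA_VENDOR_ID = 14122     # 0x372A, assumed to be the Wi-Fi Alliance enterprise number
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol_eap(frame: bytes) -> dict:
    """Decode the EAPOL header and, for EAP-Packet bodies, the EAP header.
    Expanded-type packets (type 254) also yield vendor id, vendor type and data."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    eapol_version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    info = {"eapol_version": eapol_version, "eapol_type": eapol_type,
            "body_len": body_len}
    if eapol_type != 0:            # 0 = EAP-Packet; EAPOL-Key/-Start are not decoded here
        return info
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    info.update(code=EAP_CODES.get(code, code), identifier=ident, eap_len=length)
    if code in (1, 2) and len(body) >= 5:
        eap_type = body[4]
        info["eap_type"] = eap_type
        # Expanded type: a 3-byte vendor id and 4-byte vendor type precede the data
        if eap_type == EAP_TYPE_EXPANDED and len(body) >= 12:
            info["vendor_id"] = int.from_bytes(body[5:8], "big")
            info["vendor_type"] = int.from_bytes(body[8:12], "big")
            info["vendor_data"] = body[12:length]
    return info


def is_wfa_expanded_eap(info: dict) -> bool:
    """True for an Expanded-Type EAP packet carrying the Wi-Fi Alliance vendor id."""
    return info.get("eap_type") == EAP_TYPE_EXPANDED and info.get("vendor_id") == WFA_VENDOR_ID


def build_expanded_eap(code: int, ident: int, vendor_id: int, vendor_type: int,
                       vendor_data: bytes, eapol_version: int = 2) -> bytes:
    """Build an EAPOL frame carrying an Expanded-Type EAP packet (constructed input)."""
    eap_len = 12 + len(vendor_data)   # 4 header + 1 type + 3 vendor id + 4 vendor type
    eap = (struct.pack("!BBHB", code, ident, eap_len, EAP_TYPE_EXPANDED)
           + vendor_id.to_bytes(3, "big") + vendor_type.to_bytes(4, "big") + vendor_data)
    return struct.pack("!BBH", eapol_version, 0, eap_len) + eap


def unexpected_wfa_sources(frames, trusted_bssids):
    """Source MACs of WFA Expanded-Type EAP packets seen from a BSSID outside the
    allow-list, i.e. the pattern of the stray DIR-615 exchange in the post."""
    hits = []
    for src, bssid, payload in frames:
        if bssid not in trusted_bssids and is_wfa_expanded_eap(parse_eapol_eap(payload)):
            hits.append(src)
    return hits
```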
  • So I'll first say I'm not an expert on wireless traffic.  But it does appear that your wireless NIC is associating itself with the DIR-615. As far as I know, you can only associate to one access point.

    When you look to see the network SSID of who you are associated with, is it in fact your own and not the DIR-615?

    Is there any other traffic after this that reassociates you to another access point?

    Thanks,

    Paul

    Wednesday, January 12, 2011 5:07 PM
  • The wireless NIC is configured to only join my WPA2-network.
    The network name Estmer (?) doesn't tell me much (and is not in my list of previously associated networks).
    The strange part is that, during the packet sampling, only the following frames are sent from my NIC to the D-Link:
    My computer only responds with the following frames (source: MAC-address of my computer, destination D-Link):
    *) EAPOL
    *) EAP: Response, WFA-SimpleConfig-Registrar-1-0
    *) EAP: Response, Reserved for the Expanded Type (frame containing Windows version and computer name in ASCII)
    ... and that the D-Link appears to send a lot more to me, including the WiFi ManagementAssociation and Authentication with Status == Successful.
    Is the relation between EAP-EAPOL and the "Network Infrastructure"-section of the Network-shell-folder documented somewhere, just to check if this might be a feature (for instance to discover factory-default, non-configured access points)?
    Thanks,
    Andreas
    Tuesday, January 18, 2011 9:27 PM
  • I can't say I understand what is going on.  I ran this by a WiFi specialist here and he seems to agree that you are getting associated with this D-Link, but I'm not sure we understand why.

    I think your best bet is to ask this question in a networking forum.  You could include the traffic above for reference. 

    Paul

    Thursday, January 27, 2011 4:37 PM
  • I have exactly the same situation on my HP desktop. I see that no resolution was reached here. Is there a continuation of this thread on another forum that I have missed?
    Wednesday, July 6, 2011 11:37 AM