Table of Contents
Tutorial: ARP Request Injection Packet Capture Explained
Version: 1.03 February 16, 2009
File linked to this tutorial: arpinjection.cap
This is quick and dirty explanation of a sample capture file. It is a capture of an ARP request injection. To keep things simple, I have only included three rounds.
To view the capture, use Wireshark to open it then “View” then “Expand All”. This shows all the sections and fields expanded. You will need to scroll through the fields for each packet to locate the ones mentioned. See this FAQ entry to learn how to use Wireshark.
The capture was done using an Atheros chipset and airodump-ng as the capture program.
Being able to read a capture file is an important skill to learn and build on. It allows you to troubleshoot a connection if you are having problems. By understanding this capture, you can then compare it to a live capture and hopefully find out what is going wrong.
Analysis of the capture
This is the access point (AP) Beacon.
Packets 2, 5, 8
These are the ARPs being injected by “aireplay-ng -2 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -r replay_arp-0328-152933.cap ath0”.
They are sequence numbers 2622, 2623 and 2624. Because there is no other traffic being sent by the card, they are consecutive numbers.
IEEE 802.11 → Frame Control → Flags → DS Status Flag: The direction flag is “TO DS”. Meaning from the wireless client to the AP.
Notice the the initialization vector number (IEEE 802.11 → WEP Parameters) is the same on each. This is because we are injecting the same packet over and over.
NOTE: In current versions of aireplay-ng, the initialization vector number changes on each injected packet since a push-down stack of the most recently received packets is used. The following sample file shows examples of unique injected IVs: arpinjection.new.cap
Packets 3, 6, 9
These are acknowledgments from the AP to the wireless client acknowledging packets 2,5,8 respectively.
Packets 4, 7, 10
These are the ARP requests being rebroadcast by the AP. Notice that each one has a new unique initialization vector (IEEE 802.11 → WEP Parameters). This is the whole point of the exercise.
They are sequence numbers 2726, 2727 and 2728. Notice that this series is different then the client. Each device uses its own series of sequence numbers.
IEEE 802.11 → Frame Control → Flags → DS Status Flag: The direction flag is “FROM DS”. Meaning from the AP to the wireless clients.
So you should now be able to do the same tests with your cards and see what is different.