Whenever we go out with friends or family, whether to a restaurant or anywhere else, checking for the available free WiFi access points is one of the first things we do nowadays. Even though we have access to mobile internet (4G or 3G) we still look out for them. Access to the internet is becoming more and more common (sometimes rudimentary), and it is now impossible to imagine turning on WiFi on our smartphones and not seeing at least a few access point names in the list. In an office environment we may see access points with the same name repeated many times, which lets our smartphones stay connected as we move from one place to another. How is the smartphone, or whatever electronic device does the scanning, able to see these access points?

Beacons

Beacon frames are sent by the access point all the time. There is a minimum time interval between two beacon frames, which is 102 milliseconds. A beacon contains all the information about the network, which in WiFi terminology is called its BSS. These beacons are important in an infrastructure BSS: they let the end user know that the access point is available and what services it can provide. There is a whole lot of information hidden in this frame, which is a sub-type of management frame. Please note that most recent APs provide an option to turn off beacon frames for security reasons.

At the top level there are three types of frames in 802.11: management frames, control frames and data frames. As the name suggests, the management frames are the ones used to manage the network. The device (aka station) which does a scan to get the list of available nearby access points is actually sending a probe request frame.

The S1 interface can be pretty noisy, which makes it hard to find the info you're looking for. So how do we find all the packets relating to a single subscriber / IMSI amidst a sea of S1 packets?

The S1 interface only contains the IMSI in certain NAS messages, so the first step in tracing a subscriber is to find the initial attach request from that subscriber containing the IMSI. Luckily we can filter in Wireshark to find the IMSI we're after:

e212.imsi == "001010000000001"

The Wireshark e212 filter matches ITU-T E.212 payloads (ITU-T E.212 is the spec for PLMN identifiers).

Quick note: not all InitialUEMessages will contain the IMSI. If the subscriber has already established comms with the MME it'll instead be using a temporary identifier, the M-TMSI, and unless you've got a way to see the M-TMSI -> IMSI mapping on the MME you'll be out of luck.

Next up, let's take a look at the contents of one of these packets. Inside the protocolIEs is the MME_UE_S1AP_ID. This unique identifier, assigned by the MME, identifies which signalling messages are for which subscriber, so it will identify all S1 signalling for a single user. (It's worth noting the MME_UE_S1AP_ID is only unique to the MME: if you've got multiple MMEs, the same MME_UE_S1AP_ID could be assigned by each.)

So now we have the MME_UE_S1AP_ID, we can filter all S1 messaging containing that MME_UE_S1AP_ID. We'll use this Wireshark filter to get it:

s1ap.MME_UE_S1AP_ID == 2

Boom, there's all the signalling for that subscriber.
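The two-pass trace above (find the IMSI, pick up the MME_UE_S1AP_ID, then filter on it) driven from tshark instead of the Wireshark GUI, as an added example that is not the post's own code. It assumes tshark is on PATH and that the capture is plain IP/SCTP; the sample tshark output and the field list are constructed, and the optional MME address pinning in session_filter is how this example handles the "only unique per MME" caveat.

```python
import subprocess

# Pass-one fields. The IP pair is kept because an MME_UE_S1AP_ID is only
# unique per MME, so two MMEs in one capture can hand out the same number.
PASS1_FIELDS = ["frame.number", "ip.src", "ip.dst", "s1ap.MME_UE_S1AP_ID"]

# Constructed stand-in for tshark '-T fields' output (tab separated, one packet
# per line). Frame 5 carries the IMSI before the MME has assigned an ID.
SAMPLE_PASS1 = ("5\t10.0.1.2\t10.0.0.1\t\n"
                "7\t10.0.0.1\t10.0.1.2\t2\n"
                "9\t10.0.1.2\t10.0.0.1\t2\n")

def imsi_filter(imsi):
    """Pass-one display filter: packets whose E.212 payload carries this IMSI."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:  # simple sanity check
        raise ValueError("IMSI must be 6-15 digits")
    return 'e212.imsi == "%s"' % imsi

def parse_ids(tshark_output):
    """Map (ip_a, ip_b, mme_ue_s1ap_id) -> frame numbers; rows without an ID are skipped."""
    found = {}
    for line in tshark_output.splitlines():
        cols = line.split("\t")
        if len(cols) < 4 or not cols[3]:
            continue  # IMSI seen, but no MME-assigned ID in this packet
        key = (min(cols[1], cols[2]), max(cols[1], cols[2]), int(cols[3]))  # direction-agnostic
        found.setdefault(key, []).append(int(cols[0]))
    return found

def session_filter(ue_id, mme_ip=""):
    """Pass-two filter: all S1AP for one MME_UE_S1AP_ID, optionally pinned to one MME."""
    flt = "s1ap.MME_UE_S1AP_ID == %d" % ue_id
    return flt + (" && ip.addr == %s" % mme_ip if mme_ip else "")

def run_tshark(pcap, display_filter, fields):
    # tshark must be on PATH; returns its tab-separated '-T fields' text output
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields"]
    for field in fields:
        cmd += ["-e", field]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    import sys  # usage: python trace.py capture.pcap 001010000000001 (no args: sample)
    out = (run_tshark(sys.argv[1], imsi_filter(sys.argv[2]), PASS1_FIELDS)
           if len(sys.argv) == 3 else SAMPLE_PASS1)
    ids = parse_ids(out)
    if not ids:
        print("no MME_UE_S1AP_ID found; the UE is probably identified by an M-TMSI")
    for (a, b, ue_id), frames in ids.items():
        print(a, "<->", b, "id", ue_id, "frames", frames, "->", session_filter(ue_id))
```

Feed each printed pass-two filter back into tshark or Wireshark to pull the whole session for that subscriber; if the same ID shows up against two different IP pairs, pin the filter with mme_ip.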