Wireless and the OSI Model

seag33k
It's been a while since I last looked at the details of the OSI model. I am trying to troubleshoot an issue with operating my wireless card in monitor mode, so I thought I'd make sure I had a decent understanding of how wireless technology functions using the OSI model.

In a wired network I view the model as:

Layer 1 - the physical CAT5 wire
Layer 2 - frames are transported via a switch/hub using MAC addresses
Layer 3 - packets transport data via IP addresses

In a wireless network I view the model as:

Layer 1 - the wireless card and AP
Layer 2 - frames are transported via the 802.11 network. Generally your computer and AP are configured with a certain SSID, channel, and possibly encryption so they can connect to the AP, which is similar to the switch in a wired network.
Layer 3 - packets are transported via IP addresses

In general I view wireless networks as similar to a hub with one large collision domain. Channels/frequencies can limit the scope of these collision domains, but if your AP is close to and on the same channel as other APs, your frames will "mingle" within the collision domain.

Sorry for the long-winded discussion, but I am trying to better understand wireless so I can hopefully solve my original issue with using my card in monitor mode.
 
An excellent reference is Matt Gast's 802.11 Wireless Networks. 802.11 uses CSMA/CA to coordinate traffic among APs and STAs (clients).

Putting two APs on the same channel close to each other isn't recommended because they will share the same bandwidth because they can detect each other's presence.
 
I just found that book and it looks like a good read. Are my assumptions correct that a wireless network is similar to a hub design in that it is one collision domain? If I have my wireless card in monitor mode and listening to a certain channel, it should see all frames within range? If there is no encryption enabled, I can use Wireshark to analyze the data.

In my test lab, all I see are beacons and no real data such as HTTP traffic from test clients.

Thanks for the feedback!
 
If your wireless card can properly go into promiscuous mode, yes, it should see everything in range. But some cards have trouble with this.

If you are using Kismet, I think the docs list suggested cards.
 
Yes, my card supports this mode (Alfa AWUS036NH). I am using airmon-ng to put the card into monitor mode. I am also using Wireshark and/or airodump-ng to capture the traffic from the monitor interface.

Since my card is in monitor mode, I should only be seeing frames and not packets, correct?
 
All 802-family protocols stop at the MAC (Media Access Control) layer in the OSI stack.

There are plenty of drivers out there that do allow reporting of lower-layer parameters, more in the FOSS community (Linux/BSD) than what you might find on the Win/Mac side...
 
An excellent reference is Matt Gast's 802.11 Wireless Networks. 802.11 uses CSMA/CA to coordinate traffic among APs and STAs (clients).

Putting two APs on the same channel close to each other isn't recommended because they will share the same bandwidth because they can detect each other's presence.

One thing to note - CSMA/CA only works in the same channel - if you have an AP in an adjacent channel, it's a noise source, and collision avoidance doesn't work :(
 
I'm sure you and many people are familiar with this, so I hope I don't offend anyone.

sfx2000 is completely right, wireless kinda stops at Layer 2 from an OSI point of view. But the air around you is the medium so this is layer 1, not the wireless card. The wireless card is layer 2 as this handles the data link.

Where I think you're getting confused is with what OSI represents, which is a network model, whereas 802.11 is an architecture. Wireless as devices fits into the OSI model at layer 2, very much like switches (still layer 2) and routers into layer 3. Take the OSI model and network devices should fit into it.

Now it gets confusing because the OSI model exists as a model for everything network related, including protocols. So although a wireless NIC is layer 2 and uses the 802.11 architecture, the 802.11 architecture itself fits into the model at both layer 2 and layer 1. So what might help is comparing apples to apples, therefore architectures such as wireless 802.11 with Ethernet 802.3. As you understand 802.3's physical architecture better, you should see how 802.11 works from a layer point of view, and it will build on how you view such things as authentication, modes, beacon frames, etc.

If you want further understanding of how you use the OSI model, compare it against the TCP/IP model, or session or transport protocols such as SIP or NFS. Then take such protocols and see where they fit in with TCP/IP.

So you understand how to capture traffic, and if I've explained myself well enough (I hope I have), then it's a short leap to understand that the tools you're mentioning need to operate with layer 2 802.11 frames in order to view and perform actions on wireless networks. So you can capture frames, but ultimately within the frames are packets, and those frames need to be deciphered/decrypted before you can view the packets, therefore during the process you're technically doing both.
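As an added example (not code from the thread or from any tool mentioned in it), the decoder below shows the frame-versus-packet point in practice: it parses the 802.11 MAC header of a monitor-mode capture, pulls the SSID out of a beacon, and only digs an IP packet out of a data frame when the Protected Frame bit is clear. The three sample frames are constructed by hand for the example, not real captures.

```python
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}

def parse_80211(frame: bytes) -> dict:
    """Decode one 802.11 MAC frame (24-byte header, no radiotap header in front)."""
    fc = struct.unpack_from("<H", frame, 0)[0]          # Frame Control, little-endian
    info = {"type": TYPE_NAMES.get((fc >> 2) & 0x3, "reserved"),
            "subtype": (fc >> 4) & 0xF,
            "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
            "protected": bool(fc & 0x4000),              # payload is encrypted
            "addr1": frame[4:10].hex(":"), "addr2": frame[10:16].hex(":"),
            "addr3": frame[16:22].hex(":")}
    body = frame[24:]
    if info["type"] == "management" and info["subtype"] == 8:   # beacon
        ies, pos = body[12:], 0   # skip timestamp(8), interval(2), capability(2)
        while pos + 2 <= len(ies):
            tag, length = ies[pos], ies[pos + 1]
            if tag == 0:          # SSID element
                info["ssid"] = ies[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
    elif info["type"] == "data":
        if info["protected"]:
            info["payload"] = "encrypted: the packet inside is not visible without the key"
        elif body[:6] == b"\xaa\xaa\x03\x00\x00\x00":     # LLC/SNAP, then EtherType
            info["ethertype"] = struct.unpack_from("!H", body, 6)[0]
            if info["ethertype"] == 0x0800:                # IPv4 packet carried in the frame
                src, dst = body[20:24], body[24:28]        # IP header src/dst at offsets 12/16
                info["ip"] = ".".join(map(str, src)) + " -> " + ".".join(map(str, dst))
    return info

def summarize(frames) -> dict:
    """Tally a capture by frame kind, e.g. to see whether only beacons were caught."""
    counts = {}
    for info in map(parse_80211, frames):
        key = "beacon" if info["type"] == "management" and info["subtype"] == 8 else info["type"]
        if info["type"] == "data" and info["protected"]:
            key = "data (encrypted)"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample frames (not real captures): a beacon, an open data frame, a WPA data frame
def _frame(fc, a1, a2, a3, body):
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00" + body   # duration, addrs, seq ctrl
BSSID, STA = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455")
BEACON = _frame(b"\x80\x00", b"\xff" * 6, BSSID, BSSID, bytes(8) + b"\x64\x00\x01\x00\x00\x07testlab")
IPV4 = bytes.fromhex("4500001400000000400600000a0000170a000001")  # 10.0.0.23 -> 10.0.0.1
OPEN_DATA = _frame(b"\x08\x01", BSSID, STA, BSSID, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + IPV4)
WPA_DATA = _frame(b"\x08\x41", BSSID, STA, BSSID, bytes(8) + bytes.fromhex("deadbeefcafef00d"))
```

Running summarize([BEACON, BEACON, OPEN_DATA, WPA_DATA]) tallies two beacons, one readable data frame and one encrypted one, which is the kind of breakdown that tells you whether a capture showing "only beacons" is a channel or driver problem rather than a decryption problem.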
 
I just found that book and it looks like a good read. Are my assumptions correct that a wireless network is similar to a hub design in that it is one collision domain?

Yes. WiFi is essentially the same as the original Ethernet on coaxial cable: half duplex, not switched. A nit: this old Ethernet used carrier sense and collision detection (CSMA/CD). WiFi uses CSMA/CA, where CA means collision avoidance, via random delay if the channel is occupied.

A key difference between 802.11 WiFi and 802.3 switched Ethernet (Cat 5/6 today) is that 802.11 is half duplex (send then receive) whereas switched is usually operated full duplex, and with TCP, this makes packet buffer windows work well. And of course, switched Ethernet needs no CSMA, so all PCs can "talk simultaneously", assuming the switch uplink port is much faster than any of the ports serving PCs.
 
I just found that book and it looks like a good read. Are my assumptions correct that a wireless network is similar to a hub design in that it is one collision domain? If I have my wireless card in monitor mode and listening to a certain channel, it should see all frames within range? If there is no encryption enabled, I can use Wireshark to analyze the data.

In my test lab, all I see are beacons and no real data such as HTTP traffic from test clients.

Thanks for the feedback!

All STAs that are part of the ESSID - it's basically a hub, not a switch... so a STA in RFMON mode can capture traffic on the same network.

Gets odd though, in that 802.11, if you scan other channels, including your own, you can at least grab beacon traffic, and on open 802.11 networks, you can grab traffic on your channel and others...
 