
How to detect reasons for Wifi log on and off

My devices keep logging on and off my Wifi. I want to find the reason why this is happening. I have already tried all kinds of ways to find out such as manually selecting a low-used channel etc. All my devices have the latest Wifi drivers. So how can I use Wireshark to find the reason why my devices keep losing the Wifi connection and then connect again?

to_sam@web.de
asked 2020-05-26 21:12:31 +0000


1 Answer


You use Wireshark by observing the connection sequence, probably:

 open authentication --> association --> 4-way EAPOL handshake for auth+keying

and then the tear down sequence, probably a single management frame, either

disassociate or deauth

This could be more about cutting the problem in half instead of the brass ring - know exact root cause. Anyway, sometimes we get lucky. Either side can choose to leave the association, so you would see who is issuing the leave, and there is a field that might contain a reason code. Hopefully it doesn't say 'unspecified'... this is the jumping off point. Whichever entity is leaving, you need to look there - why are they sending that frame? A real reason code is a great starting clue. Often, you will need logs as Wireshark only shows what happened, but does not always show why it happened.

Things like power save behavior, DHCP timeouts, and session timeouts are common reasons why a host might leave a wireless association.

Wireless packet capture is hard but there is some guidance here. Often, special hardware is needed.

Bob Jones
answered 2020-05-26 21:26:05 +0000, updated 2020-05-26 21:28:23 +0000
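
The teardown check this answer describes (which side sent the disassociate or deauth frame, and with what reason code), as an added example that is not part of the original answer: it parses raw 802.11 management frames, and in Wireshark the same frames match the display filter `wlan.fc.type_subtype == 0x0c || wlan.fc.type_subtype == 0x0a`, with the reason shown as `wlan.fixed.reason_code`. The function names and the two sample frames are constructed for illustration, and the frames are assumed to have their radiotap header and FCS already stripped.

```python
import struct

# Subset of IEEE 802.11 reason codes often seen in leave frames.
REASONS = {
    1: "unspecified",
    2: "previous authentication no longer valid",
    3: "sending station is leaving (deauth)",
    4: "disassociated due to inactivity",
    5: "AP unable to handle all associated stations",
    8: "sending station is leaving the BSS (disassoc)",
    15: "4-way handshake timeout",
}
LEAVE_SUBTYPES = {10: "disassociation", 12: "deauthentication"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_leave_frame(frame):
    """Parse a raw 802.11 frame (radiotap header and FCS already stripped).
    Returns None unless it is a disassociation or deauthentication frame."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in LEAVE_SUBTYPES:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    # With protected management frames (802.11w) the body is encrypted,
    # so the reason code cannot be read without decrypting the frame.
    protected = bool(frame[1] & 0x40)
    code = None
    if not protected and len(frame) >= 26:
        (code,) = struct.unpack_from("<H", frame, 24)
    return {
        "kind": LEAVE_SUBTYPES[subtype],
        "issued_by": "AP" if src == bssid else "client",
        "src": mac(src), "dst": mac(dst), "protected": protected,
        "reason_code": code,
        "reason": None if code is None else REASONS.get(code, "other"),
    }

# Constructed sample frames (not from a real capture): the AP deauthenticates
# the client with reason 4, then the client disassociates with reason 8.
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
AP_DEAUTH = b"\xc0\x00\x3a\x01" + STA + AP + AP + b"\x10\x00" + b"\x04\x00"
STA_DISASSOC = b"\xa0\x00\x3a\x01" + AP + STA + AP + b"\x20\x00" + b"\x08\x00"

if __name__ == "__main__":
    for f in (AP_DEAUTH, STA_DISASSOC):
        print(parse_leave_frame(f))
```

A result with `issued_by` set to `AP` points the investigation at the access point's logs; `client` points at the device's driver or power-save settings.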

Comments

Thanks for this answer. However, I am new to Wireshark and therefore don't know what you mean by

open authentication --> association --> 4-way EAPOL handshake for auth+keying

How do I do this in Wireshark?

to_sam@web.de (2020-05-27 06:34:27 +0000)

Some options:

  1. Follow the link on capturing wifi traffic, obtaining any special hardware you might need (a Macbook usually works). Then introduce your client to the wifi network (i.e. turn it on) and then wait for failure. The packet capture, if done correctly, should contain this information.
  2. Hire someone to do the capture for you. Maybe someone close by could help?

Bob Jones (2020-05-27 08:39:29 +0000)

I am capturing wifi traffic with my router (fritzbox). Would that be enough to do the analysis?

to_sam@web.de (2020-05-27 09:40:57 +0000)

I assume you have checked logs, if any, in the AP? If it is capturing 802.11 traffic then it might be useful. However, most of the vendors have some type of capture solution on the products (mid to high end) but they always have issues when trying to get ALL traffic. But you don't need ALL traffic, you need to see how the device is behaving and if/when/how the device is leaving the association so it MIGHT be suitable to get started.

If you are comfortable, make a link to a download of the capture and provide the MAC of the problem device and we can take a look.

Bob Jones (2020-05-27 12:36:43 +0000)
