Pcap-quiz #1, 802.1X/EAP Authentication and Roaming

I have over a periode of time had a wish to make some pcap-quiz into the wireless community. And its time to jump into it

I am using this method

  • Make a topology file that shows the network and all necessary data like mac-addresses and so on
  • Take a wireless capture while i’am doing something with the clients
  • Filter the pcap to reasonable sizes containing frames/packets that matters
  • Make a questionare
  • copy the same file and fill in some answers
  • Zip it in a downloadable file


Back in January 2019 I startet do play with WlanPi and packet capturing. Nigel Bowden had a article where he showed how to do packet capturing with the WlanPi and a compatibel WiFi-adapter on a Windows client. I ask him to update his script so that the WlanPi could capture 80MHz channels. And he did. Nigels link

Under my testing I discovered that the WlanPi could capture on four separate 20MHz-channels in a 80MHz-channel.  See my blog article

Peter Mackenzie did a deeper analysis on my pcaps and wrote a article where he explained what happens much better than I can do in english. Peters link

The point is that with my Realtek 8812AU adapter on the WlanPi it can capture 4 different 20MHz-channels in one capture, instead of using four adapters. Yes, it has some limitations. But in a lab environment its good enough.

In the zip-file I attached to this article is a pcap capture where the WlanPi captures on a 80MHz channel and it is 4 different APs each configured with the same SSID on 20MHz. Channel 36, 40, 44 and 48. The WlanPi is set to primary channel 36. That is the reason why the 802.11 radio information in Wireshark reports channel 36 for all 4 APs.

The original capture has almost 100.000 frames beause all clients also did pinging to the default gateway, just to create some traffic. I have filtered out the frames that matters to this questionare. It is the mangement- and EAPOL frames, so the capture contains only 8695 frames

Here is the case

  • 4 AP, each at 20MHz using channel 36, 40, 44 and 48
  • The pcap file contain captures from all four channels
  • The network uses 802.1X/EAP authentication, so all clients/suplicants communicate with a authentication server (Radius-server) during 802.1X/EAP authentication
  • Three clients, a MacBookPro, a iPAD and a Samsung A5. The iPAD and the Samsung  does a roam during the capture
  • Fast roaming is enabled
  • The questionare have 5 questions about 802.1X/EAP authentication and 5 questions about roaming
  • The topology file contains all mac addresses that matters
  • Eddie Forero had a awesome presentation during WLPC_US using Wireshark and how to customize it
  • Brian Long had a presentation at WLPC_US regarding 802.1X/EAP authentication


The zip-file:    Pcap Quiz #1


Please try it and make some comments. Next time it will be more against 802.11 radio informations

We all know that a pcap contains frames, but I changes between writing frames or packets all the time

Usable links
Gjermunds article about fast secure roaming, part 1  part 2
Eddie Forero, WiFiShark Fu, youtube video, Link
Brian Long, The Anatomy of the 802 1X Association, youtube video  Link


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s