Assignment 7: WiFi


This week we'll look at WiFi. We'll first look at how WiFi packets are put together, and what frequencies they use. This is called the Physical Layer of WiFi, the first of seven layers that are defined in the Open Systems Interconnection (OSI) standard for a communication link. This is basically just a more sophisticated form of the packet radio protocols we've seen in other situations.

There are two key ideas that are widely used in many communication systems. One is using a pseudo-random sequence to spread the signal spectrum out, and allow multiple communication links at the same frequency. This is widely used in WiFi, as well as cell phones, GPS, and deep space communications. The second idea is using multiple frequency channels to increase the data rate. For WiFi this is done with Orthogonal Frequency Domain Multiplexing (OFDM). This also is very widely used in many different communication systems.

Next we'll talk about how local WiFi networks work. Each terminal transmits its packets, and all of the other terminals listen to see if the packet is for them. If so, it decodes the packet, and determines its type (port). It then passes the packet data on to a daemon process (continuously running background process) that handles that port. This could be http, mail, ssh, or many other ports.

The interesting thing is that every terminal decodes at least the headers (source, destination, and port) for every packet on the local network. That alone allows traffic analysis, and a picture of who is on the net, and what they are doing. Beyond that, many internet protocols are transmitted unencrypted (although this is changing). If someone on the local net loads an http webpage, you can capture all of the packets, and reconstruct exactly what they are looking at.

One question is what sort of hardware and software you need to intercept these packets. Fortunately (or not) it is all already there on your computer if use use a unix variant (linux, macOSX)! For windows, you will just need to install some free software.

WiFi History

WiFi refers to a wireless network protocol defined by the IEEE specification 802.11. There are lots of other protocols that are part of 802, such as 802.3 which is ethernet, 802.15 which is Wirelss Personal Area Networks (WPANs) that concern networks of radios such as bluetooth as well as networks of radios on your body, and 802.16 which is WiMAX. Quite a few of these standards either are dead, or are under development, and not in use.

802.11 is the WiFi we all use every day. The original version was just called 802.11, and is now called 802.11 1999. It was very slow (1 MBit/s), and was not very widely deployed. Since then, there have been a whole sequence of standards, each offering higher data rates enabled by more sophisticated encoding schemes and wider signal bandwidths. These include 802.11b, 802.11a, 802.11g, 802.11n, and onwards. From the initial 1 MBit/s, current 802.11ac offers up to 1GBit/s.

The 802.11 standard includes many different bands including 900 MHz, 2.4, 3.6, 5 and 60 GHz. In practice, the 2.4 GHz band was widely used first due to the availability of inexpensive hardware. However, as we'll see, the spectrum available is limited in this band. More recently the 5 GHz band has been used, with its much wider spectrum. Ultimately WiFi will go to the 60 GHz band, just as cell phones are now. This will provide immense bandwidth.

Connecting to WiFi

If you carry a WiFi enabled device (any recent phone, your computer, an ipad) it is constantly trying to find connections, and telling the world a lot about who you are, and what kind of device it is. This is true even if you never connect. One way to see this is to look at all of the networks you could connect to. For example, from my house I see my routers, and several of my neighbors.

For each of these, a substantial amount of information has been exchanged. One of the projects for this week looks at how this can be exploited. On a Mac you can get more information by clicking the WiFi icon with the option button held down.

This tells you a lot about your connection. What frequency you are using, what your SNR is, and what sort of data rate you can expect. Note that the power is in dBm. This is dB relative to 1 mW. Astoundingly little power is required for WiFi.

The key thing is that all of this interaction happens before you even connect. You have exposed yourself at this point, even though you have done nothing. As you walk around the world, lots of devices are noticing you, collecting your data, and sizing you up! How would you exploit this at a mall? How about a protest march? All of these are serious issues, which you can look at this week.

WiFi Packets

WiFi packets look pretty much like all of the other packets we've looked at. For 802.11b, this looks like

There is a preamble that identifies this as a packet of interest, a header, and then the data. The original data is sampled at 1 MHz, which is then digitally modulated up to 11 MHz, as we will describe below. That signal is then modulated up to 2.4 GHz for transmission over the air.

Direct Sequence Spread Spectrum (DSSS)

The simplest version of the 802.11b system looks like this

The digital modulation scheme is called Direct Sequence Spread Spectrum, or DSSS. The idea is that every 1 us symbol is replaced by a 1 us code waveform with 11 segments or chips.

The results is that the signal changes 11 times more quickly, and takes 11 times more spectrum.

Why is this a good thing? There are several advantages. One is that an interfering source will only effect part of the spectrum. Often we will still be able to decode the signal. Second, is that we haven't lost any SNR. If we transmitted the original data, the receiver would simply integrate over each symbol, and then decide if it is a +/- 1. For the DSSS signal we first multiply by the code waveform. When they line up the 1's line up and the -1's line up. The multiplication of the two is all 1's, and the integral over the symbol is the same as the original data symbol. We haven't lost anything.

The most important reason, though, is that we can give different code waveforms to different channels, and they won't interfere. This allows multiple links to use the same frequency with minimal degradation. We can also transmit multiple bit streams at once to increase capacity. This is what the faster 802.11b variations do.

This basic approach is called spread spectrum, because we have deliberately expanded the spectrum in order to get other benefits. This shows up everywhere in communications.

Orthogonal Frequency Domain Modulation (OFDM)

DSSS uses special code waveforms in order to transmit several symbols over the link at once. These all just add up. Another approach is to transmit each symbol over a slightly different frequency. The idea is illustrated below

A group of N symbols are all transmitted at once, with each symbol multiplying a unique sinusoid. This effective transmits every Nth symbol at its own frequency. We can transfer data faster simply by increasing N, and increasing the signal bandwidth. The spectrum looks like

The result is a very flat spectrum that uses exactly the bandwidth that is allocated to it. This is a very efficient way to transmit data.

In the 2.4 GHz band this is used for 802.11g. Unfortunately there isn't much spectrum in this band which limits speed. In the 5 GHz band, OFDM is very powerful, allowing data rates up to 1 Gbit/s.

For the receiver, we just do the opposite procedure. We take each signal segment and compute its frequency content. The amplitude of each frequency component is the value of each symbol. The encoding and decoding are very efficiently performed using the fast Fourier transform (FFT), which you will learn about in EE 102A.

An example of an 802.11a packet using OFDM and its spectrum is:

You can see the preamble, and the header and data bits in the packet. The spectrum is almost completely flat, because it is made up of multiple adjacent channels.

2.4 GHz Spectrum

The WiFi 2.4 GHz spectrum is shown below

There are nominally 13 channels from 2.412 GHz to 2.472 GHz. These are only 5 MHz apart. However, the bandwidth of an 802.11b/g channel is 22 MHz. That means that the channels heavily overlap, and there are only really three completely separate channels, here 1, 6, and 11. In practice it means that you are always contending with interference from other users.

If I capture the WiFi spectrum at my house, I can see both DSSS and OFDM links on the 2.4 GHz band. Here is a capture that shows a couple 802.11b links

This is what happens when I turn on the microwave

Here is one that shows a 802.11g link

This is my office, where you see to 802.11g networks, with multipath cancellation at specific frequencies

Each has a characteristic shape.

802.11 Networks

All the terminals in an 802.11 network listen to all the traffic on their channel. The WiFi interface decodes each packet, and checks the address to see if it was meant for it. Normally traffic intended for other terminals is ignored. However, this can be captured also.

Much of the WiFi traffic is TCP/IP. IP is a lower level protocol that gets packets to and from the right machines. TCP is the next higher level, that gets packets to and from the right services on the machine. The IP header comes first, and looks like this:

The important thing for us is the source and destination. The TCP header comes next, and looks like this

This says which port the packet came from, and which it is going to. The port is just a number that tells the WiFi interface what program to hand the packet off to. These programs are called daemons, because they are always running, waiting to handle input. Some important ports are SSH at 22, HTTP at 80, DNS at 53, and HTTPS at 443. Basically all of the numbers up to 512 are assigned to something, and many higher numbers also.

There are lots of programs for capturing and decoding packets. On unix derivatives the key library is libpcap. This comes with almost all unix, linux, and MacOSX systems. This gives you the ability to put your WiFi interface into “promiscuous” mode, where it listens to everything that comes by. Using a command line interface like tcpdump (also on most unix derivatives) you can specify filters to set which packets you would like to listen to, like HTTP for example. It will then spew out lots and lots and lots of text.

To make this more manageable, there are many integrated tools. The best known of these is wireshark, available here:

A nice demonstration of its capabilities is given in this youtube video

Wireshark Tutorial

This is for a previous version of wireshark, but the basic concepts are the same.

Here is what I get if I fire up wireshark at my house

You can see that I run dropbox by the packet from my computer. You can also see a couple RST packets.

Many web sites are now encrypted. In this case wireshark shows you all of the traffic, but you can't easily decode the content. This is still useful, though. If I go to the New York Times web site, this is a small part of what I get

You also see all the ad web sites as well.

For conventional HTTP web sites, you can see everything. One HTTP web site is Nate Silver's 538. Wireshark shows this

when I load this web page

Wireshark shows where all the text and images come from. I could capture all of these, and recreate the web page.

A lot of older internet services all transmitted plain text, and could be intercepted this way. This include mail, ftp, telnet, rsh, and many others. You can see why using these is not recommended!


You have several options for your assignment this week. For each topic, generate about 5 slides to describe your thoughts or results. Sign up here:

Week 7 Signup

and upload your slides here:

Week 7 Slides

1. One way to eliminate the ability of packet sniffers to monitor your internet traffic is to use The Onion Router, or TOR. This was originally developed by the US Naval Research Labs to protect defense communications. Now it has a much wider user base!

There are several areas you can investigate. First, how does it work? How do you use it? Who are currently major users? You can download the Tor Browser here

Try it out and see what you think. The plusses and minuses should be pretty obvious.

2. Each internet service generally has its own packet type, or “port”. Often, one of the first steps to hacking a device is to see which ports are open, meaning the device responds to a probe. Knowing which services are enabled helps you identify the device. Each service is handled by a separate daemon process. These each can have their own vulnerabilities that can be exploited to gain access.

This is known as port scanning. It is the equivalent of casing a house, rattling the door knobs and trying the windows, without actually entering. It is generally considered a hostile act, unless it is your net. Lots of network security programs include port scanning.

A well known port scanning tool is nmap. See what you can find about it. What can it tell about devices? You can install nmap from here:

Use it to scan your computer, or some other computer for which you have the owners permission, and see what you find. Try turning on and off network services, and see if they are detected (on the mac, these are the network sharing options, like remote login, or internet sharing). There are lots of other port scanners out there, so you can also try one of these.

Don't scan your local net (or some other net), or you may well draw attention to your self.

3. Use wireshark to monitor your own network traffic. Use the filter to limit to traffic coming in and out of your machine, as shown in the video. You have every right to monitor your own traffic! Try opening up connections (web browser, ssh shell, print something) and see what traffic you generate. Do you see any traffic you don't expect?

4. When a device tries to connect to a WiFi net you can tell a lot about it. This is called “fingerprinting”. This also uses wireshark, but captures even lower level packets. When a device tries to connect it has to negotiate which technical specifications it supports, and this gives away its identity. A nice description of this is given in this defcon youtube video.

WiFi Device Fingerprinting

This allows you to identify what type of devices are even if they don't ultimately connect.

It could also be extended to identify the brand and model of the network router. This would be useful since many routers have their default passwords, and these can easily be looked up on the web if you know the brand and model.

5. One of the simplest attacks on the internet is a Distributed Denial of Service (DDoS) attacks. This is usually done with a botnet, that all transmit packets at one target, all at once. The goal is to knock the target off the net. One site that has a number of historical attacks archived is

A10 Networks Current Attacks

Click on the “Learn About the Map” lin k in the upper right to see what the different attacks do. ChatGPT can help explain how some of these work. Another that shows what's happening now, as well as the past, is here

Netscout DDOS Website

Take a look to see who is getting clobbered today, and look at some of the previous big attacks. There are other resources out there, too. See what you can find.

You can also look into recent botnets. Particularly interesting are botnets made up of devices like web cameras and routers, because they have good web connections, and they often are easy to take over (many still have default passwords). This will only get worse with the IoT.

6. Pick your own WiFi hack. For example, you could look at be sniffing passwords in airports or coffee shops. Is this a real thing? Another is the WiFi Pineapple “network security auditing device”. What does it do? Please don't run this on the Stanford net …