
  • Hello everyone,

I have been studying a packet capture and I have some questions about it. After looking through the capture, I've noticed a lot of consecutive CTS frames. The Source field is blank and the Destination field is an AP. There are about 43 consecutive CTS frames and they come from 2 or 3 different APs. After these 43 CTS frames, I get a beacon (1 frame) from one of the 3 APs transmitting the CTS and then it's right back to the consecutive CTS frames between the 3 APs. This series of CTS frames also has a lot of repeated CTS frames. It's like this throughout the capture and not in one particular part of the capture.
    The beacon frames do indicate to use protection but there are no non-ERP devices present. So, I'm assuming the AP is detecting the Use Protection from another AP's beacon.


    Can anyone help identify this type of behavior?

    Thanks,

  • Hello again,

    I just captured some more packets in another building. This user is having the same issues. The laptop has a -67 dBm signal and no throughput. The laptop will not load anything. I got some packet captures and scanned through them briefly. The beacon indicates to use the protection mechanism but there are zero non-ERP devices. I know this normally indicates that the AP hears another beacon with the protection bit set to 1. I scanned channel 6 because this is the channel the user is connected to. I looked at the protocol stats and 57.7% is CTS traffic. I know this is not normal. I don't have an RF scanner. I think this is a major tool I need for this situation. Could this indicate a bad AP? I have attached a snapshot of what I'm seeing. :-|

    snapshot > http://s254.photobucket.com/albums/hh108/ksimpson_album/
    Thanks again,

  • Yea, my guess is you have a hosed AP. Either try a reboot or firmware upgrade for next steps. Also look at the AP and client settings to see if the CTS frame size was monkeyed with ...

    That AP is really doing a DoS attack; not surprised you can't get access to the medium.

  • Yea, I guess I will replace it. After I replace it, I will perform another capture to see how it's working. I'm pretty sure the CTS setting hasn't been changed on the AP since we have controllers and thin APs.

  • simpson wrote:

    Yea, I guess I will replace it. After I replace it, I will perform another capture to see how it's working. I'm pretty sure the CTS setting hasn't been changed on the AP since we have controllers and thin APs.


    It would be interesting to move the AP to a lab and test it further... Keep me in the loop, I would like to know how this turns out ...

  • I'm about to go replace it in the next hour or so. I'm going to bring it back and connect it in my office. I will do another capture and compare the two.
    I do have a question about the capture I've posted. If you look at the capture, the access point is the destination and the AP is receiving all these CTS frames. The source is unknown. The source field is blank. It seems as if it's a DoS from another source.

    This is the link to the captures.

    > http://s254.photobucket.com/albums/hh108/ksimpson_album/

    Thanks again,

  • OKAY. I have replaced the access point. I'm getting the same thing on this access point. The CTS frames contain an unknown source. Most of the CTS frames have a blank or FF:FF:FF:FF:FF:FF for the source. It's mostly on channel 6.

    I brought the original AP back to my office. I've connected it and it's working fine. I'm not getting the traffic. So, there's got to be something within this building.

    Has anyone seen a CTS frame or any frame without a source? I've posted a snapshot of the frame at

    http://s254.photobucket.com/albums/hh108/ksimpson_album/

    If it's a bad device or even a DoS device, how can I find it without the source? Could I go by the signal strength of the CTS packet?

    Thanks again!
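As an added example (not part of the thread or its poster's capture), the script below triages a capture export for the symptoms described above: the share of CTS frames per channel, and a per-receiver-address summary with mean signal strength. It relies on one fact about the frame format: an 802.11 CTS control frame carries only a Receiver Address (RA) and no transmitter address, and with CTS-to-self protection the RA is the station that sent the frame, so the RA plus RSSI is the only handle a capture gives for locating the sender. The CSV columns, the MAC addresses, the RSSI values and the 30% flood threshold are all constructed assumptions.

```python
"""Triage an 802.11 capture summary for a CTS flood (constructed example)."""
from collections import defaultdict
import csv
import io

# Constructed sample in the shape of a per-frame field export (assumed columns;
# not the thread's real capture). CTS rows have an empty 'ta' because the
# CTS control frame carries no transmitter address.
SAMPLE_CSV = """frame_no,subtype,ra,ta,channel,rssi_dbm
1,CTS,00:11:22:33:44:01,,6,-52
2,CTS,00:11:22:33:44:01,,6,-53
3,CTS,00:11:22:33:44:02,,6,-71
4,CTS,00:11:22:33:44:01,,6,-51
5,Beacon,ff:ff:ff:ff:ff:ff,00:11:22:33:44:01,6,-52
6,CTS,00:11:22:33:44:02,,6,-70
7,CTS,00:11:22:33:44:01,,6,-52
8,Data,00:11:22:33:44:01,aa:bb:cc:dd:ee:01,6,-60
9,CTS,00:11:22:33:44:02,,6,-72
10,CTS,00:11:22:33:44:01,,6,-52
11,Beacon,ff:ff:ff:ff:ff:ff,00:11:22:33:44:09,1,-80
12,Data,00:11:22:33:44:09,aa:bb:cc:dd:ee:02,1,-78
"""


def parse_records(text):
    """Parse the export into dicts with typed channel and RSSI values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "frame_no": int(row["frame_no"]),
            "subtype": row["subtype"],
            "ra": row["ra"].lower(),
            "ta": row["ta"].lower(),  # empty for CTS: no transmitter address
            "channel": int(row["channel"]),
            "rssi_dbm": int(row["rssi_dbm"]),
        })
    return rows


def cts_share(records, channel=None):
    """Fraction of frames that are CTS, optionally restricted to one channel."""
    pool = [r for r in records if channel is None or r["channel"] == channel]
    if not pool:
        return 0.0
    return sum(1 for r in pool if r["subtype"] == "CTS") / len(pool)


def cts_by_receiver(records):
    """Group CTS frames by receiver address with count and mean RSSI.

    With CTS-to-self the RA is the sending station, so ranking RAs by
    mean RSSI gives a rough idea of which sender is closest to the sniffer.
    """
    buckets = defaultdict(list)
    for r in records:
        if r["subtype"] == "CTS":
            buckets[r["ra"]].append(r["rssi_dbm"])
    return {
        ra: {"count": len(v), "mean_rssi_dbm": sum(v) / len(v)}
        for ra, v in buckets.items()
    }


def flag_cts_flood(records, threshold=0.3):
    """Return (channel, share) for channels whose CTS share exceeds threshold.

    The 30% default is an assumed rule of thumb, not a standard figure.
    """
    flagged = []
    for ch in sorted({r["channel"] for r in records}):
        share = cts_share(records, ch)
        if share > threshold:
            flagged.append((ch, round(share, 3)))
    return flagged


RECORDS = parse_records(SAMPLE_CSV)

if __name__ == "__main__":
    print("CTS share overall: %.1f%%" % (100 * cts_share(RECORDS)))
    print("flooded channels:", flag_cts_flood(RECORDS))
    for ra, info in sorted(cts_by_receiver(RECORDS).items()):
        print(ra, info)
```

Walking the sniffer around while re-running the per-RA summary is the practical way to use the RSSI column: the RA whose mean RSSI rises as you move is the one sending the CTS-to-self frames.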

  • Double check the filter settings on your packet capturing tool to make sure you are not filtering the address out of your view.

  • Ok. I will check it but I see the source in other packets. I will look as soon as I get back to the machine.

    Thanks for the suggestions!

  • You might check that the settings for management access to your APs are secure and not set at default user names and passwords. Consider changing passwords that have not been changed in the last 30-90 days, but before you do, disable any remote access to the APs if possible and configure them via the management port.
    This may not be possible and depends on your situation. If you have only a few APs in question
    you might try disabling the APs temporarily and see if there are any CTS frames still flooding the network. Your organization may not allow this but it might help thin out the area so you can find a possible rogue. If you are logging access to your network devices you might check for unauthorized access. If you can find the MAC you can possibly track down its port if it is on your network. Do not forget physical security also: out-of-place things around the building and surrounding lots.

    Bruce
