Steve Kersley provided me with a quick tute in using the native Mac OSX tools to monitor the local wifi clients and access points.
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
finally run the tcpdump command to begin monitoring the wireless activity in realtime
sudo tcpdump -i en1 -I -n type mgt and not subtype beacon
The above is fairly self-explanatory except for the last options for filtering by type.
The table below lists the various packet types and subtypes specified in the 802.11 WLAN standard, and describes their usage briefly.
Table E.1 WLAN packet types
|
|
|
|---|---|
|
|
|
|
|
00 |
mgmt |
0000 |
Association Request |
This packet is sent to an access point (in a BSS or ESS) or to any other peer (in an IBSS or ad hoc network). The sender must already be authenticated in order to gain a successful association. |
|
00 |
mgmt |
0001 |
Association Response |
This packet is sent from an access point (in a BSS or ESS) or from any other peer (in an IBSS or ad hoc network) in response to an association request packet. If the request is successful, the response will include the Association ID of the requester. |
|
00 |
mgmt |
0010 |
Reassociation Request |
Like an association request, but it includes information about the current association at the same time as it requests a new association (either with the original Station after some lapse of time, or with a new station upon moving from one BSS to another). This packet is sent to an access point (in a BSS or ESS) or to any other peer (in an IBSS or ad hoc network). The sender must already be authenticated in order to gain a successful association. |
|
00 |
mgmt |
0011 |
Reassociation Response |
Like an association response, but in response to a reassociation request. This packet is sent from an access point (in a BSS or ESS) or from any other peer (in an IBSS or ad hoc network) in response to a reassociation request packet. If the request is successful, the response will include the Association ID of the requester. |
|
00 |
mgmt |
0100 |
Probe Request |
Probe request is used to actively seek any, or a particular, access point or BSS. |
|
00 |
mgmt |
0101 |
Probe Response |
Probe response replies with station parameters and supported data rates. |
|
00 |
mgmt |
1000 |
Beacon |
Beacon packets are sent by the access point in a BSS (or its equivalent in an IBSS) to announce the beginning of a Contention Free period (CF), during which the right to transmit is conferred by the access point by polling.
Beacon management packets carry BSS timestamps to help synchronize member stations with the BSS, and other information to help them locate and choose the BSS with the best signal and availability. |
|
00 |
mgmt |
1001 |
ATIM |
Announcement Traffic Indication Message. This packet serves much the same function in an IBSS that the Beacon packet does in an infrastructure (BSS or ESS) topology. The packet sets the synchronization of the group and announces that messages are waiting to be delivered. Stations in Power Save mode wake up periodically to listen for ATIM packets in ad hoc (IBSS) networks, just as they do for Beacon packets in infrastructure (BSS or ESS) networks. |
|
00 |
mgmt |
1010 |
Disassociation |
This packet is an announcement breaking an existing association. It is a one-way communication (meaning it does not require or accept a reply), and must be accepted. It can be sent by any associated station or BSS and it takes effect immediately. |
|
00 |
mgmt |
1011 |
Authentication |
Authentication packets are sent back and forth between the station requesting authentication and the station to which it is attempting to assert its authentic identity. The number of packets exchanged depends on the authentication method employed. Information relating to the particular scheme is carried in the body of the Authentication packet. |
|
00 |
mgmt |
1100 |
Deauthentication |
This packet is an announcement stating that the receiver is no longer authenticated. It is a one-way communication from the authenticating station (a BSS or functional equivalent), and must be accepted. It takes effect immediately. |
|
01 |
ctrl |
1010 |
PS-Poll |
Power Save polling packet. Stations in power save mode awaken periodically to listen to selected Beacons. If they hear that data is waiting for them, they will awake more fully and send a PS-Poll packet to the access point (BSS) to request the transmission of this waiting data.
In Control packets of the Power Save-Poll type, the Duration/ID field contains the association ID (AID) for the station sending the packet. |
|
01 |
ctrl |
1011 |
RTS |
Request To Send. Coordinates access to airwaves. |
|
01 |
ctrl |
1100 |
CTS |
Clear To Send. Response to a RTS, coordinates access to airwaves. |
|
01 |
ctrl |
1101 |
ACK |
Acknowledges receipt of transmitted data. |
|
01 |
ctrl |
1110 |
CF End |
Signals the end of Contention Free period. |
|
01 |
ctrl |
1111 |
CF End + CF ACK |
Signals the end of the Contention Free period and Acknowledges the receipt of some packet in a single message. |
|
10 |
data |
any |
any |
Multiple subtypes exist for Data type packets, but all have the same basic format, as described above. ([see Appendix C, “802.11 WLAN Packets and Protocols”](http://www.wildpackets.com/resources/compendium/manual_appendices/nxA1_AP#wp1001864).)
The different Data subtypes essentially just piggyback CF-Poll, CF-ACK, and CF-End messages onto the data message in a single transmission. This allows the BSS to gain higher throughputs possible using PCF (point coordinating function). |