0 votes

I have a saved wireshark capture and I've applied a filter to the results to only show communications for one particular device. I have decryption enabled, and the decryption key is stored as wpa-pwd in the format key:SSID.

I don't fully understand how to interpret the results that I have available to me. I've searched extensively here on S/O, and on Google.

I imagine that the packets that would be "of interest" to me from the results would be the packets coming from the source device, outgoing to the router, all marked with the 802.11 protocol.

I currently have the filtered results ordered by destination; there are

  • 3 "request-to-send" results,
  • followed by an "802.11 Block Ack",
  • 8 "request-to-send" results,
  • followed by another "802.11 Block Ack",
  • 3 "request-to-send" results.

I'll place the results here in this order, but I'm only including the summary for the first of the request-to-send packets and the two 802.11 Block Ack packets, since the summaries for the request-to-send packets are all essentially identical.

As a question, is there any way I can directly interpret these results to understand what these packets contained/were for?

Packet 1 (Request-to-send) Summary 5131 27.713095 Apple_88:85:55 (TA) Actionte_30:f4:b6 (18:1b:eb:30:f4:b6) (RA) 802.11 45 Request-to-send, Flags=...P....C

Packet 1 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 57 11 bb 47 00 00 00 00  ....o...W..G....
0010   12 30 85 09 80 04 c3 a0 00 b4 10 9e 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 a4 ff c8 cc           0..,....U....

Packet 2 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 c1 b7 77 48 00 00 00 00  ....o.....wH....
0010   12 30 85 09 80 04 c6 9e 00 b4 00 a6 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 69 3a 25 10           0..,....Ui:%.

Packet 3 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 de 05 78 48 00 00 00 00  ....o.....xH....
0010   12 30 85 09 80 04 c5 9e 00 b4 00 a2 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 72 b5 89 09           0..,....Ur...

Packet 4, 802.11 Block Ack Summary 6829 40.120666 Apple_88:85:55 (TA) Actionte_30:f4:b6 (18:1b:eb:30:f4:b6) (RA) 802.11 57 802.11 Block Ack, Flags=........C

Packet 4 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 53 65 78 48 00 00 00 00  ....o...SexH....
0010   12 30 85 09 80 04 c6 9e 00 94 00 00 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 05 00 b0 3c 01 00 00  0..,....U...<...
0030   00 00 00 00 00 5d c0 d4 c7                       .....]...

Packet 5 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 02 6f 78 48 00 00 00 00  ....o....oxH....
0010   12 30 85 09 80 04 c5 9e 00 b4 00 a2 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 72 b5 89 09           0..,....Ur...

Packet 6 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 ea 77 78 48 00 00 00 00  ....o....wxH....
0010   12 30 85 09 80 04 c5 9e 00 b4 00 be 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 33 18 ce 45           0..,....U3..E

Packet 7 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 c3 ca 78 48 00 00 00 00  ....o.....xH....
0010   12 30 85 09 80 04 c5 9e 00 b4 00 a2 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 72 b5 89 09           0..,....Ur...

Packet 8 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 f8 d4 78 48 00 00 00 00  ....o.....xH....
0010   12 30 85 09 80 04 c5 9e 00 b4 00 ce 01 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 f3 72 37 72           0..,....U.r7r

Packet 9 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 24 68 7a 48 00 00 00 00  ....o...$hzH....
0010   12 30 85 09 80 04 c6 9e 00 b4 00 a2 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 72 b5 89 09           0..,....Ur...

Packet 10 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 7e ed 7b 48 00 00 00 00  ....o...~.{H....
0010   12 30 85 09 80 04 c6 9e 00 b4 00 a6 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 69 3a 25 10           0..,....Ui:%.

Packet 11 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 e3 3c 7c 48 00 00 00 00  ....o....<|H....
0010   12 30 85 09 80 04 c6 9e 00 b4 00 a2 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 72 b5 89 09           0..,....Ur...

Packet 12 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 3c 52 7c 48 00 00 00 00  ....o...<R|H....
0010   12 30 85 09 80 04 c6 9e 00 b4 00 0e 01 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 e0 6a fd b0           0..,....U.j..

Packet 13 (Block Ack) Summary 6978 40.406195 Apple_88:85:55 (TA) Actionte_30:f4:b6 (18:1b:eb:30:f4:b6) (RA) 802.11 57 802.11 Block Ack, Flags=........C

Packet 13 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 94 bf 7c 48 00 00 00 00  ....o.....|H....
0010   12 30 85 09 80 04 c6 9e 00 94 00 00 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 05 00 40 3d 03 00 00  0..,....U..@=...
0030   00 00 00 00 00 fa 5f c6 82                       ......_..

Packet 14 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 54 cd 7c 48 00 00 00 00  ....o...T.|H....
0010   12 30 85 09 80 04 c6 9e 00 b4 00 a2 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 72 b5 89 09           0..,....Ur...

Packet 15 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 1a f7 7c 48 00 00 00 00  ....o.....|H....
0010   12 30 85 09 80 04 c2 9e 00 b4 00 be 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 33 18 ce 45           0..,....U3..E

Packet 16 Hex + ASCII

0000   00 00 19 00 6f 08 00 00 6f 4a 7d 48 00 00 00 00  ....o...oJ}H....
0010   12 30 85 09 80 04 c6 9e 00 b4 00 a2 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 72 b5 89 09           0..,....Ur...

So, I'm looking for an explanation how to interpret these and future results, kind of like "catch the first fish and then show me how to do it."

I know I've read something about right-clicking on the packet and going to "Follow" and "Stream", but this option isn't available in a saved capture. If anyone wants to mention what that specific feature does, it'd also be appreciated.

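A worked decode of the hex dumps in the question, added here as an example; it is not the asker's code and not Wireshark's. It parses the 25-byte radiotap header (present bits 0x86f: TSFT, flags, rate, channel, signal, noise, antenna) and then the 802.11 control frame behind it, following the field tables published at radiotap.org and the IEEE 802.11 control frame formats. It shows that a Request-to-send frame carries no payload at all, only RA, TA and a Duration value (158 µs for packet 1) that reserves the medium, while a Block Ack carries a starting sequence number and a bitmap of the data frames it acknowledges. The CRC-32 check of the FCS and the mapping of 2437 MHz to channel 6 are standard 802.11 facts; the two hex dumps are copied from the question.

```python
# Added example for this thread (not the asker's or Wireshark's code): decode the
# radiotap header and the 802.11 control frame behind it from a Wireshark hex dump,
# following the field tables at radiotap.org and the IEEE 802.11 control frame formats.
import re
import struct
import zlib

# radiotap present bit -> (name, struct format, natural alignment); low bits only
RADIOTAP_FIELDS = {
    0: ("tsft", "<Q", 8), 1: ("flags", "<B", 1), 2: ("rate", "<B", 1),
    3: ("channel", "<HH", 2), 4: ("fhss", "<BB", 1), 5: ("dbm_antsignal", "<b", 1),
    6: ("dbm_antnoise", "<b", 1), 7: ("lock_quality", "<H", 2), 8: ("tx_attenuation", "<H", 2),
    9: ("db_tx_attenuation", "<H", 2), 10: ("dbm_tx_power", "<b", 1), 11: ("antenna", "<B", 1),
    12: ("db_antsignal", "<B", 1), 13: ("db_antnoise", "<B", 1), 14: ("rx_flags", "<H", 2)}
CONTROL_SUBTYPES = {8: "Block Ack Request", 9: "Block Ack", 10: "PS-Poll",
                    11: "Request-to-send", 12: "Clear-to-send", 13: "ACK"}

def hexdump_to_bytes(dump):
    """Wireshark 'offset  hex bytes  ascii' lines -> raw bytes (ASCII column ignored)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:            # skip the offset; at most 16 data bytes
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                             # first non-hex token is the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def parse_radiotap(buf):
    """Return (header_length, fields) for the radiotap header at the start of buf."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError(f"unknown radiotap version {version}")
    off, word = 8, present
    while word & (1 << 31):                       # bit 31: another present word follows
        word = struct.unpack_from("<I", buf, off)[0]
        off += 4
    fields = {}
    for bit in (b for b in range(31) if present & (1 << b)):
        if bit not in RADIOTAP_FIELDS:
            raise ValueError(f"radiotap field bit {bit} not decoded by this example")
        name, fmt, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align  # every field is naturally aligned
        vals = struct.unpack_from(fmt, buf, off)
        fields[name] = vals[0] if len(vals) == 1 else vals
        off += struct.calcsize(fmt)
    if off > length:
        raise ValueError("radiotap fields overrun the declared header length")
    return length, fields

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_control_frame(frame, has_fcs):
    """Decode an 802.11 control frame; RTS and compressed Block Ack get full detail."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    if (fc >> 2) & 0x3 != 1:
        raise ValueError("not a control frame (type 1)")
    subtype, flags = (fc >> 4) & 0xF, fc >> 8
    body = frame[:-4] if has_fcs else frame
    info = {"subtype": CONTROL_SUBTYPES.get(subtype, f"control subtype {subtype}"),
            "duration_us": duration,              # NAV reservation in microseconds
            "pwr_mgt": bool(flags & 0x10),        # the 'P' in Wireshark's Flags=...P....C
            "ra": mac(body[4:10]),
            # FCS is CRC-32 over everything before it, stored little-endian
            "fcs_ok": zlib.crc32(body) == struct.unpack("<I", frame[-4:])[0] if has_fcs else None}
    if subtype in (8, 9, 11):                     # BAR, Block Ack and RTS carry a TA too
        info["ta"] = mac(body[10:16])
    if subtype == 9:
        ba_ctl, ssc = struct.unpack_from("<HH", body, 16)
        if ba_ctl & 0x6 != 0x4:
            raise ValueError("only compressed, single-TID Block Ack is decoded here")
        start = ssc >> 4                          # top 12 bits: starting sequence number
        bitmap = int.from_bytes(body[20:28], "little")   # one bit per MPDU from start
        acked = [(start + i) & 0xFFF for i in range(64) if bitmap >> i & 1]
        info.update(tid=ba_ctl >> 12, start_seq=start, acked_seqs=acked)
    return info

def decode(dump):
    """One capture record (radiotap + 802.11 control frame) from its hex dump."""
    buf = hexdump_to_bytes(dump)
    rt_len, rt = parse_radiotap(buf)
    if "rate" in rt:
        rt["rate_mbps"] = rt["rate"] * 0.5        # radiotap rate unit is 500 kbit/s
    if "channel" in rt:
        rt["freq_mhz"] = rt["channel"][0]         # 2437 MHz = 2.4 GHz channel 6
    has_fcs = bool(rt.get("flags", 0) & 0x10)     # radiotap flag 0x10: FCS at end
    return {"radiotap": rt, "dot11": parse_control_frame(buf[rt_len:], has_fcs)}

# Hex dumps copied from the question: packet 1 (Request-to-send), packet 13 (Block Ack).
PACKET_1 = """
0000   00 00 19 00 6f 08 00 00 57 11 bb 47 00 00 00 00  ....o...W..G....
0010   12 30 85 09 80 04 c3 a0 00 b4 10 9e 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 a4 ff c8 cc           0..,....U....
"""
PACKET_13 = """
0000   00 00 19 00 6f 08 00 00 94 bf 7c 48 00 00 00 00  ....o.....|H....
0010   12 30 85 09 80 04 c6 9e 00 94 00 00 00 18 1b eb  .0..............
0020   30 f4 b6 2c f0 a2 88 85 55 05 00 40 3d 03 00 00  0..,....U..@=...
0030   00 00 00 00 00 fa 5f c6 82                       ......_..
"""

if __name__ == "__main__":
    for dump in (PACKET_1, PACKET_13):
        print(decode(dump))
```

Run on packet 1 this gives 24 Mbps on 2437 MHz at -61 dBm, then an RTS from 2c:f0:a2:88:85:55 to 18:1b:eb:30:f4:b6 with Duration 158 µs and the power-management bit set; packet 13 is a compressed Block Ack whose starting sequence number is 980 and whose bitmap acknowledges sequence numbers 980 and 981. Those sequence numbers belong to data frames that are not among the filtered control frames, which is why there is no "content" to read here: RTS and Block Ack are bookkeeping for the medium, not carriers of user data. Wireshark's "Follow" menu items (TCP, UDP, TLS, HTTP stream) reassemble payload of that protocol and are only enabled when the selected packet contains it, so they stay greyed out on an 802.11 control frame whether the capture is live or saved.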

1 Answer

0 votes

According to Wikipedia (https://en.wikipedia.org/wiki/IEEE_802.11_RTS/CTS), these messages are intended to avoid transmission collisions. They mean something like "I would like to send something over WiFi, can I or is there somebody else planning to send data?".

Some more explanation: instead of just "yelling out" the bulk of data, the WiFi card can first ask "can I?" and, if nobody complains, the bulk of data follows (and nobody else tries to send data, as you asked to speak first). Without asking first, there is the potential of everybody yelling out loud and nobody being able to understand anybody.

As the "can I?" message is way shorter than the bulk of data, there will be fewer concurrent transmissions (which result in collisions --> data needs to be resent).