Digital forensics

Wireless networking fundamentals for forensics

January 25, 2021 by

With the evolution of Internet of Things (IoT) devices, there are countless wireless devices around us these days. Many people carry small-sized wireless networks everywhere they go — smartphones and smartwatches connected via Bluetooth.

A majority of homes have at least a small Wi-Fi network. This article provides an overview of wireless networking fundamentals with a primary focus on 802.11 (Wi-Fi).

Learn Network Forensics

Learn Network Forensics

Get hands-on experience analyzing logs, protocols, wireless, web traffic and email for traces left behind by attackers.

Common types of wireless devices

Let us begin by discussing various types of wireless devices that we commonly come across these days.

  • Wi-Fi (802.11)
  • Cell phones and laptops
  • Infrared devices
  • Bluetooth-based devices such as light bulbs
  • Zigbee devices such as light bulbs
  • Wireless doorbells
  • IP cameras

Basics of wireless LAN

Wi-Fi networks use radio waves for its connection and communication. A station such as a laptop or mobile phone having wireless compatibility converts its data into radio waves and sends it to the Wi-Fi router.

The router receives the signals and sends the information to the internet after decoding it. Then the router receives information back from the internet and again sends it to the station in the form of radio waves.

Wireless LAN terminology

  • STA: STA stands for station. A station can be any client that is connected to the access point (router in our case). Examples are laptops, tablets and cell phones with W-Fi capability.
  • WAP: WAP stands for Wireless Access Point. The clients connect to the WAP or router.
  • Beacons: Access points broadcast data packets into the air to show its presence. These packets are called beacon frames.
  • BSSID: BSSID stands for basic service set identifier. A BSSID is the MAC address of the access point.
  • SSID: SSID stands for service set identifier. This is the name of the access point that is being displayed for STAs to connect. 
  • MAC address: Every networking device will have a unique address given by the manufacturer of the device. That is called a MAC address. It is in hexadecimal format and it is of 6 bytes in length. An example of a mac address is 00-B0-D0-86-BB-F7. The preceding mac address has 6 bytes. The first three bytes represent the identifier of the manufacturer and the last three bytes represent the identifier of the product.

WLAN security types

In wireless networks, all the data we pass and all the headers of the corresponding data will be in the air. A simple sniffing attack can lead to a very major problem. So security plays a major role in wireless networks. To fulfill this, few security schemes have been introduced into wireless networks.


WEP stands for wired equivalent privacy. It is the first security scheme that has been introduced to protect wireless networks. The name itself represents that its security is equivalent to that of a wired network. The most important feature of this scheme is confidentiality. It provides confidentiality by encrypting the data passing through air. But because of its weak encryption algorithms, it is proved that WEP can be easily cracked.


WPA stands for Wi-Fi protected access. It is another security scheme developed by fixing the problems in the existing WEP protocol. WPA has been developed as a temporary solution and later on it is extended to WPA2, which stands for Wi-Fi protected access 2. WPA and WPA2 use a four-way handshake and a pre-shared key for authentication, and it is known to be vulnerable to brute forcing and offline cracking attacks.


WPA3 security protocol was announced by Wi-Fi Alliance in 2018. It is meant to replace WPA2 and is considered much more secure than the older protocols, such as WEP, WPA/WPA2. WPA3 makes it harder to perform brute force attacks that were possible in WPA/WPA2.

802.11 frame types

The 802.11 protocol suite defines different types of frames and different types contain different types of evidence. Thus, it is worth noting the differences. All 802.11 frames fall under one of the following three types.

  • Management frames
  • Control frames
  • Data frames

Management frames: Management frames, also known as type 0 frames, are used to manage the access point. This includes probing, associating, roaming and disconnecting clients from the access point. Management frames are not encrypted and they can be seen over the network using a tool like Wireshark by actively sniffing a wireless network.

Control frames: Control frames, also known as type 1 frames, are designed to manage the flow of traffic across a wireless network. Control frames only contain a header and trailer, no body.  There are three control frame subtypes:

  • Request-to-send (RTS)
  • Clear-to-send (CTS)
  • Acknowledgment

Data frames: Data frames, also known as type 2 frames, contain the actual data transmitted across the wireless network. For instance, every IP packet that flows across the wireless 802.11 network is part of the payload of an 802.11 data frame. There are administrators who use open Wi-Fi networks not realizing the fact that the data flows across the network will not be encrypted unless there is application specific encryption implemented. This allows an investigator to gain access to unencrypted data frames over the network. Even if the wireless network uses encryption, if we have access to the encryption key and can gain access to unencrypted data frames, then you can capture and analyze the wireless traffic at layer 3 and above. 

Learn Network Forensics

Learn Network Forensics

Get hands-on experience analyzing logs, protocols, wireless, web traffic and email for traces left behind by attackers.


Network Forensics, Ric Messier

Internet Forensics: Using Digital Evidence to Solve Computer Crime, Robert Jones

Network Forensics: Tracking Hackers through Cyberspace, Sherri Davidoff


Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs Email: