The time delta analysis

Since an advanced attacker can emulate fixes for most of the red flags identified in the preceding section, we need a serious mechanism to identify a rogue access point among the legitimate ones. We will make use of time delta for the beacon frames to identify the fake access point. While the fake access point tries to fool the analysis systems by spoofing the fixed beacon interval, time delta analysis allows us to figure out the exact beacon intervals.

A real AP would produce a time delta graph denoting an almost straight line; this is not the case for a fake AP. Let's confirm what we just said using tshark -r beacon-01.cap -2 -R "wlan.sa==7c:8b:ca:ea:27:52 && wlan.fc.type_subtype==0x08" -T fields -e frame.time.delta ...

Get Hands-On Network Forensics now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.