Featured offer

Everything you need for site surveys
and spectrum analysis in a
super bundle!

Simulating Multiple Wireless Access Points Using CommView for WiFi

CommView for WiFi includes the functionality that allows users to edit and send arbitrary 802.11 a/b/g/n packets (commonly referred to as "packet generation" or "packet injection") through the wireless adapter. This functionally is used by WLAN engineers for many different purposes, including hardware and software testing and troubleshooting, security honeypots, etc. One of the possible applications of this functionality is a simulation of multiple access points. This brief guide describes how this can be achieved. It is assumed that the reader has extensive knowledge of the underlying WLAN technologies, 802.11 frame formats, and some experience with CommView for WiFi.

Required Software and Hardware

To be able to generate packets, you must have a compatible adapter that supports packet generation. Most of the adapters supported by CommView for WiFi are capable of packet injection. You can see the list here. All the adapters marked as "Recommended" support packet injection. Some of the adapters not marked as "Recommended" also support it; see the technical notes.

Creating and Editing Beacon Packets

To simulate multiple APs, you need to create and edit a few fake beacon packets and send them continuously in a loop. The easiest way to create a packet is to load a real beacon into the packet generator and then edit it. This can be done by selecting a captured beacon packet, right-clicking on it, and selecting Send Packet(s) => Selected. The packet generator window will appear, as shown below:

The hex editor on the right allows you to edit the packet contents. You can replace the SSID with a new one (we chose "FakeAP#0017" in the example above), as well as the source MAC address and BSSID. If you want to make the SSID longer or shorter than the one in the original packet, be sure to edit the corresponding bytes in the information elements (a detailed description of the beacon structure is beyond the scope of this guide). Once you have edited the packet, you can drag-and-drop it from the hex editor window to the desktop. This will create a file named "packet.ncf". Open a new Log Viewer window in CommView for WiFi and drag-and-drop it to that window. You can then edit the packet in the packet generator window once again; change the SSID, source MAC, and BSSID to new values; and, as before, save it to the desktop and drag-and-drop to the Log Viewer window. You can repeat this operation many times, depending on how many unique APs you'd like to simulate. If you need dozens of APs, write a small program that will create a CommView for WiFi log file with the desired packets. The log format is open, so this will take just a few minutes if you know any programming language. We created a sample file that can be downloaded here. It contains one hundred packets with unique SSIDs and BSSIDs. Here is what you see if you open it in CommView for WiFi:

Sending Packets

This is the easiest part. First, start capturing on the channel that you used in the beacons' channel information element (we used channel 4 in our sample file.) Second, right-click on the Log Viewer window that contains your crafted packets and select Send Packets => All. The packet generator window will pop up. Select Continuously and adjust the packets-per-second rate. For a file with a hundred beacons, something like 500 packets per second is a good value that translates into 5 unique beacons per second. The 802.11 Rate should be one of the legacy 802.11 rates, e.g. 1 or 11 Mbps. Finally, click Send:

CommView for WiFi will be sending packets in a loop. Now you can use a different notebook to verify that the packets are being sent and that we are simulating many unique APs. You will see something like this:

Yes, a long list of available APs. Just no chance to connect to them:-) If you want to simulate many APs on different channels, use several computers running CommView for WiFi, each of them sending packets on a different channel.