SonicOS 8 Access Points

Viewing KRACK Sniffer Packets

When the Enable Wireless Intrusion Detection and Prevention option is enabled, the SonicWave periodically scans the wireless environment looking for a KRACK Man-in-the-Middle access point and any clients interacting with it. KRACK is the acronym for Key Reinstallation Attack.

The KRACK MITM attack clones the real access point on a different channel with the same MAC address as the real access point. When a KRACK MITM access point is detected, the SonicWave opens a monitoring interface on the same channel as the KRACK MITM, and sniffs the packets on the channel for a period of time. If a wireless client is associated with the MITM access point and the Disassociate Client from KRACK MITM AP option is enabled, the client is disassociated from the MITM access point. Log messages are reported in the MONITOR | Logs > System Logs page when any of the following events occur:

  • KRACK MITM access point is detected
  • Client is detected communicating with the MITM access point
  • Client is disassociated from the MITM access point

Because the sniffing is done during the KRACK detection process, the captured packets are saved in the buffer of the SonicWave. The following image shows the KRACK sniffer results from SonicWaves.

To analyze the KRACK process, click Download icon for a SonicWave to export the packet data to the file krackSniffer_[SonicWave name].cap, where [SonicWave name] is the name of the SonicWave. Then open the file and view it using Wireshark or another PCAP analyzer tool.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden