WiFi Hawk Changes

v0.18

Features:

  • Detects if client sends null PMKID during FT auth request
  • RRM NDP frame decoding
  • Create lists of AP Radios using beacons and NDP frames
  • Decoding of Channel Switch announcements, display info in beacons/action frames
  • New AP Radio object displayed, as collection of related BSSIDs
  • Detects when different BSSIDs belonging to the same AP radio do not have the same data rates
  • Support for Scapy 2.5 and Python 3.11

Changes:

  • Added client detection from 802.11 auth request (this is in case the first frame seen from the client is an auth, not a probe request)
  • Avoids creating client entries for multicast destinations receiving data frames
  • Fixed wrong order if a frame needs to be summarized
  • Filters learning BSSID if data frame has destination/source as null address
  • Modifications to the content page format

v0.17

Features:

  • Shows Highest state reached by client, vs last state.
  • Option to filter out probing "only" clients. Useful for large captures to reduce information reported

Changes:

  • Default XLS window is larger in Mac OS
  • "VHT/HE NDP Announcement" client events are now summarized

v0.16

Features:

  • New detection for leaked unprotected Action frames when PMF is enabled
  • Displays identity provided during EAP ID request/response
  • Detects Channel Switch announcements, typically sent after Radar event
  • Displays Action frames in general, including whether the frame was protected by PMF
  • Displays VHT/HE Beamforming requests and responses (Action No-Ack frames)
  • New detection for RTS floods (>15 consecutive frames), either from AP or client

Changes:

  • Added better handling for null address frames (generates error instead of handled exception)
  • Slight change to client filtering on reports: clients that have sent/received at least 3 data frames, or that have events, are now included in the report
  • Updated dot11 cipher names
  • Corrections to CTS large NAV detection (it was using wrong mac address)
  • Suppressed console output in Windows version

v0.15

  • Added JSON report format for tool integration
  • Fixed error during SAE success status processing
  • Fixed missing SSID name, if first frame from BSSID was a probe response
  • Fixed incorrect group cipher parsing for SAE
  • Fixed exception during sleeping client processing, if the client was still sleeping when the capture ends
  • file type

v0.14

  • Added channel field to frames in omnipeek format
  • Included a channel summary in the index page
  • Added a feedback link

v.0.13

  • Added proper exception reporting in XLS worksheet
  • Updated list of status codes to 802.11-2020
  • Fixed exception while parsing probe response with null SSID
  • Added error handling during association parsing, for malformed frames
  • Added support for PMF protected deauth frames
  • Error report for invalid PMKID roaming
  • Per TID bidirectional traffic seen event
  • Added SAE support

v.0.12

  • Added "click on error" in case there is a processing failure. A new browser window will be opened with more information
  • Cosmetic changes to GUI
  • Added "interesting" Action frame processing: WNM BSS transition req/response, and Radio Neighbor report req/res
  • Minor correction to text of AP auth response not present
  • Fix: Corrected client event summarization where first event of a specific severity may lead to missed information later
  • Updated Auth algorithm types, and better handling of SAE reason codes
  • Added support for Peekremote (AP sniffer mode) encapsulated over CAPWAP
  • Shows self calibration activity from client
  • Added support for frames over MCS rates in Peekremote files

v.0.11

  • Added support for Meraki legacy (Prism header) sniffer files
  • Ignores QBSS IE error, if AAC is zero (TSPEC not supported scenario)
  • Corrected TX/RX arrows direction in event flow
  • Added Client profiling, showing wireless capabilities during association request (11w/r/v/k, CCX, etc)
  • Shows Client manufacturer

v.0.10

  • Added large NAV in CTS error reporting
  • Changed TX/RX print info in flow print
  • Time stamps now have millisecond resolution
  • Added client error report if auth response arrives more than 120 milliseconds late
  • Adjusted severity of message if encrypted traffic is seen before M4
  • Added new Data frames SNR vs Rate Client Graph
  • Fixed issue when reporting client events and buffered data is still present at the end of capture

v.0.9

  • Initial Omnipeek/Savvius support
  • Fixed exception if BSSID is created from a probe response, and we hear a beacon later
  • Added support for Non-QoS data frame for legacy clients

v.0.8

  • Wrong beacon parsing leading to incorrect channel in BSSID

v.0.7

  • Added coloring rules
  • Improved reporting of sleeping time
  • Added GUI wrapper
  • Added summary info on content tab

v.0.6

  • Added handling of beacon with buffered data, and summarization on XLS report

v.0.5

  • Added extended deauth reason code
  • Support for PSP frames to track wake/sleep

v.0.4

  • Added data rate histogram
  • Histograms show empty chart if no data source is available
  • Sleep state summarization on XLS report

v.0.3

  • Added error detection when a client joins an AKM SSID, it is deauthenticated, and no EAP process happened
  • Added processing of deauth sent by client
  • Added support to detect hidden SSID, and fill the info from probe responses