sniffwifi


Archive for March 2010

DWA-160 Good; 802.11n Bad (Or At Least Annoying)


I am going to have to expand upon this topic in another post somewhere down the road, but 802.11n continues to annoy me. The technology is revolutionary and inexpensive and blah, blah, blah, but it’s dang near impossible to sniff it! Oh, does this tick me off. And to make matters worse, today I finally got to use my D-Link DWA-160 dual-band 802.11n USB adapter with AirMagnet WiFi Analyzer so I really wanted to do some sniffing.


Let’s start off with the 802.11n thing first. 802.11n is a great technology that increases both the speed and the range (and even the security, in a way) of your WiFi. Unfortunately for people who dabble in WiFi sniffing, 802.11n also makes it virtually impossible to do traditional sniffing.

The problem with 802.11n is that with most setups the Data frames going in one direction will be missed. I don’t know exactly why this is and I don’t know all of the technical reasons behind it, but trust me, it happens. If you set your 802.11n capture to a standard channel (in my case today, a 20 MHz wide, 2.4 GHz channel 1) you’ll almost always capture data going in one direction but not the other. You will usually get non-data frames going in both directions (identified by frequent acknowledgments without data preceding), but not all of the data.

My guess is that the problem is the wide variations in 802.11n antennas. I think that for whatever reason my capture antennas (usually from USB adapters) tend to be of a much lower quality than my connection antennas (usually from a Mini-PCIe adapter). If I’m correct then that means that my connection adapter is capable of sending and receiving at a higher rate than my capture adapter is capable of sniffing at.

A solution to this problem would be to use the same card to capture that I use to sniff, but that’s easier said than done. The Intel 5100 AGN adapter is just about the only internal WiFi adapter I’m aware of that does 802.11n capture. I’m using a Broadcom 802.11n adapter to connect and Broadcom adapters don’t do monitor mode so I’m out of luck.

All was not lost today, however, as I did get to briefly check out AirMagnet WiFi Analyzer version 8.7 with the DWA-160. I had been eagerly anticipating the arrival of my DWA-160 ever since I stumbled upon the fact that version 8.7 offered support for it while on AirMagnet’s website last week. A big pet peeve of mine with AirMagnet has been their slow adoption of support for dual-band 802.11n USB adapters. They made some progress with version 8.6 when they started offering support for the Ubiquiti SR71-USB model, but that was a half-baked solution. The SR71-USB is nice in a lot of ways, but it does not have an internal antenna. That means that to effectively use it you need to carry around external antennas and set them up any time you want to sniff. I don’t like that, so when support for a USB adapter with internal antennas showed up on their website, I was excited.

Upgrading to WiFi Analyzer version 8.7 was the usual simple process. I downloaded the new version from the MyAirMagnet site, ran through the licensing wizard and I was off. I didn’t notice anything different between 8.6 and 8.7 in terms of the interface, but that’s OK because the old version was great anyway.

As I wrote above, my one big annoyance was that I could not capture 802.11n data frames being transmitted by the AP on 2.4 GHz channel 1. When I went to the Infrastructure screen and clicked on my station, the counter for received data frames just stayed stuck at 0. It was really frustrating.

Being the optimist that I am (or at least try to be), I figure that 802.11n capture adapters will improve and that eventually I won’t run into these annoying problems. Until then, just be careful when you need to sniff an 802.11n WiFi network. It’s a good idea to always run a quick check to make sure that data in both directions is being captured before you engage in any detailed frame analysis.
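One way to run that quick check, as an added example that is not part of the original post: count payload-carrying data frames per direction for one BSSID using the ToDS/FromDS bits, ignoring ACKs and Null frames. It assumes each frame is available as raw bytes starting at the 802.11 MAC header; the MAC addresses and sample frames are constructed.

```python
# Added example: check that 802.11 data frames were captured in BOTH directions.
# Assumes each frame is raw bytes starting at the 802.11 MAC header
# (radiotap/PPI capture header already stripped, FCS not included).

TYPE_DATA = 2
TO_DS, FROM_DS = 0x01, 0x02

def classify(frame, bssid):
    """Return 'to_ap', 'from_ap', or None for frames that carry no data."""
    if len(frame) < 24:                 # ACK/CTS or truncated: no 3-address header
        return None
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    # Bit 2 of a data subtype marks the no-data subtypes (Null, QoS Null, ...).
    if ftype != TYPE_DATA or subtype & 0x4:
        return None
    ds = frame[1] & (TO_DS | FROM_DS)
    if ds == TO_DS and frame[4:10] == bssid:      # Address 1 is the BSSID
        return "to_ap"
    if ds == FROM_DS and frame[10:16] == bssid:   # Address 2 is the BSSID
        return "from_ap"
    return None

def direction_counts(frames, bssid):
    counts = {"to_ap": 0, "from_ap": 0}
    for frame in frames:
        direction = classify(frame, bssid)
        if direction:
            counts[direction] += 1
    return counts

def both_directions_captured(frames, bssid, minimum=1):
    counts = direction_counts(frames, bssid)
    return min(counts.values()) >= minimum

# --- Constructed sample frames (not from a real capture) ---
AP, STA, GW = (bytes.fromhex("02aabbccdd0%d" % i) for i in (1, 2, 3))

def make_frame(fc0, flags, a1, a2, a3, body=b""):
    return bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body

UPLINK = make_frame(0x88, TO_DS, AP, STA, GW, b"\x00\x00payload")      # QoS Data, station -> AP
DOWNLINK = make_frame(0x88, FROM_DS, STA, AP, GW, b"\x00\x00payload")  # QoS Data, AP -> station
NULL = make_frame(0x48, TO_DS, AP, STA, GW)                            # Null (power save)
ACK = bytes([0xD4, 0, 0, 0]) + STA                                     # 10-byte ACK
ONE_SIDED = [UPLINK, ACK, NULL, UPLINK, ACK, UPLINK, ACK]

if __name__ == "__main__":
    print(direction_counts(ONE_SIDED, AP), both_directions_captured(ONE_SIDED, AP))
```

The constructed `ONE_SIDED` list mirrors the symptom described above: ACKs and station-to-AP data are present, but no data frames from the AP.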


Written by sniffwifi

March 31, 2010 at 1:46 am

Posted in Uncategorized

Sometimes, 802.11b Just Is Enough


I’ve mentioned in the past that 802.11b has become a thing of the past for most WiFi networks, but recently I happened upon one of these old boys and it worked great. The episode served as a reminder that sometimes you can use old technology well beyond its expiration date if you put it in the right place.


You all know the limitations: 802.11b tops out at 11 Mbps. 802.11b stations sometimes lack support for WPA2 (or even WPA). I’ve never seen an 802.11b device support Block Acks. And many of them don’t even support QoS (which is an underrated way to protect yourself against WEP or PSK cracking, btw). But you also know the benefits: they’re cheap as heck!

There’s another reason besides cheapness that 802.11b remains an enticing choice: Sometimes you don’t need the extra speed. In my recent excursion I was using WiFi to access a wireless ISP. Initially I was surprised to see 11 Mbps traffic in my Wireshark (I was too lazy to boot into Windows; what’s new?), but then I realized that it made sense. If the backhaul from the ISP’s tower was under 18 Mbps, then 802.11b was the right choice. 18 Mbps may move like engine sludge to us city folks, but in the town I was working the top broadband speeds were probably under 2 Mbps.

I will stop short of advocating that new deployments use 802.11b. I mean, the stuff isn’t even sold retail anymore. But a lot of folks do have to choose between 802.11a/g and 802.11n nowadays. 802.11n is great with the extra range that it gives you, but the extra speed sometimes goes to waste. If you’re just delivering Internet service to guests or allowing conference room users to have meetings over MIMO, you’d probably be fine with the older, cheaper stuff. If there’s 802.11b equipment providing professional-grade service for ISPs in 2010, that means there’s a decent chance that 802.11a/g will still be a viable technology three or four years down the road.

Written by sniffwifi

March 25, 2010 at 1:03 am

Posted in Uncategorized

The Quick and The Filtered


I haven’t talked much about AirMagnet products yet on this blog, and that’s a shame. AirMagnet (now owned by Fluke Networks) makes some of the best WiFi sniffing products on the market. Their signature product (AirMagnet WiFi Analyzer) is best of breed for field technicians and it has seen some improvements to its hardcore frame analysis features that folks like me crave.



Fluke AirMagnet WiFi Analyzer has long been the top 802.11 protocol analyzer in terms of market share. It has also long been the top 802.11 protocol analyzer for basic WiFi sniffing. And by, “basic,” I mean the type of quick, focused sniffing that’s needed by field technicians and other folks who are trying to identify the cause of typical problems quickly.

Now, I’m no field technician, but I love AirMagnet. The WiFi Analyzer product is great for my writing work (because it’s widely used), my teaching work (because it makes it easy to show off 802.11 protocols) and my sniffing work (because sometimes I’m not a field technician, but I play one in your office). 

Today started out as a perfect example of the best of AirMagnet. There was an 802.11n wireless router set up in the office and I wanted to sniff it. I could have used WildPackets OmniPeek or Wireshark (with an AirPcap NX, of course), but sniffing 802.11n with those products can be a little bit frustrating. (In fact, sniffing 802.11n is frustrating in general, but that’s a topic for another blog post.) With OmniPeek and Wireshark you have to manually choose what channel you are sniffing on. With AirMagnet, the software automatically chooses the channel of your AP or station when you click on it in the Infrastructure screen.

AirMagnet’s ability to choose a channel for you is especially helpful with 802.11n because 802.11n channels are so screwy. For example, the wireless router I was sniffing today was showing channel 3 in its Beacon. But which channel 3? Channel 3 could be a 20 MHz channel centered at the normal channel 3 frequency (2.422 GHz), it could be a 40 MHz channel with the “+1” or “high” label centered at the normal channel 5 frequency (2.432 GHz) or it could be a 40 MHz channel with the “-1” or “low” label centered at the normal channel 1 frequency (2.412 GHz). With Wireshark and OmniPeek, I’d have to sniff all three channel configurations and figure out which one is carrying the traffic that I want to sniff. With AirMagnet, I just double-click on the relevant AP in the Start screen and the software chooses the correct capture channel for me.

At this point in my morning sniffing, things were going great. I was capturing all of the traffic going through the 802.11n AP (using my trusty DWA-643 ExpressCard) and I was happy.

Then I had to go to the Decodes screen. (At this point I must note that AirMagnet expert Keith Parsons once astutely told me that when you’re using AirMagnet if you’re in the Decodes screen, then you’re in the wrong place.) The Decodes screen in AirMagnet is the place where you see what is being captured, frame-by-frame. I needed to analyze data going through this 802.11n wireless router to see how ordinary data and Null data (used for power save mode) were interacting with each other, so I wanted that intra-frame depth. 

To look at the data going through the 802.11n wireless router, I went to the Decodes and created a filter. Now, with older versions of AirMagnet this would have been a problem. 

It used to be that AirMagnet only supported simple filtering. I could filter on data or I could filter on the 802.11n wireless router, but I couldn’t create a filter that isolates only data frames going through the 802.11n wireless router.

Today’s AirMagnet (I’m using WiFi Analyzer Pro version 8.6) allows for complex filters. I can choose my protocol and my BSSID at the same time. In fact, it’s really easy. There are check boxes in the Decodes screen for BSSID (AP MAC address), Node (station MAC address), IP address and Frame Type (802.11 frames, only). I checked my two check boxes and within seconds I was seeing what I wanted to see.

In the interest of full disclosure, I should mention that AirMagnet has not quite caught up to WildPackets OmniPeek when it comes to hardcore frame analysis. I still have to stop a capture before I can look at the information inside frames and data rates are still not shown while the frames are being captured. Still, the ability to do complex filters is a huge improvement.

I know I tend to be a real OmniPeek evangelist sometimes, and it really is the clear leader when it comes to in-depth WiFi sniffing. But for those times when you want to find something quickly without having to jury rig your WiFi sniffing software too much, AirMagnet’s improved filtering capabilities make it a great choice.

Written by sniffwifi

March 15, 2010 at 7:47 pm

Posted in Uncategorized

A Pleasant WiSpy Surprise


The WiSpy spectrum analyzer has long made wireless folks feel ambivalent. We love the cheap price and the USB form factor, but we hate the fact that it lacks the device identification capability that you get with the Cisco Spectrum Expert and Fluke AirMagnet Spectrum XT. I’ve always been one of those folks who tends to think it’s worth the money to have a more professional-grade product, but while working at a hotel last week my WiSpy really helped me out.


Before I get to my story, I’d like to give a little background on WiSpy. WiSpy is a USB spectrum analyzer from Metageek. I was first told about it about four years ago by Devin Akin, who at the time was the top technical guru for the CWNP Program. When I clicked on the link he sent to my email, I was amazed. Metageek had created a 2.4 GHz spectrum analyzer for $99.

Like any good compulsive gadgeteer I ordered my WiSpy shortly thereafter and started playing with it. Unfortunately, it didn’t take long for me to realize that my initial enthusiasm was misplaced. You see, the original WiSpy was a lot like the current WiSpy dBi. It only analyzed the 2.4 GHz band (which admittedly at the time was more annoying than deal-breaking) and it had no external antenna interface. I still kept the WiSpy in my bag and used it for demonstrations, but for professional work I stuck with the Cognio Spectrum Expert (since acquired by Cisco).

Today things have changed quite a bit, as Metageek now offers a wide range of spectrum analyzers. And when you go with the high end model (WiSpy dBx), you get full 2.4 GHz/5 GHz analysis and a RP-SMA detachable antenna interface.

In large part due to these enhancements WiSpy has been lauded by all sorts of folks as the best way to do WiFi spectrum analysis at a low cost. The WiSpy dBx is just $599 while AirMagnet Spectrum XT, for example, retails for over four times that amount. Still, there has always been an elephant in the room with WiSpy that some sharp-as-a-baby’s-ass wireless writers tend to overlook: the compatible software doesn’t do device identification.

Device identification is a major help in solving a lot of typical interference problems. Looking at a basic FFT or spectrum density graph is nice, but if I’m a field engineer who needs to solve problems fast, I’d rather pay more and get software that tells me exactly what type of device I’m supposed to be looking for.

What does this have to do with me using WiSpy last week, you ask? Well, I was working at a hotel and we wanted to set up some APs using the 5 GHz band. I asked my contact if there are any existing wireless systems I should be aware of, and I was assured that the area was clear. Being my usual skeptical self, I decided to fire up WiSpy anyway. Lo and behold, a trickle of wireless was appearing throughout the UNII-3 channels (149-161). It turns out that their phone system for paging the facilities and food & beverage folks uses the 5.8 GHz ISM band, which overlaps the whole UNII-3 band.

Just to make sure I fired up WildPackets OmniPeek (w/ WUSB600N adapter, as usual) and scanned the 5 GHz band. Sure enough, the hotel had no APs on the channel. Well done, WiSpy. Disaster (being overdramatic here) averted.

Footnote: Some people may note that the premise of this post was flawed in some ways. I shouldn’t need a spectrum analyzer to tell me to avoid 5 GHz channels 149-161 when I’m setting up APs indoors. The UNII-3 band is best suited for outdoor WiFi so I should have been focusing on the UNII-1 band (channels 36-48). That is true, but I find it’s best to still scan 5 GHz channels outside of the UNII-1 band so that you can tell the people who are going to manage the network which specific channels should be avoided.

Written by sniffwifi

March 8, 2010 at 11:29 pm

Posted in Uncategorized