sniffwifi


Archive for August 2013

Eighteen Seconds of (a Very Chatty) iPhone


The iPhone 5 is a chatty device.  How chatty?  I checked, and it is chattier than I thought.

Yours truly has done more WiFi sniffing of iPhones than yours truly cares to recount.  What has always stood out about these captures is the amount of chatter that an iPhone seems to engage in.

I did a little test of my unlocked iPhone 5 to see exactly how chatty it was.  The test involved me turning on the phone’s screen, spending a second looking at iMessage (which happened to be the last app I was on when the screen was turned off), pressing the Home button, opening the Twitter app (because, after all, if you’re not on Twitter these days then you’re not wasting your time properly) and refreshing my Twitter feed.

The test took about fifteen seconds.  My capture saw WiFi frames going to or from my phone for about 17.64 seconds (rounded up to 18 for the purposes of a catchier blog post title).  Here is what it looked like:

The good news is that my phone was using high rates for data.  The highlighted frame above traveled through the air at 121.5 Mbps.  Some of the data frames even went all the way to the iPhone 5’s maximum data rate, which is 150 Mbps.  (And pay no attention to the 6 Mbps or 24 Mbps frames.  That’s control traffic.  Nothing you can do to escape that.)

The bad news is that my phone was very active on the channel despite the fact that all I really did was turn the thing on and refresh my Twitter feed.  Check out the stats from my capture:

The “Displayed” statistics represent my phone’s traffic only.  And what happened in that 17.6 seconds?  268 kB (or, 0.268 MB if you want to look at it that way) was sent across the wireless channel.  That is a pretty large amount of stuff for a simple Twitter feed refresh.  Imagine if I tried to look at a photo or browse the web.

So the iPhone is a chatty Cathy.  It’s not very chatty when the screen is off (unseen above is the fact that the first frame with my phone’s address was sent a full 10 seconds after I started capturing, which coincides with the time I turned on the phone’s screen), but once people start using their iPhones those babies get active even when the user isn’t very active.

What does all of this mean to us?  One thing it means is that conserving battery life ain’t just for the Sierra Club.  Users who keep their screens off are also keeping our WiFi networks clear.  The other big takeaway is that app developers don’t care about us.  They’re gonna make their apps the way they want to make their apps.  I’d bet dollars to donuts (a cliché that no longer makes sense, but still) that developers from Twitter and Apple could have made the iPhone 5 a lot less active on the WiFi channel if they’d have wanted to.  Typically it takes a crisis for app developers to reel in their network consumption.  Who knows if that will happen any time soon.

Written by sniffwifi

August 30, 2013 at 10:52 pm

Posted in iPhone 5, WiFi traffic

Sniffophobia Is Alive and Well


Fear not your sniffers, dear WiFi folk.  For they are your path to the truth.


I had a conference call today and the topic of carrier devices (smartphones, 3G/4G enabled tablets, etc.) on Wi-Fi networks came up.  The person on the other end needed to make sure that his WiFi devices were optimized for a variety of different WLAN infrastructures.

My first reaction (as is my first reaction to most WiFi related topics) was to sniff.  First set up the infrastructure.  Then use the device (which could mean connecting, roaming or running an app).  Then sniff what’s happening.

His reaction to my sniffing idea was pretty negative.  Their testing procedures are basically trial & error.  Set up the WLAN, then connect the device and then document what the user experience is.  If the user experience stinks, then make a change.  He was a sniffophobe.

I get why people are sniffophobes.  WiFi sniffers can be expensive and difficult to learn.  The idea that you’re going to have to train a large group of people to understand sniffing software before you even run your first test may seem daunting.

Sniffers are worth it because actions speak louder than words.  The “words” of a device are its GUI.  The “actions” of a device are its WiFi frames.  Sniffing frames reveals the truth.  If your device is too sticky or too slow or too jumpy or too whatever, then those WiFi frames will usually reveal it.  If you don’t have those frames, then you might be seeing a problem that is caused by something that you are unaware of.

WiFi sniffing is a specialized skill.  But for the people who really need to know details on how a device works or why a connection is unstable or if performance will hold up under stress, sniffing is worth it.  Try to avoid letting sniffophobia keep you from getting the information you need.

Written by sniffwifi

August 22, 2013 at 7:43 pm

Can Single Stream Sniffing Work?


A bunch of WiFi vendors made presentations at the Wireless Field Day events a couple of weeks ago, and the one that piqued my interest the most (at least in a positive way) was WildPackets’.  The WildPackets OmniPeek software can now sniff 802.11ac traffic, with a catch.  The catch?  It only sniffs single-stream 802.11ac traffic.  Is that a useful thing?


First things first: In order to sniff 802.11ac traffic, you need an AE6000 (Linksys Wireless Mini USB Adapter AC 580 Dual Band) adapter.  (And if you decide to buy one and want to support this blog, you can use that link to Amazon.)

The AE6000 adapter is a single stream 802.11ac adapter with a Ralink chipset.  WildPackets is developing a driver for the Ralink chipset and demonstrated the AE6000 in action.  The expectation is that it will be a month or two before the OmniPeek drivers for the AE6000 actually get released, but I bought one so that I’m ready.

Being able to sniff 802.11ac traffic may be great, but the even greater question is, “how useful is single stream sniffing?”

After all, it was less than six months ago that yours truly was writing that three stream capture is necessary for the modern enterprise.  Without three stream capture, the data going to and from a lot of laptops and media centers is going to be missed.  If you work in an area that needs to support those types of devices, that makes three streams a requirement for in-depth troubleshooting.

There are some use cases for single stream capture.  Smartphones, tablets, bar code scanners, point of sale terminals and a number of other smaller devices all use single stream WiFi, and are expected to for the foreseeable future.  All data going to and from those devices can be captured with a well-placed AE6000.

In the future we may see even more devices embrace single stream WiFi.  Remember, single stream WiFi saves battery life.  We all know how frustrated users get with laptops that can’t hold a charge.  Just from my personal experience, I can tell you that I would gladly trade my MacBook Air’s two stream WiFi interface for my iPad’s single stream interface.  My iPad has slower networking than my MacBook Air, but not slow enough that it bugs me.  I’ll gladly take a little bit of delay in my web surfing, emailing and perusing of Twitter in order to extend my laptop’s battery life.  I have to imagine that there are a lot more people out there like me, and so I expect that laptop makers will start to embrace single stream WiFi radios at some point in an effort to serve us battery life fiends.

For today, though, just make sure you know what you’re trying to sniff.  If you have a bunch of tablets and smartphones that need attention, then the AE6000 works.  If the environment includes some multi-stream devices, then stick to sniffing from an adapter that supports multiple streams.

Written by sniffwifi

August 21, 2013 at 2:24 am

An OmniPeek Deal


WildPackets has a sizable discount for OmniPeek Professional right now if you bundle it with three OmniWiFi 802.11a/b/g/n 3-stream USB adapters.  

WildPackets OmniPeek has long been my favorite WiFi sniffer, and the OmniWiFi USB adapter is currently my favorite capture device.  So getting a package of OmniPeek Pro with three OmniWiFi adapters at a $900 discount would seem to be an awesome deal, right?  Sort of.

There are several versions of WildPackets OmniPeek, and for the most part the more expensive versions add features that are far more useful for wired sniffing than for wireless sniffing.  One look at the OmniPeek comparison chart reveals that the Compass screen and roaming testing are the only features that could possibly maybe justify a WiFi person spending $3,000 (discounted to $2,400 as part of the deal referenced above) on OmniPeek Pro rather than $1,200 on OmniPeek Basic.

Compass is nice, and if you have a relatively large budget for WiFi sniffing software, then the deal referenced above may be a good deal.  Budget-conscious folks might have a tougher choice.  Do you want OmniPeek for general monitoring, troubleshooting and analysis?  If so, then maybe Pro is the move.  If you’re more of a hardcore capture person who uses OmniPeek for filtering, statistics gathering and deep analysis, then Basic may be better.

Written by sniffwifi

August 12, 2013 at 2:30 pm

Posted in OmniPeek, OmniWiFi

Cutting Through Traffic Like a Flying V


The 802.11v amendment has been voted, stamped and added.  It is part of the 802.11 standard.  We still are unsure if we’ll ever see it, but if we do it could ease some concerns about high-density WiFi.

Wireless Network Management is its name, and not being adopted is 802.11v’s game.

Wireless network management (WNM) is an addition to the 802.11 standard that puts more control in the hands of admins.  Today, the client/station controls everything: roaming, load balancing and congestion avoidance included.  WNM is designed to put that stuff in the hands of the infrastructure (APs, controllers and management software).

Companies that sell client/stations have (predictably?) declined to adopt WNM thus far.  That means that admins will continue to have to wait for the ultimate careful-what-you-wish-for WiFi technology.

There is, however, one part of WNM that is separate from the move to infrastructure control: Multiple BSSID Beacons.  APs have supported multiple BSSIDs for a long time (and Beacons for even longer), but until 802.11v/WNM, the two were never put together.

Multiple BSSID Beacons are important because they could cause a reduction in channel overhead.  Many WiFi networks that support an array of users are hamstrung by the fact that each BSSID takes up about 2.5% of available 2.4 GHz channel time.  (I wish I could take credit for that calculation, but it was an engineer from Ascom who did the math and relayed it to me.)  That means that a hockey arena deployment that supports separate SSIDs for Team, media, concessions, ticket scanning, audio/visual and guests would lose 15% (6 x 2.5%) of available channel time from each AP.  If the big open spaces like the arena bowl have areas where APs on channels 1, 3, 5 and 7 (a bad channel design, but it happens) are covering the same space, then each of those APs would be losing somewhere between 45% and 60% of available channel time before the first data frame is sent.  If all six of those SSIDs could be contained in one Beacon, the Beacon overhead could be reduced to 10% or less on each channel.
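A rough airtime model for the arithmetic above, added here as an example and not taken from the post or from the Ascom engineer's calculation.  It assumes beacons sent at 1 Mbps with a long preamble every 100 TU and a 296-byte beacon (a size picked so that one BSSID costs 2.5%); `profile_bytes` is a hypothetical amount by which each extra SSID grows a combined beacon.

```python
# Added example: beacon airtime model for the arena scenario in the post.
# Every constant is an assumption for illustration, not a measurement.
TU_US = 1024            # one 802.11 time unit, in microseconds
INTERVAL_TU = 100       # common default beacon interval (assumed)
PREAMBLE_US = 192       # DSSS long preamble + PLCP header
RATE_MBPS = 1.0         # beacons sent at the lowest 2.4 GHz rate (assumed)
BEACON_BYTES = 296      # assumed size, picked so one BSSID costs 2.5%


def beacon_airtime_us(frame_bytes, rate_mbps=RATE_MBPS):
    """Microseconds on air for one beacon: fixed preamble plus payload."""
    return PREAMBLE_US + frame_bytes * 8 / rate_mbps


def channel_overhead(frame_bytes, beacons_per_interval):
    """Fraction of channel time spent on beacons in one beacon interval."""
    airtime = beacons_per_interval * beacon_airtime_us(frame_bytes)
    return airtime / (INTERVAL_TU * TU_US)


def separate_beacons(ssids, overlapping_aps):
    """Today's behaviour: every BSSID on every overlapping AP beacons."""
    return channel_overhead(BEACON_BYTES, ssids * overlapping_aps)


def multiple_bssid_beacons(ssids, overlapping_aps, profile_bytes=0):
    """One beacon per AP; each extra SSID adds profile_bytes (hypothetical)."""
    frame = BEACON_BYTES + (ssids - 1) * profile_bytes
    return channel_overhead(frame, overlapping_aps)


if __name__ == "__main__":
    # Six SSIDs, with 1, 3 or 4 APs audible in the same space.
    for aps in (1, 3, 4):
        print(f"{aps} AP(s): separate {separate_beacons(6, aps):.1%}, "
              f"combined {multiple_bssid_beacons(6, aps):.1%}, "
              f"combined +40 B/profile "
              f"{multiple_bssid_beacons(6, aps, 40):.1%}")
```

With `profile_bytes=0` the combined Beacon matches the 10% figure for four overlapping APs; any per-SSID growth in the combined Beacon pushes it higher, though the fixed preamble is still paid only once per AP.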

Who knows if 802.11v/WNM Multiple BSSID Beacons will ever be adopted.  Hockey fans already saw the Flying V cut through the neutral zone trap to perfection, only to have it go unadopted by those stodgy NHL coaches.  Let’s hope that WiFi vendors treat our V differently.

Written by sniffwifi

August 5, 2013 at 10:34 pm

Posted in 802.11v, WNM