Just another site

Archive for January 2015

Free Sniffing in Windows! (Kind Of)

with one comment

Nine months ago (bad way to start a blog post, I know) I wrote a blog about the future of WiFi sniffing.  In the comments section (perhaps the only worse thing for a blogger to say), someone mentioned a free, Windows-based application called Acrylic WiFi.   I briefly checked out the app and dismissed it as yet another Discovery utility disguised as a something more. 

Then I actually used Acrylic WiFi and…  it works!  It sniffs WiFi frames (sort of) and it does it for free (outside of the cost of an ordinary 802.11 USB adapter)!  This changes everything (kind of)!

For years, the method for free WiFi sniffing on a Mac has been simple.  Head down to the bottom of this post for a reminder.

Now, we can do similar things in Windows.  It’s not quite as simple and it’s not totally free, but it works (pretty much).

1. Download and install Acrylic WiFi Free, including Monitor Mode support (and, actually, if you can find an old download of Acrylic v1, then you’ll be able to save captured frames in a *.pcap file, just like you can in Mac OS X Wireless Diagnostics.  If you download Acrylic v2 [the current version], then you can’t).

2. Procure (see, I can use corporatey talk sometimes too) a USB adapter that allows monitor mode capture in Acrylic (I use the Netgear A6200, and if you use that link then you’ll be supporting this blog by giving me a kickback from Amazon).

3. Open Wireshark (and if you’re a Mac user running 64-bit Windows in Bootcamp or as a Virtual machine, you’ll have to Run as Administrator).

4. Select the Acrylic NDIS Netgear A6200 (or whichever model of USB adapter you procured) Adapter and click Start.

Bingo!  A real-life 802.11 Monitor Mode capture in Windows (just about), done for free!  (Actually, for the cost of an ordinary WiFi USB adapter, but still…)

And here’s a tip for enabling a channel scan by using Acrylic with Wireshark:

Normally, Wireshark only allows for monitor mode capture on a single channel.

Just look at that screenshot above.  No channel scanning option to be found.  

If you decide that you want to scan channels for whatever reason, all you have to do is let Acrylic control the capture.  Just open Acrylic (while keeping Wireshark open and capturing), click Monitor in the upper right until it says, Monitor: ON, and then click the channel number just to the left to choose which channels you want to scan.  See:

Fantastic.  We can not only do a (nearly) free monitor mode capture with channel scanning in Windows (more or less).

About that, “more or less” (and the “kind of” and “sort of” and all the rest)…

Monitor mode capture with an Acrylic driver is flawed.

Check out this little capture I did of my iPod Touch (the most underrated device in the history of WiFi site surveying, troubleshooting and analysis, by the way) streaming the 2015 Royal Rumble on WWE Network:

Specifically, check out the Rate column in that screen shot.  Every single cotton-pickin’ frame captured by my Netgear A6200 using the Acrylic WiFi driver shows the same rate: 0.0 Mbps.

(And just to show that it’s not a problem with my setup, here’s what it looks like when the Airpcap NX adapter does a monitor mode capture into Wireshark:

Notice that the rate of 58.5 Mbps comes through loud and clear.)

So, there you have it.  You can now do free sniffing in Windows, but there are still kinda/sorta limits to how useful it can be.


If you like my blog, you can support it by shopping through my Amazon link or donating Bitcoin to 1N8m1o9phSkFXpa9VUrMVHx4LJWfratseU

ben at sniffwifi dot com

Twitter: @Ben_SniffWiFi


Free sniffing in Mac OS X:

1. Open Wireless Diagnostics (in Mac OS X 10.10 [Yosemite], holding down alt/option while clicking the WiFi Settings icon on the top menu bar reveals Wireless Diagnostics).

2. Open the Sniffer window (older versions of Mac OS X have different methods of sniffing, but a monitor mode capture has always been an option in Wireless/WiFi Diagnostics).

3. Choose your Channel and click Start.

4. When finished, click Stop, and then go to the Desktop to open the captured frames (in the form of a *.pcap file) in Wireshark.

If you like my blog, you can support it by shopping through my Amazon link or donating Bitcoin to 1N8m1o9phSkFXpa9VUrMVHx4LJWfratseU

ben at sniffwifi dot com

Twitter: @Ben_SniffWiFi

Written by sniffwifi

January 27, 2015 at 7:33 pm

How Fast Is My 802.11ac WiFi?

leave a comment »

802.11ac is the latest and greatest WiFi standard, but it’s confusing.  So many questions: Is it really that much faster than 802.11n? (It can be.)  Is it worth upgrading?  (Probably not in the enterprise, but at home, absolutely.)  How fast is my device?  (Data rates as low as 6.5 Mbps and a high as 1.3 Gbps.)  

Getting specific answers to 802.11ac performance questions can be a chore sometimes, but there’s a simple way to check your APs.  All you need is a wireless sniffer and about five minutes.

Today I wanted to find out what my 802.11ac AP is capable of.  I suppose I could’ve gone in search of a data sheet, but instead I decided to break out the wireless sniffer.  It was a quick and simple process.

Step 1: Find the channel of your AP

If you’re a Mac OS X user, you can use Wireless Diagnostics.  If you use Windows, then Acrylic WiFi is probably your best option.

My channel was 48.

Step 2: Capture on your channel 

Using a professional protocol analyzer like AirMagnet WiFi Analyzer or WildPackets OmniPeek is usually best.  If you need to keep it free (but remember, free sniffer software almost always means having to spend/waste more time once it’s time to get a job done), then OS X users can use the Wireless Diagnostics Sniffer window and Windows users can install Acrylic WiFi drivers on certain USB adapters and capture into Wireshark.

I started a capture in OmniPeek on Channel 48.

Step 3: Filter on Beacon frames

If you use Wireshark, then type the following in to the Filter text box and click Apply:

wlan.fc.type_subtype == 0x8

I used OmniPeek, so I went to the Filters window (link on the left hand menu bar), opened the Wireless filters and selected the 802.11 Beacons filter.

Step 4: Open a Beacon from your AP

This is the only step where things could get tricky.  You need to make sure that you are looking at your AP and not the neighbors.  In Wireshark that means you might have to try out source MAC addresses until you find one that looks like your AP.

In OmniPeek, I went to the Packets window (again, via the link on the left hand menu bar), enabled the Decode column (by right-clicking any of the existing columns and scrolling all the way to the bottom in order to select Decode) and then selected the SSID field within the SSID information element.  I was then able to see the SSID of every Beacon frame by looking at the Decode column.

Step 5: View the VHT Supported MCS Set

Once you have found a Beacon from your AP, you’ll have to open up the Beacon’s decode and find the VHT Capabilities information element.

In OmniPeek, the VHT Capabilities information element was down towards the bottom.  Once I found it, I opened it up and was able to see the VHT Supported MCS Set.

The key thing to look for is the number of lines that read “10”.  A line that reads “10” indicates that a spatial stream is available.  A line that reads “11” indicates that no spatial stream is available.  That means if three lines read “10” and the remaining five lines read “11”, then there are three (of the possible eight mentioned in the 802.11ac standard) spatial streams available for my AP.

What does that mean for data rates?

1 spatial stream: 6.5 Mbps to 433 Mbps data rates
2 spatial streams: 6.5 Mbps to 867 Mbps data rates
3 spatial streams: 6.5 Mbps to 1.3 Gbps data rates

The reason that multiple spatial stream devices can use single stream rates like 6.5 Mbps is that all 802.11ac devices allow MIMO (the technology behind multiple spatial streams) to be used to improve range instead of speed.  So, my three-stream 802.11ac AP could use its MIMO powers to increase range by keeping the data rate as low as 6.5 Mbps.

This whole process should take you less time than it took to read this blog post (which doesn’t say much about Yours Truly’s relationship with brevity, but I digress).  Once you know what your APs support, it will be that much easier to set up a WiFi network that fits your needs.

If you like my blog, you can support it by shopping through my Amazon link or donating Bitcoin to 1N8m1o9phSkFXpa9VUrMVHx4LJWfratseU

ben at sniffwifi dot com

Twitter: @Ben_SniffWiFi

Written by sniffwifi

January 27, 2015 at 12:45 am

Posted in 802.11ac, Data rates

Killing My WiFi (With This Song)

leave a comment »

Spec-ing the Layers with WiSpy
(one time, one time)
Channel gone red with this stream
(two times, two times)
Killing my channel with this song
Killing my WiFi
With this song
Taking my WiFi
With this stream
Killing my WiFi
With Bluetooth spe-ee-ee-eeakers…

Wireless streaming (music, video or, in the case of the wonderful song referenced above, a music video) can sure kill a WiFi connection.  It’s good to have a spectrum analyzer to identify the problem.  It’s even better to remember to use it.

Wireless streaming devices are popular nowadays, but most of them are benign.  An AppleTV, for instance, can wirelessly stream audio and video or it can act as a mirroring device for whatever audio or video is on your smartphone, tablet or laptop.  (And mirroring is tougher on WiFi than basic streaming.  When I mirror my iPhone 5, I’m creating three streams.  One from my wireless router to my phone for the Internet stream, a second from my phone back to the wireless router as part of mirroring and then a third from my wireless router to my AppleTV, also as part of mirroring.  Mirroring is a real bandwidth hog.)  When I stream or mirror to an AppleTV, the wireless audio or video is all using WiFi.  The 802.11 standard (which is what WiFi is based on) has excellent sharing protocols built in, so that my other WiFi devices don’t get killed by my streaming or mirroring.

Non-WiFi streaming devices can be a big problem.  Sonos systems, for example, are commonly set up using a non-WiFi wireless technology.  In fact, if Sonos audio is used as part of a home theater, non-WiFi wireless is required.  Sonos, and many other non-WiFi streaming systems, use the 2.4 GHz frequency band.  Some speakers may use Bluetooth and some may use a proprietary technology, but it’s almost all 2.4 GHz.  And when it’s in the 2.4 GHz band and it’s not WiFi, then it doesn’t share the way 802.11 devices do.  It creates interference.

So, what to do about 2.4 GHz interference?  First of all, don’t do what I did when I was trying to help a friend set up his WiFi recently.

My friend is paying for 150 Mbps Internet download speeds, but he was getting less than 1 Mbps.  He was using a wireless modem from the phone company, and the wireless modem is a model that I’ve had problems with before.

I was faced with an important choice:

A) Troubleshoot like a professional by working my way up the OSI layers.  Start with the physical layer by running a spectrum analyzer (I use Metageek WiSpy 2.4x with Chanalyzer software.  Lots of people use WiSpy DBx because it allows for analysis of the 5 GHz band, but that is unnecessary and can sometimes even be counterproductive).  Then move to the MAC layer by checking devices’ WiFi Settings and possibly using a Protocol Analyzer.

B) Act like I know everything and complain to the phone company about their crappy wireless modem.

Naturally, I chose B.  After wasting hours on the phone with the phone company (hours that we were supposed to be spending seeing “Top Five” before the Kings vs. Maple Leafs game), I finally set up a 5 GHz radio with a separate SSID and saw the Sonos interference magically (not magic, of course, because Sonos systems only ruin the 2.4 GHz band) disappear.

The moral(s) of this story?

1) Avoid acting like a know-it-all when troubleshooting wireless problems.

2) Start with a quick spectrum sweep if audio/video streaming is happening nearby.

3) Don’t sleep with your co-star if you don’t want to get divorced.

One last little note: I’m often a critic of spectrum analyzers.  I see people (people on Twitter, people on blogs and especially people in real life) use them incorrectly all the time.  “If you’re looking at Duty Cycle, you’re in the wrong place,” is a saying that I like using when it comes to using spectrum analyzers in WiFi environments, for example.  But spectrum analyzers are darned good for one very specific use: identifying things (speakers, microphones, security cameras, microwave ovens) that are killing your WiFi (with or without this so-oo-ooooong).

If you like my blog, you can support it by shopping through my Amazon link or donating Bitcoin to 1N8m1o9phSkFXpa9VUrMVHx4LJWfratseU

ben at sniffwifi dot com

Twitter: @Ben_SniffWiFi

Written by sniffwifi

January 6, 2015 at 10:07 pm