sniffwifi

Just another WordPress.com site

Archive for the ‘CWAP’ Category

A Choice of Filters

with 5 comments

People who do WLAN analysis agree that filtering is a part of sniffing WiFi frames/packets.  More information can be extracted from captures when the focus is on one AP or station or protocol (or a combination of same).  Where people disagree is on which type of filtering is best: capture filters or display filters?  Yours truly is a capture filter man, and some iPhone analysis was a reminder why.


Filtering 802.11 captures is covered pretty well in the CWAP Study Guide (of which I am a co-author).  A capture filter extracts frames before they are captured.  The only frames captured are the ones that match the filter.  A display filter extracts frames after they are captured.  Every frame is captured.  Then the filter is applied so that only frames matching the filter are shown in the protocol analyzer.  To use the example of a filter on my iPhone, if a capture filter were used then all of the frames from all of the other stations on my iPhone’s channel would be lost.  Using a display filter, on the other hand, would mean that everything is captured.  Nothing is lost.  The filter for my iPhone would be applied after the capture has been done, thus allowing frames from other stations to be analyzed later.
The CWAP Study Guide takes a neutral position on WiFi capture filters, but the CWAP course written by Marcus Burton is friendlier to display filters.  The rationale make sense on the surface: with a display filter nothing is lost.  If an iPhone is being analyzed and the iPhone’s frames appear to betray a congestion problem, the display filter can be removed and frames from other stations or APs can be examined.  If a capture filter is used, then that moment of congestion may have been lost.  Those uncaptured frames can never be examined.
There is a down side to using display filters, especially in a congested area: the lack of real-time analysis.  It can be tremendously valuable to be able to watching frames as they are being captured.  If you know what WiFi should look like, then you may be able to identify cases where the WiFi is having problems.  (That’s how I fingered the APs as the culprit when investigating that iPhone VoIP problem that I blogged about a while back.  I watched the frames show up in OmniPeek in real time and saw a stream of Retrys.)  
In general, the best way to filter will depend on your level of expertise.  If you are relative new to sniffing WiFi, then it’s probably best to use display filters.  You probably won’t know what to look for in real time, so it will be best to keep all captured frames.  Once you become an expert, then switching to capture filters is usually better.  The ability to correlate real world, real time behavior (What app is running now?  Is the tablet moving now?  Is the user actively using her device now?) with that scrolling trace of captured frames/packets is often valuable in identifying what is really going on.

If you like my blog, you can support it by shopping through my Amazon link.  Same Amazon store and prices, but I get a kickback.  Thank you.

Advertisements

Written by sniffwifi

January 30, 2014 at 6:09 pm