Wireless Network Analyzer's Overview - Part 3 (Guest Blog)
By Ernesto Fernandez On 09/01/2022
Wireless Network Analyzer Views and Features
In this view, the wireless network analyzer shows you all the 802.11 frames captured during a particular packet capture. You will be able to see the time, the source MAC address, possibly the vendor, the destination MAC address, the protocol in use, etc. Different wireless network analyzer vendors lay this out differently, but for the most part you will have a packet list, a packet decode, and the hex and/or binary data available to you.
In the packet list you will find a number of different columns. Which columns are available differs between analyzer vendors, and they can be enabled or disabled to suit the view you need. Some columns are particularly important; for instance, the flags column can indicate CRC errors, retransmissions, etc. These are the types of frames you will need to identify quickly.
Other important columns are the time columns, of which you will have three.
Absolute time – the time at which the packet was originally captured.
Delta time – the elapsed time between consecutive packets. Large gaps between packets can point to contention problems in the environment.
Relative time – the cumulative time measured from a selected packet. This lets you measure the duration of a particular process during the analysis.
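As an added example (not code from the original post), the following Python builds a small packet list from a constructed capture: it decodes the frame control field, computes the absolute, delta and relative time columns described above, and fills a flags column with CRC (FCS mismatch) and RETRY indicators. The frames, MAC addresses and timestamps are constructed for illustration and are not real traffic.

```python
import struct
import zlib

RETRY_BIT = 0x08   # Retry flag: bit 3 of the second frame-control byte
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}


def with_fcs(body: bytes) -> bytes:
    """Append the 802.11 FCS (CRC-32 over header and body, little-endian)."""
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing FCS matches the frame contents (the analyzer's CRC check)."""
    return struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def header(fc: bytes, duration: int, addrs, seq=None) -> bytes:
    """MAC header: frame control, duration, 1-3 addresses, optional sequence control."""
    out = fc + struct.pack("<H", duration) + b"".join(addrs)
    if seq is not None:
        out += struct.pack("<H", seq << 4)   # fragment 0, sequence number in bits 4-15
    return out


# Constructed sample capture: (capture timestamp in microseconds, raw frame incl. FCS).
AP, STA, HOST = mac("aa:bb:cc:00:00:01"), mac("de:ad:be:ef:00:02"), mac("00:11:22:33:44:55")
BCAST = mac("ff:ff:ff:ff:ff:ff")
T0 = 1_662_019_200_000_000   # constructed absolute time (microseconds since the epoch)

beacon = with_fcs(header(b"\x80\x00", 0, [BCAST, AP, AP], 100))
data = with_fcs(header(b"\x08\x01", 44, [AP, STA, HOST], 7) + b"payload")    # To DS = 1
retry = with_fcs(header(b"\x08\x09", 44, [AP, STA, HOST], 7) + b"payload")   # same seq, Retry = 1
ack = with_fcs(header(b"\xd4\x00", 0, [STA]))                                # ACK carries only RA
bad = bytearray(with_fcs(header(b"\x08\x01", 44, [AP, STA, HOST], 8) + b"payload"))
bad[24] ^= 0xFF   # corrupt a payload byte after the FCS was computed -> CRC error

SAMPLE_CAPTURE = [
    (T0, beacon), (T0 + 1200, data), (T0 + 1650, retry), (T0 + 1700, ack), (T0 + 5000, bytes(bad)),
]


def decode_row(number: int, ts: int, frame: bytes, prev_ts: int, ref_ts: int) -> dict:
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    flags = []
    if not fcs_ok(frame):
        flags.append("CRC")
    if fc1 & RETRY_BIT:
        flags.append("RETRY")
    return {
        "no": number,
        "absolute": ts,                 # when the frame was captured
        "delta": ts - prev_ts,          # gap since the previous frame
        "relative": ts - ref_ts,        # offset from the selected reference frame
        "receiver": mac_str(frame[4:10]),
        # Address 2 (transmitter) is absent on ACK/CTS control frames
        "transmitter": mac_str(frame[10:16]) if len(frame) >= 20 else "-",
        "type": TYPE_NAMES[ftype],
        "subtype": subtype,
        "flags": flags,
    }


def packet_list(capture, reference: int = 0):
    """Packet-list rows with the three time columns and a flags column."""
    ref_ts = capture[reference][0]
    rows = []
    for i, (ts, frame) in enumerate(capture):
        prev_ts = capture[i - 1][0] if i else ts
        rows.append(decode_row(i + 1, ts, frame, prev_ts, ref_ts))
    return rows


if __name__ == "__main__":
    for r in packet_list(SAMPLE_CAPTURE, reference=1):
        print(f"{r['no']:>2} {r['delta']:>6} us {r['relative']:>6} us "
              f"{r['transmitter']:<17} -> {r['receiver']:<17} "
              f"{r['type']}/{r['subtype']} {','.join(r['flags'])}")
```

With the first data frame selected as the reference, the retransmission shows up 450 µs later with the RETRY flag and a relative time of 450 µs, while the corrupted frame is flagged CRC; the delta column makes the 3.3 ms gap before it stand out.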
The packet decode view is very important to understand, whichever wireless network analyzer you select. It gives you a translation, if you will, from the computer's language (ones and zeros) into something a human can read. The decode view has several sections, the first of which is the following.
The packet info / radiotap header – this information is generated by the wireless network analyzer and added to the frame at capture time. It is not part of the 802.11 MAC frame: some of it is derived from the PLCP header, some may be provided by the adapter's driver, and some may be calculated by the analyzer itself.
Field name – the names of the fields carried in the frame, for instance duration, destination, etc.
Field value – the value corresponding to a field name, for instance 233 MS for the duration, or the destination's MAC address. A value is often shown in three different representations: binary, which starts with a percent sign (%); decimal, shown as plain digits; and hexadecimal, which starts with "0x".
Interpretive text – the field's meaning translated into a form that is easier for you to understand.
Raw hex – the data in its original form at the time of capture, as seen by the wireless network analyzer.
ASCII encoding – the character encoding used to render the raw hex data as readable text.
Wireless Network Analyzer Views
These views are features that give you more granular information about the statistics and performance of the wireless environment. For instance, you can see in one place how many retransmissions occurred, the channel utilization, and graphical representations of the top channels, top talkers, top access points, top protocols, etc. This information can be very useful when analyzing a wireless network.
It is also very important to know where to find the channel information when capturing data for wireless network analysis. You can find it in the following places.
The radiotap header / packet info – the channel information is listed in this section of the packet view.
Packet list columns – the channel information is also available in one of the columns in this section; depending on the vendor, you may or may not have to enable that column.
Channel Information in the Beacon Frame
This is important to note: in some instances, when capturing a beacon frame, the channel information is in the radiotap header. However, it can also be in the DS (Direct Sequence) Parameter Set, if that element is present in the packet, as it is in 2.4 GHz traffic. It is very important to notice that the channel you captured the packet on is recorded in the radiotap header, while the channel the packet was transmitted on is in the frame fields, and the two are not always the same. For instance, you may capture a packet on channel 2 that was actually transmitted on channel 1. The reason is that those channels overlap: if the transmission has enough signal strength, you can capture the uncorrupted frame and demodulate and decode it on the channel you are listening on, which indicates a possible channel interference problem.
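To make the difference concrete, here is an added Python example (not code from the original post) that reads the frequency from the radiotap Channel field, converts it to a channel number, and compares it with the channel carried in the beacon's DS Parameter Set element. The radiotap header and beacon frame are constructed for illustration; the default sample reproduces the case in the text (captured on channel 2, transmitted on channel 1). The radiotap walker only knows the first seven standard fields and stops at the first unknown one, which is enough for the common capture drivers but is an assumption of this example.

```python
import struct

# Radiotap fields this walker understands, keyed by present-bit number: (alignment, size).
# Fields appear in bit order and each is padded to its natural alignment.
RADIOTAP_FIELDS = {
    0: (8, 8),  # TSFT
    1: (1, 1),  # Flags
    2: (1, 1),  # Rate
    3: (2, 4),  # Channel: u16 frequency in MHz + u16 channel flags
    4: (2, 2),  # FHSS
    5: (1, 1),  # dBm antenna signal
    6: (1, 1),  # dBm antenna noise
}
CHANNEL_BIT = 3


def radiotap_channel(packet: bytes):
    """Return (frequency in MHz or None, radiotap header length) for a radiotap-prefixed packet."""
    version, _pad, length, present = struct.unpack_from("<BBHI", packet, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version")
    offset, word = 8, present
    while word & (1 << 31):               # skip extended presence words (e.g. vendor namespaces)
        word = struct.unpack_from("<I", packet, offset)[0]
        offset += 4
    freq = None
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break                         # unknown field size: cannot walk further
        align, size = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) // align * align
        if bit == CHANNEL_BIT:
            freq = struct.unpack_from("<H", packet, offset)[0]
        offset += size
    return freq, length


def freq_to_channel(freq_mhz: int) -> int:
    """Map a center frequency to its channel number (2.4 GHz and 5 GHz bands)."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5895:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"frequency {freq_mhz} MHz not in a supported band")


def beacon_ds_channel(frame: bytes):
    """Channel from a beacon's DS Parameter Set element (ID 3), or None if absent."""
    if (frame[0] & 0xFC) != 0x80:         # type 0 (management), subtype 8 (beacon)
        return None
    offset = 24 + 12                      # MAC header + timestamp(8) + interval(2) + capability(2)
    while offset + 2 <= len(frame):
        tag, ln = frame[offset], frame[offset + 1]
        if tag == 3 and ln == 1:
            return frame[offset + 2]
        offset += 2 + ln
    return None


def channel_check(packet: bytes) -> dict:
    """Compare the capture channel (radiotap) with the transmit channel (frame body)."""
    freq, rt_len = radiotap_channel(packet)
    captured_on = freq_to_channel(freq) if freq is not None else None
    transmitted_on = beacon_ds_channel(packet[rt_len:])
    return {
        "captured_on": captured_on,
        "transmitted_on": transmitted_on,
        "mismatch": None not in (captured_on, transmitted_on) and captured_on != transmitted_on,
    }


def build_sample(freq_mhz: int, ds_channel: int) -> bytes:
    """Constructed packet: radiotap (Flags, Rate, Channel, dBm signal) + beacon without FCS."""
    radiotap = struct.pack("<BBHI", 0, 0, 15, 0x2E) + struct.pack("<BBHHb", 0, 2, freq_mhz, 0x00A0, -62)
    ap = bytes.fromhex("aabbcc000001")    # constructed AP address
    mac_hdr = b"\x80\x00" + struct.pack("<H", 0) + b"\xff" * 6 + ap + ap + struct.pack("<H", 100 << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, capability
    elements = b"\x00\x06lab-ap" + b"\x01\x04\x82\x84\x8b\x96" + bytes([3, 1, ds_channel])
    return radiotap + mac_hdr + fixed + elements


if __name__ == "__main__":
    print(channel_check(build_sample(2417, 1)))   # heard on channel 2, sent on channel 1
```

A mismatch report from this check is exactly the overlapping-channel case described above; when the two values agree, the beacon was heard on the channel its AP is configured for.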
This list gives you information such as who the top talker in the wireless network is and who is sending the most multicast traffic; you can also identify unexpected vendors or devices (rogue devices) and find a device sending too much traffic. Once a problematic device is identified, you can address it quickly.
In this view, you can see the different types of protocols/frames, do quick filtering on the different protocols/frames, and in some cases see a brief description of each protocol/frame.
This view is useful if you can decrypt the upper-layer traffic. However, depending on the type of encryption on the wireless network, decrypting the traffic is not always possible. If you need to see the upper-layer traffic, it is recommended to do a packet capture on the wire beyond the wireless access point. The capture point has to be on the traffic path of the particular device: it may be directly past the access point, or directly after the wireless LAN controller, depending on the type of wireless environment you are working in.
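The following added Python example (not code from the original post) covers both the top talkers list and the protocols view: it names each frame from its type and subtype, produces per-protocol counts with a quick filter, ranks transmitters by bytes sent (optionally multicast only), and tags each transmitter with a vendor from an OUI lookup so an unknown vendor stands out. The sample frames, MAC addresses and the OUI table are constructed for illustration; a real analyzer uses the IEEE OUI registry.

```python
from collections import Counter

# Common 802.11 frame names keyed by (type, subtype).
FRAME_NAMES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 9): "Block Ack", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data", (2, 12): "QoS Null",
}

# Constructed OUI table for this sample only (placeholder vendor names).
OUI_VENDORS = {"aa:bb:cc": "ExampleVendor (AP)", "de:ad:be": "ExampleVendor (client)"}

AP, STA1, STA2 = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02", "de:ad:be:ef:00:03"
UNKNOWN = "ba:d0:00:00:00:01"            # constructed device with an OUI not in the table
BCAST, MCAST = "ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:fb"

# Constructed sample frames: (first frame-control byte, transmitter, receiver, length in bytes).
# The transmitter is None for ACK/CTS, which carry only a receiver address.
SAMPLE = [
    (0x80, AP, BCAST, 230), (0x80, AP, BCAST, 230),      # beacons
    (0x40, STA1, BCAST, 80),                             # probe request
    (0x88, STA1, AP, 1500), (0xD4, None, STA1, 14),      # QoS data + ACK
    (0x88, STA2, MCAST, 300), (0x88, STA2, MCAST, 300), (0x88, STA2, MCAST, 300),
    (0x88, AP, STA1, 1500), (0xD4, None, AP, 14),
    (0x40, UNKNOWN, BCAST, 80),                          # probe request from an unexpected device
]


def frame_name(fc0: int) -> str:
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    return FRAME_NAMES.get((ftype, subtype), f"type {ftype} subtype {subtype}")


def protocol_summary(frames) -> Counter:
    """Frame count per protocol/frame name, as the protocols view shows it."""
    return Counter(frame_name(fc0) for fc0, _, _, _ in frames)


def filter_frames(frames, name: str):
    """Quick filter: only the frames of one protocol/frame type."""
    return [f for f in frames if frame_name(f[0]) == name]


def is_multicast(addr: str) -> bool:
    """Group bit set in the first octet, excluding the broadcast address."""
    return bool(int(addr.split(":")[0], 16) & 1) and addr != BCAST


def vendor(addr: str) -> str:
    return OUI_VENDORS.get(addr[:8], "unknown vendor (investigate)")


def top_talkers(frames, n: int = 3, multicast_only: bool = False):
    """Transmitters ranked by bytes sent: [(address, bytes, vendor), ...]."""
    bytes_by_tx = Counter()
    for _fc0, tx, rx, length in frames:
        if tx is None or (multicast_only and not is_multicast(rx)):
            continue
        bytes_by_tx[tx] += length
    return [(tx, total, vendor(tx)) for tx, total in bytes_by_tx.most_common(n)]


if __name__ == "__main__":
    print(protocol_summary(SAMPLE))
    print(top_talkers(SAMPLE))
    print(top_talkers(SAMPLE, multicast_only=True))
    print(filter_frames(SAMPLE, "Probe Request"))
```

On the sample, the AP is the top talker by bytes, STA2 is the only multicast sender, and the probe request filter surfaces the device whose OUI is not in the table.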
Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.