Wireless Network Analyzer's Overview - Part 1 (Guest Blog)

Wireless Network Analyzer's Overview - Part 1 (Guest Blog)

By Ernesto Fernandez On 07/26/2022

The following content will inform you of four main topics about Wireless network Analyzers (also known as protocol analyzers) when capturing 802.11 frames. You will learn about the appropriate methods and locations for capturing 802.11 frames. You will also learn how to analyze 802.11 frames, discover problems, and find solutions. In addition, you will better understand the application of the common capture configurations. Lastly, you will explore some additional tools to capture 802.11 frames to analyze and troubleshoot Wireless networks in your day-to-day.

Wireless network Analyzer's Overview

Wireless network Analyzer software is a tool used to capture and analyze data traffic over a communication channel. Some of the protocol analyzers options out in the market are, Wireshark, Commview for WiFi, Omnipeek, Airmagnet WiFi analyser pro, etc. Your ability to choose among these common tools would be based on the different factors such as budget, features needed, etc.

Visualization tools are dedicated to analyzing the packets and present a more user-friendly version of the interaction between the device and access point. Such tools are packet analyzers imbedded in different vendors' management platforms, i.e., Mist client insights, Extreme Cloud IQ, Meraki client packet capture, Cisco DNA Center etc. There are also visualization tools that specialize in analyzing packet capture files, such as Eye P.A. from metageek. In a nutshell, visualization tools are a rapid 802.11 packet capture and analytics solution that makes WiFi traffic visible for quick analysis and diagnosis. At a glance, you can find and fix packet loss, monitor channel capacity, minimize congestion, and shed light on network configuration and security issues.

Packet capture options

To perform wireless network protocol analysis, you will have to capture the 802.11 layer 2 frames traversing the wireless network you would like to analyze. You can do that with a portable protocol analyzer such as Commview for WiFi, Omnipeek, Airmagnet WiFi analyzer pro, Wireshark for MacOS, Wireshark for Windows (with the correct wireless adaptor set to monitor mode), Wireshark for Linux, etc. With this method you will be able to take the analyzer close to the device and capture the frames as the device is experiencing (sending and receiving).

Another method of capturing the frames will be with a wireless controller, if you are in a controller-based environment. However, this method would only give you the access points' perspectives and not the devices. Another method is using WIPS (Wireless instruction prevention systems) in which most of these systems will give you the ability to capture wireless layer 2 frames; however, these systems, like the wireless controllers, will only be able to capture at the access point or sensor locations and not at the device location.

Lastly, you can also have a distributed forensics system or monitoring system, which will use dedicated sensors for capturing the wireless layer 2 frames, system such as 7Signal, Omnipeek, or a system like Cisco DNA Center where you would have tri-band access points and you could dedicate one radio to monitor mode. However, these systems will also only be able to capture at the sensor location and not at the device location.

Selecting Adaptors for Wireless network Analyzers

RF Monitor Mode

First and foremost, when doing wireless packet captures, the wireless network adaptor will need to be in RF monitor mode and not in promiscuous mode.

The difference between the two modes is that promiscuous mode will capture everything going in and out of the wireless network adaptor, and RF monitor mode will capture everything on the channel on which the wireless adaptor is listing and that it is capable of "hearing" basde on demodulation capabilities due to the signal to noise ratio (SNR) and the capabilities of the protocol analysis adapter and software. The recommended mode for successful packet capture for wireless network analysis is RF monitor mode, for wireless network analyzer software to utilize the wireless network adaptors in RF monitor mode, you would need to install custom drivers in many systems (particularly Windows-based systems). Most of the time, these drivers will come from the vendor of the wireless network analyzer software, and in some cases like Linux it could be a driver that can change the wireless network adaptor to RF monitor mode. In some cases, the wireless network analyzer software vendor will provide you with a list of network adaptors and their corresponding drivers.

Another important point when selecting wireless network adaptors for packet capture are often done with the use of multiple adaptors with the use of a USB 3 hub. You will have to make sure you select the correct hub in order not to reduce your SNR, some USB 3 hub can reduce SNR up to 20 db, causing your wireless network analyzer not to be able to demodulate the traffic.

Adaptor Selection

The most important point is making sure you get the right wireless network adaptor for the wireless network analyzer software you are using, most of the software out there does not work with all wireless network adaptors and getting the correct wireless network adaptor for the kind of network traffic you are going to be analyzing is very important. For instance, you will need a 3 spatial streams wireless network adaptor to capture 3 spatial streams network traffic. If you are using a 2 spatial stream wireless network adaptor, and your access point is capable of 3 spatial streams, all data sent on the third spatial stream will be missing since your adaptor is only capable of capturing on two spatial streams. The illustration below shows the incorrect adaptor selection in the form of missing data, you will be able to determine it based on the duration times as illustrated.

Click here for part 2.

Reference table:

Material by – CWAP (Certified Wireless Analysis Professional) Study and reference guide, CWAP-403 1st edition by Certitrek publications.

Illustrations by – Wireless Analysis and Troubleshooting CWAP Bootcamp v1.1, MarQuest networking support by Peter Mackenzie.

Tagged with: wireless, wireless network analyzers, packet capture, visualization tools

Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.

Success Stories

I literally just came out of the testing centre having taken the CWDP exam. The certification process opened my mind to different techniques and solutions. This knowledge can only broaden your perspective. Great job, CWNP, you have a great thing going on here.

Read More

Working through the CWNP coursework and certifications helped not only to deepen my technical knowledge and understanding, but also it boosted my confidence. The hard work it took to earn my CWNE has been rewarding in so many ways.

Read More

I want to commend you and all at CWNP for having a great organization. You really 'raise the bar' on knowing Wi-Fi well. I have learned a ton of information that is helping my job experience and personal career goals, because of my CWAP/CWDP/CWSP studies. Kudos to all at CWNP.

Read More