Forum

  • > There should be a simple test to see if it's the cause - change your 10 minute sample period to 30 minutes for a couple of days.

    Changing something so foundational in 10K lines of 20-year-old code is not something I want to play with. Especially when it controls the wood-fired boiler and my solar panel hydronic pumps.

    So I set up a portable test, with the Surface Book using my iPhone Personal Hotspot to access the TP-Link from WAN / outside via cellular and the internet, and listen to a tiny stream of Telnet text from my house computer. The data source is hardwired to the TP-Link router, so the only Wi-Fi involved was what I carried with me.

    Using the Telnet app on the iPhone, it streams full speed constantly, no matter where I'm located. (Using iPhone Telnet to access it via any local Wi-Fi also runs at full speed.) The same stream on the Surface Book via its Wi-Fi slows to as little as 1 char per second, every ten seconds - no matter what Wi-Fi it is connected to. And even with it disconnected from any power wiring.

    There seemed to be locations and orientations that made the problem better or worse at any given moment, but return to them minutes later and the good or bad spots were completely different. There was no spot where the slowdowns were not painfully obvious. I had the Surface Book inches from each of the house computers, from the solar wiring and the MPPT and inverter, from each of the 5 GHz WISP stations, and all over all levels of the house. No repeatable differences. I had it out in the garden beyond any Wi-Fi, in or out of the 5 GHz path - no differences. I really don't think it is interference. At least not from any of my house equipment...

    My 5 GHz WISP station has a Spectrum Analyzer function, so I scanned 4920 to 6090 with it. Nothing above -80 dBm anywhere. Narrowband stations at 5400 and 5600. Something all over 4965-5005, strongest 4975-5000. Somebody at 5225-5245 Wi-Fi Ch.46, but around -100 dBm. Nothing strong enough to interfere with my Wi-Fi.

    Wish I could do that for the 2.4 GHz band... Once in a rare while I see an unknown AP in one of my lists, but never for long enough to try to connect to it. But there could be other kinds of signal. Still, the Surface Book problem is always there, day or night, weekday or weekend, rain or shine. And Linux or the iPhone on the same APs have no problems.


    I did run into a strange problem with Linux the last few days, not being willing to connect to the TP-Link at 2.4 GHz. Perfectly happy on 5 GHz, even with barely any signal at its location. The one incident I've analyzed comes down to this:

    4584 20:19:04.535571 43.812071 Tp-LinkT_ca:85:83 Gazp9.local 802.11 417 Probe Response, SN=1330, FN=0, Flags=........, BI=100, SSID=TP-LINK_2.4GHz_CA8583[Malformed Packet]
    --> BUT the ACK from gazp9 to almost every probe response sets the 'P' flag!!!
    4585 20:19:04.535862 0.000291 Tp-LinkT_ca:85:83 (f8:1a:67:ca:85:83) (RA) 802.11 28 Acknowledgement, Flags=...P....
    --> followed immediately by another request:
    4591 20:19:04.555356 0.014951 Gazp9.local Broadcast 802.11 88 Probe Request, SN=1006, FN=0, Flags=........, SSID=Wildcard (Broadcast)
    --> gazp9 just keeps ignoring responses, sending more requests...

    Eventually...
    5449 20:19:25.377191 0.003021 fe:1a:67:ca:85:83 Gazp9.local 802.11 200 Probe Response, SN=1433, FN=0, Flags=........, BI=100, SSID=GCA8583[Malformed Packet]
    --> with the usual P flag ACK:
    5450 20:19:25.377485 0.000294 fe:1a:67:ca:85:83 (fe:1a:67:ca:85:83) (RA) 802.11 28 Acknowledgement, Flags=...P....
    --> and a good response, no P flag, but not until 3 seconds later:
    5619 20:19:28.390104 0.009840 Gazp9.local Tp-LinkT_ca:85:83 802.11 48 Authentication, SN=120, FN=0, Flags=........
    5620 20:19:28.390392 3.013201 Gazp9.local (30:3a:64:79:8e:de) (RA) 802.11 28 Acknowledgement, Flags=........

    I found that point in the gazp9 journalctl log:
    ---
    Mar 31 20:19:28 Gazp9 wpa_supplicant[610]: wlp3s0: SME: Trying to authenticate with f8:1a:67:ca:85:83 (SSID='TP-LINK_2.4GHz_CA8583' freq=2462 MHz)
    Mar 31 20:19:28 Gazp9 kernel: wlp3s0: authenticate with f8:1a:67:ca:85:83
    Mar 31 20:19:28 Gazp9 kernel: wlp3s0: send auth to f8:1a:67:ca:85:83 (try 1/3)
    Mar 31 20:19:28 Gazp9 NetworkManager[541]: <info> [1554088768.3846] device (wlp3s0): supplicant interface state: scanning -> authenticating
    Mar 31 20:19:28 Gazp9 NetworkManager[541]: <info> [1554088768.3846] device (p2p-dev-wlp3s0): supplicant management interface state: scanning -> authenticating
    Mar 31 20:19:28 Gazp9 kernel: wlp3s0: authenticated
    Mar 31 20:19:28 Gazp9 dbus-daemon[537]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by ':1.9' (uid=0 pid=541 comm="/usr/bin/NetworkManager --no-daemon ")
    Mar 31 20:19:28 Gazp9 dbus-daemon[537]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.resolve1.service': Unit dbus-org.freedesktop.resolve1.service not found.
    Mar 31 20:19:28 Gazp9 kernel: iwlwifi 0000:03:00.0: No beacon heard and the time event is over already...
    Mar 31 20:19:28 Gazp9 kernel: wlp3s0: Connection to AP f8:1a:67:ca:85:83 lost
    ---

    Aha! I had missed that until just now - the "dbus-org.freedesktop.resolve1.service not found" error is a bug in the latest Antergos/Arch system update, that I hadn't fixed until today. Still, I don't think it is the cause of the auth failure, since the 3 seconds have already lapsed by the time it is declared. And the connection problem disappeared last night, before I even knew about the update bug.

    Wireshark shows constant beacons during that three seconds. And a Surface Book power flag and RTS storm in the middle of the delay. I really need to understand how that power flag is supposed to be used! Why would the ACK from gazp9 to almost every probe response from TP-Link set the 'P' flag? Isn't that saying don't bother continuing this, I'm going to ignore you? The Surface Book never sets that flag on ACKs to probe responses.

    There were three other places where I saw ACKs with 'P' set - da:a3:d3:9c:f3:d1, ea:31:70:73:23:3b, and 46:cf:d9:3d:9d:cc - all unknown MACs that don't resolve to any valid company. Each showed one quick burst of interaction, like maybe some phone going past on the highway a mile away. I'm mystified how Wireshark came up with the invalid MACs. But all of their packets in both directions showed the same Signal strength as the TP-Link... So maybe they weren't fleeting glimpses of distant phones... Maybe Wireshark bugs?

    Somehow the problem connecting Linux to 2.4 GHz went away last night, as mysteriously as it had appeared, I have no clue why!


    > In addition, some solar system gear is notorious for creating RF interference, both radiated and conducted (over the cabling). Have you checked that out ?

    I know the MPPT is horribly noisy when the sun is out, and the inverter is not exactly quiet. I had an ancient shortwave receiver that was my main source of entertainment when I first moved here and had only PV panels wired to batteries. Before I sold it last year I checked, and could barely pick WWV out of the noise, even at night with the AC off. Way too many computers here!

    > There is a new book out, called Energy Choices for the Radio Amateur.

    I suspect modern computer-controlled solar is hopeless.

    > I am really interested in your solar setup. I have a small amount of yard, and roof space, that I have been contemplating dedicating to a solar system.

    Step one is considering the power choices you have now. If you need heat and hot water and don't have natural gas, solar thermal has by far the best payback - if you can do it yourself or find someone who is not a fly-by-night idiot to design and build it. Solar electric payback depends on your commercial power rate, your latitude, and your local weather (frequent clouds and fog, or excessive heat, seriously cut the benefit).

    You can see a bit of my systems here:
    https://faircompanies.com/videos/c-programming-pioneer-hacks-off-grid-diy-smart-home/
    https://faircompanies.com/videos/norcal-veteran-coder-customizes-off-grid-home-with-sensors/

  • By Howard - edited: April 11, 2019

    Thanks Loren,

    I'll have to look into this all more later, right now I am upgrading my WLAN hardware.

    I should let you know, if you don't know it already, that  Apple phones (as of iOS 8.0) use fictitious MAC addresses to preclude malicious tracking.   They are nearly random, but the phones can be tracked once they have fully authenticated and associated.

    Originally retailers hoped to use phone MAC addresses, for marketing and sales promotions once a phone was on premise, at either a mall or store.   But Apple changing the MAC address, while roaming, pretty much cancelled that hope.   It can still be done by you or them, to some extent, if you know what's up.

    There are one or two discussions on the algorithm used by Apple.  I think it was Jerome Henry who had published a really good one just a couple years ago.

    I'll be back online in a day or two..

               Howard

    PS:   I've been a proponent of solar water heaters ever since my dad talked about them almost 60 years ago (he was an officer in the AWWA), and I benefited from them myself in Santa Monica during the 1994 earthquake, when most of the gas in the city was off.

  • Interesting about Apple MACs. I have four family iPhones of various ages in my router logs, and all use consistent MAC addresses on any of my Wi-Fi. And all of them trace directly to Apple. But maybe that's only after they are authenticated? I haven't ever captured the whole process from probe request...  Or maybe it is only on cellular they are randomized? 

    I came back here because I was looking in my browser history for a totally different reason, and discovered what fixed the Linux gazp9 access to TP-Link 2.4 GHz Wi-Fi! It was setting WMM back to Enabled! I had Disabled it as mentioned several days ago, only on the 2.4 GHz side. I turned off my "guy mode" technical mind and went off to watch YouTube videos while I made dinner. They were horribly interrupted, and eventually the connection didn't recover. I tried 5 GHz and it was perfect - WMM still enabled. But at the time I totally didn't relate WMM to the connect failure. So glad at least one mystery is solved! 

    Good luck with your network upgrade! My last serious change took most of two days. And then I had to document it all...

  • By Howard - edited: April 11, 2019

    Got my network rebuilt in half a day, but spent another day tuning it.   Busy with other stuff since then including taxes.

    Right this moment, I'll try to comment on several items we have touched on - In NO particular order.

    1) From the MS links you provided earlier, it is apparent that Win-10 makes a point of being able to "reset any hung Wi-Fi or BT device in a maximum of 10 Seconds."   Note the "10" here (i.e. there are no coincidences !!).

    2) Also found there is a discussion of how Wi-Fi Native Device support has been deprecated and now uses the so-called WDI model - which only supports the features it supports  - which to me indicates that Win-10 can only be "guaranteed" to support hardware that was built to support Win-10.   And that if you run older hardware with Win-10 all bets are off.

    3)  Relating to unknown MAC addresses - In addition to Apple phones randomizing MAC addresses, I also found this comment in MS Win-10 links under the title MAC Address Randomization

    "In order to improve the privacy of Windows 10 users, configured Wi-Fi MAC addresses are used in some circumstances, such as before connecting to a particular Wi-Fi network or when initiating scans in specific conditions."  It states clearly that "When configuring randomized MAC addresses, the operating system uses the locally administered format defined for IEEE802 addresses."

    So now both Apple phones and Win-10 set that bit in the MAC address, which makes them untraceable as to manufacturer and location before association.   Note that this bit setting is an IEEE 802, and not strictly an 802.11, convention (e.g. 802.3 = Ethernet).   I should have noted the "locally administered" terminology previously.  See also, for example:

    https://www.theregister.co.uk/2017/03/10/mac_address_randomization/

    4)   Like you, I found several reports of horrible Wi-Fi on the Surface Book Pro - especially given its original price.

    5) iPhone personal hotspots are well known to cause nearby Wi-Fi network problems.  In a similar vein, Win-10 does not support true ad-hoc networking and can cause other devices problems when trying to connect to them.   Sorry I can't provide more info on Apple hotspots.

    6)  I am a big proponent of using only Wi-Fi Certified (WFA) devices in my wireless networks.   There are several devices, including some from TP-LINK, that are not "certified" but DO meet the WFA standards.   It may be non-WFA-conformity, that some people (not me) would call trivia,  that is the cause of some of your problems.

    I  mention TP-Link because I know you use them, but I also have to say that in my "professional" life, and using a couple of their non-certified AP's, I never encountered a problem with them.   My lab only had certified devices, but other labs in the building had the TP-Link.

    Having previously worked as a corporate representative to the WFA, I am still subject to NDA's.  So I can't give you all the details of a certification test.  However, I can say that although the WFA does not test for absolute and strict adherence to the IEEE 802.11 specifications, they do test exhaustively for compatibility with several (usually 4 to 5) chip sets for EVERY device that goes in for certification.   For the last couple years this also includes Speed of Operation, which is a consequence of using their latest testing engine.  This is both good and bad from a manufacturer's PoV, but may mean that some gear doesn't get certified for several years.

    7)  It's a good idea to always go onto the WFA website and examine your devices' certifications.   Look at the actual certification link for the specific product.   You may, for example, find a manufacturer's 802.11ac radio only has an 802.11n certification, or that a WMM or PMF certification hasn't been granted.  Use the Advanced search page at:

    https://www.wi-fi.org/product-finder-results?sort_by=certified&sort_order=desc#advanced_filters.

    8)  Regarding interference with Solar systems- Have you looked into using Snap-on Ferrite cores to reduce the noise ?   With the correct application, these can work miracles.  Is there a way to contact you directly ?  We haven't had the way to connect privately on the Forum here for years.

    9)  WMM can obfuscate real headaches.  Often times, a device's original Power Saving algorithm, for example, can conflict with it.   BTW, some manufacturers' Power Save settings had absolutely no effect on the power saved, but were still included in the controls.  And they knew it.

    10) I hadn't mentioned it before, but I hope your 2.4 and 5 GHz links use different SSID's.   Using the exact same name (SSID) has been known to cause big problems in many environments.   This is especially true for non-Enterprise networks that didn't have the resources to perform an adequate site survey.

    Hope something here can help you some more.

    I'm still reviewing your solar videos.

  • Loren,

    I watched your videos.  Now I understand why you didn't want to tinker with your timer settings.

    Enjoyed your water system too.  My dad spent his entire professional life in water treatment, and I think he would have really enjoyed, and been amazed at, your house.

    Thanks for sharing.

  • Howard,

    Thanks for the kind words. I take a lot of the complexity here for granted - until something goes wrong and I have to remember where all the details are and why I made each choice. 

    Last two days have been lost to Windows updates, browser updates and mods, a serious relocation of the audio speakers, and long needed vacuuming (it was sunny!)

    I just finished what I'd hoped would be a test of other Wi-Fi adapters on the Surface Book. The newest USB-to-Wi-Fi adapter won't install because of the USB3 invalid serial number string descriptor. Two older TrendNet 'G' adapters plugged in fine and managed to find drivers with prodding in Device Manager. One never connected at all, but the other actually saw my APs and tried to connect. And one time out of about a dozen it actually worked for long enough to check my eMail spam trap. But mostly within about ten seconds (!) it disconnected and showed no APs at all. Local Wireshark never saw it as an interface to monitor, and I didn't have the on-air sniffer running. And then the Surface Book crashed and wouldn't respond to even long-press restarts for awhile, so I decided maybe further testing of those was not smart. 

    It looks like people have had success booting Surface Books from Linux Live sticks. Would be very interesting to see if a different OS could use the Wi-Fi adapter more efficiently. But first tomorrow I get to dig into your previous set of comments...  

    Loren

  • Howard,

    > 1) From the MS links you provided earlier, it is apparent that Win-10 makes a point of being able to "reset any hung Wi-Fi or BT device in a maximum of 10 Seconds." Note the "10" here (i.e. there are no coincidences !!).

    <https://docs.microsoft.com/en-us/windows-hardware/drivers/network/wdi-miniport-driver-design-guide>
    -----
    Windows has the ability to resurrect hung devices. It has enough state to reprogram the IHV component and recover within 10 seconds.

    Reset Recovery (RR)
    RR refers to the event sequence of Reset and Recovery.

    For FLR, this includes:
    The request to NDIS, which forwards the request to the bus to reset the Wi-Fi function.
    Recovery of firmware context by the driver.
    Reconnection to the access point if it was connected before the reset.
    -----

    The AP never thinks it has been disconnected, just that Windows set the 'P' flag. I really don't think this is the reason. But maybe there are other facets of the "10 second" philosophy...

    Every actual connect-disconnect is logged:
    ---
    Log Name: Microsoft-Windows-WLAN-AutoConfig/Operational
    Source: Microsoft-Windows-WLAN-AutoConfig
    Date: 4/12/2019 11:41:44 AM
    Event ID: 8001
    Task Category: AcmConnection
    Level: Information
    Keywords: (536870912),(1024),(512)
    User: SYSTEM
    Computer: DESKTOP-OMMHHCL
    Description:
    WLAN AutoConfig service has successfully connected to a wireless network.

    Network Adapter: Marvell AVASTAR Wireless-AC Network Controller
    Interface GUID: {c74721c8-687c-4688-9117-5649990c3bba}
    Connection Mode: Automatic connection with a profile
    Profile Name: TP-LINK_2.4GHz_CA8583
    SSID: TP-LINK_2.4GHz_CA8583
    BSS Type: Infrastructure
    PHY Type: 802.11n
    Authentication: WPA2-Personal
    Encryption: AES-CCMP
    802.1x Enabled: No
    Hidden: false
    ---

    NDIS is in the System log. The only messages are one or two of these a day, looks like every wake from hibernation:
    ---
    Log Name: System
    Source: Microsoft-Windows-NDIS
    Date: 4/12/2019 11:41:35 AM
    Event ID: 10317
    Task Category: PnP
    Level: Error
    Keywords: (16384),(16),(4),(2)
    User: N/A
    Computer: DESKTOP-OMMHHCL
    Description:
    Miniport Microsoft Wi-Fi Direct Virtual Adapter #4, {90a5c503-7de3-4398-a092-dc1a0378e3f5}, had event Fatal error: The miniport has failed a power transition to operational power
    <EventData>
    <Data Name="IfGuid">{90A5C503-7DE3-4398-A092-DC1A0378E3F5}</Data>
    <Data Name="IfIndex">19</Data>
    <Data Name="IfLuid">19985273169379328</Data>
    <Data Name="AdapterName">Microsoft Wi-Fi Direct Virtual Adapter #4</Data>
    <Data Name="MiniportEventEnum">74</Data>
    </EventData>
    ---

    There is one of these every month or two, nothing else from the adapter:
    ---
    Log Name: System
    Source: mrvlpcie8897
    Date: 3/1/2019 2:34:23 PM
    Event ID: 5002
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: DESKTOP-OMMHHCL
    Description:
    Marvell AVASTAR Wireless-AC Network Controller : Has determined that the network adapter is not functioning properly.
    </Event>
    ---


    > 2) Also found there is a discussion of how Wi-Fi Native Device support has been deprecated and now uses the so-called WDI model - which only supports the features it supports - which to me indicates that Win-10 can only be "guaranteed" to support hardware that was built to support Win-10. And that if you run older hardware with Win-10 all bets are off.

    I don't doubt that. But mine is one of the top models of Microsoft's own flagship Surface Book. You would think they would choose hardware known to work with Win 10. You might be wrong... I get the impression the different MS divisions have little contact with each other.


    > 3) Relating to unknown MAC addresses - In addition to Apple phones randomizing MAC addresses, I also found this comment in MS Win-10 links under the title MAC Address Randomization
    >
    > "In order to improve the privacy of Windows 10 users, configured Wi-Fi MAC addresses are used in some circumstances, such as before connecting to a particular Wi-Fi network or when initiating scans in specific conditions." It states clearly that "When configuring randomized MAC addresses, the operating system uses the locally administered format defined for IEEE802 addresses."

    https://www.electronics-notes.com/articles/connectivity/ethernet-ieee-802-3/data-frames-structure-format.php
    -----
    Destination Address (DA) - This field contains the address of station for which the data is intended. The left most bit indicates whether the destination is an individual address or a group address. An individual address is denoted by a zero, while a one indicates a group address. The next bit into the DA indicates whether the address is globally administered, or local. If the address is globally administered the bit is a zero, and a one if it is locally administered. There are then 46 remaining bits. These are used for the destination address itself.
    -----
    So is that saying these are all claiming local? Even though these are the defaults?
    C8AA2139E94B Motorola Electrify Wi-Fi android_4843f0ca7bc2cf3d
    D05BA858EA2B ZTE Mobley SRQ-VM6200MD_C
    F81A67CA8582 TP-Link TL-WDR3600 LAN (wired)
    F81A67CA8583 TP-Link TL-WDR3600 Wi-Fi 2.4
    F81A67CA8584 TP-Link TL-WDR3600 Wi-Fi 5, "LAN"
    F81A67CA8585 TP-Link TL-WDR3600 WAN
    FA3D24A17F0F Asus EeePC901 Eeebuntu create a wireless network

    And these mystery MACs are local:
    da:a3:d3:9c:f3:d1
    ea:31:70:73:23:3b
    But this one which behaved similarly is not?
    46:cf:d9:3d:9d:cc

    If they come from Win 10, that would explain why their reported signal strength pretty much matched it.


    > 4) Like you, I found several reports of horrible Wi-Fi on the Surface Book Pro - especially given its original price.

    I love the physical configuration - use it as a tablet, screen reversed out, or angle it up a bit from the keyboard for a "book" experience, or set the whole thing on an easel at eye level for serious work with Bt keyboard and mouse. But functionally it has been a huge pain. Seeing if it will boot Linux is definitely on my list. (After a full backup!)


    > 5) iPhone personal hotspots are well known to cause nearby Wi-Fi network problems. In a similar vein, Win-10 does not support true ad-hoc networking and can cause other devices problems when trying to connect to them. Sorry I can't provide more info on Apple hotspots.

    I rarely use the iPhone hotspot, except for having an extra internet portal for testing. Seems to do what it should when I try it.


    > 6) I am a big proponent of using only Wi-Fi Certified (WFA) devices in my wireless networks. There are several devices, including some from TP-LINK, that are not "certified" but DO meet the WFA standards. It may be non-WFA-conformity, that some people (not me) would call trivia, that is the cause of some of your problems.

    My TP-Link certifications: CE, FCC, IC, RoHS
    <https://www.wi-fi.org/product-finder-results?sort_by=certified&sort_order=asc&keywords=tp-link>
    Looks like TP-Link stopped bothering in 2011...
    My old Linksys APs were certified, but probably not after I put Tomato firmware on them...


    > I mention TP-Link because I know you use them, but I also have to say that in my "professional" life, and using a couple of their non-certified AP's, I never encountered a problem with them. My lab only had certified devices, but other labs in the building had the TP-Link.

    They promised V6 transparency when most vendors wanted seriously too much money for it, and they delivered, after a couple of quick beta fixes.


    > 7) It's a good idea to always go onto the WFA website and examine your devices' certifications. Look at the actual certification link for the specific product. You may, for example, find a manufacturer's 802.11ac radio only has an 802.11n certification, or that a WMM or PMF certification hasn't been granted. Use the Advanced search page at:
    >
    > https://www.wi-fi.org/product-finder-results?sort_by=certified&sort_order=desc#advanced_filters.

    Next time!


    > 8) Regarding interference with Solar systems- Have you looked into using Snap-on Ferrite cores to reduce the noise ?

    I have lots on sensor and control wiring, but never considered putting them on the big high-current cables. Next time I see some big ones...


    > Is there a way to contact you directly ? We haven't had the way to connect privately on the Forum here for years.

    Not sure I want to post my eMail here, but I'm lorenamelang on GitHub, Stack..., LinkedIn, and most anywhere else that might let you send a more private message. And Twitter...


    > 9) WMM can obfuscate real headaches. Often times, a device's original Power Saving algorithm, for example, can conflict with it. BTW, some manufacturers' Power Save settings had absolutely no effect on the power saved, but were still included in the controls. And they knew it.

    Windows has grabbed more and more control away from us, often leaving a long trail of obsoleted "settings" and registry keys. It will soon be "frustration-as-a-service".


    > 10) I hadn't mentioned it before, but I hope your 2.4 and 5 GHz links use different SSID's. Using the exact same name (SSID) has been known to cause big problems in many environments. This is especially true for non-Enterprise networks that didn't have the resources to perform an adequate site survey.

    Yes, they each include "2.4" or "5" in the SSID.


    So I'm not sure what to try next. More APs doesn't seem hopeful, since the Surface Book chokes on all of the ones I own already. Maybe a top end USB3 to Wi-Fi adapter?
    <https://www.lifewire.com/top-wi-fi-usb-adapters-2377825>
    Not anxious to spend $60 for a test device I wouldn't want hanging off my screen all the time. Or $799 for this:
    http://blogs.metageek.net/2018/05/introducing-a-new-way-to-capture-packets/
    -----
    We’re working on an additional update to Eye P.A. that will allow it to capture 802.11ac packets, set to release this summer. (Posted May 2018...)
    -----
    "The Linksys AE2500 is the best solution", but it is only Wi-Fi N as well.

    Guess I'm back to trying to get Linux Wireshark 3 to capture in monitor mode...

    Loren

  • By Howard - edited: April 14, 2019

    Loren,

    In your latest reply you said:

    > But this one which behaved similarly is not?
    > 46:cf:d9:3d:9d:cc

    Bit-wise, the 46:cf is 0100 0110:1100 1111.    So this is also a local address.

    > If they come from Win 10, that would explain why their reported signal strength pretty much matched it.

    Yes, I agree. 

    > My old Linksys APs were certified, but probably not after I put Tomato firmware on them...

    Definitely no longer certified, much like any manufacturer denying a warranty after you've opened it up.     I only ever had Tomato running for a very short time once, so I can't speak to all its foibles - but you definitely could make some untoward changes to the AP's behavior with it, accidentally or not.

    It is extremely easy to configure incompatible settings on some radios, and unless the software has extensive post-configuration validation testing for it, they are liable to occur.   Sometimes the only recourse is to return to factory settings, and start over - ugh.

    And just another thought, before I forget.   No 802.11ac, or newly certified 802.11n AP, will connect at anything higher than 54 Mbps, the highest /a/g rate, unless WPA2 security is configured.   Some might also require WMM and PMF/MFP too.

    I sent you an invite on LinkedIn.  I had to shorten the original message due to their restrictions on 'connect' requests. 

    > It will soon be "frustration-as-a-service".

    I love it !  My latest MS update just messed up my windows settings, including desktop arrangements, icon sizes etc, and a few other things.

    > Maybe a top end USB3 to Wi-Fi adapter?

    I didn't check them all, but neither of the top 2 in that list were WFA certified.     Which, like I said is not necessarily an automatic fail - but is a whole other discussion for another day.

    Beware that some USB-3 devices are Wi-Fi killers, especially those on long cables, or connected through USB 3.0 hubs, or if placed near 2.4 GHz devices.   I couldn't find it just now, but Tom Carpenter has a good video somewhere, on this topic.   If you ever use a USB3.0 cable or hub, make sure they are exceptionally good shielded ones.
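
Added example, not part of either poster's messages: the I/G and U/L bits discussed above, tested on the MAC addresses quoted in this thread. In the usual hex notation the I/G bit is 0x01 and the U/L bit is 0x02 of the first octet; the quoted 802.3 text calls them the first two bits because each octet is sent least significant bit first. Function names are illustrative.

```python
import re

IG_BIT = 0x01  # 0 = individual (unicast), 1 = group (multicast/broadcast)
UL_BIT = 0x02  # 0 = universally administered (vendor OUI), 1 = locally administered

# Addresses copied from the posts above (router lists, Wireshark capture).
PAGE_MACS = [
    "C8AA2139E94B", "D05BA858EA2B",
    "F81A67CA8582", "F81A67CA8583", "F81A67CA8584", "F81A67CA8585",
    "FA3D24A17F0F",
    "da:a3:d3:9c:f3:d1", "ea:31:70:73:23:3b", "46:cf:d9:3d:9d:cc",
    "fe:1a:67:ca:85:83",
]


def parse_mac(text):
    """Accept 'da:a3:d3:9c:f3:d1', 'DA-A3-D3-9C-F3-D1' or bare 'F81A67CA8583'."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def wire_order_bits(octet):
    """Bits of one octet in transmission order (least significant bit first)."""
    return format(octet, "08b")[::-1]


def classify(text):
    """Decode the two administrative bits of the first octet."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "mac": mac.hex(":"),
        "first_octet_hex_order": format(first, "08b"),
        "first_octet_wire_order": wire_order_bits(first),
        "group": bool(first & IG_BIT),
        "local": bool(first & UL_BIT),
    }


def triage(macs):
    """Split addresses into (vendor-assigned, locally administered).

    An OUI lookup is only meaningful for the first list; a locally
    administered address carries no registered vendor prefix.
    """
    vendor, local = [], []
    for text in macs:
        info = classify(text)
        (local if info["local"] else vendor).append(info["mac"])
    return vendor, local


if __name__ == "__main__":
    for text in PAGE_MACS:
        info = classify(text)
        kind = "local" if info["local"] else "universal"
        cast = "group" if info["group"] else "individual"
        print(f'{info["mac"]}  hex-order {info["first_octet_hex_order"]}  '
              f'wire-order {info["first_octet_wire_order"]}  {kind}, {cast}')
```

Reading the leftmost bit of the hex digits gives 1 for F8, C8 and D0, yet their wire-order bits start with 0 0, which is why the vendor-assigned addresses in the list are not "claiming local".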

  • > Bit-wise, the 46:cf is 0100 0110:1100 1111. So this is also a local address.

    It was late. And I forgot I have a wonderful multi-base calculator a hotkey away. So much for doing it mentally.


    > I only ever had Tomato running for a very short time once, so I can't speak to all its foibles - but you definitely could make some untoward changes to the AP's behavior with it, accidentally or not.

    Obviously life and Wi-Fi were simpler back then. I loved Tomato's ability to log all my usage precisely and show me who was responsible, back when connectivity was limited and expensive. And the Linksys had very few options. Supposedly there is third-party firmware for my TP-Link, but I have much more important things to do now.


    > And just another thought, before I forget. No 802.11ac, or newly certified 802.11n AP, will connect at anything higher than 54 Mbps, the highest /a/g rate, unless WPA2 security is configured. Some might also require WMM and PMF/MFP too.

    Interesting. I see 72 Mb often in my traces, so I guess that is working here.


    > I sent you an invite on LinkedIn. I had to shorten the original message due to their restrictions on 'connect' requests.

    Thanks! Sent an eMail reply from my personal address. I'd forgotten what a commercial mess LinkedIn has become!


    >> It will soon be "frustration-as-a-service".

    > I love it ! My latest MS update just messed up my windows settings, including desktop arrangements, icon sizes etc, and a few other things.

    I hope I can get moved to Linux before they go full subscription for even personal use.


    >> Maybe a top end USB3 to Wi-Fi adapter?

    > I didn't check them all, but neither of the top 2 in that list were WFA certified. Which, like I said is not necessarily an automatic fail - but is a whole other discussion for another day.

    I fear that unless they tested on a Surface Book it might not mean much here. Windows 10 is not very certified.


    > Beware that some USB-3 devices are Wi-Fi killers, especially those on long cables, or connected through USB 3.0 hubs, or if placed near 2.4 GHz devices. I couldn't find it just now, but Tom Carpenter has a good video somewhere, on this topic. If you ever use a USB3.0 cable or hub, make sure they are exceptionally good shielded ones.

    Maybe USB3 needs ferrites on the cables? I remember some of my first USB cables had thick ferrites on each end. Never noticed any difference from them in USB1 days. Will have to pay attention next time I use my tiny backup drives, the only USB3 I have. The cables are only about 18", so they sit right next to my antenna...


    So I tried the airmon-ng tools in Linux.

    This doesn't help, they immediately restart themselves:
    [loren@Gazp9 ~]$ sudo airmon-ng check kill
    [loren@Gazp9 ~]$ sudo airmon-ng check

    Found 2 processes that could cause trouble.
    Kill them using 'airmon-ng check kill' before putting
    the card in monitor mode, they will interfere by changing channels
    and sometimes putting the interface back in managed mode

    PID Name
    30113 NetworkManager
    30127 wpa_supplicant

    [loren@Gazp9 ~]$


    This stops them both, but also takes down your connections:
    [loren@Gazp9 ~]$ sudo systemctl kill NetworkManager
    [loren@Gazp9 ~]$ sudo systemctl kill wpa_supplicant
    [loren@Gazp9 ~]$ sudo airmon-ng check
    [loren@Gazp9 ~]$


    My mon0 is the dedicated software interface that iw creates:
    [loren@Gazp9 ~]$ sudo iw dev wlp3s0 interface add mon0 type monitor
    [loren@Gazp9 ~]$ sudo airmon-ng start mon0 11

    PHY Interface Driver Chipset

    phy0 mon0 iwlwifi Intel Corporation Wireless 3160 (rev 83)

    Error setting channel: command failed: Device or resource busy (-16)
    Error -16 likely means your card was set back to station mode by something.
    Removing non-monitor mon0 interface...

    WARNING: unable to start monitor mode, please run "airmon-ng check kill"
    [loren@Gazp9 ~]$ sudo airmon-ng check
    [loren@Gazp9 ~]$

    Wasn't due to anything that airmon-ng recognizes. And mon0 clearly was already, and still is, in monitor mode. I suspect they just don't know about the new tricks you can do with the iw command.


    This actually worked:
    [loren@Gazp9 ~]$ sudo airmon-ng start wlp3s0 11

    PHY Interface Driver Chipset

    phy0 wlp3s0 iwlwifi Intel Corporation Wireless 3160 (rev 83)

    (mac80211 monitor mode vif enabled for [phy0]wlp3s0 on [phy0]wlp3s0mon)
    (mac80211 station mode vif disabled for [phy0]wlp3s0)

    [loren@Gazp9 ~]$

    Wireshark allowed the monitor checkbox to stay checked, and actually captured management frames from the hardware wlp3s0 interface. Of course the machine had no internet while doing that... It sees mon0 as an available interface, and is happy to capture data frames from it, but won't leave the monitor checkbox enabled even when NetworkManager and wpa_supplicant have been totally killed. Oh, well...


    So far it captures the same patterns of Microsoft power flag storms as the ancient Wireshark V1. Still lots of "malformed packets", which I guess I have to take more seriously if V3 is still calling them out.

    Always more to learn,

    Loren
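An added example, not part of the post above and not aircrack-ng's own code: a non-monitor interface that is still up on the same phy is one known cause of the kernel refusing a monitor-channel change with "Device or resource busy (-16)", so it helps to see which virtual interfaces share a phy before setting a channel on an `iw`-created monitor vif. The script parses constructed `iw dev` output; the interface names come from the post, while the addresses, indexes and function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise `iw dev` output per phy and flag any phy where a
# monitor vif coexists with a non-monitor vif (station, AP, ...).

# Constructed sample in the layout `iw dev` prints. Not captured from the
# poster's machine: addresses, ifindex and wdev values are invented.
sample_iw_dev() {
cat <<'EOF'
phy#0
    Interface mon0
        ifindex 5
        wdev 0x2
        addr 02:00:00:00:00:01
        type monitor
        txpower 0.00 dBm
    Interface wlp3s0
        ifindex 3
        wdev 0x1
        addr 02:00:00:00:00:02
        type managed
        channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
        txpower 22.00 dBm
EOF
}

# Reads `iw dev` text on stdin and prints one line per phy:
#   <phy> monitor=<names|-> other=<names|-> shared=<yes|no>
# shared=yes means a channel change on the monitor vif can fail with -16
# if the other interface is up (check that with `ip link show <name>`).
phy_vif_report() {
  awk '
    function emit() {
      if (phy == "") return
      printf "%s monitor=%s other=%s shared=%s\n", phy,
        (mon == "" ? "-" : mon), (oth == "" ? "-" : oth),
        (mon != "" && oth != "" ? "yes" : "no")
    }
    /^phy#/           { emit(); phy = $1; mon = ""; oth = ""; ifc = "" }
    $1 == "Interface" { ifc = $2 }
    $1 == "type" && ifc != "" {
      if ($2 == "monitor") mon = mon (mon == "" ? "" : ",") ifc
      else                 oth = oth (oth == "" ? "" : ",") ifc
      ifc = ""
    }
    END { emit() }
  '
}

sample_iw_dev | phy_vif_report
```

On a live system the same function takes real input as `iw dev | phy_vif_report`.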

  • I found Tom Carpenter's (CWNP-TV) video on USB 3.0 interference here:

    https://www.youtube.com/watch?v=MA979zIpTWg

    And here is Intel's analysis of the matter. Download the PDF from this link:

    https://www.intel.com/content/www/us/en/io/universal-serial-bus/usb3-frequency-interference-paper.html

    Pay special attention to Figure 3.3 which shows a large amount of noise in the 2.4 GHz band from a USB 3.0 connected Hard Disk Drive.

    One really important aspect of this issue is that USB 3.0 devices don't even need to be powered up, just connected. Cables near antennas are a no-no.

    I imagine that one of the biggest problems is due to poorly shielded USB connectors inside of either end-port. I have seen at least three different styles of shielding used, ranging from almost none to quite extensive (i.e. VERY cheap, to more expensive).

    Having worked for manufacturers before, I have seen commodities departments sacrifice anything to reduce costs. These departments are filled with bean counters, with almost no understanding of electronics (and we all know "you get what you pay for").

    Because the ports are inside the "box" there is almost no way a user can adequately modify them, and so some devices are stuck with the interference.

    Here is another video on the MacBook Pro, which very interestingly shows how pulling OUT the USB connector slightly made a tremendous Wi-Fi improvement.

    https://www.youtube.com/watch?v=L001ARX3Gcw

    Personally, I have seen more problems with Bluetooth or other wireless mice, but USB 3.0 can definitely create bigger problems.
