• By (Deleted User)

    I am a student in the CWAP Train-the-trainer course occuring the week of May 24, 2004.

    I thought it might be interesting to others to read what happens each day in class. I'll use this forum to post my daily diary but I will not post anything that Planet3 might consider proprietary.

    Hope you enjoy it. Your comments and questions are welcome.


  • By (Deleted User)

    Greetings Reader,

    Welcome! I assume if you are reading this, then you have some interest in attaining the CWAP certification. I know I do.

    First, a brief introduction. My name is Joel Barrett and I am a wireless specialist for Cisco Systems. I handle our wireless partners throughout the southern United States. I have the CWNA certification and Cisco WLAN specializations. I've co-authored one book and tech edited several books on WLAN technologies, including the CWSP Study Guide. You can go here if you'd like to see my resume:

    I really enjoy working with wireless LAN technologies. I never thought I'd be able to use the knowledge I gained in RF and electronic warfare as an Anti-Submarine Warfare Operator in the Navy many years ago. I guess all things have a purpose because I'm certainly using that knowledge now.

    I was very excited when I was invited to attend the new Certified Wireless Analysis Professional course. I hope all that time I spent doing network analysis consulting gigs back in the late 1990's comes back to me. I'm sure I'll need it for the class and, more importantly, I'm sure I'll need it for the CWAP exam. I understand that test is going to be painful.

    Today was all about getting into the subject of wireless (802.11a/b/g) protocol analysis. So far we've covered over 170 pages of information on OSI layer 2 and layer 3 frames.

    We discussed some layer 1 information but since WLAN protocol analyzers can't do layer 1 analysis of the PMD sub-layer, there's no reason to cover it much in this class. So we started with the PLCP sub-layer frames (PSDUs) and worked our way up into layer 2 to discuss MAC and LLC frames like MPDUs and MSDUs. We took each of these frame types and broke them down into their individual parts to understand what each does and why.

    We had a great discussion on the real differences between long versus short preambles and their impact on the WLAN. We also talked about the differences between DSSS-OFDM and ERP-OFDM. Next we had some interesting discussions on Interframe Spacing (IFS) and all the different types of IFS methods.

    PCF modes and QoS mechanisms were our next topic. Then we moved into the layer 2 MAC sublayer and went into excruciating detail about each and every field found in the frame. We began discussing how this information is displayed in protocol analyzers like AirMagnet, NI's Observer, Airopeek, and others. We looked at Management, Control and Data frames and learned things like exactly what occurs during authentication and association (yes, authentication does come before association). We compared WEP to TKIP to MIC.

    Near the end of the day we discussed how to best go about performing WLAN protocol analysis and how to characterize network traffic. All-in-all, it was a very interesting and educational day. I'm glad this portion is behind us though because tomorrow we begin our labs with the protocol analyzers. That's going to be very cool.

    In addition to copious notes, I'm also creating a glossary of acronyms since the book doesn't have one (yet). So far I've collected almost three pages.

    Stay tuned for more!

    See you tomorrow,

  • By (Deleted User)


    Thanks for taking the time to publish your classroom experiences in this forum. I am very interested in the CWAP certification, but being able to attend the class in the near future is doubtful, so for me the information is priceless!! It will certainly help me focus my study time in preparing for the test.

    I have been hitting the IEEE 802.11 Designers Handbook pretty hard, and from your first day’s report it seems like I haven’t been wasting my time.

    Thanks again for your altruism. Good luck in class and good luck on the exam.

  • By (Deleted User)

    Hello Reader,

    Today was a deep dive into AirMagnet Trio. I have a pretty good background in this product but every time I use it, I find out something new.

    After installing AirMagnet Trio and the license, we spent the day running labs and performing protocol analysis using AirMagnet Trio, Distributed, Hardware Sensors (the software sensors are no longer being sold), and Reporter.

    We received excellent chances to understand the intricacies of WLAN protocol analysis and apply the concepts we learned on Day One. We learned how to create and apply filters that prevent constant bombardment by beacons so that other packets can be easily seen. We used every feature of AirMagnet, including the Tools menu.

    The labs allowed us to specialize in one area of analysis and incrimentally compare one capture to the next -- for example, we looked at wireless-to-wireless communications versus wireless-to-wired and were easily able to see the difference in acknowledgements.

    Seeing what encrypted frames and decrypted frames look like helped many students get a better grasp on what hackers might be attempting to accomplish, especially when using EAP-based protocols.

    We also got a chance to understand the impact of short vs. long preambles and their impact on the WLAN. Another major application of knowledge occurred when we looked at the impact 802.11b associated stations have in an 802.11g environment.

    At the end of the day we were given a hands-on quiz which made us do quite a bit of thinking and poking around for the answers. It was a good way to cement the knowledge we gained.

    Tomorrow we'll work with AiroPeek NX.

    See you then!

  • By (Deleted User)

    Constant Reader,

    Deeper and deeper we dive. We now know how to perform protocol analysis on two of the top WLAN protocol analyzers -- Notice I'm not saying the "S" word (sniff, sniff, wink, wink). That "S" word product is highly copyright protected but, interestingly enough, it didn't make the "cut" for Planet3's CWAP course. I've used it a lot in the past and have tried it on WLANs... P3W's right, it just "ain't up to snuff" when it comes to comparing against the other WLAN analysis products, at least not yet. Maybe we'll see some changes in it when the reformed Network General company settles down and gets back on track.

    Anyway, we've got two down and three to go. WildPacket's AiroPeek got their turn today. There are some interesting differences between AiroPeek and AirMagnet and I like them both for different reasons. I think AiroPeek has a much more robust protocol analysis engine while AirMagnet is an excellent site survey tool. Both do great jobs at troubleshooting WLAN problems.

    We had some interesting discussions on fragmentation, duration values and interframe spacing. We checked out AiroPeek's ProConvert and iNetTools add-ons. We learned what typical/acceptable values are for CRC counts. We even resolved a long-standing question about how to keep .11b clients from associating to a .11g AP without disabling .11b datarates on the AP. This was important because we didn't want .11b clients to cause protection mode to kick in and decrease our .11g throughput. If you're interested in how we did that, just ask and I'll post it in a reply.

    We were also able to check out WildPacket's RF Grabber hardware probe which is part of their distributed analysis offering. This was interesting but their offering is limited since only one person can use a probe at a time and only one probe can be configured from a single console at a time. Could be time consuming in a large environment.

    We had an very good quiz near the end of the day that continued the test of our analysis expertise. Following that we were shown how the hacker tool called Asleap can decrypt weak passwords in a LEAP environment. Needless to say, it's very important to implement strong password policies in LEAP-protected WLAN implementations or go to something much stronger like PEAP or Cisco's new EAP-FAST protocol.

    Tomorrow's class will cover Network Instruments Observer and I'm looking forward to that.


  • By (Deleted User)


    Thanks for the class update, this information is invaluable to me. I appreciate your time and the effort it takes to sit down and write up the day’s activities after a long day in the classroom.

    I am a little bit foggy on exactly what happens when a 802.11b station associates to a 802.11g AP. What is protection mode? Does it cause all mobile stations that are associated to the AP to reduce data rates to the .11b rate? Can’t the AP talk .11g to some clients and .11b to others?

    When I went to CWNA class our instructor wasn’t quite clear on what really happens, but believed that it reduces throughput because the AP needs to slow down to .11b to talk to 11.b clients and the .11g clients had to wait while the AP serviced the .11b stations. Protection mode was never brought up, so my interest is high.

    Bravo Zulu on the fine service you are providing us fledgling wireless students!

  • By (Deleted User)

    Hello Reader,

    Today we covered Network Instrument's Observer 9.1 software. I've used Observer Basic for some time and I really like it. Even the Basic version is very robust and allows for wired and wireless LAN analysis.

    There's a lot to do in Observer. You can use it for protocol analysis, site survey, network documentation, inventory, and reporting. It's an extensive product that requires an in-depth understanding to get its full benefits but you can also be up and running quickly if you just need the basics.

    In protocol analysis, it is important to be able to filter out what you don't need so you can determine the real problem. Observer allows you to do this several ways. You can setup a filter or you can do display, or Post Filters (as Observer calls them). The cool thing about Post Filters is that you can right click on a frame and select Fast Post Filter to quickly get just the associated frames of the selected frame. This lets you see conversations between just those devices.

    Observer's distributed analysis tool uses their Advanced MultiProbe software. The remote interface is the same as if you were sitting at the main analysis device.

    Observer's main difference compared to other protocol analysis tools is that Observer can show application analysis and several advanced trending reports.

    All-in-all, Observer is a very capable, high-end, reasonably priced solution for WLAN (and wired) analysis.

    Regrettably, tomorrow is the last day and we'll cover CommView and Network Chemistry.

    See you then,

  • By (Deleted User)


    Glad I'm able to assist you with your studies.

    Protection mode is the ability of .11g APs to support 802.11b datarates and modulation. There's plenty of information about protection mode, modulation types and .11 standards in the CWNA course and study guide.

    These were our questions and the answers we found working with an AP1200a/b/g and several types of clients and then using AirMagnet and AiroPeek to watch what was happening.

    1) What is the decision making process for protection mode on the AP? In other words, what exactly causes the protection mode to become enabled in a .11g AP? Does protection mode become enabled when it is responding to a request frame or when it just hears a request frame?

    We found that the AP1200 enables protection mode when it answers a .11b client's probe request frame with a probe response frame.

    2) Is there any way at all to enable protection mode support for .11b clients only AFTER they associate?

    We determined that we can prevent an AP from going into protection mode by disabling Broadcast SSID and implementing an association filter (available in at least 12.2(13)JA3 and higher) tied to a MAC filter. This disallows all clients that aren't identified in the MAC filter and prevents them from associating to the AP thus preventing the AP from answering probe requests.

    There are some caveats to this:
    - We know you can turn off support for .11b datarates but we didn't want to disable support for .11b entirely, we just wanted to prevent .11b rogues/passers-by from associating thereby causing protection mode to become enabled and thus significantly reducing overall throughput (and mucking up the classroom labs in the process).
    - RF interference from rogues/passers-by is still going to cause some performance hits but this is something the APs are designed to handle, especially when OFDM is in use.
    - Enabling and managing MAC filters is typically not something I'd recommend for large enterprise environments. They can become unwieldy and expensive to manage.

    Hope that helps,

  • Like Joel, I am currently sitting in the CWAP class here in GA...just wanted to drop a quick note to echo Joel's comments on the class as we wrap up the last day. I'm sure I'll add more later. It's been alot of fun and very educational. I can certainly recommend this class to anyone in the field and if you want the certification, you are going to need this class.

    More to follow!

  • By (Deleted User)


    I searched my .pdf version of the CWNA book for protection mode without success. But I did a little more research and found a terrific white paper on the subject titled “Maximizing Your 802.11G Investment” that explains it very well, and shows the math to prove what it says. It can be found at

    I now have a handle on the protection mode and your lab results you reported make sense to me.

    Thanks, keep the information coming!

Page 1 of 3