cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12896
Views
20
Helpful
0
Comments
Aaron
Cisco Employee
Cisco Employee

 

 

Introduction

 

Fundamentals of Wireless Sniffing

 

The process of collecting a good wireless sniffer trace, in order to analyze and troubleshoot 802.11 behavior, can be a difficult and time consuming operation. But there are a few things to bear in mind that will help simplify and speed up this process. With Wireless sniffing it helps to have an idea of what you are really trying to do - you are trying to capture the raw wireless frames from over the air, as seen by the wireless sniffing device itself.  

 

Some considerations to bear in mind

 

Step 1)    Since the sniffing device, client device and AP are all using RF generating radios for transmission or reception, it helps to have your wireless sniffer close to your target device (the client machine). This will allow your sniffing device to capture a good approximation of what your client device is hearing over the air.

 

Step 2)    Use a separate device to act as your wireless sniffer - you cannot take a good wireless sniffer trace if it is running on the device under test (the client machine you are trying to get a wireless trace of).

 

Step 3)    Understand exactly what 802.11 Channel and Band your client device is using before setting up your capture. Lock your sniffer to the channel of interest - do not use the sniffer's "scan channels" mode!  (With "scan channels", the sniffer will cycle from channel to channel every second or so - useful for a site survey or to find "rogues", but not when attempting to capture an 802.11 problem.)

 

 
Also bear in mind that your client device may roam to another AP which is on a different RF channel or Band, so you need to plan accordingly. Typically in the 802.11b/g (2.4GHz) environment, using a three channel sniffer may be required. This involves using 3 Wireless adapters on your sniffing device, with each one set to channel 1, 6 and 11.   Using USB wireless adapters works best for this type of setup.

 

Step 4)    If you are troubleshooting 5GHz, then the number of channels will dramatically increase. Since you might not have enough cards to capture all channels, it is a good practice for the test, to operate on not more than 4 channels on your surrounding Access Points.

 

 
 
 

Step 5)    If you can reproduce the problem when a client roams from one channel to another, then a 2-channel sniff should suffice.  If you have only a single channel sniffer available, then have it sniff the roamed-to channel.

 

Step 6)    Always NTP sync your sniffers.  The packet capture will need to be collated with debug captures, and with other wired and/or wireless captures.  Having your timestamps even one second off will make the collation much more difficult.

 

 
 
 

Step 7)    If you are capturing for a long period of time (hours), then configure your sniffer to cut a new capture file every 30MB or so.  In order to avoid filling up your hard drive, you will want to put an upper limit on the number of files written.

 

Note: The Linksys USB600N does not reliably collect 11n packets with short guard interval. Missing 20% to 30% of short guard interval packets. If necessary the WLC configuration can be changed to only use the slower long guard interval. This should be only a temporary configuration change. The command is: config 802.11 {a | b} 11nsupport guard-interval {any | long}

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: