Wednesday, February 27, 2013

An Introduction to Wireless Sniffing and Dissection

Let's try to understand how sniffing wireless networks works and how to configure it on different platforms such as Windows and Linux.


Our primary concentration will be Omnipeek and Wireshark, the 2 most used packet capture and analysis tools in the wireless LAN industry.

  1. Sniffing Wireless in Windows
  2. Sniffing Wireless in Linux
  3. Sniffing through Multiple Interfaces
  4. Monitor Vs. Promiscuous Mode (Coming Soon)
  5. Automate Sniffing Process (Coming Soon)


Sniffing through Multiple Interfaces



    Most tools provide a feature called "channel hopping", where a single adapter switches its frequency and sniffs packets, and all packets are shown in a single display window for analysis. But during this channel hopping we lose some packets, often ones that are important for analysis, so it is not so useful. The only place it is useful is in the "scanning" process, where we get the list of STAs/APs in the surrounding area.

    The main use case for multi-interface capture is roaming: while a STA roams from one AP to another, and the APs are on different channels, it is difficult to test roaming functionality/performance without seeing packets from all channels together. The tools below provide this facility.


    Omnipeek
    It provides a plugin called "multi-channel aggregator" which aggregates packets from multiple NICs operating on different channels into a single display window, making packet analysis easier.

    Linux

    From Wireshark version 1.8.0 we can capture from multiple interfaces simultaneously; it aggregates the captures and shows them in a single instance and a single packet list. This is pretty useful for multi-channel roaming tests.
    Before Wireshark 1.8.0 we needed to bond the 2 adapters together and then use them as a single adapter for sniffing.
    A nice picture from Omnipeek explains this.



    Sniffing Wireless in Linux: How does it work?

    Wireshark:

    The one most used sniffer in the Linux world is Wireshark. It works perfectly in Linux given OS support and driver support. Most NICs are supported; the full list of NIC cards and drivers can be found at http://linuxwireless.org/en/users/Drivers.

    It is recommended to install the package for your kernel from compat-wireless or compat-drivers.

    It supports all kinds of wireless meta data formats.

    Kismet:

    It has a sleek UI basically aimed at user-level testing and site surveys, but it is not a good tool for full-fledged protocol testing.

    It uses the vendor's driver to sniff packets, and it uses PPI-based reporting.

    How to Configure NIC in Promiscuous Mode?

    ifconfig <interface> down

    iwconfig <interface> mode monitor
    iwconfig <interface> channel <channel no>
                   (or)
    iw dev <interface> set channel <channel no> <HT20/HT40+/HT40->

    ifconfig <interface> up

    How to Revert NIC to AP/STA Mode?


    ifconfig <interface> down
    iwconfig <interface> mode managed
    ifconfig <interface> up

    Sniffing Wireless in Windows: How does it work?

    Sniffing wireless is based on promiscuous/monitor mode support for capturing all packets, along with a good UI/CLI-based tool to view and analyze them. That support has to exist at each of these layers:

    • NIC HW
    • Driver
    • OS/NDIS

    Let's take a look at some of the well-known packet capture and analysis tools in Windows.

    a) Omnipeek

    We are all familiar with sniffing in Windows using Omnipeek, which provides a beautiful and flexible UI. It is definitely popular, especially among testers and end users.

    But it is costly and also closed source, meaning we cannot learn from it, customize it or contribute to it.

    It installs its own driver for the given NIC card (it has a list of supported NIC cards), so it overcomes the limitation of poor or missing promiscuous mode support in the vendor driver.

    b) Wireshark

    Even though we have Wireshark for wired captures, when it comes to sniffing wireless packets it doesn't work well in Windows, basically due to the lack of good promiscuous mode support in Windows and also in many wireless NICs.

    But we can still use Wireshark for wireless for 2 purposes:

    a) Traffic intended for or originating from us. Such packets can still be seen, with the link type shown as Ethernet. This is mainly used for checking the contents of the upper layers like IP/TCP.

    b) To see encrypted packets in the clear: as Wireshark is working in non-promiscuous mode (either as AP or STA), all packets undergo normal processing and are decrypted by the HW and then handed to the OS, which in turn hands them to Wireshark, unlike the special processing path of monitor mode/promiscuous mode.

    It doesn't need a separate driver for the NIC card; it uses the vendor's built-in driver for the NIC to capture packets, and hence lacks good promiscuous mode support.

    The biggest advantage is customization and faster development time for new features, since we have access to the source code, which is pretty self-explanatory, and it is easy to add dissectors for new protocols. If something is not supported, you can add the support yourself :-)

    There is a command line version called tshark, along with its sister tools, which make it easy to automate things like capturing and post-processing capture files.

    c) AirPcap: 

    It is a combination of both of the above: it uses its own driver and NIC but uses Wireshark as the tool for displaying the captured packets.

    It has some extra plugins and its own software called Cascade Pilot, and it is moderately priced compared to Omnipeek. It is the solution recommended by Wireshark for Windows environments.


    d) Microsoft Network Monitor

    An entry from Microsoft itself to capture packets in promiscuous mode, although it is not as great or useful as the above, as only very few HW models support it.

    It is being replaced by Microsoft Message Analyzer (still in beta). It still uses the same capture format, but the UI is similar to Omnipeek; let's see what it has to offer.

    In all of the above mechanisms:

    a) The 802.11 header and payload are provided as-is by the driver, with the exception of the PHY and security related information, which is stripped by the HW.

    b) The PHY and security related information, which is used by the HW and normally isn't shared with the upper SW layers, can be conveyed by the driver to the sniffer tool in the following formats, predominantly:

    • Radiotap: AirPcap
    • PPI: Kismet (see above)
    • Proprietary: Omnipeek
    • Wireshark: It supports all kinds of wireless metadata formats.

    Let's discuss these formats some other time.

    How to Put NIC in Promiscuous Mode

    In Windows we can configure the mode in one of these places:

    a) The packet capturing tool: "Capture settings"
    b) The Advanced Properties tab specific to the NIC.
    c) Rarely, the Windows Registry.

    Monday, February 18, 2013

    MU-MIMO and 802.11n/ac: A User Level Overview

    Multi-User MIMO is a technology first introduced in 802.11ac ("first" meaning first in the IEEE standards) and is known to increase the spectral efficiency of the Wi-Fi channel by using multiple antennas for multiple recipients in the downlink.


    When an 11n/11ac AP with 4 antennas transmits to a smartphone, which typically has a single antenna, the AP is forced to use a single antenna only, causing high spectral wastage. Now imagine if we could make use of the other 3 antennas to transmit data to other connected clients while antenna 1 is transmitting to STA1.

    Here's a quote from the 802.11-ac-draft-4.0:

    The support for VHT transmit beamforming sounding and VHT MU PPDUs in a VHT AP and more than one VHT STA within a VHT BSS enables the optional use of DL-MU-MIMO.
    With DL-MU-MIMO the AP can create up to four A-MPDUs each carrying MPDUs destined for an associated MU capable STA. The AP uses group identifiers (GIDs) to signal potential recipient STAs.
    The AP transmits the A-MPDUs simultaneously in separate space-time streams such that each recipient STA is able to demodulate the space-time streams carrying its A-MPDU.
    The simultaneous transmission of A-MPDUs in a single VHT MU PPDU provides a means to increase aggregate throughput over that which would be achieved by sending the A-MPDUs in separate SU PPDUs.
    That is MU-MIMO giving us a higher DL throughput even when there are many STAs connected to the AP. Now, for the technically minded, we shall discuss the questions below in the upcoming 802.11ac article.


    a) How does CSMA/CA work here?

    b) How does the ACK procedure work?

    c) Why is TxBF mandatory for DL-MU-MIMO?

    d) Can we exploit this for multi-AP and multi-channel concurrency, and so on?


    Here's a nice video demonstration by qualcomm R&D, Enjoy.


    OFDM in WLAN: 802.11n: Similar to 802.11a and 802.11g with minor changes

    In the previous article we discussed OFDM in 802.11a/g; now let's take a look at how OFDM works in 11n.

    OFDM has little to do with the drastic 11n rate boost; MIMO is the key player there. Let's leave the MIMO part aside, as it is a candidate for the next article. As far as OFDM is concerned, it works per antenna, and the basic concept per antenna is the same as in 11g with a few changes.


    20 MHz: This is the same as 802.11a/g but


    a) With an extra 4 sub-carriers.
    In 802.11a/g we use 48 sub-carriers for data and 4 sub-carriers for pilots. But in 11n we make use of an extra 4 sub-carriers, taken from the reserved ones, for data. This results in increased throughput.


    b) Short Guard Interval (Optional)

    A short guard interval is introduced in 11n. In the previous article we took the guard interval as 1/4 of the symbol time; now in 11n they have further decreased the guard interval to 1/8 of the symbol time. So it comes down to 3.2 us × 1/8 = 0.4 us.

    Let's take an example to understand:

    a) Full Guard Interval

    20 MHz / 64 = 0.3125 MHz; 1 / 0.3125 MHz = 3.2 us; 3.2 us + 1/4 × 3.2 us = 4 us

    b) Short Guard Interval

    20 MHz / 64 = 0.3125 MHz; 1 / 0.3125 MHz = 3.2 us; 3.2 us + 1/8 × 3.2 us = 3.6 us


    Note: The important point here is that while calculating the FFT period we consider the maximum number of carriers, 64, not the number of used carriers, so the 3.2 us calculated above holds good in spite of the increased number of sub-carriers.

    40 MHz: 

    It is the same as 20 MHz, but the process is repeated in both the primary and secondary channels.

    So, as derived above, the total number of sub-carriers in a 40 MHz channel is 52 × 2 (primary and secondary) + 4 (extra).

    The reason for these extra 4 data sub-carriers is that we don't need that many (8) pilot sub-carriers combined for both channels, so some of them are converted to data sub-carriers.

    Data sub-carriers = 52 × 2 = 104
    Pilot sub-carriers = 4 + 4 = 8
    ======================
    Total sub-carriers = 112, with 8 pilot sub-carriers.

    Now, out of that, if we remove 2 sub-carriers from the 8 pilots and convert them to data, and add 2 more (why?):
    ======================
    Data sub-carriers = 104 + 2 (from pilots) + 2 (extra) = 108
    Pilot sub-carriers = (4 - 1) + (4 - 1) = 6
    ======================
    Total sub-carriers = 108 + 6 = 114

    I am not sure of the exact rationale behind adding this particular number of sub-carriers, but it is safe to attribute it to evolution: as the IEEE standard progresses they are trying to make use of all the reserved sub-carriers.

    With the same logic as in the previous article we can similarly derive the rate calculations for the above 20 MHz and 40 MHz cases as well. The above tables from IEEE 802.11-2012 will help you.

    Sunday, February 10, 2013

    OFDM in WLAN: 802.11a and 802.11g: Detailed Analysis with Data Rate derivation

    Previously we learned about the fundamental concepts of OFDM, generic and independent of any technology. Now let's take a more specific look at the use of OFDM in 802.11.


    Before OFDM, Wi-Fi suffered from low data rates; it was more like a PAN than a LAN. OFDM was first introduced into Wi-Fi in the year 2003 with the standardization of 802.11a (5 GHz) and then 802.11g (2.4 GHz). Only then did people start seeing Wi-Fi as something useful rather than a pure experimental technology.

    802.11b offers us a rate of at most 11 Mbps through the use of CCK/HR-DSSS. But 802.11a/g offer a 54 Mbps data rate, which is a drastic 5-fold increase compared to 802.11b.

    Whereas 11n gives us a 600 Mbps data rate, a tremendous 11-fold increase. Of course there are lots of factors involved there, but what is the role of OFDM in this? Let's dive in and find out.

    802.11a/g: 

    The IEEE 802.11 standard reserves 64 sub-carriers for use with OFDM, but not all are used in practice. Only 52 of them are used; the remaining 12 are reserved. Enough theory; let's get to some mathematics and see how OFDM achieves those fancy data rates.

    802.11-2012 clause 20.6 has good tables on the data rates of 11n.
    Now, before we start with the data rate calculations, we need to understand a few terms, concepts and the transmission process.

    What parameters govern the data rate?
    1. Modulation Scheme & Coding Rate (MCS)
    2. Bandwidth
    3. OFDM: number of data sub-carriers
    4. Guard Interval


    Modulation: With (A) and (B) from above, let's choose a modulation. Modulation decides how many bits can be carried per sub-carrier. For example, in the case of QPSK we have 4 phases to choose from, so with 2 bits we can select one of the 4 possible phases, meaning we can transport 2 bits. Similarly, for 64-QAM (the highest modulation supported up to the 802.11-2012 standard; 802.11ac adds 256-QAM support) we can transport 6 data bits (2^6 = 64).

    Coding Rate: Any form of wireless communication suffers bit distortion/corruption, so it is important to know that the received data is intact, and if it is wrong we need the capability to identify the defect. For this we insert some extra bits into the actual data so that we can do error detection/correction; these are called parity bits, and we have different coding schemes to employ, e.g. convolutional encoding.



    Shannon’s Noisy Channel Coding Theorem

    “With every channel we can associate a “channel capacity” C (bits/sec). There exist such error control codes that information can be transmitted at a rate below C (bits/sec) with an arbitrarily low bit error rate.”


    The coding rate is the ratio of data bits to the total of data plus parity bits. The higher the coding rate, the better the throughput, because we are actually transporting more data bits per transmitted bit.


    OFDM Encoding Process: A group of all sub-carriers is transmitted at once, so in .11a/g we have 52 sub-carriers constituting one OFDM symbol.

    Let's go directly to the source, the 802.11-2012 standard, clause 18.3.2.2, "Overview of the PPDU encoding process". It says:

    i) Divide the resulting coded and interleaved data string into groups of NBPSC bits. For each of the bit groups, convert the bit group into a complex number according to the modulation encoding tables. Refer to 18.3.5.8 for details.
    This is the first step in the OFDM process after the scrambler and interleaver; basically it is grouping the incoming data.

    j) Divide the complex number string into groups of 48 complex numbers. Each such group is associated with one OFDM symbol. In each group, the complex numbers are numbered 0 to 47 and mapped hereafter into OFDM subcarriers numbered –26 to –22, –20 to –8, –6 to –1, 1 to 6, 8 to 20, and 22 to 26. The subcarriers –21, –7, 7, and 21 are skipped and, subsequently, used for inserting pilot subcarriers. The 0 subcarrier, associated with center frequency, is omitted and filled with the value 0. Refer to 18.3.5.10 for details.
    This is a crucial step, where the 48 complex numbers (one per data sub-carrier) are mapped onto the sub-carriers, leaving space for the pilot sub-carriers; all the mathematical representation is in the form of complex numbers. Sub-carrier 0, the DC sub-carrier, is not used, to avoid complexity in the RF while performing D/A or A/D conversion.

    k) Four subcarriers are inserted as pilots into positions –21, –7, 7, and 21. The total number of the subcarriers is 52 (48 + 4). Refer to 18.3.5.9 for details.
    This inserts the pilot sub-carriers at predefined positions.
    l) For each group of subcarriers –26 to 26, convert the subcarriers to time domain using inverse Fourier transform. Prepend to the Fourier-transformed waveform a circular extension of itself thus forming a GI, and truncate the resulting periodic waveform to a single OFDM symbol length by applying time domain windowing. Refer to 18.3.5.10 for details.
    Here comes the IFFT, a faster way of doing the DFT, which converts from the frequency domain to the time domain. The CP (cyclic prefix) is also added after the IFFT.

    Data Rate Calculation: Data rate is the "number of bits transported per second". With the above concepts we can see that

    Data Rate (bps) = bits per sub-carrier (from the modulation) × number of data sub-carriers × coding rate × symbols per second (1 / symbol time)

    As discussed above, the 802.11a/g standard specifies 64 sub-carriers, out of which 52 are used in a/g.

    1. Total theoretical sub-carriers: 64
    2. Total sub-carriers used: 52
    3. Total data sub-carriers used: 48  ====> A
    4. Pilot sub-carriers: 4

    Now, we know that the standard bandwidth in WLAN is 20 MHz (802.11-2012 also introduces half and quarter clock rates, but let's leave that as homework :-); they are simply 20 MHz scaled down by 2 and by 4).

    We also need to know a few FFT-related parameters. Refer to Table 18-5 in 802.11-2012.

    With 20 MHz bandwidth and 64 sub-carriers, the sub-carrier frequency spacing comes to
                     (SCFS): 20 MHz / 64 = 0.3125 MHz.

    So the IFFT/FFT has to run with a period of 1/SCFS to convert between the time and frequency domains:
                      IFFT/FFT period = 1 / 0.3125 MHz = 3.2 us.

    So the FFT period is 3.2 us, and the rule of thumb in .11a/g is that we leave a guard interval of 1/4 of that, i.e. 0.8 us.

                        So the total symbol time = 3.2 us + 0.8 us = 4 us. ====> B

    The above formula for data rate becomes

    Data Rate (bps) = bits per sub-carrier × A × coding rate / B

    So for BPSK we can transport 1 bit per sub-carrier, which makes 48 bits per OFDM symbol, and each symbol spreads over 4 us in the time domain. Now, with a coding rate of 1/2, it comes to

    Data Rate = 1 × 48 × 1/2 bits / 4 us = 24 bits / 4 us = 6 Mbps

    Similarly, for 64-QAM with coding rate 3/4 (the highest coding rate in 802.11a/g),
    Data Rate = 6 × 48 × 3/4 bits / 4 us = 216 bits / 4 us = 54 Mbps
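As an added example (not part of the original post), here is a small Python calculator that carries this derivation through for 11a/g and, using the sub-carrier counts and short guard interval from the 11n article above, for 11n at 20 MHz and 40 MHz. The (modulation, coding rate) pairs are the ones the standard allows, listed in MCS order; multi-stream 11n rates are assumed to scale linearly with the stream count.

```python
from fractions import Fraction

# Fixed by the 20 MHz / 64-point FFT design: sub-carrier spacing and FFT period.
# The FFT period also holds for 40 MHz, where the 20 MHz process is simply repeated.
SUBCARRIER_SPACING_MHZ = Fraction(20, 64)      # 0.3125 MHz
FFT_PERIOD_US = 1 / SUBCARRIER_SPACING_MHZ     # 3.2 us

# Bits carried per sub-carrier per symbol: log2 of the constellation size
BITS_PER_SUBCARRIER = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6}

# Data sub-carrier counts derived in the text: 48 (11a/g), 52 (11n 20 MHz), 108 (11n 40 MHz)
DATA_SUBCARRIERS = {("a/g", 20): 48, ("n", 20): 52, ("n", 40): 108}

# (modulation, coding rate) pairs the standard allows, in MCS order (assumed from the standard)
AG_RATE_SET = [("BPSK", "1/2"), ("BPSK", "3/4"), ("QPSK", "1/2"), ("QPSK", "3/4"),
               ("16-QAM", "1/2"), ("16-QAM", "3/4"), ("64-QAM", "2/3"), ("64-QAM", "3/4")]
N_MCS_SET = [("BPSK", "1/2"), ("QPSK", "1/2"), ("QPSK", "3/4"), ("16-QAM", "1/2"),
             ("16-QAM", "3/4"), ("64-QAM", "2/3"), ("64-QAM", "3/4"), ("64-QAM", "5/6")]


def symbol_time_us(short_gi=False):
    """Symbol time = FFT period + guard interval (1/4 of it for long GI, 1/8 for short GI)."""
    gi = Fraction(1, 8) if short_gi else Fraction(1, 4)
    return FFT_PERIOD_US * (1 + gi)            # 4 us (long GI) or 3.6 us (short GI)


def data_rate_mbps(phy, bandwidth_mhz, modulation, coding_rate, short_gi=False, streams=1):
    """Data rate = bits per sub-carrier * data sub-carriers * coding rate / symbol time.

    Returns an exact Fraction in Mbps (bits per microsecond). 'streams' scales the
    result for 11n spatial streams, each of which runs its own OFDM chain.
    """
    n_data = DATA_SUBCARRIERS[(phy, bandwidth_mhz)]
    bits_per_symbol = BITS_PER_SUBCARRIER[modulation] * n_data * Fraction(coding_rate)
    return bits_per_symbol / symbol_time_us(short_gi) * streams


def rate_table(phy, bandwidth_mhz, short_gi=False, streams=1):
    """Rates in Mbps for every allowed (modulation, coding rate) pair, rounded to 0.1."""
    pairs = AG_RATE_SET if phy == "a/g" else N_MCS_SET
    return [round(float(data_rate_mbps(phy, bandwidth_mhz, m, r, short_gi, streams)), 1)
            for m, r in pairs]


if __name__ == "__main__":
    print("11a/g 20 MHz:", rate_table("a/g", 20))
    print("11n 20 MHz, long GI:", rate_table("n", 20))
    print("11n 20 MHz, short GI:", rate_table("n", 20, short_gi=True))
    print("11n 40 MHz, short GI, 4 streams:", rate_table("n", 40, short_gi=True, streams=4))
```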

    Frequently Asked Questions:

    1) Is OFDM performed first and then modulation or vice-versa?

    First we divide the incoming bits and map them, in the "constellation mapper", into N streams (N = number of sub-carriers), and based on the encoding tables/modulation scheme each group is converted to a complex number. These are given as input to the IFFT for conversion to the time domain; the IFFT also acts as a parallel-to-serial converter, turning N frequency-domain modulated streams into a single time-domain stream for transmission.

    2) Is there any rule relating a modulation scheme and a coding rate? Why can't I use a 5/6 coding rate with BPSK?

    Yes. Generally, the more bits carried by the modulation, the more error prone it is, but carrying more bits gives us a higher data rate. It is always a tradeoff between BER and data rate. In that respect BPSK has the lowest data rate but is the most robust.

    Here are the results from Agilent on EVM and relative constellation error (measures of Tx modulation quality); as you can see, BPSK is the most tolerant in the table.

    Allowed EVM and Relative Constellation Error

    Data Rate (Mbps) | Relative Constellation Error (dB) | EVM (% RMS)
    -----------------+-----------------------------------+------------
    6                | -5                                | 56.2
    9                | -8                                | 39.8
    12               | -10                               | 31.6
    18               | -13                               | 22.3
    24               | -16                               | 15.8
    36               | -19                               | 11.2
    48               | -22                               | 7.9
    54               | -25                               | 5.6

    But the error rate in BPSK can still be high, as there is only one bit representing the data, so a slight error causes a high BER. So it depends on the channel and the type of fading whether BPSK gives a high or a low BER.

    Hence the 802.11 standard has fixed these mappings between modulation and coding rates.




    Saturday, February 9, 2013

    What is OFDM?: Simplified..

    Let's take a look at the technology that is literally commanding all and any form of wireless communication, OFDM, without requiring any prior electronics knowledge.

    Orthogonal Frequency Division Multiplexing is the most sought-after modulation technique in today's cutting-edge wireless systems, be it 802.11 (WLAN), 802.16 (WiMAX) or the 3GPP 36 series (LTE).

    Single Carrier Modulation:

    In traditional communications we make use of a single Tx antenna and a single Rx antenna. All the incoming data is modulated using a single carrier and sent OTA; at the Rx side it is demodulated, and the data is given out after removing the carrier.

    Multi-Carrier Modulation:

    FDM: 

    In order to gain high throughput a new scheme is introduced, where we divide the channel into different sub-channels and assign a carrier to each sub-channel for modulation (known as a sub-carrier), and finally multiplex all the carriers plus data and send them using the single Tx antenna.
    But in order to avoid interference between the sub-channels we use a guard spacing between them, resulting in bandwidth wastage.

    OFDM: 

    In order to avoid this wastage and use the bandwidth effectively, we choose the sub-channels and sub-carriers such that they are orthogonal to each other, meaning they don't interfere with each other. So we can skip the guard spacing between the sub-channels and save bandwidth.



    FDM Vs. OFDM


    Truly speaking it should be termed FDMO, as you will see why in a moment. Let's understand each word in the acronym in detail.

    Frequency Division (FD):

    Instead of modulating all the data with one carrier, divide the bandwidth into equally spaced sub-channels and assign a carrier to each sub-channel, called a sub-carrier.

    Multiplexing (M):

    As we have multiple sub-carriers but a single Tx antenna, we need to combine all the sub-carriers, or rather multiplex all of them, and send them OTA. We make use of a parallel-to-serial converter for this.

    Orthogonality(O):

    We all know from high school maths that orthogonality means "product of slopes = -1", meaning one signal does not overlap with the other.

    In a similar context, in the time domain a sub-channel is represented as a rectangle, which in the frequency domain converts to a "sinc" wave; now if we multiplex the "sinc" waves of all the sub-carriers/sub-channels, it looks something like the figure below.

    Now at the Rx side we can decode this wave because of the orthogonality: see the "arrows", which represent the frequency at which the impact of all other sub-carriers is zero, so we receive only that particular sub-carrier we are interested in.


    *2: By using an IFFT for modulation we implicitly choose the spacing of the sub-carriers in such a way that at the frequency where we evaluate the received signal (indicated by arrows) all other signals are zero.



    Advantages:

    1. Saves bandwidth
    2. Carries more data than a conventional single carrier.


    Disadvantages:
    1. Highly dependent on the orthogonality achieved: needs good synchronization between Tx and Rx, and also no multipath effects.
    2. High PAPR: Peak to Average Power Ratio.
    The reason for the high PAPR is that, as we use many sub-carriers of the same bandwidth, the sum of the peak powers of all the sub-carriers varies instantaneously.
    OFDM exhibits peaks whose power strongly exceeds the mean power: the signal is said to have a high PAPR. This prevents the use of high-efficiency amplification devices (High Power Amplifiers, HPA), which can introduce nonlinearities resulting in in-band distortion and increased Out-Of-Band Radiation (OOBR), inter-symbol interference and a high Bit Error Rate (BER).

    Mitigations

    1. 

    a) Pilots: Instead of using all the sub-carriers/channels for data, use some selected sub-carriers to send known, zero-data content so that the Rx can tune itself to the Tx. These are a kind of training sub-carrier.

    b) Cyclic Prefix (CP): In order to overcome the multipath effect, OFDM implements a clever technique called the CP, where we first need to find the "Doppler Spread" of the multipath channel and then copy that much time worth of the data signal from the end to the beginning. So even if the signal undergoes multipath fading, we still have the data intact; only the copied part is lost.


    Doppler Spread: The amount of delay induced by the multipath channel in the 1st signal, causing it to overlap with the 2nd signal and leading to the infamous inter-symbol interference.


    2. There are many methods for PAPR reduction, but the well-known ones are:
    • Clipping and Filtering
    • Peak Windowing
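As an added example (not part of the original post), the following Python code builds two 802.11a/g-style OFDM symbols (64-point IFFT, 48 data sub-carriers on the positions quoted from the standard, 16-sample cyclic prefix), passes them through a constructed two-path channel, and shows both that the sub-carriers are orthogonal over one FFT period and that the one-tap equaliser recovers the data exactly only when the cyclic prefix is present. The QPSK mapping, the channel taps and the random data are assumptions made here.

```python
import cmath
import random

N = 64    # FFT size (sub-carriers), as in 802.11a/g
CP = 16   # cyclic prefix length in samples: 1/4 of N, i.e. the 0.8 us long GI
# 48 data bins: -26..26 minus DC (0) and the pilots (-21, -7, 7, 21)
DATA_BINS = [k for k in range(-26, 27) if k not in (0, -21, -7, 7, 21)]


def subcarrier_correlation(k, m):
    """Inner product of sub-carriers k and m over one FFT period: 1 if k == m, else 0."""
    return sum(cmath.exp(2j * cmath.pi * (k - m) * n / N) for n in range(N)) / N


def idft(X):
    """Inverse DFT: 64 frequency bins -> 64 time samples (the sum of the sub-carriers)."""
    return [sum(X[k] * cmath.exp(2j * cmath.pi * k * n / N) for k in range(N)) / N
            for n in range(N)]


def dft(x):
    """Forward DFT: 64 time samples -> 64 frequency bins."""
    return [sum(x[n] * cmath.exp(-2j * cmath.pi * k * n / N) for n in range(N))
            for k in range(N)]


def ofdm_symbol(qpsk, use_cp):
    """Map 48 QPSK points onto the data bins (bin k < 0 lives at index N + k), IFFT, add CP."""
    X = [0j] * N
    for point, k in zip(qpsk, DATA_BINS):
        X[k % N] = point
    x = idft(X)
    return (x[-CP:] + x) if use_cp else x   # CP = copy of the last 16 samples, prepended


def channel(samples, taps):
    """Linear convolution with a multipath channel; taps is {delay_in_samples: gain}."""
    out = [0j] * len(samples)
    for d, g in taps.items():
        for n in range(d, len(samples)):
            out[n] += g * samples[n - d]
    return out


def demod(block, taps, use_cp):
    """Drop the CP, DFT, then one-tap equalise each data bin by the channel response H[k]."""
    Y = dft(block[CP:] if use_cp else block)
    H = [sum(g * cmath.exp(-2j * cmath.pi * k * d / N) for d, g in taps.items())
         for k in range(N)]
    return [Y[k % N] / H[k % N] for k in DATA_BINS]


def max_symbol_error(use_cp, taps={0: 1.0, 6: 0.5}, seed=1):
    """Send two back-to-back OFDM symbols through the channel; return the worst per-point error.

    With the CP, the 6-sample echo of the previous symbol lands inside the dropped prefix and
    the remaining convolution is circular, so equalisation is exact. Without it, the echo
    leaks into the next symbol (ISI) and the sub-carriers are no longer orthogonal (ICI).
    """
    rng = random.Random(seed)                       # constructed, reproducible QPSK data
    frames = [[complex(rng.choice((-1, 1)), rng.choice((-1, 1))) / 2 ** 0.5
               for _ in DATA_BINS] for _ in range(2)]
    tx = ofdm_symbol(frames[0], use_cp) + ofdm_symbol(frames[1], use_cp)
    rx = channel(tx, taps)
    L = N + CP if use_cp else N
    worst = 0.0
    for i, sent in enumerate(frames):
        got = demod(rx[i * L:(i + 1) * L], taps, use_cp)
        worst = max(worst, max(abs(a - b) for a, b in zip(got, sent)))
    return worst


if __name__ == "__main__":
    print("orthogonal bins 3,5:", abs(subcarrier_correlation(3, 5)))
    print("max error with CP:", max_symbol_error(True))
    print("max error without CP:", max_symbol_error(False))
```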


    References:

    1. History behind OFDM
    2. Orthogonality in OFDM
    3. Why High PAR
    4. PAPR Reduction Techniques



    Note: All the pictures here are taken from the references and some additional resources. The author does not claim any copyright.