DWA-160 Good; 802.11n Bad (Or At Least Annoying)

I am going to have to expand upon this topic in another post somewhere down the road, but 802.11n continues to annoy me. The technology is revolutionary and inexpensive and blah, blah, blah, but it's dang near impossible sniff it! Oh, does this tick me off. And to make matters worse today I finally got to use my D-Link DWA-160 dual-band 802.11n USB adapter with AirMagnet WiFi Analyzer so I really wanted to do some sniffing.


Let's start off with the 802.11n thing first. 802.11n is a great technology that increases both the speed and the range (and even the security, in a way) of your WiFi. Unfortunately for people who dabble in WiFi sniffing, 802.11n also makes it virtually impossible to do traditional sniffing.

The problem with 802.11n is that with most setups the Data frames going in one direction will be missed. I don't know exactly why this is and I don't know all of the technical reasons behind it, but trust me, it happens. If you set your 802.11n capture to a standard channel (in my case today, a 20 MHz wide, 2.4 GHz channel 1) you'll almost always capture data going in one direction but not the other. You will usually get non-data frames going in both directions (identified by frequent acknowledgments without data preceding), but not all of the data.

My guess is that the problem is the wide variations in 802.11n antennas. I think that for whatever reason my capture antennas (usually from USB adapters) tend to be of a much lower quality than my connection antennas (usually from a Mini-PCIe adapter). If I'm correct then that means that my connection adapter is capable of sending and receiving at a higher rate than my capture adapter is capable of sniffing at.

A solution to this problem would be to use the same card to capture that I use to sniff, but that's easier said than done. The Intel 5100 AGN adapter is just about the only internal WiFi adapter I'm aware of that does 802.11n capture. I'm using a Broadcom 802.11n adapter to connect and Broadcom adapters don't do monitor mode so I'm out of luck.

All was not lost today, however, as I did get to briefly check out AirMagnet WiFi Analyzer version 8.7 with the DWA-160. I had been eagerly anticipating the arrival of my DWA-160 ever since I stumbled upon the fact that version 8.7 offered support for it while on AirMagnet's website last week. A big pet peeve of mine with AirMagnet has been their slow adoption of support for dual-band 802.11n USB adapters. They made some some progress with version 8.6 when they started offering support for the Ubiquiti SR71-USB model, but that was a half-baked solution. The SR71-USB is nice in a lot of ways, but it does not have an internal antenna. That means that to effectively use it you need to carry around external antennas and set them up any time you want to sniff. I don't like that, so when support for a USB adapter with internal antennas showed up on their website, I was excited.

Upgrading to WiFi Analyzer version 8.7 was the usual simple process. I downloaded the new version from the MyAirMagnet site, ran through the licensing wizard and I was off. I didn't notice anything different between 8.6 and 8.7 in terms of the interface, but that's OK because the old version was great anyway.

As I wrote above, my one big annoyance was that I could not capture 802.11n data frames being transmitted by the AP on 2.4 GHz channel 1. When I went to the Infrastructure screen and clicked on my station, the counter for received data frames just stayed stuck at 0. It was really frustrating.

Being the optimist that I am (or at least try to be), I figure that 802.11n capture adapters will improve and that eventually I won't run into these annoying problems. Until then, just be careful when you need to sniff an 802.11n WiFi network. It's a good idea to always run a quick check to make sure that data in both directions is being captured before you engage in any detailed frame analysis.

Comments

  1. Ben,

    Sounds like you have some sort of configuration issue going on. I've not found that problem that you mentioned. But I don't have the DWA-160 that you have.

    I've tested it with the following USB adapters
    - Ubiquiti SR71
    - Netgear WNDA3100
    - Proxim 8494 abgn

    As well at this PCMCIA adapters
    - AirMagnet C1060 abgn

    But normally I just use the internal Intel 5300 abgn (I've also used the Intel 4965 quite a bit in the past)

    I'll see if I can re-create you issue. Though I normally find much easier ways to answer whatever the question is with the AirMagnet's interface than I ever can delving down to the packet level for deep analysis. (Though AirMagnet can do the decode thing and I do go down there every once in a while when I'm doing some research or something)

    Keith

    keith@inpnet.org
    http://wirelesslanprofessionals.com

    ReplyDelete
  2. Thing I don't get is if it's config then why is data from the sta showing up perfectly?

    It is a high noise environment so maybe that's a factor. I've had a similar problem with omnipeek in the past using the wusb600n.

    Also, I agree on avoiding the decodes. In this case I went there just to check and saw data onlyncoming from the station.

    ReplyDelete
  3. "Broadcom adapters don't do monitor mode" - they do, if the tool is right. Use CommView for WiFi. It supports Broadcom, Intel, and Atheros chipsets. Here is the full list:

    http://www.tamos.com/download/main/ca.php

    ReplyDelete
  4. This is a damn fine post Ben. Very helpful.

    Devin

    ReplyDelete
  5. hai ben,

    i use airmagnet 8.7 demo with DWA-160 OS: Windows 7, i have problem with windows 7 32, because Airmagnet demo not support, i must download in my airmagnet site, i dont have account, can u help to upload the driver ?

    thx ben

    ReplyDelete
  6. Hi,

    I am seeing this same issue , am able to sniff data traffic from the client ( TCP Acks ) to the AP but not from the AP to the client. Is this because the client is transmitting the Acks in a different mode ( g for example ) and the AP is transmitting in n mode. My sniffing device supports n. Did you ever get to the bottom of your issue ?

    ReplyDelete
  7. Leon: I think that's the problem.

    ReplyDelete

Post a Comment

Popular posts from this blog

Chips, Glorious Wi-Fi 6E Chips!

Five Facts About 6 GHz Wi-Fi

Go To Sleep, Go To Sleep, Go To Sleep Little iPhone