A Choice of Filters
People who do WLAN analysis agree that filtering is part of sniffing WiFi frames/packets. More information can be extracted from captures when the focus is on one AP, station or protocol (or a combination of these). Where people disagree is on which type of filtering is best: capture filters or display filters? Yours truly is a capture filter man, and some iPhone analysis was a reminder why.
Filtering 802.11 captures is covered pretty well in the CWAP Study Guide (of which I am a co-author). A capture filter is applied before frames are stored: the only frames captured are the ones that match the filter. A display filter is applied after capture: every frame is stored, and the filter then controls which frames the protocol analyzer shows. To use the example of a filter on my iPhone, if a capture filter were used then all of the frames from all of the other stations on my iPhone's channel would be lost. Using a display filter, on the other hand, would mean that everything is captured. Nothing is lost. The filter for my iPhone would be applied after the capture has been done, thus allowing frames from other stations to be analyzed later.
The CWAP Study Guide takes a neutral position on WiFi capture filters, but the CWAP course written by Marcus Burton is friendlier to display filters. The rationale makes sense on the surface: with a display filter nothing is lost. If an iPhone is being analyzed and the iPhone's frames appear to betray a congestion problem, the display filter can be removed and frames from other stations or APs can be examined. If a capture filter is used, then that moment of congestion may have been lost. Those uncaptured frames can never be examined.
There is a downside to using display filters, especially in a congested area: the lack of real-time analysis. It can be tremendously valuable to be able to watch frames as they are being captured. If you know what WiFi should look like, then you may be able to identify cases where the WiFi is having problems. (That's how I fingered the APs as the culprit when investigating that iPhone VoIP problem that I blogged about a while back. I watched the frames show up in OmniPeek in real time and saw a stream of Retrys.)
In general, the best way to filter will depend on your level of expertise. If you are relatively new to sniffing WiFi, then it's probably best to use display filters. You probably won't know what to look for in real time, so it will be best to keep all captured frames. Once you become an expert, switching to capture filters is usually better. The ability to correlate real-world, real-time behavior (What app is running now? Is the tablet moving now? Is the user actively using her device now?) with that scrolling trace of captured frames/packets is often valuable in identifying what is really going on.
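As an added example (not code from the original post), the following Python models the trade-off described above over a constructed 802.11 trace: a capture filter on the iPhone's MAC drops another station's retransmissions before they are ever stored, while the display-filter path keeps them for later review. The MAC addresses, the trace and the `compare` helper are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Frame Control is a little-endian 16-bit field; the Retry flag is bit 3 of the
# flags byte, which is 0x0800 once the field is read as a little-endian word.
FC_RETRY = 0x0800
FC_DATA = 0x0008  # type = Data (2), subtype 0
@dataclass
class Frame:
    addr1: str   # receiver address
    addr2: str   # transmitter address
    retry: bool

def parse_header(raw: bytes) -> Frame:
    """Parse Frame Control, Addr1 and Addr2 from an 802.11 MAC header."""
    if len(raw) < 16:
        raise ValueError("802.11 header too short")
    fc = struct.unpack_from("<H", raw, 0)[0]
    mac = lambda off: ":".join(f"{b:02x}" for b in raw[off:off + 6])
    return Frame(mac(4), mac(10), bool(fc & FC_RETRY))

def build_frame(addr1: str, addr2: str, retry: bool = False) -> bytes:
    """Constructed data-frame header: Frame Control, Duration, Addr1-3 (Addr3 = Addr1)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    fc = FC_DATA | (FC_RETRY if retry else 0)
    return struct.pack("<HH", fc, 0) + mac(addr1) + mac(addr2) + mac(addr1)

def capture_filter(frames, station):
    """Capture filter: frames that do not match are dropped before storage."""
    return [f for f in map(parse_header, frames) if station in (f.addr1, f.addr2)]

def display_filter(frames, station):
    """Display filter: store every frame, then select the matching ones."""
    stored = [parse_header(raw) for raw in frames]
    return stored, [f for f in stored if station in (f.addr1, f.addr2)]

def retries(parsed):
    return sum(f.retry for f in parsed)

# Constructed, locally administered MACs and a short constructed trace.
IPHONE, AP, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:02"
TRACE = [build_frame(AP, IPHONE), build_frame(IPHONE, AP)]            # iPhone <-> AP, clean
TRACE += [build_frame(AP, OTHER, retry=True)] * 3 + [build_frame(AP, OTHER)]  # other station retrying
def compare(trace=TRACE, station=IPHONE):
    """How much of the congestion signal each filtering style leaves visible."""
    cap = capture_filter(trace, station)
    stored, disp = display_filter(trace, station)
    return {"captured": len(cap), "retries_after_capture_filter": retries(cap),
            "stored": len(stored), "retries_in_stored": retries(stored), "displayed": len(disp)}
```

Both paths show the same two iPhone frames, but only the stored-everything path still holds the three Retry frames from the other station.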
If you like my blog, you can support it by shopping through my Amazon link. Same Amazon store and prices, but I get a kickback. Thank you.
Have you by any chance figured out how to use display filter during live captures in Omnipeek?
After you stop capturing, go to the Packets screen (use the menu on the left hand side). There is a funnel icon above that allows you to choose any of your filters.
Thanks Ben!
But I wanted to use display filter during live captures (like what you could do with Wireshark); I guess that is not supported.
Sadly you can't. From the manual: "Display filters are available from active capture windows only after the capture is stopped. They are always available from saved capture files"
I think this has more to do with the situation than the level of expertise. If a problem can be reliably reproduced, then capture filters are fine; however, if it's intermittent (but persistent), then I always advocate grabbing everything to try and understand the complete situation.
The tools make a difference too - Wireshark allows applying display filters on a live capture, while OmniPeek doesn't, etc. If I'm trying to debug a problem in real-time I tend to use Wireshark as it allows much more 'down and dirty' analysis, but OmniPeek is far better for deep or trend analysis.