Posts

A Re-Post on Worthless Capture, Re: 7 Signal

Today it was announced that 7 Signal would be a first-time presenter at Wireless Field Day in August.  7 Signal offers a product that uses distributed sensors that analyze a WLAN. Wait a moment.  This sounds familiar... It was a mere fifteen months ago that yours truly spouted a negative opinion of distributed sensors for WLAN analysis and troubleshooting.  To be precise, distributed sensors were accused of producing a worthless capture. A company like 7 Signal, then, offers both good news and bad news. The Good: People are starting to care more about WiFi sniffing and analysis.  A company like 7 Signal can only exist if networking folks appreciate the value of seeing what is happening in the air. The Bad: Distributed sensors produce worthless captures.  Does it matter if a 7 Signal sensor can connect if an iPad cannot?  Does it matter if good channel quality is seen at the ceiling (where the Sapphire Eye sensors are supposed to be m...

OmniWiFi USB Adapter and OmniPeek 7.5: Compass is King

As long time readers of this blog might know, WildPackets OmniPeek has been my favorite WiFi sniffer for nearly a decade.  Then I found out about WildPackets' OmniWiFi 3-stream 802.11n USB adapter and I fell even more in love.  Now I learn that OmniPeek 7.5 has added wireless features to the Compass screen.  A good product has been made better (though time will tell if it lasts). First, OmniWiFi: The fact that different 802.11n devices have different capabilities is one of those things that sometimes flies under the radar.  The standard may say 600 Mbps, but just on the Apple website one can buy 802.11n devices with maximum rates of 65 Mbps (iPhone 4S), 150 Mbps (iPad Mini), 300 Mbps (Macbook Air 2012) and 450 Mbps (Macbook Pro 2012). 450 Mbps WiFi devices are the ones that give WiFi pros trouble because so many sniffing tools fail to capture 450 Mbps traffic.  The popular (at least with Wireshark devotees) AirPcap NX from Riverbed, the beloved (at least b...

iPhone 5 Probes the Right Way, Too

Quiet when standing still; active when moving.  That is the way that WiFi devices should treat Probe Requests.  Android devices (at least, Android devices that act like yours truly's Samsung Galaxy Tab 2) probe the right way.  After doing a quick test on the iPhone 5, it appears that Apple has their devices probe based on movement as well. Apple iOS devices have a terrible reputation in some WiFi circles.  The author has heard complaints about mobility, stickiness, throughput capabilities and just about anything else under the sun.  Heck, just today an article was published decrying the throughput (WHO CARES?) limitations of the new MacBook Air (not iOS, but still Apple) and was viral'd around the web. To check to see if the iPhone 5 matches the probing behavior of an Android device, I associated the iPhone to the office network on channel 36/+1 and started a capture on channel 44/+1.  Then I got up from my chair and started walking around while conti...

Galaxy Tab 2.0: Probing Done Right (I Think)

When we last left off, yours truly had noticed that an Android tablet was probing for Wi-Fi networks even when associated.  This behavior would have been unusual, as consumer-grade Wi-Fi devices historically would probe when unassociated and stop probing once a connection is made.  After a little bit more investigation, it appears there was an extenuating circumstance that was causing all of the extra probing. I wondered if the Android tablet I have (Samsung Galaxy Tab 2.0 with 65 Mbps 802.11b/g/n WiFi) might have its probing behavior affected by movement, and sure enough it does. I'll try to amend this blog post later to add screenshots of my captures, but for now here is a summary of what I saw: I associated my Galaxy Tab to a WLAN that is on channel 1.  Then I captured on channel 11.  My hypothesis is that an associated device should stop probing on other channels as long as the signal is solid. Sure enough, once I was associated on channel 1, I...

That Android is Quite the Prober

No bold type introducing today's post, as I'm going to keep things short. I was doing some work last week looking at Android devices (specifically, a Samsung Galaxy Tab 2) and I noticed some very heavy probing behavior.  We were checking out the device's behavior when it moves from AP to AP, so I set a capture for the target second AP.  I did the test (things went fine, but the WiFi Analyzer app in particular seems to really make Android devices stick to their currently associated BSS) and looked at the capture. Seeing a ton of Probe Requests from the Tablet was expected.  What wasn't expected was the Android tablet probing even while associated to the first AP.  Even when the received signal was strong (in the -50 to -63 dBm range), the Android was going off channel to probe and probe excessively. At this point I'm still trying to figure out if physical motion or an app (or lack thereof) caused the probing.  One thing I am pretty confident in saying alre...

Wardriving: Problemo o No Problemo?

Happy (belated) Cinco de Mayo!  In honor of Mexico (whose El Tri I actually like a heck of a lot less than Les Bleus), today's discussion of Guerra de Conducción has a Spanish language title.  As noted by noted sarcastor Keith R. "The R Stands for Reassociation" Parsons, in some ways wardriving is a topic whose time has passed.  We've known about it for years.  Wardriving tells hackers where your network is.  Most WiFi networks are encrypted.  What else is there?  Hackers can try to connect, but if you use a long WPA2 Personal passphrase, they won't be able to.  Hackers can try to sniff, but if you're using WPA2 Enterprise, then decryption of data frames is impossible (as far as us non-NSA employees know). But imagine you are an NSA employee.  Or the CEO of a noted defense contractor.  Or holder of some other high-profile job where the nation's prosperity is dependent on your secrecy (like USC's head football coach). ...

We Rally 'Round The Sniffer (With A Pocket Full Of Cards)

Ahh, the good ol' days.  The days when USC was beating UCLA by 50 points, AirTran was flying nonstops from LAX to Milwaukee and WiFi sniffing folks only had to carry one USB card for 802.11 protocol analysis.  Those days are gone, my friends.  It's time to update which cards we need for which applications. December of 2011 was a time yours truly looks back on with fond memories for the reasons cited above.  In the wireless world, the good news was that WildPackets OmniPeek had begun supporting monitor mode capture from Atheros-based 802.11a/b/g/n chipsets, thus allowing one USB adapter to be used for any good WiFi sniffing app. Things change, and when WLAN infrastructure vendors began selling APs that support three-stream spatial multiplexing (thus rendering high rate data frames un-sniffable to the D-Link DWA-160 802.11a/b/g/n USB adapter), the handwriting was on the wall.  The halcyon days of only needing one USB adapter for wireless protocol analysis we...