THE BLOG ★ Ramblings on WiFi & stuff.

What is RF Monitor-Mode & Why Does It Matter?

In a previous article I did a high-level overview of what wireless site surveys are and what they are used for. In this article I'll dive in a little deeper to give some insight on what packet captures and RF Monitor-Mode are, and what they can reveal.

There are two modes a wireless NIC can be in - connected/disconnected, and monitor-mode. Connected is exactly what it sounds like - the NIC is connected, or in 802.11 parlance, "Associated", to an access point. When a device is associated it can transmit/receive data through the AP. This is how most people experience Wi-Fi - associated to an AP, doing whatever it is they are doing - watching Netflix, sending an e-mail, uploading a file to a server, etc.

Monitor-mode, or "RF" monitor-mode implies you are not associated/connected to the WLAN, so you are DISCONNECTED, but you are LISTENING, or "monitoring". This mode is often not simple to achieve. It requires the ability to manipulate the wireless driver to set the NIC into this mode. Monitor-mode allows the wireless NIC to listen to a specific channel, a set of channels, or ALL the channels in 2.4/5GHz.

Also, if you cannot place your NIC into monitor-mode you cannot see wireless frames. When you are associated/connected to a WLAN, all you can see is the upper layer data flow. This would include things like DHCP, IP addresses, DNS, webpages, etc. That may be fine if you are looking to troubleshoot something in the network, for YOUR device, but not so much if you are trying to troubleshoot a WIRELESS/802.11 problem in the AIR.

Everything I've highlighted so far is related to what we call wireless PACKET CAPTURE. The purpose of a packet capture is to "capture" all the data transpiring during the error you are troubleshooting. You can then review the data in your chosen packet analysis software and dig in to potentially discover the reason for the problem your device is experiencing.
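What a monitor-mode capture hands to the analysis software, as an added example (not code from this blog): a small Python decoder for the radiotap header and 802.11 MAC header that classifies a frame as management, control, or data. The sample packets and MAC addresses are constructed for illustration.

```python
import struct

# Type and subtype names from the 802.11 Frame Control field (subset only).
TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {(0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
            (0, 12): "deauthentication", (1, 11): "RTS", (1, 12): "CTS",
            (1, 13): "ACK", (2, 0): "data", (2, 8): "QoS data"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(packet):
    """Decode the radiotap header and 802.11 MAC header of one captured packet."""
    if len(packet) < 8:
        raise ValueError("too short for a radiotap header")
    version, _pad, rt_len, _present = struct.unpack_from("<BBHI", packet)
    if version != 0 or not 8 <= rt_len <= len(packet):
        raise ValueError("bad radiotap header")
    dot11 = packet[rt_len:]              # the 802.11 frame starts after radiotap
    if len(dot11) < 10:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (dot11[0] >> 2) & 0x3, (dot11[0] >> 4) & 0xF
    info = {"type": TYPES.get(ftype, "reserved"),
            "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
            "protected": bool(dot11[1] & 0x40),   # Protected Frame bit
            "receiver": mac(dot11[4:10])}
    # CTS and ACK carry only a receiver address; other frames add a transmitter.
    if len(dot11) >= 16 and (ftype, subtype) not in ((1, 12), (1, 13)):
        info["transmitter"] = mac(dot11[10:16])
    if ftype == 0 and len(dot11) >= 22:  # management frames: Address 3 is the BSSID
        info["bssid"] = mac(dot11[16:22])
    return info

# Constructed sample packets: minimal 8-byte radiotap header + 802.11 header.
RADIOTAP = bytes.fromhex("0000080000000000")
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BEACON = RADIOTAP + bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + bytes(14)
ACK = RADIOTAP + bytes.fromhex("d4000000") + STA
QOS_DATA = RADIOTAP + bytes.fromhex("88413000") + AP + STA + AP + bytes(4)

if __name__ == "__main__":
    for name, pkt in (("beacon", BEACON), ("ack", ACK), ("qos data", QOS_DATA)):
        print(name, parse_frame(pkt))
```

None of these three frames would be visible to an associated NIC: the beacon and ACK never leave the 802.11 layer, and the data frame's MAC header is stripped before the OS sees the payload.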

The most common use-case for monitor-mode is to perform wireless packet captures. This can be difficult to achieve. You need specific hardware, and custom drivers, that allow the NIC to use this mode. For Windows, this is almost impossible with the built-in adapter, mainly because there is no standardized NIC that all Windows machines use, so you are often left with researching and purchasing a 3rd party adapter that can use monitor-mode. Even then, the adapter may have limitations on what information it can actually present to you. So, you wind up purchasing and testing several adapters until you find the one that works best for your intended use.

For Windows, the best results can be found by using 3rd party software, and their recommended adapters. With limited success, Wireshark 3.0 and newer will allow for monitor-mode captures with some adapters. I have a video on how to do this on YouTube. Commercial software such as MetaGeek Eye P.A., TamoSoft, CommView for WiFi, and LiveAction’s Omnipeek are popular and easier to implement.

On Linux and macOS, things are a bit better. Specifically on macOS, since the NICs used are limited across the platform, and the OS is based on a UNIX variant, you can set the internal adapter to monitor-mode at will. This makes Macs a favorite among some wireless engineers, along with Linux, of course. One caveat: the new M1 MacBooks use a new 802.11ax adapter that does not render monitor-mode data correctly when capturing on 80MHz channels, so until that is resolved, only pre-M1 Macs are reliable for 80MHz captures.

So, Monitor-Mode is critical for doing in-depth 802.11 analysis, like troubleshooting why a particular device, or application, is not performing as expected, or validating that a client, or application, is functioning as expected.

I think of packet captures as more of a “micro-level” tool, as opposed to say a wireless site survey which is more of a “macro-level” tool. In other words, if the issue is “our Wi-Fi sucks”, or general wireless malaise, then doing a wireless survey is most appropriate. If the issue is with a specific device, application, or set of devices, I may focus on packet captures to see what specifically is going on with those devices or applications.

For more on performing wireless packet captures see my YouTube channel.

Ways to Do Wireless Packet Capture on Windows by Cost

Wireless Site Surveys Explained

(This blog swiped from my company website.)😎

What is a wireless site survey? Seems like a pretty straightforward question until you hear someone ask for a "predictive" survey. How does that work? How do you "predict" a survey? The truth is, there is no such thing as a "predictive" site survey. We can make a PLAN, or a Predictive DESIGN/MODEL. And better yet, we can collect data before we start to better inform our predictive model.

Webster’s Dictionary defines the word survey as:

survey (verb)

sur·​vey | \ sər-ˈvā , ˈsər-ˌvā \
surveyed; surveying

transitive verb

1a : to examine as to condition, situation, or value : APPRAISE
1b : to query (someone) in order to collect data for the analysis of some aspect of a group or area
2 : to determine and delineate the form, extent, and position of (such as a tract of land) by taking linear and angular measurements and by applying the principles of geometry and trigonometry
3 : to view or consider comprehensively
4 : INSPECT, SCRUTINIZE
: to make a survey

So, to survey is to examine, query, inspect, scrutinize data, etc. What is the data we collect? It depends on what it is you want to analyze. What's the percentage of people that are ok with clubbing baby seals? Will you be voting for expanding rights to indignant penguins? Or, for us, can the Wireless LAN (WLAN) provide what the end users need?

REQUIREMENTS GATHERING

First, we start by determining requirements. I consider this "surveying". It doesn't necessarily involve walking around, with your survey gear, measuring the Wi-Fi. It's conversation. It's taking notes and pictures on the wall types, and ceiling heights, and any other oddities that can impact your potential design. It's asking questions, "What type of devices are the most critical?". "What applications does your organization rely on?". "How many devices will be connected at peak, in the morning, on the 2nd shift?". "What are the areas of highest user density?". "What will they be doing on those devices?". Real-time services/applications such as voice, video conferencing, etc. have different requirements than say, web-browsing, e-mail, and accessing a database. Are you looking to perform large data-transfers? That's different than needing to open a file from a shared network folder, or printing.

These questions may seem inconsequential unless you understand the limitations of 802.11. Every organization does not have the same needs. And those needs can be different based on location and can change over time. A cafeteria may be a "high-density" area but will have a vastly different design requirement than say, a large auditorium/lecture/training facility. Wireless Voice-over-IP has different requirements than a straight data-only design. Do you need seamless roaming, where you can stay on an audio, or video call without dropping as you walk from place to place? That is a different design from one where roaming is not required. A supervisor may have a different idea of wireless use-cases versus the employees, on the floor, using the wireless day-to-day, with specific devices. So, I start ALL my surveys with a requirement gathering, data collection meeting.

I do this whether I am preparing for a WLAN design, a Validation Survey, or a Troubleshooting Survey. How do I know if things are "good", or "bad", if I don't know what good, or bad is for this particular deployment? This is a critical step that many fail to do, and therefore, fail with their WLAN deployment, because it cannot support whatever it is the customer needs.

A survey, is a survey, is a survey. Or, is it?

WALL ATTENUATION MEASUREMENT

Once I've determined the customer requirements I can get started on the "wireless" data collection piece. Often, I will perform what I call Wall Attenuation Measurements. This typically involves placing an access point in a room, and taking measurements on both sides of a wall/obstruction to determine just how much "attenuation", or signal loss, is seen in 2.4 and/or 5GHz. This is important if the purpose of the site visit is to gather pre-design data, to help make our Predictive Model more accurate.

In this scenario, I am collecting requirements, and RF data to get as much detail BEFORE I begin the design, so I have greater confidence that my prediction, my mathematical model, will be as accurate as I can get it. I would much rather KNOW that the walls in the offices are 5dBm of attenuation, than simply choosing the default "Dry Wall" from my planning software, hoping for the best. What if there was a wall that looked like drywall, but in actuality, is brick covered with drywall for aesthetic reasons? If you didn't ask, or measure, you would have no idea, and it may cause your design to fail. You can view a detailed explanation on how to perform a Wall Attenuation Measure Survey here.

So, Wall Attenuation Measurements are a type of "survey".

AP-ON-A-STICK SURVEYS

AP-on-a-Stick, or APoaS, simply means I have a pole, or mounting system of some kind, and place an access point (AP) temporarily, at a location and height, where I would like to see how the RF from this specific AP propagates in the environment. APoaS surveys are helpful in complex environments like warehouses, production facilities, or other environments, where modeling in planning software can be difficult due to the complexity of the 3D environment you’re in. So, by placing an AP at a specific height, on a specific channel, at a specific power level, I can measure in the real world, and know, exactly, how this AP will cover the area we are interested in. This removes guessing, and we are using REAL data, not PREDICTED data, to evaluate coverage and inform our WLAN design.

There are many use cases for APoaS. I won't explain them all here, but common ones are:

  • Pre-Design: to validate what AP, or antennas, work best for your design

  • Post-Design: to validate a portion of your predicted AP locations before you deploy

  • Wall Attenuation Measurements: to confirm RF loss through an obstruction

There are others, but these are the ones I use the most when I do APoaS.

VALIDATION SURVEYS

Like the name implies, this type of survey is used to "validate" that a particular WLAN implementation meets the requirements of the project. The WLAN is already in place, configured, and running as intended. With your survey software, and adapters, you capture data throughout the entirety of the facility where Wi-Fi is a requirement. Once you've collected all the data, on all the channels that you care about (I typically survey ALL Wi-Fi channels), you can analyze the data, and compare it to your requirements to see if it "passes". Things you could look at could be: Primary Signal Strength, Secondary Signal Strength (for roaming), Co-Channel and Adjacent Channel Interference, Interfering networks, Rogue APs, misconfigurations, Channel-width, Channel usage, and more.

When something is found that does not meet the requirements, you can then resolve the issue(s), and perform the survey again, to confirm the changes made now allow the WLAN to meet the requirements you have set. I may not always do a pre-design wireless survey, but I ALWAYS do a Validation Survey.
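The pass/fail comparison described above, sketched as an added example (not from the original post) for a single passive survey point. The thresholds in REQ, the AUTHORIZED inventory, and the beacon records are all assumptions constructed for illustration, and "rogue" here means an unknown BSSID advertising the WLAN's own SSID.

```python
# Assumed requirements for this example; the post does not give numeric thresholds.
REQ = {"ssid": "CorpNet", "security": "WPA2-Enterprise",
       "primary_dbm": -67, "secondary_dbm": -70,   # minimum strongest / 2nd-strongest AP
       "cci_floor_dbm": -85, "max_co_channel": 0}  # same-channel APs tolerated above floor

# Hypothetical inventory of BSSIDs that belong to the WLAN being validated.
AUTHORIZED = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}

# Constructed beacons heard at one survey point:
# (bssid, ssid, channel, rssi_dbm, security)
POINT = [
    ("02:00:00:00:00:01", "CorpNet", 36, -58, "WPA2-Enterprise"),
    ("02:00:00:00:00:02", "CorpNet", 36, -74, "WPA2-Enterprise"),
    ("02:00:00:00:00:03", "CorpNet", 149, -80, "WPA2-Personal"),
    ("02:00:00:00:00:99", "CorpNet", 44, -61, "Open"),
    ("02:00:00:00:00:aa", "CoffeeShop", 36, -88, "WPA2-Personal"),
]

def evaluate_point(beacons, authorized, req):
    """Return a sorted list of (finding, detail) for one passive survey location."""
    findings = []
    ours = sorted((b for b in beacons if b[0] in authorized),
                  key=lambda b: b[3], reverse=True)   # strongest authorized AP first
    for bssid, ssid, _ch, _rssi, security in beacons:
        if ssid == req["ssid"] and bssid not in authorized:
            findings.append(("rogue-ap", bssid))      # our SSID from an unknown radio
        elif bssid in authorized and security != req["security"]:
            findings.append(("wrong-security", bssid))
    if not ours or ours[0][3] < req["primary_dbm"]:
        findings.append(("weak-primary", ours[0][0] if ours else "none"))
    if len(ours) < 2 or ours[1][3] < req["secondary_dbm"]:
        findings.append(("weak-secondary", ours[1][0] if len(ours) > 1 else "none"))
    if ours:
        primary = ours[0]
        # Any other AP on the primary's channel heard above the floor shares airtime.
        co = [b for b in beacons if b is not primary and b[2] == primary[2]
              and b[3] >= req["cci_floor_dbm"]]
        if len(co) > req["max_co_channel"]:
            findings.append(("co-channel", f"channel {primary[2]}: {len(co)} other AP(s)"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in evaluate_point(POINT, AUTHORIZED, REQ):
        print(finding)
```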

ACTIVE VS. PASSIVE SURVEYS

"Active Surveys" - Ooh, that SOUNDS important. As in, "we need an Active Wireless Survey, STAT!" I want to be Active, not Passive, don't I? Well, in the case of wireless surveys, Passive is where it's at. Let me clarify.

ACTIVE survey implies there is activity. In this case, we mean actual data being transmitted and received. In order to perform an Active Survey, you MUST be connected to an AP. How many APs can a device connect to simultaneously? "There can be only one, Neo". This means that in order to perform an Active Survey you MUST be connected to one AP, and pass traffic. What DON'T you see when you are connected to a WLAN? Prepare to be shocked, you do not see ANY wireless frames! Zip. Zero. None. You can only see your own traffic, not that of any other devices, and what you see is upper layer traffic - things like DHCP, DNS, IP addresses, webpages, SMTP, etc. Now, that may be great if all you are interested in is your own traffic, but you won't see the stuff that MATTERS when monitoring/surveying Wi-Fi - that is 802.11 frames. That's where the magic is - in those Management, Control, and Data Frames that are completely invisible when you are connected to a WLAN.

Also, when you are CONNECTED to a WLAN you only see your own traffic, at that time, at that location, with that specific device. You don’t see the ENTIRETY of the WLAN and how neighboring WLANs interact with it. Your view is extremely limited and tells you nothing about the health of the WLAN. Suffice it to say, that for me, Active Surveys are rare, if I do them at all.

"PASSIVE Survey" sounds weak. Who wants to be passive? The Terminator's not passive, Sarah Connor ain't passive - I don't wanna be lame! The truth is Passive Surveys are what you NEED if you want to see what matters in understanding the health of a WLAN. By “Passive” we mean, you are NOT connected to the network. You can only monitor if you are disconnected and listening ONLY. Passive Surveys allow you to see ALL the channels and networks around you, not just the one you are connected to for an Active Survey. AND you see all the 802.11 frames! The magic of how Wi-Fi actually works! Only a passive survey will reveal how bad your Co-Channel, or Adjacent Channel Interference is, or if you have coverage in all the areas you care about, or SECONDARY coverage for seamless fast roaming. Passive Surveys can even reveal details about the configuration of the WLAN: if you have the right security, are your Basic, or Supported channels a potential problem, is there a rogue AP that was brought into your environment that shouldn't be there? These are things you cannot see with Active Surveys.

You can skip an Active Survey, but ALWAYS do a Passive Survey.

TROUBLESHOOTING/OPTIMIZATION SURVEYS

These types of surveys are essentially the same as a Validation Survey. The main difference is that a Validation Survey simply confirms that an implementation meets a set of requirements, usually as the final part of the planning, design, and implementation of a new WLAN, whereas these surveys are to TROUBLESHOOT the cause of a wireless issue, or to determine if the existing WLAN design can be improved upon, or OPTIMIZED for a new, changed, or updated use case. The process is the same - passive survey, on all the channels that matter, in all the areas that matter to the customer. You then analyze the data and determine if that data meets the REQUIREMENTS based on what you have determined by talking to the customer about the project.

That’s all for now…

As you can see, the word SURVEY is a loaded term. It can mean many things to different people. So, it's important to understand what it is exactly you are looking for, and how you need to collect that data. It should always start with determining the REQUIREMENTS for the WLAN. Gather as much data as you can BEFORE you begin a WLAN design. Collect data with a Passive Survey on all the channels you care about and in all the areas that matter. Finally, analyze the data and hold it up against the requirements you have determined, to confirm the WLAN meets those requirements, or not.

SURVEY - not as simple as it seems.

Download this as a white paper.

Netsh WLANMon - A New Tool in the Fight Against Bad-Fi on Windows from @MackenzieWiFi

Those of you lucky enough to have a Mac are very familiar with @AdrianGrandos WiFi Signal app that shows detailed information about your Mac’s wireless connection. This is a useful tool for doing some basic troubleshooting for your connection.


Unfortunately, Windows has not had the ability to see this information easily, if at all. That has changed with a new tool developed by the great, and generous, Peter McKenzie (@mackenziewifi). Peter has scripted up a handy little tool, using PowerShell, that shows useful information about your Windows machine’s current wireless connection.

He has basically taken the “netsh wlan” command and wrapped it in a simple UI that breaks down the information shown in the CLI in a nice simple display.

It shows things like channel info, auth type, BSSID, and it even converts the “signal quality” percentage, that Windows uses, into a usable dBm value.
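For a sense of what that wrapping involves, here is an added example in Python (not Peter's tool or its code) that parses the text of `netsh wlan show interfaces` and converts the signal percentage to dBm. It assumes English-language output and uses the linear mapping documented for the Windows WLAN API (0% is -100 dBm, 100% is -50 dBm); the sample output is constructed, and whether the tool uses the same mapping is not stated in the post.

```python
import re

# Constructed sample of `netsh wlan show interfaces` output (values are made up).
SAMPLE = """\
There is 1 interface on the system:

    Name                   : Wi-Fi
    State                  : connected
    SSID                   : CorpNet
    BSSID                  : 02:00:00:00:00:01
    Radio type             : 802.11ac
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Channel                : 36
    Receive rate (Mbps)    : 866.7
    Transmit rate (Mbps)   : 866.7
    Signal                 : 78%
"""

def quality_to_dbm(percent):
    """Linear map documented for the Windows WLAN API: 0% = -100 dBm, 100% = -50 dBm."""
    percent = max(0, min(100, percent))   # clamp out-of-range values
    return -100 + percent / 2

def parse_interface(text):
    """Turn indented 'Key : value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        # Lazy key match stops at the first ' : ', so colons inside a BSSID survive.
        match = re.match(r"^\s+(.+?)\s+:\s(.*)$", line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields

def summarize(text):
    """Pick out the fields the post lists; None when the NIC is not associated."""
    fields = parse_interface(text)
    if fields.get("State") != "connected":
        return None
    return {"ssid": fields["SSID"], "bssid": fields["BSSID"],
            "channel": int(fields["Channel"]), "auth": fields["Authentication"],
            "signal_dbm": quality_to_dbm(int(fields["Signal"].rstrip("%")))}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```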

As of now, it does not show the one thing we Mac users have had access to for years - the current wireless connection’s MCS. But, Peter is working to add that. Other things he’s looking to add are:

  • MAC OUI lookup

  • AP name lookup

  • Other WLAN metrics, such as MCS

  • Log configuration

If you are a Windows user, or support Windows users, you owe it to yourself to add this little tool to your arsenal.

Get It Here!

Source: http://mackenziewifi.com/index.php/2020/01...