Wireless Black MagicThe Secret Tips for Monitoring your Wireless Network

Lifting the Veil

Many people refer to the skills required to deploy and manage a wireless network as black magic, a secret art practiced by a rare breed of radio experts. This article will help lift the veil of mystery around wireless networks and give you essential insights to effectively manage your wireless network.

The only certainty about wireless networks is that they are constantly changing. In a wired network, assuming that no one cuts through the wire, the available bandwidth and reach on a wire is static and does not change significantly over time. This is in stark contrast to a wireless network where cell coverage and throughput is constantly changing. Given this the four critical things you need to be monitoring in your wireless network are coverage, performance, traffic and rogue Access Points.

Monitoring Coverage

The most common causes of changes to coverage are the introduction of new obstacles which block the signal such as new cubicle partitions or the introduction of new interference sources, such as a new neighboring Access Point.

The only effective way to determine coverage is to take measurements in the field. A simple low cost approach is simply to do a walk around and look at the data rate and signal quality indicator on a laptop. The illustration 1 below shows an 802.11n connection with a data rate of 130 Mbps indicating good coverage, and an 802.11n connection at the lowest data rates of 6 Mbps indicating that you are on the edge of cell coverage.

Figure 1: Determining signal quality

This is a reasonable test if all the devices that will connect to the wireless network are laptops. However this test may not be adequate if you have other devices such as smart phones and tablets connecting to the wireless network. The reason is that different devices have different radio capabilities. For example smart phones typically transmit at lower power levels than laptops. As such the signal does not go as far. This means that although you can receive the signal on the laptop, a smart phone may not be able to communicate with the Access Point.

The alternative is that you purchase a spectrum analyzer. A spectrum analyzer can range in price from a few hundred dollars to thousands of dollars depending on the functionality. A simple low cost spectrum analyzer should enable you to both measure the received signal strength, and provide analysis on how the received signal strength changes over a period of time. This is important as it will tell you now the received signal strength is fluctuating during the day. Widely fluctuating signals warrant further investigation, as it is an indication that something is changing in the environment. It could be as simply as people using nearby microwave ovens at lunch time, or something more difficult to find such as rogue Access Points.

Signal strength is measured in decibels (dB). Figure 2 below a screen capture from a spectrum analyzer that is recording the received signal strength from an example 802.11n Access Point. This Access Point is transmitting in the 2.4 GHz band using a 40 MHz channel. Typically for data applications you will want to make sure your received signal strength does not drop below -70 dBm. If you are implementing wireless phones a higher threshold will be needed, for example -67 dBm.

Figure 2: Determining the received signal strength

Monitoring Wireless Performance

A user’s data rate varies depending on the received signal strength. A weaker signal will result in a lower data rate. Throughput of an Access Point therefore can vary based on where the users are in the cell. This means that fluctuation in cell capacity is normal in wireless networks. However there are two things that you should monitor that will impact the performance of your Wi-Fi network: Interfering sources and collision rates.

To understanding the impact of interfering sources and collisions you need to understand how Wi-Fi operates.

Before a Wi-Fi device transmits it listens to the frequency channel. If it detects noise on this channel above a threshold defined in the 802.11 standards it will not transmit. The performance of Wi-Fi networks can therefore be significantly impacted if other devices are transmitting in the same channel. These interfering transmissions could be from with Wi-Fi devices such as neighboring Access Points operating on the same channel or non-Wi-Fi devices such as microwave ovens, cordless phones and cameras. Surveillance cameras can be particularly disruptive to Wi-Fi networks as they transmit 100% of the time.

The best way to detect interference sources is to use a spectrum analyzer. Spectrum analyzers display all received signals in a selected frequency. Transmissions from Wi-Fi devices, microwave ovens, cordless phones and cameras have different transmission profiles. Some of these transmission profiles are illustrated in figure 3. By looking at the shape of the signals on the spectrum analyzer you can identify the probable type of interfering sources.

Figure 3: Detecting interfering sources

When you have identified the interfering source the best solution would be to remove it but this is not always a viable option. If the interference is being caused by a neighboring Access Point you could remove the interference by either reducing the transmission power of the Access Point or reconfiguring the Access Point to operate on a different frequency channel. If the interfering source is a non-Wi-Fi device your best option is to move your Access Point to a different frequency channel.

The other factor that affects performance is the collision rate. Collisions occur in Wi-Fi network when two devices transmit at the same time on the same frequency channel. When a Wi-Fi device does not receive a response to their transmission it assumes a collision has occurred. The device will then double the contention window, calculates a new back-off period and try to transmit again. This process repeats until the device transmission is successful.

You can identify retransmissions by looking at the packets being transmitted between devices and the Access Point. You should look for data frames that have the same sources address and sequence number, and management frames such as Authentication and Association Requests from the same source address. A traffic analyzer can be used to capture the traffic entering or leaving a wireless device. Figure 4 shows some sample traffic on an Access Point capture by a wireless traffic analyzer. You can see the different Wi-Fi MAC frames being transmitted such as the beacon, RTS and data frames. Parsing this data to look for duplicate frames will identify retransmissions.

Figure 4: Capturing WLAN traffic

There are a couple of Access Point configuration values that can be set to minimize the risk of collisions. You should consider reducing the number of users that can associate with the Access Point and reducing the size of the RTS threshold.

Monitoring Changes in Traffic

In addition to monitoring the data traffic, it is recommended that you monitor the growth in voice and video traffic. Both wired and wireless networks are experiencing significant increases in voice and video traffic.

To manage this increase in traffic, many businesses upgrade their wireless networks to 802.11n to support higher throughput and implementing 802.11e Quality of Service (QoS) to distinguish between voice, video and data traffic and assign the desired transmission priority. It is important to note that setting your QoS policy does not always mean that you prioritize video traffic over data traffic. Some businesses actually deprioritize video traffic such as video traffic to take a lower priority than critical business data.

The best way to monitor changes to your voice and video traffic is to use a packet analyzer and collect the packets being sent to and from the Access Point. You can parse the collected packets looking for port numbers and QoS classifiers, which indicate the type of traffic being transmitted. It is important to collect this data over time as understanding changes to the type of transmitted data will indicate whether the wireless network needs to be redesigned to accommodate these changes. You should also look at the 802.11 handover messages to identify changes in how users are roaming between Access Points.

Monitoring for Rogue Access Points

Unless you work within a radio secure building, encased in lead with restricted access, there is nothing you can do to prevent someone sniffing the air and capturing transmissions. Thus, any confidential business data over a wireless network can be captured by an unauthorized person listening to the over-the-air transmissions.

To protect your data it needs to be encrypted. Fortunately Wi-Fi Protected Access WPA2 provides the ability for you to encrypt your data using AES encryption.

A more ominous concern is the ability for someone to access your network through a wireless connection. Companies can apply authentication to the wireless network using RADIUS, 802.1x and EAP just like they do in the wired environment. However the wireless networks have a threat that the wired networks do not have. That threat is rogue Access Points.

Rogue Access Points are Access Points that are operational but they are not officially part of the company’s network. They are probably not running the preferred company Access Point configuration. Rogue Access Points are most often deployed by employees with no malicious intent. These individuals do not realize that rogue Access Points create security breaches and could expose the company’s network to attack.

An attacker may install a rogue Access Point configured with the same SSID as the authorized Access Points. By setting the rogue Access Point to transmit at a higher power, nearby Wi-Fi devices will attempt to connect with the rogue Access Point rather than a legitimate Access Point. The attacker can then capture user’s credentials and authentication information, exposing the network to a man-in-the-middle attack.

Monitoring for rogue Access Points is a critical aspect of securing your Wi-Fi network. Maintaining a list of authorized Access Point models, MAC addresses and configurations will help you identify rogue Access Points. One approach is to simply walk the office or campus with a WLAN sniffer and look for unauthorized Access Points. Alternatively you can deploy a Wireless Intrusion Detection System (WIDS).

Wireless Networks Require Extra Attention

Monitoring a wireless network can be a challenge; however this paper shows you how tools like a spectrum analyzer and packet sniffer can monitor and assess the essential aspects of your wireless network.

Wireless networks are continually changing as the RF environment changes. Changes caused by new obstacles to the signal path and the presence of new interference sources. By using the techniques above, you can become familiar with the normal operational behavior of your wireless network. Recognizing normal behavior for a wireless network is the first step to recognizing abnormal activities and becoming a master at managing your wireless network.

Once you have grasped the essential monitoring techniques, you will be in a great position to make decisions about whether you need to invest in more sophisticated wireless network management tools.

About the Author