Wireless Capturing With Network Monitor 3.1


One of the exciting new features in NM3.1 is the ability to capture wireless network data and management packets on Vista. This new feature makes Network Monitor a useful tool for troubleshooting wireless problems.

What do you mean, wireless Management packets?

With the introduction of NDIS6, we now have the ability to query the OS in a standard way to receive information that is specific to wireless transmission. The first piece of info we see on wireless frames is things like signal strength and data rate. This is available for any wireless card that supports Native WiFi; more on that later. We now add a WiFi structure which contains the 802.11 MAC frame plus metadata such as signal strength.

But even more exciting than that (ok, I’m a geek, but I’m guessing you may be one too!), we can now sniff management packets. These are the cool packets that need to occur in order to find a WiFi Access Point (AP) and that the AP sends out in order to announce itself. Now you can find out what’s going on when your WiFi signal disappears. Or you can see what other APs are broadcasting in your area.

Supported Hardware

In this section I will list the current hardware with MS drivers which support Native WiFi, and thus sniffing of management packets. This list is sure to change and be updated as drivers are updated, new adapters are added, or new hardware appears. There is more hardware out there that uses the same chipsets. (We do not have the time to test every single adapter on the market). I will attempt to keep this section up to date, though contacting your vendor may be the most reliable way to get accurate information.

Warning: OEMs (Original Equipment Manufacturer) may change the chipset without modifying the product name or in some instances the version number.

Chipset | Driver | OEM Retail Model
RTL8185 | 6.1099.312.2007 | Xterasys2526g, Belkin F5D7010v7, Belkin F5D7000v7, Netgear JWAG511, CompUSA 54Mbps Wireless G PC Card
Ralink RT73 | 3.0.2.0 | Dlink WUA-1340
Ralink RT61 | 2.0.3.0 | Hawking HWPG1
Marvell Libertas (USB) | 1.0.0.49 | Dlink DWL G122d1
Marvell Libertas (PCCard) | 1.0.0.49, 1.0.0.52 | Trendnet TEW-421PCH/W:B1, Netgear WG511v2, Netgear WG511U
Atheros 5002..5005 | 7.3.1.42 | Dlink DWL G650, Dlink DWI G520, Dlink DWA-642, Netgear WG511U, Dlink DWA-556, Dlink DWA-643, Dlink DWA-552, Dlink DWA-542, Dlink DWA-645

  Last updated 6/28/2007 2:10 pm PST

NOTE: The Windows Logo Kit 1.0c has been released. Please verify with your manufacturer that your NIC has passed this certification to determine if NM3.1 supports wireless sniffing with it. The list above will no longer be updated now that the certification is complete.

Manufacturers may provide their own drivers which may also support monitor mode, but you’ll have to contact them directly to see if that is the case. Some information may be altered or omitted by the NIC upon reception of a data or management packet and thus not be correctly presented to NM3. An example is the CRC of packets.

Important Note: Switching into this mode with a driver that has not been verified may cause your system to hang or blue screen. Be careful and save your data before using NM3.1 on a system with a wireless card.

Wireless Meta Data

As I mentioned above, each wireless packet will have a header. Like Ethernet, this contains the hardware address info, but this may also contain information about the transmission. While this metadata may differ for each vendor, there are some common fields which we return from the driver and display in the frame details. Some of the more interesting fields are listed below:

PhyType – Shows you the physical media type for this packet, for example, 802.11b.

Channel – The physical WiFi channel for this packet. This is usually a number whose range depends on the PhyType and manufacturer. Normally channels for 802.11b range from 1-11. Now you can see if you are using the same channel as your neighbor, and change your AP base channel to improve your connection.

lRSSI – Receive Signal Strength Indicator is a measurement of RF Energy as detected by the hardware. This value does not measure signal quality, only its strength. It is possible to have high strength but not high quality. But you can use this to get an idea of the power of the signal at a given location.

Rate – The current transfer rate. Wireless will change the transfer rate based on the quality of the signal. While you may think you are getting 11 Mbps or 54 Mbps, you may only be getting 1 Mbps!

Cool Wireless Tricks

Now you can track down the dead spots at your location and see if there’s a way to affect your signal strength. For instance you could continually ping your router as you walk around the house. Then set up color filters to highlight packets with low or marginal signal strength and/or data Rate. A sample color filter could be set as follows:

WiFi.MetaData.lRSSI < 20 OR WiFi.MetaData.Rate < 10

It’s important to note that the RSSI value is relative to your adapter’s definition of a maximum. For instance some cards return a value between 0 and 60, and others between 0 and 100. You’ll have to check with your manufacturer for details, but you can probably get a good idea of the max by getting close to your wireless AP and using that reading to approximate your max.

So with your continuous ping going, walk around to places where you normally sit with your laptop and look for any RED frames, or whatever color you chose. You can also experiment with the orientation of your wireless router. You may find you get a better signal strength when you face it a different direction, or even when you turn it on its side.
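To make the MetaData fields and the color filter above concrete, here is an added Python example (written for this post, not NetMon code) that decodes a 32-byte MetaData block, applies the same `lRSSI < 20 OR Rate < 10` test, and scales lRSSI to a percentage of the adapter's own maximum as suggested above. The byte layout is an assumption: it follows the field order shown in the frame details quoted in the comments (Version, Length, OpMode, Flags, PhyType, Channel, lRSSI, Rate, TimeStamp) with widths chosen to total the 32-byte Length shown there; the PhyType codes come from the NDIS DOT11_PHY_TYPE enumeration and the 500 kbps Rate unit from the NDIS receive context, neither of which is stated on this page. The sample frames are constructed.

```python
"""Decode the NM3.1 WiFi MetaData block and apply the post's weak-signal filter."""
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout (little-endian): Version u8, Length u16, OpMode u32, Flags u32,
# PhyType u32, Channel u32, lRSSI s32, Rate u8 (assumed 500 kbps units, as in the
# NDIS DOT11_EXTSTA_RECV_CONTEXT ucDataRate field), TimeStamp u64. Totals 32 bytes.
META = struct.Struct("<BHIIIIiBQ")
assert META.size == 32

# PhyType codes from the NDIS DOT11_PHY_TYPE enumeration (an assumption, not from
# the post): 0 unknown, 4 OFDM (802.11a), 5 HR-DSSS (802.11b), 6 ERP (802.11g).
PHY_TYPES = {0: "Undefined", 4: "802.11a", 5: "802.11b", 6: "802.11g"}

# Thresholds from the post's sample color filter:
#   WiFi.MetaData.lRSSI < 20 OR WiFi.MetaData.Rate < 10
RSSI_THRESHOLD = 20
RATE_THRESHOLD_MBPS = 10


def parse_metadata(buf):
    """Return the MetaData fields as a dict; raise ValueError on a short buffer."""
    if len(buf) < META.size:
        raise ValueError("need %d bytes of MetaData, got %d" % (META.size, len(buf)))
    version, length, opmode, flags, phytype, channel, lrssi, rate, ts = META.unpack_from(buf)
    if length < META.size:
        raise ValueError("MetaData Length %d is shorter than the fixed header" % length)
    return {
        "version": version,
        "length": length,
        "opmode": opmode,
        "flags": flags,
        "phytype": phytype,
        "phytype_name": PHY_TYPES.get(phytype, "Unknown (%d)" % phytype),
        "channel": channel,
        "lrssi": lrssi,
        "rate_mbps": rate / 2.0,
        # Assumed: 100 ns ticks since 1601-01-01 (the Windows FILETIME convention).
        "timestamp": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ts // 10),
        "payload_offset": length,  # the 802.11 MAC header follows the MetaData
    }


def is_weak(meta, rssi_threshold=RSSI_THRESHOLD, rate_threshold=RATE_THRESHOLD_MBPS):
    """Mirror the post's color filter: lRSSI < 20 OR Rate < 10 Mbps."""
    return meta["lrssi"] < rssi_threshold or meta["rate_mbps"] < rate_threshold


def rssi_percent(lrssi, adapter_max):
    """Scale an lRSSI reading to percent of the adapter's own maximum.

    Adapters use different scales (0-60, 0-100); adapter_max is the value seen
    standing next to the AP. A negative reading is dBm (the PhyType 0 case in
    the comments) and is not on a 0..max scale, so None is returned for it.
    """
    if lrssi < 0 or adapter_max <= 0:
        return None
    return round(min(lrssi, adapter_max) * 100.0 / adapter_max, 1)


def build_metadata(phytype, channel, lrssi, rate_500k, ts=0):
    """Construct a version-2 MetaData block (test data, not a real capture)."""
    return META.pack(2, META.size, 0, 0, phytype, channel, lrssi, rate_500k, ts)


def survey(frames, adapter_max=60):
    """Classify frames the way the color filter would paint them."""
    rows = []
    for buf in frames:
        m = parse_metadata(buf)
        rows.append((m["channel"], m["phytype_name"], m["lrssi"], m["rate_mbps"],
                     "RED" if is_weak(m) else "ok", rssi_percent(m["lrssi"], adapter_max)))
    return rows


if __name__ == "__main__":
    # Constructed samples: a healthy 802.11g frame, a marginal 802.11b frame, and
    # the PhyType 0 / negative-dBm reading a commenter reported.
    samples = [
        build_metadata(6, 11, 55, 108),  # 54 Mbps, strong
        build_metadata(5, 6, 15, 2),     # 1 Mbps, weak
        build_metadata(0, 6, -28, 2),    # PhyType undefined, lRSSI reported in dBm
    ]
    for ch, phy, rssi, rate, verdict, pct in survey(samples):
        scale = "n/a" if pct is None else "%.1f%% of max" % pct
        print("ch %2d %-9s lRSSI %4d  %5.1f Mbps  %-3s  %s" % (ch, phy, rssi, rate, verdict, scale))
```

Note that a dBm reading such as -28 always satisfies `lRSSI < 20`, so the sample filter only makes sense once you know your adapter reports on a positive 0..max scale; `rssi_percent` returns None for dBm values for that reason.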

Working with WiFi Monitor Mode

By default when you start a trace with a wireless adapter, you are normally already connected to a wireless AP. In this mode, you only see traffic to and from your machine and various types of broadcast traffic. But before you have connected to an AP, the wireless NIC is sending network traffic in order to find an AP to connect to. NM3.1 can put your wireless NIC into monitor mode to see this type of traffic.

Important Note: When you place your WiFi NIC in monitor mode, you will disconnect your current wireless network connection! You will not be able to access the internet or your local network in this mode.

So with a NIC that supports the NWifi standard, NM3.1 can now place your NIC in monitor mode and do some interesting things. With NM3.1 you can perform two types of scanning modes. In the first mode, you select a specific PhyType and Channel to sniff on, and you’ll see all traffic only on that Channel.

[Screenshot: the wireless NIC properties dialog with “Select a layer and channel” chosen]

In the dialog above, we choose the radio button for “Select a layer and channel”, and then we have the ability to choose one of the PhyTypes (802.11a, 802.11b etc…). And with each PhyType, you get another drop down with all of the available channels for that PhyType.

Once you hit the Apply button, your NIC will disconnect from the AP (you’ll lose your network connection) and be set to monitor traffic on the selected channel. If NM3.1 is currently capturing, the capture will from then on contain traffic from this channel only. Also, while in this mode, you must keep this dialog box open. It is actually a separate EXE which brings up the LUA dialog and asks for permissions when you click on the Properties for a wireless NIC. Once you close this dialog box, the NIC will return to normal operation and reconnect to the AP as if the machine were connecting for the first time. If NM3.1 is capturing, you will see the traffic that occurs after the AP negotiation is complete.

You can also put the NIC in a scanning mode. This briefly scans each Channel in each PhyType you have checked and captures traffic. Once the timeout is reached, it moves on to the next selected channel.

[Screenshot: the same dialog in scanning mode, with PhyTypes checked and the current channel shown in the status bar]

If focus is on this dialog, you can see which channel is currently being scanned. This information is updated in the status bar at the bottom of the dialog.

This gives you the ability to capture a swath of data from each channel and determine things like: how many APs are within reach of my machine, and at what strengths? Or which channels are not being used at all? This could allow you to pick a channel that’s not so crowded and thus increase your wireless throughput. You can also use this to troubleshoot why you can’t get connected at all, given you have two wireless NICs or two machines, one to capture and the other to attempt to connect.
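The channel survey described above, as an added Python example (not NetMon code): it takes beacon records of the kind NM3.1 shows for ManagementBeacon frames (BSSID, SSID, Channel, lRSSI), deduplicates APs by BSSID, counts APs per channel, and picks the least crowded 802.11b channel in the 1-11 range the post mentions. Treating channels within four of each other as overlapping is a design choice based on 2.4 GHz channel spacing, not something stated in the post; the beacon records are constructed, and the empty SSID mirrors the hidden-SSID beacon shown in the comments.

```python
"""Summarize a scanning-mode capture: APs in range, APs per channel, least crowded channel."""
from collections import defaultdict

# Constructed beacon records: (BSSID, SSID, Channel, lRSSI). Not a real capture.
BEACONS = [
    ("00:11:22:33:44:01", "HomeNet", 6, 48),
    ("00:11:22:33:44:01", "HomeNet", 6, 52),   # same AP heard again, stronger
    ("00:11:22:33:44:02", "", 6, 30),          # hidden SSID ("SSID =" in NM3.1)
    ("00:11:22:33:44:03", "Neighbor", 1, 22),
    ("00:11:22:33:44:04", "Cafe", 11, 12),
    ("00:11:22:33:44:05", "Office", 1, 40),
]

# 802.11b channels 1-11, as the post gives the normal range.
CHANNELS_11B = tuple(range(1, 12))


def collect_aps(beacons):
    """One entry per BSSID, keeping the strongest lRSSI seen for that AP."""
    aps = {}
    for bssid, ssid, channel, lrssi in beacons:
        current = aps.get(bssid)
        if current is None or lrssi > current["lrssi"]:
            aps[bssid] = {"ssid": ssid or "<hidden>", "channel": channel, "lrssi": lrssi}
    return aps


def aps_per_channel(aps):
    """Count distinct APs on each channel that has at least one."""
    counts = defaultdict(int)
    for ap in aps.values():
        counts[ap["channel"]] += 1
    return dict(counts)


def channel_load(aps, channels=CHANNELS_11B, overlap=4):
    """Score each channel by the APs on it or within +/- overlap channels.

    Design choice (not from the post): 2.4 GHz channels are 5 MHz apart and an
    802.11b/g signal is roughly 20 MHz wide, so channels within 4 of each other
    interfere. Set overlap=0 to count only exact channel matches.
    """
    per_channel = aps_per_channel(aps)
    return {ch: sum(n for c, n in per_channel.items() if abs(c - ch) <= overlap)
            for ch in channels}


def least_crowded(aps, channels=CHANNELS_11B):
    """Lowest-load channel; ties go to the lowest channel number."""
    load = channel_load(aps, channels)
    return min(channels, key=lambda ch: (load[ch], ch))


if __name__ == "__main__":
    aps = collect_aps(BEACONS)
    for bssid, ap in sorted(aps.items(), key=lambda kv: -kv[1]["lrssi"]):
        print("%s  ch %2d  lRSSI %3d  %s" % (bssid, ap["channel"], ap["lrssi"], ap["ssid"]))
    print("APs per channel:", aps_per_channel(aps))
    print("Least crowded channel:", least_crowded(aps))
```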

A Brand New Sniffing Experience

NM3.1’s new WiFi features give you a new experience and present new ways to troubleshoot problems that were not easy to figure out before. Determining wireless signal strengths and channel usage are just two of the ways you can improve your wireless experience.

Comments
  • Suppose I am intercepting traffic between my PC and remote Linux box. I need to change few bytes in particular packet before it reaches Linux. Is this possible in NM 3? Or planned?

  • We do not have that type of functionality in Network Monitor.  You can change a packet after you've captured it, but there's no way to create a live kind of filtering.

    For that type of functionality, you'll probably want to create your own NDIS filter driver.  This way you can modify the packets live and send the resulting packets to another machine.  I guess this would be like a firewall, except that you are modifying the packet info.

    We currently don't have any plans to add this type of functionality.  We may, however, provide an API which would at least allow you to parse the packets so you'd know how to change the data you are looking at.

    Thanks,

    Paul

  • Microsoft Network Monitor (NetMon) 3.1 is a network analyser or protocol analyser or even a “Packet

  • I was trying out the 'Filter by lRSSI' and I have been getting a reading of

    "Frame:
    - WiFi: [ ManagementBeacon] ......, (I), SSID =, Channel = 6
     - MetaData:
        Version: 2 (0x2)
        Length: 32 (0x20)
      + OpMode: Extensible Station Mode
        Flags: 0 (0x0)
        PhyType: Undefined Value (0)
        Channel: 6
        lRSSI: -28 dBm
        Rate: 1 Mbps
        TimeStamp: 08/25/2007, 07:35:01 PM
     + FrameControl: ...... (0x8000)
     + Management:
     + WiFiPayload: "

    and was curious about the negative signal reading that it seemed to be displaying.  Is that normal?

  • The lRSSI value is determined based on the WiFiPhyType, which is zero in your case.  It should be 4, 5, or 6.  So I'm wondering why the PhyType would be set to zero in your case.

    Can you tell me what kind of Wireless NIC you are using?

    Thanks,

    Paul

  • Intel(R) Wireless WiFi Link 4965AGN

    I just saw in another post that you are working with Intel to include Native WiFi support!

  • Yes, Intel should be releasing a new driver and we also intend to update the driver on Windows Update.  I believe the 4965AGN uses this same driver, though you should probably verify with Intel to be sure.

    Thanks,

    Paul

  • Are there any sources available that could show me how to get the same type of wireless metadata via NDIS that NetMon provides? I've been all over MS's website and I can't seem to find one definitive answer.

  • Yes, this information is available in the WinDDK.  NM3 captures information from NDIS as a lightweight filter driver.  So you could do the same thing and capture the same type of information.

    Thanks,

    Network Monitor Team

  • Routers have come a long way in the last few years; it's amazing how much they've changed.

  • NM Team,

    Does the NM3 SDK have an API for switching to monitor mode and changing WiFi channels?

  • thanks

  • thanks