Hi,

I have two APs operating on different channels and I need to do some troubleshooting in my network. I'm using Linux, capture with dumpcap and analyze with T-shark. So I have a script that scans first one channel to check a few things, then jumps to the other one and so on.

The problem: I see the same AP MAC on both channels even though I know they're operating on different ones. So my question is if someone knows why this happens. If I lock the radio card to monitor on say channel 1 there is no chance a packet from channel 2 could slip in, as the receiver is set to only listen for preambles at channel 1. Could it be that the cache somehow has stored old packets or the driver doesn't deliver them fast enough? For fun I tried to scan on more channels and the MACs from my APs are popping up on three-four each.

I'm not much of a HW person and don't know the details of how a packet is received and handled by T-shark, maybe someone else knows? I remember that I've seen someone else having the same problem but can't find anything about it now.

Cheers! Z

asked 14 Mar '15, 12:23 SamA
edited 14 Mar '15, 12:25
One Answer:
The reason is, in 2.4 GHz, the channels are overlapping. Each channel is spaced at 5 MHz distance, but the bandwidth of the transmitted signal is 20 MHz (for 11g/11n) or 22 MHz (11b). So there will be overlapping of 11 MHz each side from the center frequency of the current channel you are operating on. Which will be a min of 2 channels each side. And theoretically books will say channels 1, 6 & 11 are non-overlapping. But it isn't the case. You will see the packets coming in channel-1, even in channel-11, if the signal strength is very high. That's due to side lobes spanning across.....

You will not see this problem typically in 5 GHz, as each channel is spaced at 20 MHz and the bandwidth of each transmission is also 20 MHz. So the probability of overlap is very low, unless you keep both transmitted and received very close to each other.

answered 24 Mar '15, 12:41 Ramprasad

Hi, Thanks for your reply. I know what the channel overlap looks like, but being a radio guy means I know that the receiver only is set to listen to the center frequency of incoming signals. If your channel is 6, the energy that is captured goes through A/D conversion, filtering, decoding, demodulation, descrambling and a few other things. This means, if I transmit on channel 6 and you try to decode that signal on channel 5 you will only see noise. There is no chance you can decode the actual content and see the SSID. This is what makes it fishy. And in some of the other similar threads I have found you also find people having the same issue at 5 GHz.

I'm not an expert on how the beacons are sent out in Wi-Fi, but the only explanations I can come up with are that either the AP broadcasts on adjacent channels (for backwards compatibility reasons, i.e. to "warn" other systems about its presence), OR there is an error with either dumpcap or the monitor mode of my wireless card. Need to figure out which one it is. :) (25 Mar '15, 17:55) SamA

Your understanding in the second paragraph is not correct. APs definitely won't beacon in overlapping/adjacent channels. It's not required at all. When clients need to connect, they scan all channels and find out where the AP is present and make a connection request. Answer to your first paragraph point: the frequency is overlapping between channel-5 and channel-6 and thus you can see other channel packets. You can talk to any Wi-Fi expert and I'm sure this is the answer you will get :) (28 Mar '15, 07:52) Ramprasad

Thanks. The only problems are:
1. I still don't believe that a beacon at channel x should be visible on channel x+1 even if they overlap. If that was the case, I would expect many more beacons (plus, that's not how OFDM decoding works). Now the beacon count on channel x+1 is maybe 5-10% of the count on channel x. And sometimes it's zero.
2. The beacons don't always pop up on the adjacent channel. Could also be that they come on a channel further away.
Have asked numerous people but no one can provide a decent explanation. Kind of weird given how many experts there must be out there. (24 Mar '16, 14:11) SamA

SamA: 1. is definitely your problem and you are the only one to correct it: A DSSS (802.11b) signal is 22 MHz wide. With each channel having a width of 5 MHz [f(Ch) = (2407 + Ch*5) MHz for channels 1-13] this means an 802.11b signal spans 4.4 channels. With OFDM 20 MHz channels (802.11g/n) each signal spans slightly more than 20 Hz or 4 channels. So in both cases all the wireless traces I have created in the last 17 years in the 2.4 GHz band can see beacons from ch-2, ch-1, ch, ch+1 and ch+2. This is not about believing, it's about technical understanding, and that can be gained by e.g. reading up on the Wikipedia articles on IEEE 802.11, the IEEE standards themselves (not recommended for beginners) and last but not least: Try it. Put an AP on channel 5, then put your sniffer on channels 3-7 and you will see the beacons. (24 Mar '16, 16:51) jmayer
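To check the overlap explanation against a channel-hopping capture, the following added example (not code from any poster in this thread) compares the channel each beacon advertises in its DS Parameter Set with the channel the sniffer was tuned to, derived from the radiotap frequency with the f(Ch) formula above. It assumes a capture with radiotap headers and the Wireshark field names shown in the comment; the sample lines and BSSIDs are constructed.

```python
from collections import Counter

# Expected input: one beacon per line, tab separated, as produced by e.g.
#   tshark -r capture.pcapng -Y "wlan.fc.type_subtype == 8" -T fields \
#          -e wlan.bssid -e radiotap.channel.freq -e wlan.ds.current_channel
# SAMPLE is constructed for illustration (capture.pcapng is a placeholder name).
SAMPLE = (
    "02:00:00:aa:bb:01\t2462\t11\n" * 3      # sniffer on ch 11, AP says ch 11
    + "02:00:00:aa:bb:01\t2457\t11\n"        # sniffer on ch 10, AP says ch 11
    + "02:00:00:aa:bb:02\t2437\t6\n" * 2     # sniffer on ch 6, AP says ch 6
    + "02:00:00:aa:bb:02\t2412\t6\n"         # sniffer on ch 1, AP says ch 6
    + "02:00:00:aa:bb:03\t2437\t\n"          # no DS Parameter Set: skipped
)

def freq_to_channel(freq_mhz):
    """Invert f(Ch) = 2407 + 5*Ch MHz (2.4 GHz channels 1-13 only)."""
    ch, rem = divmod(freq_mhz - 2407, 5)
    if rem or not 1 <= ch <= 13:
        raise ValueError(f"{freq_mhz} MHz is not a 2.4 GHz channel 1-13")
    return ch

def classify(text):
    """Count beacons per (BSSID, advertised channel, capture channel)."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
            continue  # malformed line or beacon without a DS Parameter Set
        try:
            sniff_ch = freq_to_channel(int(parts[1]))
        except ValueError:
            continue  # 5 GHz or channel 14: outside the formula's range
        counts[(parts[0], int(parts[2]), sniff_ch)] += 1
    return counts

def report(counts, max_bleed=2):
    """Label each group; max_bleed=2 is the ch-2..ch+2 range from the thread."""
    rows = []
    for (bssid, ap_ch, sniff_ch), n in sorted(counts.items()):
        offset = abs(sniff_ch - ap_ch)
        kind = ("on-channel" if offset == 0 else
                "adjacent-channel" if offset <= max_bleed else "outside +/-2")
        rows.append((bssid, ap_ch, sniff_ch, n, kind))
    return rows

if __name__ == "__main__":
    for row in report(classify(SAMPLE)):
        print(*row, sep="\t")
```

A BSSID whose advertised channel never changes while the capture channel does is one AP heard off-channel; a BSSID that advertises more than one channel is a different situation and worth a closer look.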
Hey! I found other people with the same problem here. Does someone know what's going on or how I can solve it? https://www.wireshark.org/lists/wireshark-users/200710/msg00141.html
The behaviour is normal for adjacent channels. But I would not expect to see an AP that is on channel 6 when you scan on channel 1.
Hi SamA, Are the APs configured to operate on non-overlapping channels? If you are unsure, can you post what channels each AP is configured.
Hi, Thanks for your answers. My AP is configured to operate only on channel 11 with 802.11n. Could it be that beacons are sent on secondary channels for backwards compatibility reasons (with 802.11b)? Will hard code it on 802.11b tonight and check again.
Aha! Some testing done. When I configure my AP to run on 802.11g or 802.11n only, no SSIDs are popping up on a secondary channel. But when I'm in 11b/g/n mode a beacon pops up on the SECONDARY channel. I don't know what this channel refers to. Have to check. Some of my neighbors' APs have SSIDs on adjacent channels though. This is interesting. If someone has an 802.11ac AP in the building I would die for a capture. Those are occupying 80 or 160 MHz and operate on several sub-channels. Should be beacons everywhere. If anyone has the chance, please provide a trace. I will try to find the reason for the extra beacons and post the answer here at some point. Thanks for all help and suggestions.