This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

AirPcapNX packet capture 802.11n at 2.4Ghz

0

I'm using AirPcapNX to sniff 2.4Ghz clients, dongle configured for channel 1,+1. (Channel 1 - 40Mhz)

Test is to sniff my connection while downloading a 2MB file with success from server to client.

Traffic from Client to AP:

  • Client connected at 130/195Mbps on channel 1 (as Christian_R noted, this is 20Mhz connection speed)
  • Management frames seen
  • 1700 packets data seen, mostly valid, all at 20Mhz (pure-g)

Traffic from AP to Client:

  • Management frames seen
  • 68 packets data seen, all with bad FCS, all pure-g

->I'm missing all data packets coming from the AP to my client. (2MB file download!)

My guess is that they're being sent over 40Mhz and AirPcap is missing them?

This work perfectly in 5Ghz, where with 36,+1, I see 802.11n packets when needed.

Anyone has tried AirPcapNX + 2.4Ghz + 802.11n ?

asked 05 May '15, 07:22

TomLaBaude's gravatar image

TomLaBaude
66171724
accept rate: 66%

edited 06 May '15, 10:36

  1. Is the AP configured for 40MHz channel bandwidth on channel 1 (2.4GHz)?

  2. Does your AP and client support LDPC coding at 2.4GHz? Does your WiFi adapter used for sniffing support LDPC coding?

(05 May '15, 07:29) Amato_C
  1. Yes definitely and my client is connected at 130Mbit/s in 802.11ng
  2. No idea, Wifi adapter is dongle AirPcapNX
(05 May '15, 07:33) TomLaBaude

Regarding #2 (LDPC coding).
1. Perform a WiFi capture between the AP and the client during the Association.
2. Make sure you have captured the Beacons and Association Response from the AP.
3. Make sure you have captured the Association Request from the client.
4. In the Association Request and Response, look for the HT Capabilities Information Element (ID = 45). Then open the HT Capabilities Info. 5. At the top you should see LDPC coding capability. 6. If this field = 1, the LDPC coding is supported. If 0, then no.

(05 May '15, 07:43) Amato_C

0 -> LDPC is not supported - What does this mean?

(05 May '15, 07:51) TomLaBaude

LDPC = Low Density Parity Check. On the hardware level, 802.11n packets are encoded using either Binary Convolutional Code (BCC) coding or Low Density Parity Check (LDPC) coding. BCC is the default coding method used by most older 802.11n devices. However, LDPC is an optional coding method supported by newer 802.11n devices. When a client associates to an AP, the HT Capabilities Info element in the association request and association response packets determine the use of one of the two coding methods. For example, if the default BCC mode is being used, the HT Capabilities Info contains the "HT LDPC coding capability: Transmitter does not support receiving LDPC coded packets" field. If the WLAN being monitored uses LDPC coding, your monitoring adapter must support LDPC coding too; otherwise, packets sent at HT rates in one or both directions will be missing or damaged.

Since your WLAN (AP and client) do not support LDPC, you do not have a hardware issue. Now we need to troubleshoot other issues.

What is the difference between the 5GHz WLAN and 2.4GHz WLAN? Same client? Same WiFi adapter used for monitoring? Same AP?

(05 May '15, 07:58) Amato_C

All the same, to me it's like if AirPcapNX doesn't support it, would be nice to have a confirmation of someone who have seen it

(05 May '15, 08:06) TomLaBaude
2

Maybe I am wrong. But I think, that when you see a Datarate of 130Mbit/s you have a Channelwidth of 20 MHz with 2 MIMOs.

(05 May '15, 15:10) Christian_R

@Christian_R = Good catch! 130Mbps data rate at 11n is indeed only available using a 20MHz channel.

@TomLaBaude = did you try performing the same capture using a 20MHz channel (i.e., no extension channel) on the AirPcap NX adapter in the 2.4GHz? Some wireless routers do not allow 40MHz channels in the 2.4GHz range

(05 May '15, 17:55) Amato_C

I've reformulated the question to be more clear with numbers.

@Christian_R = very good catch, client is connected at 130Mbps & 195Mbps which are 20Mhz connections But this is only informative in my case.

Why don't I see no valid data packets from AP to client?

(06 May '15, 10:39) TomLaBaude

I think what Amato_C wants to tell you is that you don´t need to confiure the channel 1+1 in the 2,4 GHz Band. You only need to configure Channel 1 because you use only the 20MHz Bandwidth.

In the 5 GHz you use a 40 MHz Bandwith which is mostly common and you need to define the capture with 36+1.

@Amato_C : Am I right so far? If I am not right, then I will delete this comment.

(06 May '15, 15:01) Christian_R

Actually I started sniffing on 1+0 at 20Mhz, seeing all these packets. Then on 1+1 as all data packets were missing from AP, and I haven't seen any difference.

I'd just need a confirmation from someone using AirPcap dongle as well that it might encounter problem to sniff 40Mhz in 2.4Ghz range. Or have to wait SharkFest to ask Riverbed's guys!

(06 May '15, 15:07) TomLaBaude

@Christian_R = Yes you are right.

@TomLaBaude = What if you connect the AirPcap NX adapter to an AP configured for 40MHz channel in 2.4GHz? I am not sure if the AirPcap NX will act as a normal WiFi station. The best scenario would be if you have another WiFi sniffer. Then you could examine the Probe Requests and Association Request from the AirPcap NX and determine if it supports 40MHz channel in 2.4GHz range (refer to the HT Information Element).

(06 May '15, 16:43) Amato_C

The AirPcapNX adapter is only a sniffer dongle, you can't use it as a wireless client, it even doesn't appear as a valid network interface in your network preferences.

(07 May '15, 04:05) TomLaBaude
showing 5 of 13 show 8 more comments

One Answer:

0

This connection was made with 20Mhz bandwidth, without Short Guard Interval nor Greenfield (as the beacons says).

But AirPcap only supports 2 spatial streams, and at 195Mbps the client is using 3 spatial streams, cf www.mcsindex.com

This missing spatial stream is the best guess to explain those missing data packets for the moment.

answered 14 May '15, 04:44

TomLaBaude's gravatar image

TomLaBaude
66171724
accept rate: 66%

Thought about it two days ago and came to the same comclusion in my mind.

(14 May '15, 10:43) Christian_R

If you are looking for a 3x3 WiFi adapter, check this out: http://www.sparklan.com/p2-products-detail.php?PKey=d5fd_dqbL2NKwu5b_JCPIM-ygiNu_Wl4Z7XxB9ot&WPEA-128N

I use it to capture WiFi traffic

(14 May '15, 12:35) Amato_C