Sunday, 3 November 2019

Wireshark Plugin To Capture Wireless Frames Using a WLANPi (Windows 10)

Want to be able to capture wireless frames via a WLANPi using just Wireshark on your Windows 10 machine? ...And be able to configure the capture configuration on the WLANPi using just Wireshark too?  Read on...



Earlier this year, I put out a command-line script called WLANPiShark that allowed Windows 10 users to configure a WLANPi and initiate a frame capture stream in to Wireshark. Though a little clunky, it worked quite reliably for most of the time and, judging by feedback I received, was quite popular.

As Windows users, we've always been the poor cousins to our Apple brethren who are able to use their Macbook to capture over the air using the internal NIC card of their Mac in monitor mode. Getting a low cost adapter that could be put in to monitor mode on a Windows machine was as rare as hen's teeth.

Having access to the WLANPi and being able to fire up WLANPiShark opened up wireless capturing to many folks who have to use Windows machines, but were unable to easily get a wireless capture (without investing in some quite expensive tools).

With the arrival of Wireshark 3.0.x, new options became available that allow us even better ways to capture in Windows using a WLANPi. SSHDump was a newly introduced package that allows a easy method of initiating an SSH session in to a remote device and firing up commands to initiate a tcpdump capture stream (in a far less clunky way that we did in WLANPiShark).

Adrian Granados kicked off a project called wlan-extcap on GitHub, based on a Python script, that leveraged the new SSHDump Wireshark package via a plugin that he created. It also added new functions directly it to the Wireshark GUI to allow configuration of a WLANPi (...yes, the guy's a genius coder!). The project was primarily aimed at Mac users, but could potentially be used by Windows users if they installed Python on their Windows machine.

Inspired by his amazing work on his project, I decided to take the principles of his project and write a similar utility written in native Windows batch-file format. This would allow Windows users to simply copy a batch file in to their Wireshark directory to obtain the same functions as Adrian's plugin and not have to worry about adding any supporting software packages.

The result is my own project called: wlan-extcap-win

Rather than documenting the plugin on my blog, I have created a fairly lengthy ReadMe on the GitHub site where the script has been developed so that you can download the script and give it a try.

I hope you find this just as much fun as WLANPiShark and even easier and more convenient to use.

References



Friday, 23 August 2019

Wireless Analysis Resources



Wireless traffic capture and analysis can be a tricky business and is often seen as something of a dark art to newcomers to the world of Wi-Fi. There are a huge variety of options when considering how to capture wireless traffic over the air, with many of the solutions being paid-for options that may be out of reach for many individuals.

Many people approaching wireless analysis may already be familiar with Wireshark, based on their previous experience on wired networks, where they may have used it for troubleshooting and analysis purposes.  They may wonder if they can use Wireshark for their initial foray into wireless analysis.  Using Wireshark for wireless capture and analysis on Wi-Fi networks can be a little tricky and presents the newcomer with a whole new slew of frame types to learn.

There are many good articles, videos and podcasts out there looking at wireless analysis, particularly if Wireshark is your tool of choice. I thought it would be good to pull them together in one place to make it easier for the newcomer to find the resources they may need. I've grouped together various resources below that will hopefully help those on their Wireshark/wireless analysis journey.

Please let me know if you have other resources that you find or have found useful yourself (wifinigel@gmail.com)

Wireless Capture:

Wireshark Customization:

Wireless Analysis Podcasts:

CWAP Study Notes:

Books:

Paid-for Online Training:

Online (Cloud) Capture Analysis Tools:




Tuesday, 11 June 2019

Metageek Wi-Spy Air Review

In this article, I take a look at the recently released Metageek “Wi-Spy Air” wireless analysis module and its accompanying “Air Viewer” smartphone application. Metageek supplied me with a beta unit a couple of months ago to help with some initial testing of the product. I’ll take a look at some of the features of the product, together with some observations of my testing of the product to date.

Fig 1: Spectrum Analysis in Air Viewer (Smartphone (Landscape)  Screenshot)

Background

Having the right tool for the job when supporting Wi-Fi networks is essential. Those tools may come in many shapes and sizes, with each having its place depending on the task at hand.

Whichever tool is chosen, it needs to be  “professional” grade to ensure it can provide the depth and quality of data required to support the mission critical infrastructures that Wi-Fi networks have become. To date, professional wireless tools for both IOS and Android smartphones have been thin on the ground (in my experience), with many being few low-grade applications that offer rudimentary Wi-Fi scanning capabilities. This is, in part, due to the lack of access to Wi-Fi related data being available to software developers on both platforms.

Given the fact that the majority of IT support staff will be equipped with a smartphone of some type, it makes a lot of sense to have an option that allows them to perform Wi-Fi network diagnostics using the smartphone in their pocket. Metageek have stepped in to this area of the market with their new Metageek “Wi-Spy Air” module and its accompanying “Air Viewer” smartphone application. The solution allows the Wi-Spy Air module to be plugged in to the smartphone lightning (Apple) connector or micro-USB (Android) connector and gather Wi-Fi “over-the-air” data, presenting it in the AirView smartphone app. And, by Wi-Fi data, we’re not talking just lightweight lists of SSIDs and signal level you might get off a freebie app store wireless scanner, this thing is pulling packets out of the air for analysis, as well as providing RF spectrum analysis data!

What Does The Wi-Spy Air Look Like?

Here’s a quick overview of the hardware: the Wi-Spy Air unit is a plastic moulded case with an external (detachable) antenna and a mini-USB connector to attach the cable that hooks up to the smartphone. A mini-USB to micro-USB cable is provided for Android phones/tablets, and a  mini-USB to Lightning connector for Apple phones/tablets.

The unit is self-powered by 4 x AA batteries, so that it won’t drain your phone battery. They probably account for around 50% of the unit’s size.

The images below provide an overview of the physical aspects of the Wi-Spy unit:

Fig 2: Wi-Spy Air Component Parts

Fig 3: Wi-Spy Air Battery Compartment

Fig 4: Wi-Spy Air Hooked Up To Android Phone (Samsung S7)

The Wi-Spy Air unit has no on/off switch, it simply needs to be connected to the smartphone to activate it. There is a red LED that illuminates on the unit to indicate it is active. On my Android phone, the Air Viewer app automatically launches as the Wi-Spy Air is plugged in to the phone (I have not tested the Apple version of the app).

What Does The Air Viewer App Look Like?

Once the Wi-Spy Air is connected to a smartphone the Air Viewer App provides visibility of the data it collects. The interface is simple to use and initially looks pretty much like your average Wi-Fi scanner app. But, don’t be fooled, it actually gives access to very detailed information about both wireless networks and clients. Due to the limited real-estate of the smartphone or tablet screen, it relies on scrolling and drilling down from screen to screen to reveal the true depths of detailed network data it collects. It took me some time to get used to using it as I’m so used to laptop-based apps, but I was impressed with the detailed data available once I started digging around and became familiar with the app navigation.

At the bottom of each screen is a navigation bar to access the 3 main app areas:

  • Networks : the Wi-Fi scanner (on steroids) showing SSID details
  • Channels: the spectrum analysis area (with network a details overlay if required)
  • Setup: stop/start, channel selection & scan rates

We’ll take a quick look at each of these areas below:

Networks

On the face of it, the “Networks” area is a simple Wi-Fi scanner application. It scans the bands configured in the “Settings” section (both 2.4 & 5GHz are supported) and shows the familiar channel occupancy of various SSIDs overlaid on each channel. However, thanks to the Wi-Spy Air module, this is far more sophisticated than a simple Wi-Fi scanning app. The Wi-Spy Air module performs the channel scanning, rather than relying on the Wi-Fi chipset of the phone. It has the capability to capture and decode 802.11 frames, which provides far deeper analysis capabilities than a simple smartphone scanner.

Scrolling down, an information panel for each SSID is shown, showing summary details for each one. By tapping the panel, all instances of the selected SSID are highlighted in the spectrum display - the example below shows my home SSID highlighted, with 3 BSSIDs shown:


Fig 5: Air Viewer > Networks tab with my home network selected

Each SSID allows a drill-down to reveal more detail about the underlying BSSIDs and clients. Drilling down into the SSID shown above reveals a wealth of information, including security methods, client counts, PHY types and BSSID summary information:

Fig 6: Air Viewer > Networks tab > drill down in to my home network

Fig 7: Air Viewer > Networks tab > scroll down to BSSID summary of home network

Drilling down in to one of the BSSIDs starts to show the real power of the app and the depth of the collected data.

In addition to the usual suspects of BSSID MAC, security method, channel details, PHY type etc., we also get access to data that relies on frame analysis. Details such as retry rates, channel utilization, client counts and even AP names are made available if present in the 802.11 beacon frames. The screenshot below shows the BSSID data available. It’s also good to see an SNR value shown - another value you won’t see in a standard scanner app:

Fig 8: Air Viewer > Networks tab > drill down in to BSSID

Once you’ve looked through the BSSID data, you can scroll down to see the clients that have been detected as associated with the BSSID. This is an amazing level of detail for a smartphone app, which, again, relies on the 802.11 frame decode capabilities that the Wi-Spy Air provides. A high level summary of the clients is initially shown, with the option to drill down. Note that this summary includes client utilization and retry information to highlight potential problem clients:

Fig 9: Air Viewer > Networks tab > drill down in to BSSID, scroll down to clients

Each client has the option to drill down even further to reveal client-specific detail including the AP it is connected to (if its name is broadcast by the AP), its signal level (observed from the Wi-SPy Air), manufacturer, phy type,  retry rate and utilization. A summary of the client’s roaming history is also shown by the Air Viewer app:

Fig 10: Air Viewer > Networks tab > drill down in to BSSID, drill down to specific client


Channels 

The “Channels” area of the app is where we see the spectrum analysis capabilities provided by the Wi-Spy Air. For those less familiar with spectrum analyser tools, the role of this tool is to report the levels of RF energy detected across the Wi-Fi bands. It’s job is not to collect and decode Wi-Fi (802.11 frames), but to detect raw RFenergy. This is the only way to detect if your Wi-Fi network is suffering interference from non-Wi-Fi RF sources, which can be very disruptive to Wi-Fi network performance.

A spectrum analyser is an essential tool for maintaining Wi-FI networks and definitely falls into the “professional level tool” category. This functionality is only provided by specialist wireless tools - the existing Metageek Chanalyzer/DB3 solution for Windows provides similar functionality.

When the “Channels” area is selected, the Wi-Spy Air scans the band selected to show the  RF energy levels across that band. Wi-Fi networks detected by Wi-Spy Air can be turned on or off as an overlay via the “Networks On” button. This can provide some context for the RF energy levels observed by the spectrum analysis scanning. The spectrum plot itself is shown as a spectrum density graph, with the colouration of the plot indicating the relative utilization level across each part of the band. As the level of RF airtime occupancy rises, the colours change from a “background/low ” level of purple through to green, yellow and red to indicate increasing density (and possibly interference for non-Wi-Fi sources).

The screenshot below shows the 2.4Ghz band with low levels of spectral activity and channel 6 highlighted in the networks overlay:

Fig 11: Air Viewer > Channels tab > select a specific channel (6)

To show the impact of an interfering device, I fired up a cheap 2.4Ghz video camera near to my laptop and the Wi-Spy Air. The resulting spectrum plot is shown in the screenshot below. Note the waveform with 3 peaks that indicates the area of 2.4Ghz affected by this interferer. Also, note the red colouration due to the high duty cycle of the interfering device. For anyone investigating wireless network issues, this would be invaluable information:

Fig 12: Air Viewer > Channels tab > video camera interferer

In addition to detecting interferers, a spectrum analyser may be used to indicate areas where Wi-Fi networks may be causing higher levels of spectrum utilization (which may be an indicator of capacity issues). In the next example, I associated my laptop with an AP on channel 11. The SSIDs on channel 11 are highlighted below by selecting the channel in Air Viewer:

Fig 13: Air Viewer > Channels tab > channel 11 selected to show SSIDs

Next, I fired up a speed test on my laptop to generate some Wi-Fi traffic on channel 11 and observed the change in spectral density on Air Viewer that was reported by the Wi-Spy Air. You can see the green and yellow colouration that resulted from the increase in traffic (and hence airtime/spectral density) on channel 11:

Fig 14: Air Viewer > Channels tab > client running a speedtest on channel 11

As well as the spectrum plots discussed above, it is also possible to observe much of the SSID/BSSID/Client information that is presented in the Networks section of the app. This is achieved by scrolling down to the channel summaries below the spectrum plots shown above.

Settings

The settings areas provides simple controls to allow control of channel scanning of Wi-Spy Air and adjustment of scan rates. A sample screenshot is shown below.

Fig 15: Air Viewer > Settings tab

Conclusion

I think I have been guilty of initially underestimating this product. My initial impressions were based on the (incorrect) assumption that it was similar to a basic Wi-Fi scanner app with maybe a little spectrum analysis thrown in for good measure. I’m also guilty of looking at this through the eyes of someone who has been a long-time user of a variety of laptop spectrum analyser tools, with their larger screen real-estate and a variety of supporting hardware platforms.

As I said at the beginning of this article, maintaining Wi-Fi networks requires professional level tools. This is a professional level tool. Metageek have succeeded in packing a lot of functionality in to a small package that provides the convenience of both detailed Wi-Fi network analysis, together with spectrum analysis, and making it available via a smartphone app.

In my opinion, the obvious sweet spot for this product is going to be for organizations who have technicians who need a device that can provide detailed diagnostic information in a small, convenient form factor. Obvious sectors would be service providers and large Enterprises who may have teams of technicians covering a number of technology areas who need to convenience of whipping out a small device from their toolbox and hooking it up to their phone to perform detailed wireless diagnostics.

I can also see the smaller form factor of the Wi-Spy Air being useful in some instances for Wi-Fi pros too. Occasionally, we all hit those instances where we have to travel uber-light, enter areas where laptops may not be allowed or just want to have a device to give to a colleague to “go get some data”. On those occasions, the Wi-Spy Air could be very useful.

Apart from the features I’ve seen and tested to date, I know that this is an evolving product. Given its already-impressive capabilities, I can imagine some exciting times ahead for this product. I would hope, at some stage, to see some type of reporting or data export capabilities, which raises all sorts of fascinating remote support options. Also, given the data that could be derived from the obvious frame capture capabilities of Wi-Spy Air, there is scope to provide even richer app information.

I think this tool is going to be well placed in a market segment that is almost certain to see continuing growth. I look forward to seeing the evolution of this innovation from Metageek.

References

List of references from this article & further reading:


Notes


  • The screenshots in this article were taken in May 2019 using a Samung S7 (Android) smartphone. The layout and content of the Air Viewer app is likely to change over time and between device types.
  • The review unit and application were provided to me free of charge by Metageek for support of their beta program. I have no commercial arrangement with Metageek for this article and am under no obligation to provide any opinions other than my own.