Friday, 23 August 2019

Wireless Analysis Resources

Wireless traffic capture and analysis can be a tricky business and is often seen as something of a dark art to newcomers to the world of Wi-Fi. There are a huge variety of options when considering how to capture wireless traffic over the air, with many of the solutions being paid-for options that may be out of reach for many individuals.

Many people approaching wireless analysis may already be familiar with Wireshark, based on their previous experience on wired networks, where they may have used it for troubleshooting and analysis purposes.  They may wonder if they can use Wireshark for their initial foray into wireless analysis.  Using Wireshark for wireless capture and analysis on Wi-Fi networks can be a little tricky and presents the newcomer with a whole new slew of frame types to learn.

There are many good articles, videos and podcasts out there looking at wireless analysis, particularly if Wireshark is your tool of choice. I thought it would be good to pull them together in one place to make it easier for the newcomer to find the resources they may need. I've grouped together various resources below that will hopefully help those on their Wireshark/wireless analysis journey.

Please let me know if you have other resources that you find or have found useful yourself (

Wireless Capture:

Wireshark Customization:

Wireless Analysis Podcasts:

CWAP Study Notes:


Paid-for Online Training:

Online (Cloud) Capture Analysis Tools:

Tuesday, 11 June 2019

Metageek Wi-Spy Air Review

In this article, I take a look at the recently released Metageek “Wi-Spy Air” wireless analysis module and its accompanying “Air Viewer” smartphone application. Metageek supplied me with a beta unit a couple of months ago to help with some initial testing of the product. I’ll take a look at some of the features of the product, together with some observations of my testing of the product to date.

Fig 1: Spectrum Analysis in Air Viewer (Smartphone (Landscape)  Screenshot)


Having the right tool for the job when supporting Wi-Fi networks is essential. Those tools may come in many shapes and sizes, with each having its place depending on the task at hand.

Whichever tool is chosen, it needs to be  “professional” grade to ensure it can provide the depth and quality of data required to support the mission critical infrastructures that Wi-Fi networks have become. To date, professional wireless tools for both IOS and Android smartphones have been thin on the ground (in my experience), with many being few low-grade applications that offer rudimentary Wi-Fi scanning capabilities. This is, in part, due to the lack of access to Wi-Fi related data being available to software developers on both platforms.

Given the fact that the majority of IT support staff will be equipped with a smartphone of some type, it makes a lot of sense to have an option that allows them to perform Wi-Fi network diagnostics using the smartphone in their pocket. Metageek have stepped in to this area of the market with their new Metageek “Wi-Spy Air” module and its accompanying “Air Viewer” smartphone application. The solution allows the Wi-Spy Air module to be plugged in to the smartphone lightning (Apple) connector or micro-USB (Android) connector and gather Wi-Fi “over-the-air” data, presenting it in the AirView smartphone app. And, by Wi-Fi data, we’re not talking just lightweight lists of SSIDs and signal level you might get off a freebie app store wireless scanner, this thing is pulling packets out of the air for analysis, as well as providing RF spectrum analysis data!

What Does The Wi-Spy Air Look Like?

Here’s a quick overview of the hardware: the Wi-Spy Air unit is a plastic moulded case with an external (detachable) antenna and a mini-USB connector to attach the cable that hooks up to the smartphone. A mini-USB to micro-USB cable is provided for Android phones/tablets, and a  mini-USB to Lightning connector for Apple phones/tablets.

The unit is self-powered by 4 x AA batteries, so that it won’t drain your phone battery. They probably account for around 50% of the unit’s size.

The images below provide an overview of the physical aspects of the Wi-Spy unit:

Fig 2: Wi-Spy Air Component Parts

Fig 3: Wi-Spy Air Battery Compartment

Fig 4: Wi-Spy Air Hooked Up To Android Phone (Samsung S7)

The Wi-Spy Air unit has no on/off switch, it simply needs to be connected to the smartphone to activate it. There is a red LED that illuminates on the unit to indicate it is active. On my Android phone, the Air Viewer app automatically launches as the Wi-Spy Air is plugged in to the phone (I have not tested the Apple version of the app).

What Does The Air Viewer App Look Like?

Once the Wi-Spy Air is connected to a smartphone the Air Viewer App provides visibility of the data it collects. The interface is simple to use and initially looks pretty much like your average Wi-Fi scanner app. But, don’t be fooled, it actually gives access to very detailed information about both wireless networks and clients. Due to the limited real-estate of the smartphone or tablet screen, it relies on scrolling and drilling down from screen to screen to reveal the true depths of detailed network data it collects. It took me some time to get used to using it as I’m so used to laptop-based apps, but I was impressed with the detailed data available once I started digging around and became familiar with the app navigation.

At the bottom of each screen is a navigation bar to access the 3 main app areas:

  • Networks : the Wi-Fi scanner (on steroids) showing SSID details
  • Channels: the spectrum analysis area (with network a details overlay if required)
  • Setup: stop/start, channel selection & scan rates

We’ll take a quick look at each of these areas below:


On the face of it, the “Networks” area is a simple Wi-Fi scanner application. It scans the bands configured in the “Settings” section (both 2.4 & 5GHz are supported) and shows the familiar channel occupancy of various SSIDs overlaid on each channel. However, thanks to the Wi-Spy Air module, this is far more sophisticated than a simple Wi-Fi scanning app. The Wi-Spy Air module performs the channel scanning, rather than relying on the Wi-Fi chipset of the phone. It has the capability to capture and decode 802.11 frames, which provides far deeper analysis capabilities than a simple smartphone scanner.

Scrolling down, an information panel for each SSID is shown, showing summary details for each one. By tapping the panel, all instances of the selected SSID are highlighted in the spectrum display - the example below shows my home SSID highlighted, with 3 BSSIDs shown:

Fig 5: Air Viewer > Networks tab with my home network selected

Each SSID allows a drill-down to reveal more detail about the underlying BSSIDs and clients. Drilling down into the SSID shown above reveals a wealth of information, including security methods, client counts, PHY types and BSSID summary information:

Fig 6: Air Viewer > Networks tab > drill down in to my home network

Fig 7: Air Viewer > Networks tab > scroll down to BSSID summary of home network

Drilling down in to one of the BSSIDs starts to show the real power of the app and the depth of the collected data.

In addition to the usual suspects of BSSID MAC, security method, channel details, PHY type etc., we also get access to data that relies on frame analysis. Details such as retry rates, channel utilization, client counts and even AP names are made available if present in the 802.11 beacon frames. The screenshot below shows the BSSID data available. It’s also good to see an SNR value shown - another value you won’t see in a standard scanner app:

Fig 8: Air Viewer > Networks tab > drill down in to BSSID

Once you’ve looked through the BSSID data, you can scroll down to see the clients that have been detected as associated with the BSSID. This is an amazing level of detail for a smartphone app, which, again, relies on the 802.11 frame decode capabilities that the Wi-Spy Air provides. A high level summary of the clients is initially shown, with the option to drill down. Note that this summary includes client utilization and retry information to highlight potential problem clients:

Fig 9: Air Viewer > Networks tab > drill down in to BSSID, scroll down to clients

Each client has the option to drill down even further to reveal client-specific detail including the AP it is connected to (if its name is broadcast by the AP), its signal level (observed from the Wi-SPy Air), manufacturer, phy type,  retry rate and utilization. A summary of the client’s roaming history is also shown by the Air Viewer app:

Fig 10: Air Viewer > Networks tab > drill down in to BSSID, drill down to specific client


The “Channels” area of the app is where we see the spectrum analysis capabilities provided by the Wi-Spy Air. For those less familiar with spectrum analyser tools, the role of this tool is to report the levels of RF energy detected across the Wi-Fi bands. It’s job is not to collect and decode Wi-Fi (802.11 frames), but to detect raw RFenergy. This is the only way to detect if your Wi-Fi network is suffering interference from non-Wi-Fi RF sources, which can be very disruptive to Wi-Fi network performance.

A spectrum analyser is an essential tool for maintaining Wi-FI networks and definitely falls into the “professional level tool” category. This functionality is only provided by specialist wireless tools - the existing Metageek Chanalyzer/DB3 solution for Windows provides similar functionality.

When the “Channels” area is selected, the Wi-Spy Air scans the band selected to show the  RF energy levels across that band. Wi-Fi networks detected by Wi-Spy Air can be turned on or off as an overlay via the “Networks On” button. This can provide some context for the RF energy levels observed by the spectrum analysis scanning. The spectrum plot itself is shown as a spectrum density graph, with the colouration of the plot indicating the relative utilization level across each part of the band. As the level of RF airtime occupancy rises, the colours change from a “background/low ” level of purple through to green, yellow and red to indicate increasing density (and possibly interference for non-Wi-Fi sources).

The screenshot below shows the 2.4Ghz band with low levels of spectral activity and channel 6 highlighted in the networks overlay:

Fig 11: Air Viewer > Channels tab > select a specific channel (6)

To show the impact of an interfering device, I fired up a cheap 2.4Ghz video camera near to my laptop and the Wi-Spy Air. The resulting spectrum plot is shown in the screenshot below. Note the waveform with 3 peaks that indicates the area of 2.4Ghz affected by this interferer. Also, note the red colouration due to the high duty cycle of the interfering device. For anyone investigating wireless network issues, this would be invaluable information:

Fig 12: Air Viewer > Channels tab > video camera interferer

In addition to detecting interferers, a spectrum analyser may be used to indicate areas where Wi-Fi networks may be causing higher levels of spectrum utilization (which may be an indicator of capacity issues). In the next example, I associated my laptop with an AP on channel 11. The SSIDs on channel 11 are highlighted below by selecting the channel in Air Viewer:

Fig 13: Air Viewer > Channels tab > channel 11 selected to show SSIDs

Next, I fired up a speed test on my laptop to generate some Wi-Fi traffic on channel 11 and observed the change in spectral density on Air Viewer that was reported by the Wi-Spy Air. You can see the green and yellow colouration that resulted from the increase in traffic (and hence airtime/spectral density) on channel 11:

Fig 14: Air Viewer > Channels tab > client running a speedtest on channel 11

As well as the spectrum plots discussed above, it is also possible to observe much of the SSID/BSSID/Client information that is presented in the Networks section of the app. This is achieved by scrolling down to the channel summaries below the spectrum plots shown above.


The settings areas provides simple controls to allow control of channel scanning of Wi-Spy Air and adjustment of scan rates. A sample screenshot is shown below.

Fig 15: Air Viewer > Settings tab


I think I have been guilty of initially underestimating this product. My initial impressions were based on the (incorrect) assumption that it was similar to a basic Wi-Fi scanner app with maybe a little spectrum analysis thrown in for good measure. I’m also guilty of looking at this through the eyes of someone who has been a long-time user of a variety of laptop spectrum analyser tools, with their larger screen real-estate and a variety of supporting hardware platforms.

As I said at the beginning of this article, maintaining Wi-Fi networks requires professional level tools. This is a professional level tool. Metageek have succeeded in packing a lot of functionality in to a small package that provides the convenience of both detailed Wi-Fi network analysis, together with spectrum analysis, and making it available via a smartphone app.

In my opinion, the obvious sweet spot for this product is going to be for organizations who have technicians who need a device that can provide detailed diagnostic information in a small, convenient form factor. Obvious sectors would be service providers and large Enterprises who may have teams of technicians covering a number of technology areas who need to convenience of whipping out a small device from their toolbox and hooking it up to their phone to perform detailed wireless diagnostics.

I can also see the smaller form factor of the Wi-Spy Air being useful in some instances for Wi-Fi pros too. Occasionally, we all hit those instances where we have to travel uber-light, enter areas where laptops may not be allowed or just want to have a device to give to a colleague to “go get some data”. On those occasions, the Wi-Spy Air could be very useful.

Apart from the features I’ve seen and tested to date, I know that this is an evolving product. Given its already-impressive capabilities, I can imagine some exciting times ahead for this product. I would hope, at some stage, to see some type of reporting or data export capabilities, which raises all sorts of fascinating remote support options. Also, given the data that could be derived from the obvious frame capture capabilities of Wi-Spy Air, there is scope to provide even richer app information.

I think this tool is going to be well placed in a market segment that is almost certain to see continuing growth. I look forward to seeing the evolution of this innovation from Metageek.


List of references from this article & further reading:


  • The screenshots in this article were taken in May 2019 using a Samung S7 (Android) smartphone. The layout and content of the Air Viewer app is likely to change over time and between device types.
  • The review unit and application were provided to me free of charge by Metageek for support of their beta program. I have no commercial arrangement with Metageek for this article and am under no obligation to provide any opinions other than my own.

Friday, 4 January 2019

The Windows WMM User Priority Issue - A Fix?

There is a known issue with Windows clients when it comes to marking applications for QoS over wireless. In short, even if a Windows client application is configured to use DSCP 46 (EF), for example to mark voice traffic, it will translate this over the air to to use a layer 2 UP value of 5, rather than 6. This means that it will end up in the Video WMM queue rather than the Voice queue that we’d like. This has an impact on traffic prioritization over the air and could have a negative impact on our high priority traffic. This has been an issue that people have just “lived with” for quite a while, but I suspect there is a solution to this issue. I’m “putting this out there” for feedback as I can’t find any information about others using this technique. I’d like feedback from my peers to understand if the approach is viable or anyone else has used/tried it


Generally in my articles, I like to provide plenty of background information about a topic to encourage others to research and learn. But, in this instance, I’ll get straight to the point as there is too much ground to cover. If you’d like to know more about this topic, then please have a look at the following references:

The issue is shown on slide 47 of the presentation from Cisco Live referenced above:

As you can see, Microsoft translate the 3 most significant bits of the DCSP value in to a UP value of 5, which means that packets that are correctly marked with DCSP for EF end up in the WMM video queue, rather than the voice queue. The slide below (also borrowed from the same presentation) demonstrates the point (hopefully my friends at Cisco will excuse this liberty I'm taking with their content):

This means that both voice and video traffic (marked with DSCP 46 and 34 respectively) end up in the same WMM queue over the air from the client to an access point. Ideally, we want traffic marked with DSCP 46 to end up in the WMM voice queue and traffic marked with DSCP 34 to end up in the WMM video queue. But, this doesn’t happen by default when assigning QoS marking via the group policy editor

QoS Marking Tests

Application Marking With Group Policy Editor

The traditional method of marking applications with QoS is to use the Windows group policy editor. I 'll run through a basic example to show the process and result. However, note that the settings shown are definitely not what you would use in production. I’ll mark all Skype traffic from my laptop to send with DSCP value 46. In the real world, voice, video signalling etc. would be marked individually, so don't take this as a config to use in the real world.

I’ll then make a test voice call and capture a data frame that contains a Skype packet. I’ll also use an open SSID so that we can see both layer 2 & layer 3 decodes.

Here is the policy in the Group Policy Editor, showing the QoS policy:

Here is the resulting Skype packet showing the layer 2 priority 5 marking, together with the layer 3 DSCP marked (as expected) with EF. As mentioned previously, note that the layer 2 marking is using UP 5, so will be using the video WMM queue over the air, rather than the voice WMM queue we’d like to use:

Application Marking With Powershell

Ok, now to get to point of this blog article…

If we repeat the previous exercise, but this time set the QoS policy via Powershell, we can actually specify the layer 2 QoS marking that we actually want (i.e. set it to 6).

This is achieved by using the command “New-NetQosPolicy” in a Powershell console on your Windows laptop. Note that you need to run the command in a Powershell console opened as an administrator.

Note that we have now removed our original QoS Policy applied via the  Group Policy Editor (see screenshot above)

Here is the syntax required, together with a screenshot of the command being applied in Powershell:

New-NetQosPolicy -Name "Skype" -AppPathNameMatchCondition "Skype.exe" -DSCPAction 46 -PriorityValue8021Action 6

One point to note here is that when applying policy by this method, it is not shown in the policy configuration of the Group Policy Editor.The only way to check the applied QoS policy is to the use the “Get-NetQosPolicy” in a Powershell console on the Windows machine.

Now, if we look at the Skype packets from my laptop during a test call, we see that layer 3 is still marked with EF, as expected, but layer 2 is now marked with UP 6. This means that our traffic will use the correct WMM queue (i.e. the voice queue) over the air.

Using the correct WMM queue will ensure that our voice traffic can leverage the additional advantage in ECDA that this provides, which could be quite important on a busy wireless network carrying a mix of voice, video & data.


OK, this seems to be a reasonable approach to technically achieve the desired outcome for improved QoS marking over the air for Microsoft Windows clients. However, I don’t see anyone recommending this approach…

So, my questions are:

  • Is this a valid approach? 
  • Has anyone else used this approach? 
  • What are the pitfalls of this approach (if any)? 
  • Are there any flaws in my logic here? It seem strange that I don't find any information anywhere about this

Just a couple of caveats:

  • I’ve only tried this on my personal WIndows 10 machine that runs Win 10 Pro 
  • I’ve no idea if this approach would be scalable or supportable in a large Enterprise environment
  • I’m not a Windows or AD “Expert”

Please...let me know your thoughts (comments section at the bottom of this blog page, or track me down on Twitter - @wifinigel)


List of references from article & further reading: