Analyzing and fixing Wi-Fi issues<br />
Cisco WLC tools and packet capture<br />
analysis techniques<br />
Jerome Henry, Technical Leader<br />
BRKEWN-3000
Agenda<br />
• Introduction:<br />
• WLC / AP Toolkit (wireshark, packet dump, sniffer mode)<br />
• Where to Capture, What to Capture (strategies for capturing from the cell)<br />
• Working with Wireshark (short Wireshark survival basics)<br />
• Statistical Analysis In Excel (use Excel to detect behavioral patterns and spot issues visually)<br />
• Conclusion<br />
Demo files are at:
Troubleshooting Methods
Troubleshooting Methods<br />
A troubleshooting method is a guiding principle that determines how you<br />
move through the phases of the troubleshooting process.<br />
BRKEWN-3000 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The “Shoot from the Hip” Method<br />
Quickly formulating a first hypothesis based on common problem causes<br />
and corresponding solutions can be very effective in the short run<br />
Divide and Conquer<br />
This method starts in the middle of the OSI model and moves up or down<br />
depending on results.<br />
Top Down Troubleshooting<br />
This method follows the layers of the OSI model starting from the Application<br />
Layer and moving down to the Physical Layer.<br />
Bottom Up Troubleshooting<br />
This method follows the layers of the OSI model starting from the Physical<br />
Layer and moving up to the Application Layer.<br />
Follow the Path<br />
Tracing the path of packets through the network eliminates irrelevant links<br />
and devices from the troubleshooting process.<br />
Where Are We Focusing?<br />
• This session focuses on the wireless space<br />
(Figure: the AP and its cell on one side; the WLC, the switch and the rest of the universe on the other)<br />
• You may have gotten there through any troubleshooting method.<br />
WLC / AP Toolkit
Capturing Traffic – CA Wireshark<br />
To Analyze what is Wrong in the Air, your First Step is to See the Air<br />
• On Converged Access Switches, you can Wireshark directly from the switch<br />
• A Wireshark capture is called a “capture point” (what packets to capture, where to<br />
capture them from, what to do with the captured packets, and when to stop).<br />
• Capture points may be modified after creation and do not become active until explicitly<br />
turned on via a separate ‘start’ command.<br />
• A Capture point uses an attachment point (a point in the logical packet process path<br />
with which a capture point is associated):<br />
Interface type: Capture Supported<br />
L2 port (physical port): Yes<br />
L3 port (routed/physical port): Yes<br />
VLAN: Yes<br />
L2 / L3 Etherchannel, Tunnels (GRE and others): No<br />
SVI: Yes<br />
CAPWAP tunnel: Yes<br />
Wireless Client: Yes (via CAPWAP tunnel)<br />
Wireless SSID: Yes (via CAPWAP tunnel)<br />
Wireshark on CA Logic<br />
1. To use Wireshark, you have to define:<br />
• The attachment point (where you want to capture from)<br />
• Optionally, a capture filter (what should be captured from that attachment point, called<br />
“core filter”)<br />
• When capturing wireless traffic from an AP, do not use core filter<br />
• You can use core filter to capture traffic from a specific client<br />
• A destination (where do you send the captured packets)<br />
2. You then start/stop the capture, only one capture at a time<br />
• You can add destinations there too<br />
• You can also use display filters if you send to the console<br />
3. Most of the time, you then use the capture in a PC Wireshark<br />
• You can then use display filter there as well<br />
Wireshark Configuration Command Structure<br />
3850-B#monitor capture ?<br />
WORD Name of the Capture<br />
3850-B#monitor capture mycap2 ?<br />
access-list access-list to be attached<br />
buffer Buffer options<br />
class-map class name to attached<br />
clear Clear Buffer<br />
control-plane Control Plane<br />
export Export Buffer<br />
file Associated file attributes<br />
interface Interface<br />
limit Limit Packets Captured<br />
match Describe filters inline<br />
start Enable Capture<br />
stop Disable Capture<br />
vlan Vlan<br />
Attachment point (interface, vlan, control-plane): pick one or more<br />
Core filter (access-list, class-map, match): pick one only<br />
Destination (buffer, file): pick one only (but start can add another one)<br />
Wireshark on CA – Example Wireless Capture<br />
Let’s try to Capture all Traffic From One AP<br />
3850-T#monitor capture mycap1 interface capwap 0 ?<br />
both Inbound and outbound packets<br />
in Inbound packets<br />
out Outbound packets<br />
3850-T#monitor capture mycap1 interface capwap 0 in<br />
(“in”: I just want to see what is received)<br />
3850-T#monitor capture mycap1 file location flash:mycap.pcap<br />
3850-T#monitor capture mycap1 file buffer-size 1<br />
(buffer-size is in MB, nice to have to limit flash overload)<br />
3850-T#monitor capture mycap1 start<br />
3850-T#<br />
*Nov 13 07:05:02.000: %BUFCAP-6-ENABLE: Capture Point mycap1 enabled.<br />
Wireshark on CA – Example Wireless Capture<br />
Let’s try to Capture all Traffic From One AP<br />
3850-T#show monitor capture mycap1 parameter<br />
monitor capture mycap1 interface capwap 0 in<br />
monitor capture mycap1 file location flash:mycap.pcap buffer-size 1<br />
3850-T#dir flash:<br />
Directory of flash:/<br />
…/…<br />
30979-rw- 32854 Jun 13 2016 07:10:24 +00:00 mycap.pcap<br />
3850-T#dir flash:<br />
Directory of flash:/<br />
…/…<br />
30979-rw- 52707 Jun 13 2016 07:12:51 +00:00 mycap.pcap<br />
(The file is growing = good!)<br />
3850-T#monitor capture mycap1 stop<br />
3850-T#<br />
*Apr 13 07:14:16.100: %BUFCAP-6-DISABLE: Capture Point mycap1 disabled.<br />
Wireshark on CA – Example Wireless Capture<br />
You can check the file from the Console, but export is usually better<br />
3850-T#show monitor capture file flash:/mycap.pcap ?<br />
brief brief display<br />
detailed detailed display<br />
display-filter Display filter<br />
dump Full hex dump<br />
| Output modifiers<br />
Just tell me what packets you saw:<br />
3850-T#show monitor capture file flash:/mycap.pcap brief<br />
1 0.000000 00:00:00:00:00:00 -> 64:d9:89:46:ba:80 IEEE 802.11 Probe Request, SN=0,<br />
FN=0, Flags=........<br />
2 5.053998 10.10.21.221 -> 10.10.21.2 DTLSv1.0 Application Data<br />
3 5.060010 10.10.21.221 -> 10.10.21.2 DTLSv1.0 Application Data<br />
4 5.064999 10.10.21.221 -> 10.10.21.2 DTLSv1.0 Application Data<br />
5 6.287995 00.00.26 -> 03.1a.f8 FC [Malformed Packet]<br />
6 7.000000 00:00:00:00:00:00 -> 64:d9:89:46:ba:80 IEEE 802.11 Probe Request, SN=0,<br />
FN=0, Flags=........<br />
Wireshark on CA – Example Wireless Capture<br />
You can check the file from the Console, but export is usually better<br />
3850-T#show monitor capture file flash:/mycap.pcap detailed<br />
(Packets in detail)<br />
Frame 1: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)<br />
Arrival Time: Jun 13 2016 07:05:04.053982000 UTC<br />
Epoch Time: 1415862304.053982000 seconds<br />
[Time delta from previous captured frame: 0.000000000 seconds]<br />
[Time delta from previous displayed frame: 0.000000000 seconds]<br />
[Time since reference or first frame: 0.000000000 seconds]<br />
Frame Number: 1<br />
Frame Length: 122 bytes (976 bits)<br />
Capture Length: 122 bytes (976 bits)<br />
[Frame is marked: False]<br />
[Frame is ignored: False]<br />
[Protocols in frame: eth:ip:udp:capwap:wlan]<br />
Ethernet II, Src: 44:d3:ca:42:59:61 (44:d3:ca:42:59:61), Dst: 68:bc:0c:5b:f4:68<br />
(68:bc:0c:5b:f4:68)<br />
Destination: 68:bc:0c:5b:f4:68 (68:bc:0c:5b:f4:68)<br />
Address: 68:bc:0c:5b:f4:68 (68:bc:0c:5b:f4:68)<br />
…/…<br />
Wireshark on CA – Example Wireless Capture<br />
When using the Console, Be Smart<br />
3850-T#show monitor capture file flash:/mycap.pcap detailed | section Frame 17<br />
Frame 17: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)<br />
Arrival Time: Jun 13 2016 07:05:48.552965000 UTC<br />
Epoch Time: 1415862348.552965000 seconds<br />
[Time delta from previous captured frame: 1.55602<strong>3000</strong> seconds]<br />
[Time delta from previous displayed frame: 1.55602<strong>3000</strong> seconds]<br />
[Time since reference or first frame: 44.49898<strong>3000</strong> seconds]<br />
Frame Number: 17<br />
Frame Length: 122 bytes (976 bits)<br />
…/…<br />
3850-T#show monitor capture file flash:/mycap.pcap detailed | count Probe<br />
Number of lines which match regexp = 208<br />
3850-T#show monitor capture file flash:/mycap.pcap brief | exclude DTLS<br />
1 0.000000 00:00:00:00:00:00 -> 64:d9:89:46:ba:80 IEEE 802.11 Probe Request, SN=0,<br />
FN=0, Flags=........<br />
6 7.000000 00:00:00:00:00:00 -> 64:d9:89:46:ba:80 IEEE 802.11 Probe Request, SN=0,<br />
FN=0, Flags=........<br />
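The brief listing above is what the switch console gives you; the same walk over the exported pcap is easy to script offline. What follows is an added example, not Cisco code and not part of this deck: it reads a classic pcap, peels the eth:ip:udp:capwap:wlan layering that the CA export carries (the "Protocols in frame" list from the detailed view), prints one summary line per packet, and reproduces the `| exclude DTLS` and `| count Probe` modifiers. The capture it parses is constructed inside the script (addresses, MACs and sequence numbers are illustrative), so it runs without flash:mycap.pcap.

```python
"""Offline version of `show monitor capture file ... brief | exclude DTLS` and `| count Probe`
for a CA Wireshark export. Added example, not Cisco code. The capture is constructed in-line:
two CAPWAP data packets carrying 802.11 probe requests and one DTLS record on the control port."""
import struct

CAPWAP_CTRL, CAPWAP_DATA = 5246, 5247      # UDP ports, RFC 5415
# (type, subtype) -> name; type 0 = management, 1 = control, 2 = data
SUBTYPE_NAMES = {(0, 0): "Association Request", (0, 4): "Probe Request", (0, 5): "Probe Response",
                 (0, 8): "Beacon", (0, 11): "Authentication", (1, 13): "Acknowledgement",
                 (2, 0): "Data", (2, 8): "QoS Data"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def pcap_packets(blob):
    """Yield (timestamp, bytes) from a classic little-endian pcap (magic a1b2c3d4)."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24                                   # skip the global header
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield sec + usec / 1e6, blob[off:off + caplen]
        off += caplen


def dot11_summary(f):
    """'src -> dst IEEE 802.11 <name>, SN=n' for a native 802.11 frame."""
    ftype, subtype = (f[0] >> 2) & 3, f[0] >> 4
    name = SUBTYPE_NAMES.get((ftype, subtype), f"type {ftype} subtype {subtype}")
    line = f"{mac(f[10:16])} -> {mac(f[4:10])} IEEE 802.11 {name}"
    if ftype != 1 and len(f) >= 24:            # control frames carry no sequence control
        line += f", SN={struct.unpack_from('<H', f, 22)[0] >> 4}"
    return line


def describe(pkt):
    """Peel eth:ip:udp:capwap:wlan (the layering of the CA export) into one summary line."""
    if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        return "non-IP"
    ip = 14
    ihl, proto = (pkt[ip] & 0x0F) * 4, pkt[ip + 9]
    src = ".".join(map(str, pkt[ip + 12:ip + 16]))
    dst = ".".join(map(str, pkt[ip + 16:ip + 20]))
    if proto != 17:
        return f"{src} -> {dst} IP proto {proto}"
    udp = ip + ihl
    sport, dport = struct.unpack_from("!HH", pkt, udp)
    p = pkt[udp + 8:]
    # control channel: 1-byte CAPWAP preamble (type 1 = DTLS) then a DTLS record (0x17 = app data)
    if CAPWAP_CTRL in (sport, dport) and p[:2] == b"\x01\x17":
        return f"{src} -> {dst} DTLSv1.0 Application Data"
    if CAPWAP_DATA in (sport, dport) and (p[0] & 0x0F) == 0:   # preamble type 0 = plain CAPWAP header
        hlen = (p[1] >> 3) * 4                 # HLEN in 4-byte words, counted from the preamble
        if p[2] & 0x01:                        # T bit: payload is a native 802.11 frame
            return dot11_summary(p[hlen:])
        return f"{src} -> {dst} CAPWAP data, {len(p) - hlen} bytes of 802.3 payload"
    return f"{src} -> {dst} UDP {sport} -> {dport}"


def brief(blob, exclude=None):
    """Numbered summary lines with relative time, like `show ... brief | exclude <word>`."""
    lines, t0 = [], None
    for n, (ts, pkt) in enumerate(pcap_packets(blob), 1):
        t0 = ts if t0 is None else t0
        line = f"{n} {ts - t0:.6f} {describe(pkt)}"
        if exclude is None or exclude not in line:
            lines.append(line)
    return lines


def count_matching(blob, word):
    """Like `| count <word>` over the brief output."""
    return sum(word in line for line in brief(blob))


# ---- constructed sample capture (illustrative addresses, not the deck's flash:mycap.pcap) ----
def udp_packet(src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # checksums left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + udp
    return bytes.fromhex("68bc0c5bf468") + bytes.fromhex("44d3ca425961") + b"\x08\x00" + ip


def capwap_probe_request(client, sn):
    hdr = bytes([0x00, 2 << 3, (1 << 1) | 1, 0]) + b"\x00" * 4   # HLEN=2 words, WBID=1 (802.11), T=1
    frame = (b"\x40\x00" + b"\x00\x00" + b"\xff" * 6 + client + b"\xff" * 6
             + struct.pack("<H", sn << 4) + b"\x00\x00")           # probe request, wildcard SSID IE
    return udp_packet("10.10.21.221", "10.10.21.2", 49152, CAPWAP_DATA, hdr + frame)


def build_pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)           # linktype 1 = Ethernet
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1465801504 + 5 * i, 0, len(pkt), len(pkt)) + pkt
    return out


CLIENT = bytes.fromhex("787e617600d3")
DTLS_RECORD = b"\x01" + b"\x17\xfe\xff" + b"\x00" * 8 + struct.pack("!H", 16) + b"\xaa" * 16
SAMPLE_PCAP = build_pcap([capwap_probe_request(CLIENT, 12),
                          udp_packet("10.10.21.221", "10.10.21.2", 49151, CAPWAP_CTRL, DTLS_RECORD),
                          capwap_probe_request(CLIENT, 13)])

if __name__ == "__main__":
    print("\n".join(brief(SAMPLE_PCAP, exclude="DTLS")))
    print("Probe lines:", count_matching(SAMPLE_PCAP, "Probe"))
```

Run it against a real export by replacing SAMPLE_PCAP with the bytes of the copied mycap.pcap; packets whose CAPWAP header has the T bit clear are reported as 802.3 payload rather than decoded, since the 802.11 header is not present in that mode.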
Wireshark on CA – Example Wireless Capture<br />
Using a PC is easier to decipher the capture<br />
3850-T#copy flash:mycap.pcap ?<br />
ftp:<br />
Copy to ftp: file system<br />
http:<br />
Copy to http: file system<br />
https:<br />
Copy to https: file system<br />
tftp:<br />
Copy to tftp: file system<br />
usbflash0: Copy to usbflash0: file system<br />
3850-T#copy flash:mycap.pcap usbflash0:mycap.pcap<br />
Destination filename [mycap.pcap]?<br />
Copy in progress...CC<br />
68174 bytes copied in 0.240 secs (284058 bytes/sec)....<br />
Wireshark on CA – Targeting a Client<br />
What if you Want Traffic Only from one Client?<br />
• Capture client VLAN, and filter the client MAC or IP<br />
3850-T(config)#mac access-list extended myclient<br />
3850-T(config-ext-macl)#permit host 44d3.ca42.5961 any<br />
3850-T(config-ext-macl)#end<br />
3850-T#monitor capture mycap1 access-list myclient<br />
(Figure: the AP is in VLAN 21 at 10.10.21.202; the client is 10.10.23.21, MAC 44:d3:ca:42:59:61)<br />
• Note that “permit host 44d3.ca42.5961 any” only matches frames sourced by that MAC; add a second entry with the client MAC as destination if you need both directions<br />
Packet Capture on AireOS<br />
You can Also Packet Dump on AireOS<br />
(Cisco Controller) >config ap packet-dump ?<br />
buffer-size Set Buffer Size for Packet Capture<br />
capture-time Set Time for Packet Capture<br />
classifier Set Classifiers for Packet capture<br />
ftp Set FTP parameters for Packet Capture<br />
start Start Packet Capture at AP<br />
stop Stop Packet Capture<br />
truncate Set Packet Length after Truncating<br />
• By the way, this command is also available on IOS-XE…<br />
3850-T#ap name AP44d3.ca42.5961 packet-dump ?<br />
start Start packet capture at AP<br />
stop Stop packet capture at AP<br />
3850-T#ap name AP44d3.ca42.5961 packet-dump start ?<br />
H.H.H Set client MAC address for packet capture<br />
Packet Dump vs Wireshark Capture<br />
• Wireshark is a Sniffer mode<br />
• Captures everything about an AP or a client<br />
• Packet Dump is a targeted troubleshooting tool<br />
• You have to choose what type of traffic is faulty and needs capturing<br />
• Very useful if you want to focus on one specific type of issues<br />
• Less useful if you want a global view of the Air<br />
Packet Dump Notes and Gotchas<br />
• The AP still services clients normally (0 impact), but also dumps targeted traffic<br />
to a FTP server<br />
• Target can be ONLY ONE client at a time<br />
• Packets are captured and dumped in the order of arrival or transmit of packets<br />
except for beacons and probe responses.<br />
• If FTP transfer time is slower than the packet rate, some of the packets do not appear in the<br />
capture file.<br />
• If the buffer does not contain any packets, a known dummy packet is dumped to keep the<br />
connection alive.<br />
• A file is created on the FTP server for each AP based on unique AP and controller name and<br />
timestamp. Ensure that the FTP server is reachable by the AP.<br />
• If the FTP transfer fails or FTP connection is lost during packet capture, the AP stops<br />
capturing packets, notifies with an error message and SNMP trap, and a new FTP connection<br />
is established.<br />
Using Packet Dump<br />
• Before starting the dump, you need to define dump parameters:<br />
(Cisco Controller) >config ap packet-dump ftp serverip 172.29.129.56 path / username<br />
cisco password cisco<br />
• FTP is cleartext: the credentials and the captured frames cross the network unencrypted, so use a dedicated throwaway account on a server that holds nothing else<br />
(Cisco Controller) >config ap packet-dump classifier ?<br />
arp Capture ARP Packets<br />
broadcast Capture Broadcast Packets<br />
control Capture 802.11 Control Packets<br />
data Capture 802.11 Data Packets<br />
dot1x Capture Dot1x Packets<br />
iapp Capture IAPP Packets<br />
ip Capture IP Packets<br />
management Capture 802.11 Management Packets<br />
multicast Capture Multicast Packets<br />
tcp Capture TCP packets<br />
udp Capture UDP packets<br />
Using Packet Dump<br />
• Before starting the dump, you need to define dump parameters:<br />
(Cisco Controller) >config ap packet-dump classifier management enable<br />
(Cisco Controller) >config ap packet-dump classifier broadcast enable<br />
(Cisco Controller) >config ap packet-dump buffer-size ?<br />
Size of Buffer (1024 - 4096)<br />
(Cisco Controller) >config ap packet-dump buffer-size 1024<br />
(Cisco Controller) >config ap packet-dump capture-time ?<br />
Time in for Packet Capture (1 - 60 Minutes)<br />
(Cisco Controller) >config ap packet-dump capture-time 3<br />
(Buffer size and capture time are useful to avoid clogging, but optional)<br />
(Cisco Controller) >config ap packet-dump truncate ?<br />
Length of Packet after Truncation (20 - 1500)<br />
(Truncate to capture only headers)<br />
Using Packet Dump<br />
• Check where you are, and get ready to start:<br />
(Cisco Controller) >show ap packet-dump status<br />
Packet Capture Status............................ Stopped<br />
FTP Server IP Address............................ 172.29.129.56<br />
FTP Server Path.................................. /<br />
FTP Server Username.............................. cisco<br />
FTP Server Password.............................. ********<br />
Buffer Size for Capture.......................... 1024 KB<br />
Packet Capture Time.............................. 3 Minutes<br />
Packet Truncate Length........................... Unspecified<br />
Packet Capture Classifier........................ 802.11 Management<br />
Packet Capture Classifier........................ Broadcast<br />
Using Packet Dump<br />
• Start the capture<br />
(Cisco Controller) >config ap packet-dump start ?<br />
Set Client Mac Address for Packet Capture<br />
(Cisco Controller) >config ap packet-dump start 78:7e:61:76:00:d3 ?<br />
Enter the name of the Cisco AP.<br />
(Cisco Controller) >config ap packet-dump start 78:7e:61:76:00:d3 APa80c.0dd2.218c<br />
Client Mac Address............................... 78:7e:61:76:00:d3<br />
FTP Server IP.................................... 172.29.129.56<br />
FTP Server Path.................................. /<br />
FTP Server Username.............................. cisco<br />
Buffer Size for Capture.......................... 1024 KB<br />
Packet Capture Time.............................. 3 Minutes<br />
Packet Truncate Length........................... Unspecified<br />
Packet Capture Classifier........................ 802.11 Management<br />
Packet Capture Classifier........................ 802.11 Broadcast<br />
Are you sure you want to start capture ? (y/N) y<br />
Using Packet Dump<br />
• You can also follow the capture from the WLC CLI:<br />
(Cisco Controller) >debug ap packet-dump enable<br />
Configures debug of AP Packet capture<br />
spamReceiveTask: Jan 01 16:01:51.606: Packet Capture - Intra Roam from AP<br />
a8:0c:0d:db:ce:f0 to Ap a8:0c:0d:db:ce:f0 numSlots 2<br />
*spamReceiveTask: Jan 01 16:01:51.606: Found prev_radId as 5<br />
*spamReceiveTask: Jan 01 16:01:51.606: Packet Dump, Roam to same AP<br />
*osapiBsnTimer: Jan 01 16:02:01.874: Encode AP Packet Dump payload in a buffer<br />
*osapiBsnTimer: Jan 01 16:02:01.875: Capwap message to AP a8:0c:0d:db:ce:f0 for Packet<br />
capture<br />
*osapiBsnTimer: Jan 01 16:02:01.875: Encode AP Packet Dump payload in a buffer<br />
*osapiBsnTimer: Jan 01 16:02:01.875: Capwap message to AP a8:0c:0d:db:ce:f0 for Packet<br />
capture<br />
Using Packet Dump<br />
• The captures are then pcap files in your FTP server:<br />
Client Troubleshooting – WLC Dashboard<br />
(Figure: the client troubleshooting dashboard offers a Ping Test, a Connection Test, Packet Capture and the Event Log)<br />
Client Troubleshooting – Packet Capture<br />
• 802.11 packet capture tool for administrators and TAC<br />
• Previously only available in the CLI<br />
• Enabled per client (1 session max)<br />
• Capture times 1 – 60 minutes (default 10 minutes)<br />
• 802.11 and Protocol based capture filters<br />
• Packet captures are streamed to a FTP server in .pcap format for offline analysis<br />
• Capture files are automatically named per AP from the AP name, controller name and timestamp (see the packet dump notes above)<br />
Dashboard fields:<br />
AP NAME: the name of the AP the client is currently connected to.<br />
FTP SERVER: the FTP server IP address, credentials and path where the .pcap files are uploaded.<br />
CAPTURE CONTROLS: starts and stops the packet capture.<br />
CAPTURE DURATION: the amount of time in minutes (1-60) the packet capture is to run. 10 minute default.<br />
CAPTURE FILTERS: select one or more capture filters depending on the packet types you wish to capture.<br />
CAPTURE STATUS: the current state of the packet capture session.<br />
AP in Sniffer Mode<br />
• You can also set the AP to sniffer mode:<br />
• Capture specific channel<br />
• And send (live) this traffic to an IP address, where you run Omnipeek or Wireshark<br />
AP in Sniffer Mode Logic<br />
(Figure: an AP in Sniffer Mode on channel 36 next to an AP in Local Mode; the sniffer AP’s collected data goes to a PC running Wireshark or OmniPeek software, the local mode AP’s collected data goes to the controller)<br />
The remote analysis PC must be reachable via IP from the management interface of the controller.<br />
AP Sniffer Mode Configuration<br />
• Once the AP is in Sniffer Mode, set the channel to capture, and the destination<br />
address:<br />
3850-T#ap name AP44d3.ca42.5961 sniff dot11a 48 172.29.129.56<br />
AP in Sniffer Mode<br />
Meanwhile, in your remote PC:<br />
• Select the interface packets will be coming through (can be wired or wireless)<br />
• Apply a capture filter to only get traffic from the AP (source port is UDP 5555, destination port UDP 5000)<br />
AP in Sniffer Mode<br />
Meanwhile, in your remote PC:<br />
• Right click any packet, choose Decode As… and decode the UDP port 5000 traffic as PEEKREMOTE<br />
• You can now see the 802.11 part:<br />
Sniffer Mode vs Packet Dump vs CLI Wireshark<br />
Which one to Use<br />
• Use Packet dump to target a specific issue that you identified clearly<br />
• E.g. client does not get an IP<br />
• Do not use packet dump for “Wi-Fi does not work well” kind of issue<br />
• CLI Wireshark captures all traffic from the AP<br />
• Including CAPWAP traffic, on all radios<br />
• Nice to have a view “from the AP vantage point”<br />
• Both CLI Wireshark and Packet dump miss a critical element: the radiotap<br />
header<br />
• Sniffer mode has a form of radiotap information<br />
Radiotap Header<br />
All the RF side of your captured frame (RSSI, noise, channel, data rate, timestamp, etc.)<br />
Where to Capture, What<br />
to Capture, if you Have a<br />
Choice
Where Should You Capture From Anyway?<br />
1. Sniffer AP:<br />
Pro: you can be remote!<br />
Cons: you may not hear client 3, and maybe not AP 4 very well…<br />
2. Packet dump/CA Wireshark:<br />
Pro: you can be remote!<br />
Cons: no radiotap, only partial view<br />
3. Next to client:<br />
Pro: you see what the client sees!<br />
Con: you may not see traffic from the other side of the cell<br />
4. Next to AP:<br />
Pro: you have a central view of the cell<br />
Con: you may not see the client RF environment details<br />
(Figure: the four capture positions around the AP: 1 sniffer AP, 2 Wireshark CLI / packet dump, 3 next to the client, 4 next to the AP)<br />
Keep in mind that your Wireshark laptop RF Rx are different from other clients’<br />
Capture Point and Receive Range<br />
(Figure: a sender with STA 1 inside the coverage threshold for the chosen rate and STA 2 between that threshold and the interference threshold)<br />
• STA 1, above coverage threshold for chosen rate:<br />
• Station can read frames<br />
• Duration field reduces collisions with stations in the same area<br />
• STA 2, outside coverage area for that rate, above interference threshold:<br />
• Can see frames, but can’t read them<br />
• Increased possibility of data corruption and collisions<br />
Receiving L2 vs Receiving L1<br />
• To help “out of range” stations, the frame also has a physical header, always sent at lowest speed (6 Mbps in 5 GHz, 1 Mbps or 6 Mbps in 2.4 GHz)<br />
PMD / PLCP header (bits): Preamble | Rate 4 | Reserved 1 | Length 12 | Parity 1 | Tail 6 | Service 16<br />
MAC frame (bytes): Frame Control 2 | Duration 2 | RA 6 | TA 6 | DA 6 | Seq. Control 2 | SA 6 | QoS Control 2 | Payload variable | FCS 4<br />
Beyond Receiving Range<br />
(Figure: the sender surrounded by the coverage threshold for the chosen rate, the interference threshold and the physical carrier sensing threshold, with STA 1 to STA 4 at different positions across them)<br />
• STA 3, below interference threshold, above PCS threshold:<br />
• Can detect energy, but can’t read frames (physical or MAC header)<br />
• Potential for collisions with closeby stations in the cell<br />
• STA 4, outside coverage area for that rate, above interference threshold:<br />
• Can see frames, but can’t read them<br />
• Increased possibility of data corruption and collisions<br />
What to Verify<br />
• Connection: association / authentication<br />
• Communication: beyond L2 tests (e.g. DHCP, IP reachability, application<br />
reachability)<br />
• Throughput test (how much TCP / UDP bandwidth do you get upstream,<br />
downstream, to/from one station)<br />
• Load test (how many stations, max bandwidth with station overload)<br />
• Specific Application test<br />
• Roaming test<br />
Communication Test<br />
• Sometimes, a device reports “connected” but in fact fails to communicate:<br />
(Figure: Authentication Request, Authentication Response, Association Request and Association Response all succeed, so client abc reports status “associated”, yet the 4-message exchange FAILED)<br />
• Test “past Layer 2” communication: DHCP or other upper Layer<br />
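A capture makes this failure visible: the management exchange completes, then the EAPOL-Key messages stop. The script below is an added example, not Cisco code and not from this deck: it replays native 802.11 frames (what a sniffer-mode or AirPcap capture gives you once the radiotap header is stripped), keeps one state record per client MAC, and reports the clients that received an association response but never sent message 4 of the 4-way handshake. The BSSID, client MACs and frames are constructed for the example; the Key Information bit tests (Key ACK, Key MIC, Install, Secure) are the standard 802.11 ones.

```python
"""Find clients that reached "associated" but never completed the 4-way handshake.
Added example, not Cisco code. Frames below are constructed: client A completes
EAPOL-Key messages 1-4, client B only ever receives retries of message 1."""
import struct

BSSID = bytes.fromhex("64d98946ba80")                 # AP BSSID seen in the brief output earlier
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")    # LLC/SNAP header for EtherType 0x888E


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def eapol_key_message(key_info):
    """Classify a pairwise EAPOL-Key frame as message 1-4 from its Key Information bits."""
    install, ack, mic, secure = key_info & 0x40, key_info & 0x80, key_info & 0x100, key_info & 0x200
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:
        return 4 if secure else 2
    return None


def track(frames, bssid=BSSID):
    """Replay frames in capture order; return {client_mac: state}."""
    clients = {}
    for f in frames:
        if len(f) < 24:
            continue
        ftype, subtype = (f[0] >> 2) & 3, f[0] >> 4
        if ftype == 1:                              # control frames carry no association state
            continue
        addr1, addr2 = f[4:10], f[10:16]
        if bssid not in (addr1, addr2):             # another BSS
            continue
        client = addr2 if addr1 == bssid else addr1
        st = clients.setdefault(mac(client), {"status": "idle", "eapol": []})
        if ftype == 0:                              # management
            if subtype == 11:
                st["status"] = "authenticated"
            elif subtype in (1, 3) and addr2 == bssid:   # (re)association response from the AP
                st["status"] = "associated"
            elif subtype in (10, 12):               # disassociation / deauthentication
                st["status"], st["eapol"] = "disconnected", []
        elif ftype == 2:                            # data: look for EAPOL-Key
            body = f[26 if subtype & 0x8 else 24:]  # QoS data adds a 2-byte QoS Control field
            if body[:8] == LLC_SNAP_EAPOL and len(body) >= 15 and body[9] == 3:   # EAPOL type 3 = Key
                msg = eapol_key_message(struct.unpack_from("!H", body, 13)[0])
                if msg:
                    st["eapol"].append(msg)
                if msg == 4:
                    st["status"] = "4-way complete"
    return clients


def stuck_clients(frames, bssid=BSSID):
    """Clients that saw an association response but never got past it (no message 4)."""
    return sorted(m for m, st in track(frames, bssid).items() if st["status"] == "associated")


# ---- constructed frames ----
def mgmt(subtype, dst, src):
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + BSSID + b"\x00\x00"


def eapol_key(client, to_ap, key_info):
    """Plain data frame carrying a minimal EAPOL-Key body (95 bytes, other fields zeroed)."""
    flags = 0x01 if to_ap else 0x02                 # To-DS from the client, From-DS from the AP
    a1, a2 = (BSSID, client) if to_ap else (client, BSSID)
    key = bytes([2]) + struct.pack("!H", key_info) + b"\x00" * 92   # descriptor type 2 = RSN
    eapol = bytes([2, 3]) + struct.pack("!H", len(key)) + key       # EAPOL v2, type 3 = Key
    return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + BSSID + b"\x00\x00" + LLC_SNAP_EAPOL + eapol


CLIENT_A, CLIENT_B = bytes.fromhex("787e617600d3"), bytes.fromhex("44d3ca425961")
M1, M2, M3, M4 = 0x008A, 0x010A, 0x13CA, 0x030A     # Key Information values (pairwise, AES)
SAMPLE_FRAMES = [
    mgmt(11, BSSID, CLIENT_A), mgmt(11, CLIENT_A, BSSID),       # authentication
    mgmt(0, BSSID, CLIENT_A), mgmt(1, CLIENT_A, BSSID),         # association request / response
    eapol_key(CLIENT_A, False, M1), eapol_key(CLIENT_A, True, M2),
    eapol_key(CLIENT_A, False, M3), eapol_key(CLIENT_A, True, M4),
    mgmt(11, BSSID, CLIENT_B), mgmt(11, CLIENT_B, BSSID),
    mgmt(0, BSSID, CLIENT_B), mgmt(1, CLIENT_B, BSSID),
    eapol_key(CLIENT_B, False, M1), eapol_key(CLIENT_B, False, M1),   # M1 retried, no M2 ever comes
    eapol_key(CLIENT_B, False, M1),
]

if __name__ == "__main__":
    for m, st in track(SAMPLE_FRAMES).items():
        print(m, st["status"], st["eapol"])
    print("stuck:", stuck_clients(SAMPLE_FRAMES))
```

A client whose record shows repeated message 1 and nothing else is the classic wrong-PSK or broken-supplicant case; one that completes the handshake but still cannot communicate is the cue to look at DHCP and above, as the slide suggests.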
Individual Client Throughput Test<br />
• Test speed at various distances<br />
• Start with one typical client, target most demanding application<br />
• Use short distance to the AP as max speed reference<br />
• Check as you move away that:<br />
• Roaming path does not show unexpected losses<br />
• Cell edge offers the performances you anticipated<br />
• Roaming offers the performances you anticipated<br />
(Figure: data rate falling from 65 Mbps close to the AP to 6 Mbps further away)<br />
Cell Load Test<br />
• Once you have tested one client at a given position, test many clients at the same distance<br />
• Make sure to position clients in various directions (without obstacles)<br />
• Check how performance degrades as you add clients<br />
• Degradation should be linear if clients and applications are the same<br />
Load Test – Impact of Different Clients<br />
• Suppose client 1 is 40 MHz, 2SS, max rate 270 Mbps<br />
• Max expected throughput may be around 45 % -> 122 Mbps<br />
• Suppose client 2 is 20 MHz, 1 SS, max rate 65 Mbps<br />
• Max expected throughput may be around 45% -> 30 Mbps<br />
• What is the impact of adding client 2 to client 1 cell? Too complicated to assess easily!<br />
• If each client uses half of the cell time, throughput falls from 122 Mbps with client 1 alone to 61 Mbps (122 / 2) and 15 Mbps (30 / 2) respectively, total 76 Mbps<br />
• But any variation in individual client cell time will rock this number widely!<br />
• Try to use consistent clients and applications for the load test<br />
Roaming Test<br />
• Try to roam: start from one AP, make sure you have target application upstream/downstream traffic, move at steady pace to next AP<br />
• Allows you to check initial association, handover and RF conditions on roaming path<br />
Cell Shape and Roaming Path<br />
• Remember that cells are not circles<br />
• Test along the expected roaming paths<br />
• When testing individual cell<br />
performances, take the radiation pattern<br />
into account<br />
Cisco 3700i cell view in Ekahau<br />
Getting Comfortable with<br />
Wireshark
Wireshark Survival Guide<br />
Direct Capture<br />
• On Windows, deep interaction between application and card is usually impossible<br />
• You need a specific card (e.g. AirPcap Nx card)<br />
• On Linux, depends on the card chipset vendor<br />
• On most Macs, possible with the internal card<br />
• On Android, very limited solutions (need to root, hardware support limitations)<br />
• Let’s focus on Windows<br />
Wireshark Survival Guide<br />
Frame Sections<br />
1. Frame details (size, time of arrival etc.)<br />
2. Radiotap: radio characteristics of frame reception (RSSI, data rate etc.)<br />
3. 802.11 MAC details<br />
4. Upper Layers<br />
Wireshark Survival Guide<br />
Sorting Frames – Coloring<br />
• “Colorize Conversation” only works for upper Layers (3 and up), which implies an open WLAN (or frames Wireshark can decrypt)<br />
• Not applicable for pure L2 802.11 frames (RTS/CTS, ACKs etc.)<br />
Wireshark Survival Guide<br />
Sorting Frames – Coloring<br />
• Use Coloring<br />
Rules to easily<br />
spot frames of<br />
interest (e.g.<br />
probes)<br />
Wireshark Survival Guide<br />
Sorting Frames – Columns<br />
• Add / Hide<br />
columns to only<br />
show what<br />
matters<br />
• Typically: add<br />
RSSI, SNR,<br />
channel,<br />
DSCP/UP<br />
Right click any field of interest<br />
Wireshark Survival Guide<br />
Sorting Frames – Move, Rename, Delete, Sort Columns<br />
Right click<br />
Wireshark Survival Guide<br />
Filtering -Capture Filter vs Display Filter<br />
• Capture filters limit the number of frames you collect<br />
• Pro: limits capture file size<br />
• Con: limited filtering possibilities, and you can’t account for frames you did not capture<br />
• Display filters limit the frames you see and work from<br />
• Pro: large filtering capabilities<br />
• Con: capture files can be large<br />
• E.g. a 5 minute capture in a busy hotspot…<br />
> 1 million frames in 5 minutes<br />
Wireshark Survival Guide<br />
Filtering - Capture Filters<br />
• Some useful Capture filters:<br />
• Target MAC: host, wlan src, wlan dst<br />
• FC type: mgt, ctl, data<br />
• FC subtype: [assocreq, assocresp, reassocreq, reassocresp, probereq, proberesp, beacon, atim, disassoc,<br />
auth, deauth], [ps-poll, rts, cts, ack, cf-end, cf-end-ack], [data, data-cf-ack, data-cf-poll, data-cf-ack-poll,<br />
null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll,<br />
qos-cf-ack-poll]<br />
• Examples:<br />
• Capture only management frames<br />
• Capture everything except some control frames:<br />
• Probes to and from a target host:<br />
• Association requests/responses, reassociation requests/responses, disassociation and (de)authentication<br />
frames and all eapols:<br />
Wireshark Survival Guide<br />
Filtering - Display Filters<br />
• Easiest way is to use a frame: right click any field<br />
• “Apply as Filter” fills the filter field and applies it<br />
• “Prepare a Filter” fills the filter field but does not apply it (so you can edit)<br />
Wireshark Survival Guide<br />
Filtering - Display Filters<br />
• Create your own, or call back a previously used filter:<br />
For 802.11, you want to look at:<br />
• 802.11 Radiotap<br />
• 802.11 RSNA EAPOL (security exchanges)<br />
• CAPWAP (when on wire)<br />
• IEEE 802.11 (Aggregate, MGT)<br />
• WPS<br />
Wireshark will tell you if the filter is correct:<br />
Wireshark Survival Guide<br />
Filtering - Capture Filters – some common values<br />
Capture type: Filter<br />
Only beacons: wlan[0] == 0x80<br />
No beacons: wlan[0] != 0x80<br />
Only traffic to/from aa:bb:cc:dd:ee:ff: wlan host aa:bb:cc:dd:ee:ff<br />
Only traffic from aa:bb:cc:dd:ee:ff: src host aa:bb:cc:dd:ee:ff<br />
(Only traffic to aa:bb:cc:dd:ee:ff): (dst host aa:bb:cc:dd:ee:ff)<br />
[Anything except the above]: [not wlan host aa:bb:cc:dd:ee:ff]<br />
IP host 1.2.3.4 (to/from 1.2.3.4): host 1.2.3.4 (src host 1.2.3.4 / dst host 1.2.3.4)<br />
IP network 1.2.3.0/24: net 1.2.3.0/24<br />
Frame types (wlan.fc.type_subtype values, in decimal):<br />
Association request (0), association response (1), reassociation request (2), reassociation response (3),<br />
Authentication (11), Disassociation (10), deauthentication (12)<br />
Probe request (4), probe response (5)<br />
RTS (27), CTS (28), ACK (29), NULL frame (36), QoS Null (44), action (13)<br />
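The frame-type numbers above are the values Wireshark accepts for wlan.fc.type_subtype, and the beacon check wlan[0] == 0x80 works on the raw first byte of the Frame Control field. The decoder below is an added example, not code from the deck: it shows how both values are built from the 2-bit type and 4-bit subtype of that field, and it also extracts the Retry and Protected flags from the second byte (the flags the retry and "open WLAN" remarks on other slides depend on). The keyword table mirrors the pcap-filter names from the capture filter slide; the helper names are this example's own.

```python
# Added example (not from the Cisco Live deck): decode the two Frame Control bytes of an
# 802.11 frame and derive the values used by the capture filter (wlan[0]) and by the
# Wireshark display filter (wlan.fc.type_subtype) listed on the slides above.
from dataclasses import dataclass

# Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
# Frame Control byte 1: bit 3 is the Retry flag (0x08), bit 6 the Protected Frame flag (0x40).
TYPE_NAMES = {0: "mgt", 1: "ctl", 2: "data", 3: "ext"}

# pcap-filter subtype keywords (as on the capture filter slide) keyed by (type, subtype).
SUBTYPE_NAMES = {
    (0, 0): "assocreq", (0, 1): "assocresp", (0, 2): "reassocreq", (0, 3): "reassocresp",
    (0, 4): "probereq", (0, 5): "proberesp", (0, 8): "beacon", (0, 9): "atim",
    (0, 10): "disassoc", (0, 11): "auth", (0, 12): "deauth", (0, 13): "action",
    (1, 10): "ps-poll", (1, 11): "rts", (1, 12): "cts", (1, 13): "ack",
    (1, 14): "cf-end", (1, 15): "cf-end-ack",
    (2, 0): "data", (2, 1): "data-cf-ack", (2, 2): "data-cf-poll", (2, 3): "data-cf-ack-poll",
    (2, 4): "null", (2, 5): "cf-ack", (2, 6): "cf-poll", (2, 7): "cf-ack-poll",
    (2, 8): "qos-data", (2, 9): "qos-data-cf-ack", (2, 10): "qos-data-cf-poll",
    (2, 11): "qos-data-cf-ack-poll", (2, 12): "qos-null", (2, 14): "qos-cf-poll",
    (2, 15): "qos-cf-ack-poll",
}


@dataclass(frozen=True)
class FrameControl:
    version: int
    ftype: int
    subtype: int
    retry: bool
    protected: bool

    @property
    def name(self) -> str:
        return SUBTYPE_NAMES.get((self.ftype, self.subtype),
                                 f"{TYPE_NAMES[self.ftype]}-{self.subtype}")

    @property
    def wireshark_type_subtype(self) -> int:
        """Value shown by Wireshark for wlan.fc.type_subtype: (type << 4) | subtype."""
        return (self.ftype << 4) | self.subtype


def decode_fc(fc0: int, fc1: int = 0) -> FrameControl:
    """Decode the first (and optionally second) Frame Control byte."""
    return FrameControl(
        version=fc0 & 0x03,
        ftype=(fc0 >> 2) & 0x03,
        subtype=(fc0 >> 4) & 0x0F,
        retry=bool(fc1 & 0x08),
        protected=bool(fc1 & 0x40),
    )


def fc0_for(ftype: int, subtype: int) -> int:
    """First Frame Control byte, i.e. the value matched by the capture filter wlan[0]."""
    return (subtype << 4) | (ftype << 2)


def capture_filter_for(ftype: int, subtype: int) -> str:
    return f"wlan[0] == 0x{fc0_for(ftype, subtype):02x}"


def display_filter_for(ftype: int, subtype: int) -> str:
    return f"wlan.fc.type_subtype == 0x{(ftype << 4) | subtype:02x}"


if __name__ == "__main__":
    # beacon, RTS, retried+protected QoS data, probe request
    for fc0, fc1 in ((0x80, 0x00), (0xB4, 0x00), (0x88, 0x48), (0x40, 0x00)):
        fc = decode_fc(fc0, fc1)
        print(f"{fc0:#04x} -> {fc.name:10s} type_subtype={fc.wireshark_type_subtype:3d} "
              f"retry={fc.retry} protected={fc.protected}  {capture_filter_for(fc.ftype, fc.subtype)}")
```

Running it prints, for example, that RTS has type_subtype 27 (0x1b), which is why the list on the slide must be read as decimal: the same frame is wlan[0] == 0xb4 in a capture filter and wlan.fc.type_subtype == 0x1b in a display filter.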
Using Wireshark IO Graphs<br />
• You can use graphs to directly display stats in<br />
Wireshark<br />
• Example: you want to know how much 40<br />
MHz is in use<br />
• Color 40 MHz data rates, to tell them apart from 20 MHz rates in the graph!<br />
• In this network, enabling 40 MHz is a waste,<br />
clients do not use that width<br />
Exporting Frames
What Frame to Select<br />
• You are capturing from the client side:<br />
• Beacons are a good reference (time, cell activity level, RSSI/SNR, cell<br />
parameters)<br />
• Retries for BER and rate shifting<br />
• Any data packet for specific application troubleshooting<br />
• Association / authentication phases<br />
• Probes<br />
What Frame to Select<br />
• You are capturing from the AP side:<br />
• Any client packet for signal levels (RSSI / SNR), and specific application<br />
troubleshooting<br />
• ACKs from AP for data rate (AP data rate vs client data rate)<br />
• Retries should be low<br />
• Authentication exchanges<br />
• Client probes<br />
Exporting Frames<br />
Statistical Analysis In<br />
Excel
Excel vs Wireshark<br />
• Large numbers of frames are difficult to analyze<br />
• Statistical analysis allows you to see patterns<br />
• Wireshark has a statistical graphing tool, but:<br />
• Limited to combination lines<br />
• Creating filters can be tedious<br />
• By using Excel (or equivalent) you can:<br />
• Export selected frames of interest (pre-filtering)<br />
• Display multiple types of graphs<br />
• Create new columns to perform deeper analysis<br />
Example 1 – One Way Audio<br />
• Issue: one way audio on iPhone 6 at a distance from the AP<br />
• 7925 shows no issue<br />
• Capture was taken on a target AP, both devices moving away<br />
(diagram: the AP and its -70 dBm boundary)<br />
Example 1 – Select and Export 7925 Data<br />
Example 1 – 7925 Data Rate<br />
Graph: at what rate was the frame sent, against capture time (seconds)<br />
Nice Tx at 54 Mbps, ACK at 24. Sometimes Tx at 24 Mbps.<br />
Example 1 – Same Operation on iPhone Data Rate<br />
Graph: at what rate was the frame sent, against capture time (seconds)<br />
Mmm, rate goes up and down; strange that the rate keeps going up as distance increases<br />
Example 1 – At The End of the Cell Coverage Area<br />
7925 tries 54 Mbps, then fails, reverts to a slower rate, gets an ACK, then tries 54 Mbps again…<br />
Can you guess what the problem is here?<br />
The 7925 also maintains a failed counter; eventually the phone gives up on the connection<br />
because of the retry count… good phone!<br />
Example 1 – At The End of the Cell Coverage Area<br />
iPhone is in the same cell… but never tries lower than 24 Mbps… even tries higher rates sometimes<br />
Issue: behavior is RSSI-based, no retry count<br />
Example 1 – What Did We Learn?<br />
• AP power is too high – mismatch between AP Rx and client Rx<br />
• 7925 partially adapts its transmission to retries, then roams away if retries are too high<br />
• iPhone 6 bases its roaming behavior on the RSSI, regardless of the retries<br />
• The iPhone 6 will ALWAYS have issues at the edge of that cell, if AP power<br />
level stays the same<br />
‣ Lower AP power, re-work neighboring cell overlaps<br />
Example 1 – Iphone Is Not The Only One<br />
• Bad design example: HTC One @ 12 dBm, AP @ 20 dBm<br />
Based on the AP signal it receives, the BYOD thinks the 54 Mbps rate is okay…<br />
But the client message is too weak, and the AP does not ACK until the rate falls to 12 Mbps<br />
Each message takes 8 times longer to be transmitted<br />
(including EIFS and retries)<br />
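Example 1 boils down to one question per client: does the rate drop after retries, or does the rate follow the RSSI only? The script below is an added example, not part of the deck or of the demo files: it replays that reasoning on a constructed frame list shaped like a Wireshark export (time, transmitter, data rate, retry flag, AP-side RSSI), and adds a rough airtime estimate to put a number on the "8 times longer" remark. The station labels, the column layout and all values are this example's assumptions.

```python
# Added example, not from the deck: replay the Example 1 reasoning on a constructed
# frame list. Each row mimics one line of a Wireshark export of frames sent by a phone:
# (time in s, transmitter label, data rate in Mbps, retry flag, RSSI at the AP in dBm).
from collections import Counter, defaultdict

CONSTRUCTED_FRAMES = [
    # "7925" lowers its rate after a retry; "iphone" keeps 54 Mbps whatever happens
    (0.00, "7925", 54, 0, -62), (0.02, "7925", 54, 1, -66), (0.04, "7925", 24, 0, -67),
    (0.06, "7925", 54, 0, -66), (0.08, "7925", 54, 1, -70), (0.10, "7925", 54, 1, -71),
    (0.12, "7925", 24, 0, -71),
    (0.01, "iphone", 54, 0, -63), (0.03, "iphone", 54, 1, -68), (0.05, "iphone", 54, 1, -70),
    (0.07, "iphone", 54, 0, -72), (0.09, "iphone", 54, 1, -74), (0.11, "iphone", 54, 1, -75),
    (0.13, "iphone", 54, 1, -76),
]


def airtime_us(payload_bytes: int, rate_mbps: float, preamble_us: float = 20.0) -> float:
    """Rough on-air time of one frame: OFDM preamble/header plus payload at the data rate.
    Ignores ACK, SIFS and EIFS, so the real cost of a low rate is higher than this ratio."""
    return round(preamble_us + payload_bytes * 8 / rate_mbps, 1)


def rate_adaptation_audit(frames):
    """Per transmitter: rate histogram, retry ratio, longest run of retried frames and
    how often a retried frame was followed by a lower rate (retry-driven rate control)."""
    by_sta = defaultdict(list)
    for row in sorted(frames):
        by_sta[row[1]].append(row)
    report = {}
    for sta, rows in by_sta.items():
        rates = Counter(r[2] for r in rows)
        retries = sum(r[3] for r in rows)
        drops_after_retry = sum(1 for prev, cur in zip(rows, rows[1:])
                                if prev[3] and cur[2] < prev[2])
        longest = run = 0
        for r in rows:
            run = run + 1 if r[3] else 0
            longest = max(longest, run)
        report[sta] = {
            "frames": len(rows),
            "retry_ratio": round(retries / len(rows), 2),
            "rates": dict(rates),
            "min_rate": min(rates),
            "rate_drops_after_retry": drops_after_retry,
            "longest_retry_run": longest,
        }
    return report


if __name__ == "__main__":
    for sta, stats in rate_adaptation_audit(CONSTRUCTED_FRAMES).items():
        print(sta, stats)
    print("1500-byte frame: 54 Mbps ->", airtime_us(1500, 54), "us;",
          "12 Mbps ->", airtime_us(1500, 12), "us")
```

A station with a high retry ratio, no rate drops after retries and a minimum rate equal to its maximum rate is the RSSI-driven pattern the slides attribute to the iPhone; the 7925 pattern shows rate drops right after retried frames. The airtime ratio between 54 and 12 Mbps on payload alone is a bit over 4; EIFS and the retries themselves account for the rest of the slide's factor of 8.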
Example 2 – Use Probe as Happiness Index<br />
• BYODs tend to probe only when they get to the edge of a cell<br />
• They try to conserve battery by probing only when needed<br />
• They also probe when they are not associated<br />
• You can use the probing behavior as a happiness index<br />
• If the associated BYOD probes, then it wants to leave your cell<br />
• You know that this is the cell edge from the BYOD perspective<br />
• Know your BYODs, know how they probe, and you will know when they want to leave you<br />
Example 2 – Use Probe as Happiness Index<br />
• Samsung S6 when idle and not associated (baseline)<br />
Graph: interval between probes against time: 131.3 s cycle, 66.6 s after the 6th probe<br />
Example 2 – Use Probe as Happiness Index<br />
• Samsung S6 when idle and associated (baseline)<br />
Graph: interval between probes against time: a 285 s cycle can be seen<br />
Burst of 2 when the SSID is unstable (SSID count changes, or probe response not received)<br />
App network activity interrupts the cycle<br />
Example 2 – Use Probe as Happiness Index<br />
• Now let’s walk back and forth<br />
Graph: interval between probes against time<br />
AP good signal (no need to probe that much); AP poor signal (need to find a better AP!)<br />
Example 2 – Use Probe as Happiness Index<br />
• AP signal and probes<br />
Graph: probe interval and RSSI against time<br />
Probe frequency decreases after AP signal gets better; more frequent probes as AP signal gets lower<br />
Artifact (body position?)<br />
• To know where the capture was taken from, compare AP and client RSSI<br />
• Taken from nearby the AP<br />
Example 3 – iPhone 6 Performance<br />
• Context is phone moving in a corridor, loss of audio at each AP roam for a few<br />
seconds<br />
• The local admin “confirmed that cell overlap<br />
seemed okay” (when at AP 1 cell edge,<br />
at -67 dBm, the SSID from AP 2 can be<br />
heard at -67 dBm)<br />
• AP power is 3 for both bands (A domain)<br />
• SSID is allowed on both bands<br />
• Default data rates are set, an attempt<br />
to disable low rates did not solve the issue<br />
(diagram: APs 1, 2, 3 and positions A, B, C along the corridor)<br />
Example 3 – One Way Audio with Iphone 6<br />
• If the phone is “on call”, you should see a constant flow of packets<br />
• Capture was taken on ch 44 (AP 1) and ch 48 (AP 2)<br />
• Constant ping to the phone to add traffic on top of the call<br />
• Select frames sent by the phone, and export<br />
Example 3 – One Way Audio with Iphone 6<br />
• In Excel, check frame interval on 5 GHz…<br />
• Uh oh…<br />
Graph: how long between one frame and the next, against capture time (seconds)<br />
Short intervals are normal<br />
Why is the phone completely dropping for long intervals?<br />
(the complaint is just a few seconds of call drop)<br />
Example 3 – One Way Audio with Iphone 6<br />
• As the SSID is present on both bands (but phone is supposed to prefer 5 GHz),<br />
let’s look at 2.4 GHz<br />
Episodes in 5 GHz or phone disconnected?<br />
Phone has episodes in 5 GHz, but spends most of the time in 2.4 GHz… why?<br />
Example 3 – One Way Audio with Iphone 6<br />
• Let’s have a closer look at these packets on 5 GHz, especially the ones where<br />
RA=iPhone, and check the RSSI<br />
Graph: what is the RSSI of the frame, against capture time (seconds)<br />
• Did we hear that overlap was okay?<br />
• Maybe on 2.4 GHz, but certainly not on 5 GHz<br />
• Phone is on 5 GHz when AP RSSI is above -70 dBm<br />
Example 3 – One Way Audio with Iphone 6<br />
• We know what happens…<br />
• Phone starts on 5 GHz, then “roams” to 2.4 GHz, then back to 5 GHz<br />
• Let’s try to understand why:<br />
• iPhone tries to roam when<br />
reaching the -70 dBm boundary<br />
• Tries to find next AP if signal<br />
is at least 8 dB better<br />
(http://support.apple.com/en-us/HT6463)<br />
• In A domain, power 3 is 11 dBm<br />
in 2.4 GHz and 9 dBm in 5 GHz<br />
• But 2.4 GHz antenna typically<br />
allows 7 dB more than 5 GHz<br />
• So... At 5 GHz boundary, 2.4 GHz is<br />
9 dB better than 5 GHz (+- 4 dB margin)<br />
(diagram: at the AP’s 5 GHz -70 dBm boundary, the 5 GHz signal is received at -70 dBm and the 2.4 GHz signal at -61 dBm)<br />
Example 3 – One Way Audio with Iphone 6<br />
• Solution:<br />
• Move APs where possible (all APs could not be moved)<br />
• Set SSID to 5 GHz only (if possible)<br />
• Enable 802.11k/v (on by default in AireOS 8.3)<br />
Graph: retries over time along the walk past APs 1, 2, 3<br />
Some retries, but almost no episode below -70 dBm, no long audio drops<br />
802.11v: Send your BYOD to the Next (Better) Cell<br />
802.11k vs 802.11v BSS Transition Management<br />
• 802.11k neighbor list: client “What could my next AP be?”, AP “Here are the best 6 for you”<br />
• 802.11v Solicited request: client “Need to roam, what AP do you recommend?”, AP “Try this one”<br />
• 802.11v Unsolicited Optimized Roaming request: AP “Your RSSI / rates are too low, roam to there instead”<br />
• 802.11v Unsolicited request: client “Want to join your cell”, AP “Nah, load too high, go there instead”<br />
Adding Adaptive 802.11r to the Mix<br />
iOS 10 iPhone 6S<br />
Graph: interval between last packet on previous AP and first packet on next AP,<br />
with QoS and 802.11r/k/v versus no QoS and no 802.11r/k/v<br />
Evaluating Fast Lane Performances: Upstream Frame Interval, Against<br />
Competing Traffic<br />
• We are sending voice traffic in a congested environment, one voice packet every 20 ms<br />
• We measure the actual interval between voice packets, upstream<br />
Graph: interval (seconds) against capture time (seconds), FastLane QoS versus No QoS<br />
FastLane QoS: packet average interval is 20 ms (good); very few silences, of up to 0.1 second (fair audio experience)<br />
No QoS: packet average interval is 40 ms (not so good); many silences, of up to 0.6 second (poor audio experience)<br />
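The Excel step in Example 3 ("how long between one frame and the next") and the FastLane comparison above are the same computation: sort the exported frames by time, subtract consecutive timestamps, then look at the mean and at the silences. The script below is an added example and not from the deck: it does that on two constructed frame lists (time, BSSID), so that the gap between the last packet on one AP and the first on the next can be measured the way the adaptive 802.11r slide does. The BSSID column is assumed to come from a wlan.bssid export; the 20 ms nominal interval and the 0.1 s silence threshold are the values stated on the slide, and the grading helper is this example's own.

```python
# Added example, not from the deck: the frame-interval check behind Example 3 and the
# FastLane comparison, on constructed frame lists. Each frame is (time in s, BSSID label)
# for the upstream packets of one voice stream; the BSSID column is assumed to come from
# a wlan.bssid export so that roam gaps can be measured too.
from statistics import mean


def times_from_gaps(gaps, start=0.0):
    """Turn a list of inter-frame gaps into absolute timestamps (constructed-data helper)."""
    t, out = start, [start]
    for g in gaps:
        t += g
        out.append(t)
    return out


# QoS case: steady 20 ms, one 60 ms hiccup while roaming from ap1 to ap2
QOS_GAPS = [0.02] * 5 + [0.06] + [0.02] * 4
QOS_FRAMES = [(t, "ap1" if i < 6 else "ap2")
              for i, t in enumerate(times_from_gaps(QOS_GAPS))]
# No-QoS case: the same stream fighting competing traffic, with 0.4 s and 0.6 s silences
NOQOS_GAPS = [0.02, 0.04, 0.02, 0.4, 0.02, 0.6, 0.04, 0.02]
NOQOS_FRAMES = [(t, "ap1") for t in times_from_gaps(NOQOS_GAPS)]


def interval_stats(frames, silence_threshold=0.1):
    """Interval between one frame and the next, the silences above the threshold, and the
    gap between the last frame on one BSSID and the first on the next (roam time)."""
    frames = sorted(frames)
    pairs = list(zip(frames, frames[1:]))
    intervals = [b[0] - a[0] for a, b in pairs]
    silences = [iv for iv in intervals if iv > silence_threshold]
    return {
        "frames": len(frames),
        "mean_interval": mean(intervals),
        "max_interval": max(intervals),
        "silences": len(silences),
        "longest_silence": max(silences, default=0.0),
        "roam_gaps": [b[0] - a[0] for a, b in pairs if a[1] != b[1]],
    }


def audio_grade(stats, nominal=0.02, max_silence=0.1):
    """Thresholds taken from the slide: a mean near 20 ms and silences up to 0.1 s are fine."""
    ok = stats["mean_interval"] <= 1.5 * nominal and stats["longest_silence"] <= max_silence
    return "good" if ok else "poor"


if __name__ == "__main__":
    for label, frames in (("FastLane QoS", QOS_FRAMES), ("No QoS", NOQOS_FRAMES)):
        s = interval_stats(frames)
        print(f"{label}: mean {s['mean_interval'] * 1000:.0f} ms, "
              f"longest silence {s['longest_silence']:.2f} s, "
              f"roam gaps {[round(g, 3) for g in s['roam_gaps']]} -> {audio_grade(s)}")
```

On a real export the BSSID changes mark the roams, so the roam_gaps list is exactly the "interval between last packet on previous AP and first packet on next AP" plotted on the adaptive 802.11r slide, and the silence count is what the Example 3 graph shows as the long drops.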
Rate Shifting Performance Evaluation<br />
Graph: recovery time (rate shifting up), with regions labeled “Downhill” and “Even worse”<br />
Example 4 – iOS 8 Random MAC address<br />
• Seeing duplicate MAC addresses in your network, and wondering how many of<br />
them come from iOS 8 devices?<br />
• Put a phone on a table and check its probes!<br />
Start by filtering probes only, then export.<br />
You can’t filter on MAC address, as it is going to change!<br />
Random MAC = Locally Administered Address<br />
• MAC address contains an OUI part<br />
and a host part<br />
• OUI B2 bit (the second bit of the first octet, value 0x02) is always 0 for real OUIs<br />
• B2 can be set to 1 to express “locally<br />
administered address”<br />
• When B2 is “1”, the rest of the OUI does not<br />
matter (does not reflect any specific<br />
OUI)<br />
Random MAC Behavior<br />
• Apple introduces random MAC addresses in iOS 8 “cautiously”<br />
• Random MAC only works on iPad Air, iPad Mini Retina Display, iPhone 5S, iPhone<br />
5c, iPhone 6, iPhone 6+<br />
• Random MAC not used when “the network” can identify the device user<br />
• Because otherwise your fake MAC can easily be mapped to you anyway!<br />
• No random MAC when you are associated<br />
• No random MAC if you can be identified: cellular data is On, or Location Services are On<br />
(diagram: the phone reports “Jerome is here” and “Jerome’s fitness data” to the Internet)<br />
Example 4 – IOS 8 Random MAC address<br />
• Use the RSSI to filter signals coming from the target phone<br />
• Sort by RSSI, identify the real MAC, and take out everything that has too high or too low<br />
RSSI<br />
• Take a 5 dB margin, look at the capture if needed to assess the margin needs<br />
You can also do it in Wireshark directly (probe requests received at -30 dBm, with the 5 dB margin):<br />
(wlan.fc.type_subtype == 4) && (radiotap.dbm_antsignal >= -35) && (radiotap.dbm_antsignal <= -25)<br />
Example 4 – IOS 8 Random MAC address<br />
• You should see series of real MACs, then series of locally administered MACs<br />
• You can then analyze the pattern<br />
Graph: how many seconds since the last probe, against time<br />
Probe 1 to 3 times (+20 ms burst each) with real MAC, 4.37 s (x 1 to 3) interval between probes<br />
When using real MAC, always a probe burst (20 ms interval)<br />
When using fake MAC, between 2 and 6 probes, at 135/270 s interval<br />
“first fake after real” is at 317 or 602 +-40 s<br />
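Both the "happiness index" slides (Example 2) and Example 4 work from the same export: probe requests only, one row per frame with time, source MAC and RSSI, then intervals between probes computed in a new column. The script below is an added example, not from the deck or its demo files, that does the whole chain on a constructed CSV: the RSSI window filter from Example 4, the locally administered (B2) bit test, collapsing 20 ms bursts into one probe event, and the interval since the previous event. The column names are the Wireshark field names assumed for the export (frame.time_relative, wlan.sa, radiotap.dbm_antsignal); the MAC addresses and timings are constructed to resemble the pattern described above, not captured data.

```python
# Added example, not from the deck: probe-request analysis on a constructed Wireshark
# CSV export. Column names are the Wireshark field names assumed for the export
# (frame.time_relative, wlan.sa, radiotap.dbm_antsignal); the display filter used
# before exporting would be wlan.fc.type_subtype == 4.
import csv
import io

CONSTRUCTED_CSV = """frame.time_relative,wlan.sa,radiotap.dbm_antsignal
0.000,a4:5e:60:11:22:33,-31
0.020,a4:5e:60:11:22:33,-30
3.000,00:11:22:aa:bb:cc,-68
4.370,a4:5e:60:11:22:33,-29
4.390,a4:5e:60:11:22:33,-31
317.000,da:01:02:03:04:05,-32
452.000,da:01:02:03:04:05,-30
587.000,de:06:07:08:09:0a,-31
600.000,a4:5e:60:11:22:33,-30
"""


def is_locally_administered(mac: str) -> bool:
    """The B2 (U/L) bit, 0x02 in the first octet, set means a locally administered MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def load_probes(text: str, rssi_center: int, margin_db: int = 5):
    """Keep only probes whose RSSI is within +/- margin_db of the phone on the table."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rssi = int(r["radiotap.dbm_antsignal"])
        if abs(rssi - rssi_center) > margin_db:
            continue  # another device, too far or too close to be the phone under test
        rows.append((float(r["frame.time_relative"]), r["wlan.sa"].lower(), rssi))
    return sorted(rows)


def probe_bursts(rows, burst_gap: float = 0.05):
    """Collapse probes from the same MAC closer than burst_gap into one burst and return
    (start_time, mac, is_random, seconds_since_previous_burst, probes_in_burst)."""
    bursts = []
    for t, mac, _ in rows:
        if bursts and mac == bursts[-1]["mac"] and t - bursts[-1]["last"] <= burst_gap:
            bursts[-1]["last"] = t
            bursts[-1]["n"] += 1
        else:
            bursts.append({"start": t, "last": t, "mac": mac, "n": 1})
    out, prev = [], None
    for b in bursts:
        interval = None if prev is None else round(b["start"] - prev, 3)
        out.append((b["start"], b["mac"], is_locally_administered(b["mac"]), interval, b["n"]))
        prev = b["start"]
    return out


def summarize(bursts):
    """Counts per address class; a rising burst rate for the real MAC of an associated
    client is the 'unhappiness' signal of the Example 2 slides."""
    real = [b for b in bursts if not b[2]]
    rnd = [b for b in bursts if b[2]]
    return {
        "real_bursts": len(real),
        "random_bursts": len(rnd),
        "random_macs": len({b[1] for b in rnd}),
        "max_burst_size": max(b[4] for b in bursts),
    }


if __name__ == "__main__":
    bursts = probe_bursts(load_probes(CONSTRUCTED_CSV, rssi_center=-30))
    for start, mac, rnd, interval, n in bursts:
        kind = "random" if rnd else "real"
        print(f"{start:8.3f}s {mac} {kind:6s} +{interval} s since previous, {n} probe(s)")
    print(summarize(bursts))
```

For the happiness index, run the same bursts list on a capture of an associated device and plot the interval column against time: the intervals shrink where the walk reaches the cell edge. For the random MAC study, the is_random column separates the real-MAC bursts from the locally administered ones so the two cycles on the slide can be measured independently.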
Real Time Signal: what are we trying to solve?<br />
Survey tool:<br />
This is how I see the AP signal:<br />
AP RSSI here = AA dBm<br />
AP SNR here = BB dB<br />
I have no idea on how the AP sees my client signal.<br />
Let’s guess and assume that it is the same as how I see the AP<br />
Real Time Signal: how does it work?<br />
0. Associate your client (duh)<br />
1. telnet/ssh to AP, run radio debug<br />
-> record real time client upstream signal<br />
2. Filter to keep only data of interest<br />
(e.g. RSSI / SNR), store in Logstash<br />
3. Display RSSI / SNR in real time through Kibana<br />
4. Browse to the Kibana URL to see RSSI/SNR in near real time<br />
Example – Now It Is Your Turn<br />
• Does the RSSI relate to retries in capture X taken from client vantage point?<br />
Graph: retried frames against AP RSSI<br />
More retries at low RSSI (normal), but also abnormal zones…<br />
There is a transmitter on the other side of the cell you do not see<br />
In Wireshark, count frames sent by client that are retries:<br />
In Excel, add 1 if previous line is the same (increases count with retries):<br />
Example – Now It Is Your Turn<br />
• Follow the dialog between 2 stations<br />
• Filter in Wireshark on source / dest<br />
• In Excel, one column for each source and matching packet size<br />
• Did you notice that I use “Scatter” graphs often?<br />
• Using other types: columns, scatter with edited markers, scatter with lines<br />
Time is missing<br />
I can see blue sends larger frames, red is responding<br />
Example – Now It Is Your Turn<br />
• Captured from client? How to see “invisible traffic” from the other side of the<br />
cell?<br />
• Count the beacon intervals!<br />
Graph: beacon to beacon time, showing the TBTT delay; interferers show up here<br />
SSID (in hex) filter:<br />
(wlan.fc.type_subtype==8) && (frame[62:15] == 00:0d:43:69:73:63:6f:4c:69:76:65:32:30:31:34)<br />
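The two "Now It Is Your Turn" exercises above are, once exported, two small computations: retries grouped by RSSI (to find retries that a weak signal does not explain) and beacon arrival time against the nominal beacon interval (a beacon that arrives late was held back by a busy medium, which reveals traffic the client cannot hear). The script below is an added example, not from the deck or the demo files, on constructed data; the RSSI bucket width, the 100 TU beacon interval (1 TU = 1024 µs) and the "good RSSI" and retry-ratio thresholds are this example's assumptions, not values from the slides.

```python
# Added example, not from the deck: the two client-side checks from the "Now It Is Your
# Turn" slides on constructed data: retry ratio per RSSI bucket (to spot retries that a
# low RSSI does not explain) and beacon TBTT delay (to spot a busy medium / interferers).
from collections import defaultdict

# Constructed client-side frames: (AP RSSI seen by the client in dBm, retry flag).
CONSTRUCTED_FRAMES = (
    [(-58, 1)] + [(-58, 0)] * 9        # strong signal, 10% retries: normal
    + [(-72, 1)] * 6 + [(-72, 0)] * 4  # weak signal, 60% retries: expected
    + [(-54, 1)] * 5 + [(-54, 0)] * 5  # strong signal, 50% retries: something else is wrong
)

# Constructed beacon timestamps in seconds; nominal beacon interval 100 TU = 102.4 ms.
CONSTRUCTED_BEACONS = [0.0000, 0.1024, 0.2060, 0.3072, 0.4300, 0.5120]


def retry_ratio_by_rssi(frames, step=5):
    """Group frames into step-dB RSSI buckets (bucket key = lower edge) and return
    {bucket: (frame_count, retry_ratio)} sorted from weakest to strongest signal."""
    buckets = defaultdict(lambda: [0, 0])
    for rssi, retry in frames:
        key = (rssi // step) * step
        buckets[key][0] += 1
        buckets[key][1] += retry
    return {k: (n, round(r / n, 2)) for k, (n, r) in sorted(buckets.items())}


def abnormal_zones(ratios, good_rssi=-65, max_expected=0.3):
    """Buckets at good signal where retries are still high: a transmitter on the other
    side of the cell that the client cannot hear is the usual suspect."""
    return [k for k, (_, ratio) in ratios.items() if k >= good_rssi and ratio > max_expected]


def tbtt_delays_ms(beacon_times, beacon_interval_tu=100):
    """Delay of each beacon after its target beacon transmission time, measured on the
    TBTT grid anchored at the first beacon. Integer microseconds avoid float modulo noise."""
    interval_us = beacon_interval_tu * 1024
    t0 = beacon_times[0]
    out = []
    for t in beacon_times:
        delay_us = round((t - t0) * 1_000_000) % interval_us
        out.append((t, delay_us / 1000))
    return out


def busy_beacons(beacon_times, threshold_ms=5.0):
    """Timestamps of beacons delayed by more than threshold_ms: the medium was busy."""
    return [t for t, d in tbtt_delays_ms(beacon_times) if d > threshold_ms]


if __name__ == "__main__":
    ratios = retry_ratio_by_rssi(CONSTRUCTED_FRAMES)
    for k, (n, r) in ratios.items():
        print(f"RSSI {k}..{k + 4} dBm: {n} frames, retry ratio {r}")
    print("abnormal zones (bucket lower edge):", abnormal_zones(ratios))
    for t, d in tbtt_delays_ms(CONSTRUCTED_BEACONS):
        print(f"beacon at {t:.4f}s delayed {d:.1f} ms")
    print("beacons held back by a busy medium:", busy_beacons(CONSTRUCTED_BEACONS))
```

The retry flag per frame is the wlan.fc.retry field, which is what the Excel "add 1 if the previous line is the same" column approximates; the beacon list comes from the SSID filter on the slide with frame.time_relative exported.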
Example – Now It Is Your Turn<br />
• Who sent what? When? How large was the packet? Who talks most?<br />
One column for each MAC, time and packet combined<br />
New columns that sum traffic from target “Source” values<br />
Conclusion<br />
• Any field in Wireshark can be a column.<br />
• Any column can be a graph in Excel…<br />
• But in the end, your understanding of 802.11 and RF will make the difference.<br />
Excel and Wireshark are just there to help you understand, then display as a<br />
graph what you understood.<br />
• Our industry is in need of better tools to understand the clients’ Wi-Fi experience;<br />
this could be one of them, and we could share ideas and experiments here:<br />
Demo files are at:<br />
https://www.dropbox.com/s/ajfc0pqvkf8c819/BRKEWN3000-videos.zip?dl=0<br />
• Other session of interest: BRKEWN-3011<br />
• Reference material: CiscoPress, Wi-Fi Configuration, Deployment and<br />
Troubleshooting LiveLessons (http://www.ciscopress.com/store/wi-fi-configuration-deployment-andtroubleshooting-9781587205651)<br />
Call to Action<br />
• Visit the World of Solutions for<br />
• Cisco Campus –<br />
• Walk in Labs –<br />
• Technical Solution Clinics<br />
• Meet the Engineer (check with the MTE team for remaining meeting slots!)<br />
• Lunch and Learn Topics<br />
• DevNet zone related sessions<br />
Complete Your Online Session Evaluation<br />
• Give us your feedback to be<br />
entered into a Daily Survey<br />
Drawing. A daily winner<br />
will receive a $750 Amazon<br />
gift card.<br />
• Complete your session surveys<br />
though the Cisco Live mobile<br />
app or your computer on<br />
Cisco Live Connect.<br />
Don’t forget: Cisco Live sessions will be available<br />
for viewing on-demand after the event at<br />
CiscoLive.com/Online<br />
Continue Your Education<br />
• Demos in the Cisco campus<br />
• Walk-in Self-Paced Labs<br />
• Lunch & Learn<br />
• Meet the Engineer 1:1 meetings<br />
• Related sessions<br />
Thank you
Wireless Cisco Education Offerings<br />
Course / Description / Cisco Certification<br />
CCNP® Wireless Version 3.0 (Available March 22nd, 2016):<br />
• Designing Cisco Wireless Enterprise Networks<br />
• Deploying Cisco Wireless Enterprise Networks<br />
• Troubleshooting Cisco Wireless Enterprise Networks<br />
• Securing Cisco Wireless Enterprise Networks<br />
Professional level instructor led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged Enterprise networks. Focused on 802.11 and related technologies to design, deploy, troubleshoot as well as secure Wireless infrastructure. Courses also provide details around Cisco Mobility Services Engine, Prime Infrastructure and wireless security.<br />
CCNA® Wireless (Available Now):<br />
• Implementing Cisco Unified Wireless Network Essential<br />
Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.<br />
Deploying Basic Cisco Wireless LANs (WDBWL), version 1.2:<br />
Understanding of the Cisco Unified Wireless Networking for enterprise deployment scenarios. In this course, you will learn the basics of how to install, configure, operate, and maintain a wireless network, both as an add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified Wireless Networking solution.<br />
Deploying Advanced Cisco Wireless LANs (WDAWL), version 1.2:<br />
The WDAWL advanced course is designed with the goal of providing learners with the knowledge and skills to successfully plan, install, configure, troubleshoot, monitor, and maintain advanced Cisco wireless LAN solutions such as QoS, “salt and pepper” mobility, high density deployments, and outdoor mesh deployments in an enterprise customer environment.<br />
Deploying Cisco Connected Mobile Experiences (WCMX), version 2.0:<br />
WCMX will prepare professionals to use the Cisco Unified Wireless Network to configure, administer, manage, troubleshoot, and optimize utilization of mobile content while gaining meaningful client analytics.<br />
For more details, please visit: http://learningnetwork.cisco.com<br />
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com<br />