
Wireless LAN Troubleshooting

Version 3.0 - October 2019


Copyright © 2019 Wireless LAN Professionals, Inc. All Rights Reserved.
Logistics

• Taking Breaks
• Restrooms
• Telephones
• Lunch
• Questions?
Instructor

Ferney Munoz Vergara
Wireless LAN Professionals, Inc.
MCP, A+, Network+
CWNE #187
@Ferney_Munoz on Twitter
ferney@wlanpros.com
http://WLANPros.com

Director

Keith R. Parsons
Wireless LAN Professionals, Inc.
80+ Network Certifications
CWNE #3 – CWNP and CWNE Boards
19 years Design, Troubleshoot & Train on WLANs
@keithrparsons on Twitter
http://WLANPros.com

Wired Network Before
Wired Network After
Wireless Network Before
Wireless Network After
Course Outline

“The man who asks a question is a
fool for a minute, the man who
does not ask is a fool for life.”
- Confucius

Prerequisites

• CWNA Training Strongly Recommended
  - www.cwnp.com

• Confidence in TCP/IP and 802.11/RF Fundamentals

• Before taking this course, participants should have a general understanding of LAN technologies and topologies, the OSI Reference Model, and function of network devices.
Student Kit

• USB Drive (return to instructor after copying)

• Course Manual

• Items for use by students

• Temporary Student License

• Lab Exercises

• Additional Useful Wi-Fi Resources: https://wlanpros.com/ecse


• Ekahau Links, Tools, Blogs, Podcasts, Books, Videos…

• ECSE-Troubleshooting Certificate & Pin

Course Objectives

• Learn how to properly troubleshoot Wireless LANs using Ekahau Pro software,
WLAN Pi device, and other software tools

• This course enables you to take the ECSE-Troubleshooting exam the afternoon
of the fourth day.

Troubleshooting Process Steps

Identify
• Determine problem exists
• Ask Questions & Collect Info
• Correctly Identify Issue

Locate
• Tied to physical space
• Tied to specific devices
• Use OSI model to define layer

Solve
• Formulate & Implement plans
• May include changes to drivers, configurations or designs

Document
• Document initial issues, processes, diagnostics & resolutions
• Follow up with those involved

Re-Create
• If you can’t recreate the issue, return to step one and ask more questions

Isolate
• Identify OSI Layer, Specific devices, Specific locations, Driver versions

Verify
• Extensive testing to confirm and verify the solution did indeed solve the issue at hand

“Too Much Plane for One Man to Fly!”



“Surgeries are becoming too complex…”



Lee Badman’s
The Soon To Be Famous
Cocktail Napkin
Wi-Fi Big Picture

March 19, 2016

Tools Used in ECSE-Troubleshooting Course

Free
Wireshark, Kismet, Bettercap, HORST, Client Profiler, iPerf, HTML Tests

Low Cost
Wi-Fi Analyzer Pro, WLAN Pi, Netool.IO, Apps

Professional
Ekahau Pro v.10, Ekahau Sidekick,



Wireless LAN Troubleshooting Process
How NICs Receive Information

• Need to convert electromagnetic energy into bits (ones and zeros)
• Modulation Schemes
How a Wired NIC Works

• Converts electromagnetic energy via modulation scheme to Bits
• Preamble, Header, Frame Body, FCS
• Check Destination MAC Address
• Check for CRC Error
• Forward to OS Protocol Stack
How a WLAN NIC Works

• Antenna – blocks all RF but 2.4GHz
• Modulation Filter – blocks all but 802.11
• Preamble, Header, Frame Body, FCS
• Adds new information
  • Time Stamp, Channel Stamp, RSSI, Noise
• Check Destination MAC Address
• Check for CRC Error
• Forward on to OS Protocol Stack
How Custom NICs Work

• Same as WLAN…
• Changes slightly with driver ‘shim’
• Promiscuous Mode (RF Monitor)
• Keeps CRC errors for Stats
• Sends data to “Data Ball”
• Slices & Dices Data
• All Data comes from Frames
End User

• Expectations
• Device on/off
• Knowledge
• Perceptions
• Skills
• Understanding of Device
• Wi-Fi vs Cellular
Wi-Fi Client Device

• Applications
• Authentication Profiles
• Auto-Negotiated MCS
• Chipset Behavior
• Drivers
• Mobile Device Management
• Movement Direction
• Multipath TCP
• Physical Location
• Power Save
• Protection Modes
• QoS/WMM
• Radio Capabilities
• Roaming Algorithms
• Supported PHY
• Vendor IE Support
Mike Albano’s Client Website
clients.MikeAlbano.com
From ‘Association Request Frame’
Community Contributions
• 5GHz Supported Channels
• Spatial Streams Supported
• 802.11 Mode
• MU-MIMO Support
• 802.11v Support
• Region
• Max Tx Power
• 802.11w Support
• Version
RSSI Compared
RSSIcompared.com
Break
Radio Frequency Medium
• Adjacent Channel Interference
• Automated Channel Planning
• Average Data Rates
• Average MCS
• Channel Occupancy
• Co-Channel Contention/CCI
• Consistency
• Jitter
• Latency
• Multipath
• Non-Wi-Fi Interference
• Regulatory Domains
• Retry Rates
• Spatial Streams
• Spectrum Analysis
Sine Waves
Wavelength & Frequency
Multipath
AM Radio Signal
Wavelength Calculation

2.4 GHz = 12.5 cm (4.92 inches)
5 GHz = 6 cm (2.36 inches)

Formulas to calculate wavelength:

λ (in.) = 11.811/Frequency (GHz)
λ (cm) = 30/Frequency (GHz)
Comparison Between Radio Waves
Spread Spectrum

[Figure: amplitude vs. frequency plots comparing a narrowband signal with a spread spectrum signal, for Direct Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread Spectrum (FHSS)]

• Spreads an RF signal across more bandwidth than is necessary for the size of the data
• Common Types: Direct Sequence, Frequency Hopping, OFDM
• Resists narrowband interference
Basic Types of Modulation

Baseband Signal
Original data bits in the radio’s baseband: 1 0 1 1 0 1 0 0

Amplitude Modulation
Varies the amplitude of the carrier signal to encode data
Amplitude Shift Keying (ASK)

Frequency Modulation
Varies the frequency of the carrier signal to encode data
Frequency Shift Keying (FSK)

Phase Modulation
Varies the phase of the carrier wave to encode data
Phase Shift Keying (PSK)
Sine Wave (Front & Side View)
Sine Wave (Orthogonal View)
EVM (Error Vector Magnitude)

MODULATION CONSTELLATIONS: BINARY PSK (BPSK)
[Constellation diagram: 2 points, labelled 0 and 1]
• 1 bit at a time
• Large EVM (Error Vector Magnitude)
• Very SIMPLE
• Very ROBUST
• Very SLOW (~6 Mbps)
• Around ~ 2-4dB SNR
• Very easy to achieve

MODULATION CONSTELLATIONS: QUADRATURE PSK (QPSK)
[Constellation diagram: 4 points, labelled 01, 11, 00 and 10]
• 2 bits at a time
• 2X more throughput
• 1/2 less EVM/Robustness
• EVM gets smaller
• A bit more complex
• Still ROBUST
• Still SLOW (~12 - 20 Mbps)
• Around ~5-10 SNR
• Still easy to achieve

MODULATION CONSTELLATIONS: 16-QAM
[Constellation diagram: 16 points, 4 bits per point]
• 4 bits at a time
• EVM gets even tighter
• 2X more throughput
• 1/4 less EVM/Robustness
• Getting more COMPLEX
• But, still pretty EASY to achieve
• Getting FASTER (~24 - 48 Mbps)
• Around ~ 10-15dB SNR
• Pretty easy to achieve

MODULATION CONSTELLATIONS: 64-QAM
[Constellation diagram: 64 points, 6 bits per point]
• Introduced with 802.11n
• 6 bits at a time
• 1.5 X more throughput
• 1/4 less EVM/Robustness
• EVM is very small.
• Very COMPLEX
• Very FAST (150, 300, 450+ Mbps)
• REQUIRES -65 to -67dBm
• SNR of ~18-25dB, or better
• Achievable with proper design
• Difficult to SCALE

MODULATION CONSTELLATIONS: 256-QAM
[Constellation diagram: 256 points, 8 bits per point]
• Introduced with 802.11ac
• 8 bits at a time
• 1.3 X more throughput
• 1/4 less EVM/Robustness
• EVM is even SMALLER!
• Extremely COMPLEX
• Extremely FAST (Up to 1.3 Gbps)
• REQUIRES -56, -53, -50dBm
• SNR of 30dB, or better
• NOT practical for most environments
• Homes, Small isolated locations, spot coverage
RSSI, SNR, Noise, Modulation
RSSI, SNR, Noise, Modulation, Air Time
How to Package Frame for Transmission

Transmitter Decides per Frame


Modulation Technique
Coding Scheme
Channel Width
Guard Interval
Spatial Streams
Tx Power
Physical Carrier Sense

CCA Preamble Detect (PD) - Threshold -85dBm
“Is there another Wi-Fi device transmitting on the channel?”

CCA Energy Detect (ED) - Threshold -62dBm
“Is there a non-Wi-Fi device transmitting on the frequency?”
Virtual Carrier Sense

1. Device hears a transmission
2. Client reads the Duration ID
3. Client sets its NAV timer equal to the Duration ID

NAV = Network Allocation Vector
Contention Process
•How to Access RF Medium
•AKA - “The Game”
• Preamble Detect
•Energy Detect
•Transmit Opportunity TxOp
•Wait Time
•Random Slots (CW)
•QoS
•Duration ID
Contention Windows & Slot Times
Random Back-off and Slot Time
Quality of Service
• DSCP
• WMM Categories
• End to End QoS
Radio Resource Management - Cycle
• Channel Choices • DFS
• Tx Power • User Traffic
• CCI/CCC • Reg Domain
• ACI
• KPI’s
• Noise
• Thresholds
• Duty Cycle
• Neighbor Discovery
• Retry Rates
• Interference
• CRC’s
• Timing
• Load
• Channel Width
DFS Channels
802.11 is NOT Primary User

• AP Scans for 60-Seconds
• AP Enabled on Channel
• Continuous Scanning
• If Radar Detected
  • Send Channel Switch Announcement
  • Change to New Channel
• After 30-Min Can Return
• After 60-Second Scan
• Repeat
Sample Single Frame Transmission
• AIFS - Arbitration Inter-frame Space
• Contention Window (CW)
• Preamble - BPSK
• RTS - MBR
• SIFS - Fixed Time
• Preamble - BPSK
• CTS - MBR
• SIFS - Fixed Time
• Preamble - BPSK
• Preamble - VHT
• Header - MBR
• Payload - PHY Rate
• CRC
• SIFS - Fixed Time
• Preamble - BPSK
• ACK - MBR
Decibel Math
Conversion Chart dBm/mW
dBm      mW           dBm      mW           dBm      mW
0 dBm    1 mW         11 dBm   12.5 mW      22 dBm   160 mW
1 dBm    1.25 mW      12 dBm   16 mW        23 dBm   200 mW
2 dBm    1.56 mW      13 dBm   20 mW        24 dBm   256 mW
3 dBm    2 mW         14 dBm   25 mW        25 dBm   320 mW
4 dBm    2.5 mW       15 dBm   32 mW        26 dBm   400 mW
5 dBm    3.12 mW      16 dBm   40 mW        27 dBm   512 mW
6 dBm    4 mW         17 dBm   50 mW        28 dBm   640 mW
7 dBm    5 mW         18 dBm   64 mW        29 dBm   800 mW
8 dBm    6.25 mW      19 dBm   80 mW        30 dBm   1000 mW
9 dBm    8 mW         20 dBm   100 mW       40 dBm   10000 mW
10 dBm   10 mW        21 dBm   128 mW       43 dBm   20000 mW


Inverse Square Law (geometric expansion)

[Figure labels: Intensity at Source = I; Distance from Source = D; I/4 at 2D; I/16 at 4D]

Physical quantity or intensity is inversely proportional to the square of the distance from the source of that physical quantity.
Power density decreases as the wavefront propagates away from the point source.
-40dB in the first meter at 2.4GHz and -47dB in the first meter for 5GHz
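
The decibel chart, the wavelength figures and the first-meter loss values above can be checked with a few lines of Python. This is an added example, not part of the course material; the channel center frequencies (2.437 GHz and 5.5 GHz) and the 3 dB wall loss are assumptions chosen for illustration, and the free space path loss formula is the standard one, 20·log10(4πdf/c).

```python
import math

SPEED_OF_LIGHT_M_S = 299_792_458

def dbm_to_mw(dbm):
    """Exact conversion: mW = 10^(dBm/10)."""
    return 10 ** (dbm / 10)

def mw_to_dbm(mw):
    """Exact conversion: dBm = 10*log10(mW)."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw)

def wavelength_cm(freq_ghz):
    """Wavelength from c/f; the slide's 30/f(GHz) rounds c to 30 cm*GHz."""
    return SPEED_OF_LIGHT_M_S / (freq_ghz * 1e9) * 100

def fspl_db(distance_m, freq_ghz):
    """Free space path loss between isotropic antennas, in dB."""
    if distance_m <= 0 or freq_ghz <= 0:
        raise ValueError("distance and frequency must be positive")
    ratio = 4 * math.pi * distance_m * freq_ghz * 1e9 / SPEED_OF_LIGHT_M_S
    return 20 * math.log10(ratio)

def received_dbm(tx_dbm, distance_m, freq_ghz, obstacle_loss_db=0.0):
    """Link budget with 0 dBi antennas: Tx power minus path loss minus
    any obstacle (for example a wall) in the path."""
    return tx_dbm - fspl_db(distance_m, freq_ghz) - obstacle_loss_db

# A few rows copied from the conversion chart above (dBm -> mW).
CHART_MW = {1: 1.25, 3: 2, 5: 3.12, 10: 10, 20: 100, 24: 256, 27: 512, 30: 1000}

def chart_error_percent(dbm):
    """How far the chart's rounded value is from the exact conversion."""
    exact = dbm_to_mw(dbm)
    return (CHART_MW[dbm] - exact) / exact * 100

def worst_chart_row():
    """The chart row (among those copied) with the largest rounding error."""
    return max(CHART_MW, key=lambda d: abs(chart_error_percent(d)))

if __name__ == "__main__":
    for f in (2.437, 5.5):  # assumed channel centers: ch 6 and ch 100
        print(f"{f} GHz: wavelength {wavelength_cm(f):.1f} cm, "
              f"loss in first meter {fspl_db(1, f):.1f} dB")
    # Inverse square law: doubling the distance costs about 6 dB each time.
    for d in (1, 2, 4, 8):
        print(f"5.5 GHz at {d} m: {fspl_db(d, 5.5):.1f} dB")
    # Constructed link: 20 dBm transmitter, 10 m away, one wall assumed at 3 dB.
    print(f"Rx through wall: {received_dbm(20, 10, 5.5, 3):.1f} dBm")
    row = worst_chart_row()
    print(f"Largest chart rounding error: {row} dBm "
          f"({chart_error_percent(row):+.1f}%)")
```

The chart values are rounded rules of thumb; the largest deviation among the copied rows stays close to 2%, which is well inside normal measurement error for RSSI.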
Free Space Path Loss
What happens when a wall is introduced?
Lunch
802.11 Association Process
•Wi-Fi Client Device Chooses!
•AKA - “Green Diamond”
•Decision on Triggers or Timer
•Very Proprietary Algorithm
•Algorithm Designed to Meet Goals
•Influenced by Access Points
•Support for 802.11 k, v, r
•Dis-Association - De-Authentication
•802.11 State Machine
Association Process
• Beacons - Broadcast
10x per second per radio per SSID
• Probe Requests - Broadcast
• Probe Responses - Unicast

Decision - “Green Diamond”

• Authentication Request
• Authentication Response
• Association Request
• Association Response
Association Identifier AID
“Green Diamond” Association/Roaming Algorithms
• SSID
• RSSI
• SNR
• Authentication Method
• Channel Switch Announcements
• De-Authentication Frame
• Dis-Association Frame
• Encryption Methods
• Error Ratios
• Heuristics
• Internal Lists - White/Grey/Black
• MCS/Data Rate
• Minimum Basic Rate
• Supported Data Rates
• 802.11k, 802.11r, 802.11v
Association is to Wireless
what a Link Light is to Wired

Authentication & Encryption

Authentication
• Open - None and None
• Pre-Shared Key (PSK) - Device Authentication
• 802.1X (RADIUS) - User Authentication

Encryption
• No Encryption
• TKIP (Old & Deprecated)
• AES/CCMP (Current Encryption)
Pre-Shared Key

‣ Device Authentication
‣ SSID
‣ Pre-Shared Key
‣ 4-Way Handshake
802.1X - RADIUS
• Various EAP Types
• Controlled Port
• Supplicant
• Authenticator
• RADIUS Server
• Authentication Database
• EAP Flows
• 4-Way Handshake
• Fast Roaming Methods
802.1X/EAP Framework

Roles: Supplicant, Authenticator, Authentication Server

802.11 association (Supplicant: “Need access!”, Authenticator: “Access blocked”)

Supplicant / Authenticator | Authenticator / Authentication Server
EAPoL-start |
EAP-request/identity |
EAP-response/identity (credentials) | RADIUS-access-request
EAP-request (challenge) | RADIUS-access-challenge
EAP-response (hashed resp.) | RADIUS-access-request
EAP-success | RADIUS-access-accept (PMK)

Supplicant: “Calculating my key…”
Authentication Server: “Calculating this guy’s key…”

Start 4-Way Handshake
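
When an 802.1X join fails, the first question is which leg of the exchange above went quiet. The sketch below is an added example, not part of the course material: it walks a list of observed message names against the slide's simplified single-challenge flow and reports who was expected to speak next and where to capture. The message labels are taken from the slide; `RADIUS-access-reject` and `EAP-failure` are the standard failure messages and do not appear on the slide; the sample traces are constructed.

```python
# (sender, receiver, message) in the order implied by the slide's flow.
FLOW = [
    ("Supplicant", "Authenticator", "EAPoL-start"),
    ("Authenticator", "Supplicant", "EAP-request/identity"),
    ("Supplicant", "Authenticator", "EAP-response/identity"),
    ("Authenticator", "Authentication Server", "RADIUS-access-request"),
    ("Authentication Server", "Authenticator", "RADIUS-access-challenge"),
    ("Authenticator", "Supplicant", "EAP-request (challenge)"),
    ("Supplicant", "Authenticator", "EAP-response (hashed resp.)"),
    ("Authenticator", "Authentication Server", "RADIUS-access-request"),
    ("Authentication Server", "Authenticator", "RADIUS-access-accept"),
    ("Authenticator", "Supplicant", "EAP-success"),
]

# Not on the slide: standard RADIUS/EAP messages that end a failed attempt.
FAILURE_MESSAGES = {"RADIUS-access-reject", "EAP-failure"}

def capture_leg(sender, receiver):
    """EAPoL runs over the air; RADIUS runs on the wired side."""
    if "Authentication Server" in (sender, receiver):
        return "wired (RADIUS)"
    return "wireless (EAPoL)"

def diagnose(observed):
    """Return where a list of observed message names stopped in the flow."""
    step = 0
    retransmissions = 0
    for message in observed:
        if message in FAILURE_MESSAGES:
            return {"status": "rejected", "completed_steps": step,
                    "retransmissions": retransmissions, "message": message}
        if step == 0 and message == FLOW[1][2]:
            # EAPoL-start is optional: the authenticator may open the
            # exchange itself with EAP-request/identity.
            step = 2
        elif step < len(FLOW) and message == FLOW[step][2]:
            step += 1
        elif step > 0 and message == FLOW[step - 1][2]:
            retransmissions += 1  # same message again: the peer is not answering
        # anything else (unrelated frames) is ignored
    if step == len(FLOW):
        return {"status": "complete", "completed_steps": step,
                "retransmissions": retransmissions,
                "next": "Start 4-Way Handshake"}
    sender, receiver, message = FLOW[step]
    return {"status": "stalled", "completed_steps": step,
            "retransmissions": retransmissions, "waiting_on": sender,
            "missing": message, "capture_on": capture_leg(sender, receiver)}

# Constructed traces for illustration.
RADIUS_UNREACHABLE = [m for _, _, m in FLOW[:4]] + ["RADIUS-access-request"] * 2
BAD_CREDENTIALS = [m for _, _, m in FLOW[:8]] + ["RADIUS-access-reject", "EAP-failure"]
SILENT_SUPPLICANT = ["EAP-request/identity", "EAP-request/identity"]

if __name__ == "__main__":
    for name, trace in [("radius unreachable", RADIUS_UNREACHABLE),
                        ("bad credentials", BAD_CREDENTIALS),
                        ("silent supplicant", SILENT_SUPPLICANT),
                        ("success", [m for _, _, m in FLOW])]:
        print(name, "->", diagnose(trace))
```

A stall on the wired leg points at the RADIUS server, shared secret, ports or routing rather than at RF, which matches the course's point that most "wireless" problems are not wireless.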


Upper Layers
• VLAN Assignment
• DHCP (Request/Response)
• Subnet Mask
• Default Gateway
• DNS
• Captive Portal ?

Protocols
Captive Portal
‣ Location
‣ Certificate Issues
‣ Client Issues
‣ Control
‣ Encrypted DNS
‣ Friction
‣ Legal Issues
‣ Mi-Fi Issues
‣ Monetization
‣ Privacy Issues
‣ Triggers

Wi-Fi Client Joining WLAN

802.11 Association
• Probe Request/Probe Response
• Client Decides on AP
• Authentication Request/Response
• Association Request/Response

Authentication
• Open
• PSK
• 802.1X

Encryption
• None
• TKIP
• AES/CCMP

Upper Layers
• DHCP
• VLANs
• Default Gateway
• DNS

Captive Portal
• After everything is completed for 802.11 Association, Authentication and Encryption, as well as all Upper Layers… then Captive Portal

Port Control: Can Pass Traffic Through Access Point
LAN Access: Can Pass Traffic on Local Network
Full Network Access: Can Pass Traffic on Local Network
802.11 k - Radio Resource Measurement
• Neighbor Report
  AP/Channel/Beacon Offset
• Beacon Report
  Client Reports how sees other APs
• Channel Report
  AP informs client of channels used
• BSS Transition Management
  AP tells client to move to other AP
802.11 r - Fast Transition
Replaces 4-Way Handshake with updated
Fast Transition Authentication Request &
Response followed by Re-Association
Request and Re-Association Response

Over-the-Air
Client talks directly to target AP
Over-the-DS
Client talk through current AP to target AP
802.11 v - BSS Transition Management

• L2 Management of Associated Stations
• Monitoring of Associated Stations
• Configuring Associated Stations
• Load Balancing
• Influence Client Behavior
2.4GHz Channels
5GHz Channels
Channel Widths

Double the channel width =
• +3dB noise floor
• Wider channels make it more difficult to obtain the necessary SNR for higher order modulations
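
The effect of the +3dB noise floor per doubling can be worked through against the SNR figures from the modulation slides. This is an added example, not part of the course material; it assumes the lower end of each SNR range on the slides as the cutoff for that modulation, and the RSSI and noise values are constructed.

```python
import math

# Minimum SNR per modulation, highest order first. Assumption: the lower end
# of the ranges quoted on the modulation slides is used as the cutoff.
MIN_SNR_DB = [("256-QAM", 30.0), ("64-QAM", 18.0), ("16-QAM", 10.0),
              ("QPSK", 5.0), ("BPSK", 2.0)]
WIDTHS_MHZ = (20, 40, 80, 160)

def noise_floor_dbm(noise_20mhz_dbm, width_mhz):
    """Noise floor rises by 10*log10(width/20): about 3 dB per doubling."""
    if width_mhz not in WIDTHS_MHZ:
        raise ValueError(f"unsupported channel width: {width_mhz}")
    return noise_20mhz_dbm + 10 * math.log10(width_mhz / 20)

def best_modulation(snr_db):
    """Highest-order modulation whose minimum SNR is met, or None."""
    for name, minimum in MIN_SNR_DB:
        if snr_db >= minimum:
            return name
    return None

def width_report(rssi_dbm, noise_20mhz_dbm):
    """Map each channel width to (SNR in dB, best modulation) for one client."""
    report = {}
    for width in WIDTHS_MHZ:
        snr = rssi_dbm - noise_floor_dbm(noise_20mhz_dbm, width)
        report[width] = (round(snr, 1), best_modulation(snr))
    return report

def widest_channel_for(rssi_dbm, noise_20mhz_dbm, modulation):
    """Widest channel on which the client still meets the SNR for
    `modulation`, or None if even 20 MHz is not enough."""
    needed = dict(MIN_SNR_DB)[modulation]
    usable = [w for w in WIDTHS_MHZ
              if rssi_dbm - noise_floor_dbm(noise_20mhz_dbm, w) >= needed]
    return max(usable) if usable else None

if __name__ == "__main__":
    # Constructed readings: noise floor of -95 dBm measured on a 20 MHz channel.
    for rssi in (-65, -72):
        print(f"RSSI {rssi} dBm:")
        for width, (snr, mod) in width_report(rssi, -95).items():
            print(f"  {width:>3} MHz  SNR {snr:>4} dB  -> {mod}")
```

With these readings a client at -65 dBm reaches 256-QAM only on a 20 MHz channel, and a client at -72 dBm drops from 64-QAM to 16-QAM once the channel is widened to 80 MHz.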

Break
Review of Network Devices
• REPEATER
  Regenerate Signal
• HUB
  Multi-Port Repeater
• BRIDGE
  MAC based forwarding
• SWITCH
  Multi-port Bridge
• ROUTER
  Regenerate new Frame w/New MAC

What is an Access Point?
Repeater? Hub? Bridge? Switch? Router?
Access Point
NOT a WAP!
Bridges Wireless to Wired
Fixed Location
Makes DFS Decisions
Radio Resource Management
Autonomous vs Controller
What is an Access Point?

Potential Troubleshooting Issues with Access Points

• 1GB Backhaul Limit
• Antenna Mounting
• Antenna Pattern
• AP Locations
• Band Steering
• Channel Choice
• Client Controls
• Configurations
• Custom Configurations
• DFS Channel Choices & Issues
• Firmware Revisions
• Hidden SSIDs
• Minimum Basic Rates
• PoE Requirements
• Proprietary Features
• QoS Tagging
• Radio Capabilities
• Roaming Behavior Influence
• RRM/ARM
• SSIDs
• Supported PHY Rates
• Tx Power Setting
Basic Service Set

• A Basic Service Set is identified by a BSSID
• Area containing the members of a BSS is called Basic Service Area (BSA)
Basic Service Set - Dual Band AP

• 1 BSS per Radio

• BSSID #1 - 2.4GHz
• MAC address of the 2.4GHz radio

• BSSID #2 - 5GHz
• MAC address of the 5GHz radio
Extended Service Set

BSS BSS BSS

ESS
Wired Medium Issues

• EIA/TIA 568A/B
• Cable Lengths
• Category Mismatch
• Grounding Issues
• Validation Testing
• Out of Spec Cabling
• Patch Cables
Evolution in Cabling

Wireless LAN Design Requirements

• RSSI Primary (Coverage)
• RSSI Secondary (Overlap)
• Frequency Allocations
• Co-Channel Interference
• Device to Radio Ratios
• Special High Density Areas
• Protection Modes
• Jitter, Latency, Packet Loss, MOS Scores
• Beacon Interval, DTIM Interval
• End to End QoS
• WMM Access Categories
• Codec Choices
• Distributed Forwarding
Edge Switch
•ACL(s)
•Configurations
•QoS (CoS vs DSCP)
•Distributed vs Centralized
•NetFlow
•PoE Settings
•Port Speed/Duplex
•How/Where to Packet Capture
•Tagged vs Untagged Port
•VLANs
DHCP
•Address Pool Scopes
•APIPA Addressing
•Auto Renewal
•Broadcast Storms
•IPv4 vs IPv6
•DHCP Scope Options
•Latency
•Lease Durations
•Performance
•Scalability
DNS
• Location
• Accuracy
• Configuration
• Control/Blacklist
• Customization
• Latency
• Scalability
• Security

What is your favorite non-DNS IP Address to test?


802.1X - RADIUS Server

• Authentication Database
• Certificate Issues
• Configuration
• Custom VSA
• EAP Types
• Fast/Secure Roaming Types
• Licensing Issues
• Ports
• Ranges
• Resources
• Scalability
Authentication Database
• Accounts
• Certificates
• Infrastructure Credentials
• Custom RADIUS Attributes
• EAP Compatibility
• Login Credentials
• Ports
• Security
Application Services

Additional Security
MTU
Processing Time
Round Trip Time
TCP Retransmission
TCP Window
Tuned for Wired
Firewall Services
• Application Control
• Application Visibility
• Bandwidth Shaping
• Capacity
• Firewall Rules
• Rate Limiting
• Certificates
WAN Router
• Availability
• Bandwidth Throttling
• Consistency
• Costs
• Internet Connection Size
• Internet Destination Issues
• Jitter
• Latency
Wireless LAN Controller
• Bugs
• Code Versions
• Configurations
• Distributed vs Centralized
• Licensing Issues
• Local vs Cloud
• VLAN Choices
Homework
Homework Review
Doctor’s Visit / Triage
Blood Pressure - Channel Utilization

Pulse - Retry Rates

Temperature - MCS Rates


Requirements

LCMI

Least
Capable
Most
Important
Survey Says: Top Wireless Issues

End User Issues
• Connect to Wrong SSID
• Incorrect PSK
• Incorrect 802.1X Credentials
• Wireless Not Turned On

Network Issues
• Incorrect VLANs, No IP Address or APIPA
• DNS Issues, DHCP Issues, NAT Errors
• Firewall or Bandwidth Shaping Issues

Wi-Fi Client Device Issues
• Sticky Client Issues
• Client Driver Issues
• Roaming Issues
• MDM Issues

WLAN Infrastructure Issues
• Low Coverage, No Secondary Coverage
• Band Steering Not Working
• High Retry Rates, Low Average MCS
• MBR too High/Low, AP Tx Power Issues
• AP Code Issues, WMM Not Configured
Troubleshooting Process Steps

Identify
• Determine problem exists
• Ask Questions & Collect Info
• Correctly Identify Issue

Locate
• Tied to physical space
• Tied to specific devices
• Use OSI model to define layer

Solve
• Formulate & Implement plans
• May include changes to drivers, configurations or designs

Document
• Document initial issues, processes, diagnostics & resolutions
• Follow up with those involved

Re-Create
• If you can’t recreate the issue, return to step one and ask more questions

Isolate
• Identify OSI Layer, Specific devices, Specific locations, Driver versions

Verify
• Extensive testing to confirm and verify the solution did indeed solve the issue at hand
Potential Wireless LAN Troubleshooting Causes
Wired/Wireless Location: Potential Issues

1 Wireless End User: Skills, Knowledge Perceptions, Device on/off, Understanding of Concepts & Device capabilities, Wi-Fi vs Cellular
2 Mobile Wi-Fi Client Device: Drivers, Radio Capabilities, Authentication Profiles, Supported PHY, QoS, Power Save, Applications, Location, MPTCP, Vendor IE Support, Chipset Behavior, Roaming Algorithms, Auto-Negotiated MCS, MDM, Protection
3 RF Media: RSSI, SNR, SNiR, Primary & Secondary Coverage, CCI/ACI, Retry Rates, Average MCS, Jitter, Latency, Consistency, Regulatory Domains, Non-Wi-Fi Interference, Spectrum Analysis
4 Per Frame Tx Contention Process: Preamble Detect, Energy Detect, Triggers, NAV Timers, TxOP, AIFS, Random Slots, QoS, WMM, Duration ID, Ch Capacity, Non-Wi-Fi Interference
5 Per Frame Tx MCS Process: Per Frame Decisions - Modulation Technique, Coding Technique, Ch Width, Guard Interval, Spatial Streams, Tx Power, ACK vs No ACK, TX decides
6 Per Time DFS Process: 802.11 is NOT primary User - AP Scans for 60-Seconds, AP Enabled, Continuous Scanning, If RADAR detected, send CSA, Change to new CH, After 30-min can return, after 60-second scan
7 Per Frame Tx Single Frame on RF: Overhead to deliver IP Payload - AIFS, CW, BPSK Preamble, RTS, SIFS, Preamble BPSK, CTS, SIFS, Preamble, Preamble VHT, Header MBR, Payload PHY rate, CRC, SIFS, Preamble, ACK
8 Per Timers Association Process: Beacon, Probe Request, Probe Response, Authentication Request, Authentication Response, Association Request, Association Response, Decide on which AP by: RSSI, SNR, Auth Method, Encrypt Method, Channel Switch Announcement, Error Ratios, MCS/Data Rates Supported, Heuristics, Internal Lists, De-Authentication, Dis-Associate, 802.11 k, v, r, MBR, Proprietary Methods!
9 802.11 k, v, r: APs try to influence the roaming decisions via 'standard' modes
10 Per Changes Authentication Process: Open, Pre-Shared Key, 802.1X RADIUS, PSK includes Exchange of 4-Way Handshake to trigger Encryption Keys, 802.1X EAP Exchange, ending in 4-Way Handshake
11 Encryption Process: None, TKIP, AES/CCMP, Punishment for using TKIP, Confusion with Wi-Fi Alliance naming - WPA2 PSK… is PSK-WPA2
12 From LAN Upper Layers: DHCP, IP, DNS, VLAN, Subnet Mask, Default Gateway, Captive Portal
13 Controlled Port: AP Controls which 802.11 Frames can cross Wireless to Wired Boundary
14 Fixed Wired Access Point: Configurations, SSIDs, Minimum Basic Rates, Supported PHY Rates, Band Steering, Client Control, Radio Capabilities, Tx Rates, Client Isolation, Roaming, QoS, PoE, Antenna Pattern, Mounting, 1GB backhaul limit, AP Locations, Physical Layer Issues, Firmware Revisions, Custom Configurations, RRM/ARM, Proprietary
15 Local Cable Media: EIA/TIA 568A/B, Category Mismatch, Validation Tests, Grounding, other issues
16 Network Edge Switch: VLANs, Port Speeds, PoE, Configurations, QoS, End-to-End?, COS vs DSCP
17 Local Network: Distributed vs Centralized Forwarding, ACLs, VLANs, QoS, Tunnels, Layers, NAT
18 TCP/UDP: Following all TCP issues as well as UDP reasons for using each
19 Quality of Service: Access Port vs Trunk Port, DSCP, WMM Categories, End-to-End QoS
20 Applications: MTU, TCP Window, Round Trip Time, Processing Time, TCP Retransmission times
21 DHCP Server: Lease Durations, Configurations, Broadcast Storms, Latency, Performance, Address Pool Scopes, Scalability, DHCP Options, Auto Renew
22 DNS: Configuration, Scalability, Security, Accuracy, Customization, Control, Blacklists
23 802.1X/RADIUS: Configuration, Ports, Ranges, Licensing Issues, EAP types, Custom VSA, Scalability, Resources, Certificate Issues, Fast/Secure Roaming types
24 Active Directory: Accounts, Credentials, EAP Compatibility, Custom RADIUS Attributes
25 Controller Functions: Code Versions, Bugs, Configurations, Local vs Cloud, Licensing Issues, Distributed vs Centralized Forwarding, VLAN choices
26 Firewall: Firewall Rules, Capacity, Compatibility, Rate Limiting, Bandwidth Shaping
27 WAN Router: Size of Internet Pipe, Internet Destination Issues, Costs, Availability, Consistency
   Internet - Internet Connection: Bandwidth Throttling, Jitter, Latency
28 Captive Portal: Security, Client Issues, Privacy, Friction, Triggers, Certificates, DNS, Captive Portal Location, Control, Monetization, Legal, MiFi

Troubleshooting WLANs from Wireless Side

Wi-Fi Client Devices
Drivers, Radio Capabilities, Authentication, Supported PHY, Power Save, Location, Applications, Roaming, Auto-Negotiated MCS, MDM, Protection, Chipset Behavior

RF Media
RSSI, SNR, SNIR, Primary Coverage, Secondary Coverage, CCI/ACI, Retry Rates, Average MCS, Jitter, Latency, Consistency, Regulatory Domains, Non-Wi-Fi Interference, Spectrum Analysis, RF Bands

Controller & Management
Code Versions, Bugs, Configurations, Local vs Cloud, Licensing, Scale, VLANs, Centralized vs Distributed, Control Plane, Mgmt Plane, Data Plane

Access Points
Configurations, SSIDs, MBR, PHY Rates, Band Steering, Client Control, Radio Capabilities, Tx Power, Client Isolation, Roaming, RRM/ARM, QoS Tagging, PoE Requirements, Antenna Patterns, Mounting, 1GB backhaul, AP Locations, PHY Layer Issues, Firmware, Bugs, Custom Configs

Wired Interfaces
EIA/TIA 568A/B, Cable Mismatch, Validation Testing, Grounding, VLANs, Port Speeds, Configurations, QoS, COS vs DSCP, Distributed Forwarding vs Centralized Forwarding, Access vs Trunk Ports

Local Network Services
Troubleshooting Network Services

DHCP
All things IP Address Related, VLANs, Default Gateway, Subnet Mask, Lease Duration, DHCP Options, Latency, Auto-Renew

Applications
TCP Windowing, MTU, RTT, Processing Time, TCP Retransmissions

DNS
Configurations, Scalability, Accuracy, Security, Controls, Blacklists, Management

Captive Portal
Client Issues, Friction, Triggers, Certificates, Encrypted DNS, Control, Legal, MiFi Issues, Where CP Resides, Privacy Issues

RADIUS/802.1X
Configuration, Ports, Ranges, Licensing, EAP types, Scalability, Certificates, Fast/Secure Roaming, Authentication Database Issues

Internet/Cloud
Size of Internet Pipe, Costs, Availability, Bandwidth Shaping, Jitter, Latency, Consistency, Firewall Issues
Wireless LAN Troubleshooting Process
Break
How to NOT have WLAN issues
Before Installing AP…

• Try using a netool.io device
• Worst case, a laptop with CMD window…

Before Installing AP - Test Wired Connection

Step 1
Check cabling meets Cat5e or better & distance less than 100m

Step 2
Confirm Power over Ethernet meets AP’s requirements

Step 3
Confirm DHCP, DNS Address, Default Gateway, IP Subnet Mask, & VLANs as designed

Step 4
Document Switch Access Port, VLANs, Jack, Management VLAN

Step 5
Test DNS for targets resolving correctly

Step 6
Ping Default Gateway from DHCP Process
Ping server on far side of Default Gateway

Step 7
Confirm you can connect to Controller, WNMS, etc.

Step 8
Confirm all VLANs available for this port
Trunk or Access as designed
Centralized Forwarding or Distributed
After Installing Access Point

Design Confirmation
Confirm Access Point is installed as designed
Proper Location, Proper Orientation

Document AP as Installed
AP’s MAC Address, Assigned Name, Location, Switch & Port Used, IP Address, Ethernet Jack, Photo of Installation

Validation of Wi-Fi AP Configuration
Wait for AP to receive configuration from Controller/WNMS - might take two reboots depending on vendor implemented

Using a Wi-Fi Client Device:
Check all SSID’s are being broadcast
Connect to each SSID
Test DHCP & VLANs per SSID
It’s a Wireless Problem!

Really?

Most Wireless
Problems Aren’t…

Wi-Fi Client Joining WLAN

802.11 Association
• Probe Request/Probe Response
• Client Decides on AP
• Authentication Request/Response
• Association Request/Response

Authentication
• Open
• PSK
• 802.1X

Encryption
• None
• TKIP
• AES/CCMP

Upper Layers
• DHCP
• VLANs
• Default Gateway
• DNS

Captive Portal
• After everything is completed for 802.11 Association, Authentication and Encryption, as well as all Upper Layers… then Captive Portal

Port Control: Can Pass Traffic Through Access Point
LAN Access: Can Pass Traffic on Local Network
Full Network Access: Can Pass Traffic on Local Network
Wired vs Wireless

Wired Issues
Use appropriate tools to check Network connectivity in Upper Layers

Wireless Issues
Use appropriate tools to check Layer 1 RF and Layer 2 MAC issues
Wired or Wireless Problem?

IP Address
Does the target Wi-Fi Client Device have an IP Address?

Ping Wi-Fi Client
Can you Ping your Wi-Fi Client Device from the Wired Network?

MCS of Wi-Fi Client
Is the MCS of the Wi-Fi client showing stress?
MCS 5-9 means 64-QAM or Better
MCS of <5 means difficulty over RF

Compare Throughputs
Compare Wi-Fi connection data rate to Internet Speed Test

Check RSSI & SNR
Both from the Client’s point of view as well as from the Access Points’

Isolated?
Is the issue isolated to only Wi-Fi devices or across the network?
Especially check network services
Wired Network Testing

DHCP
All things IP Address Related, VLANs, Default Gateway, Subnet Mask, Lease Duration, DHCP Options, Latency, Auto-Renew

Applications
TCP Windowing, MTU, RTT, Processing Time, TCP Retransmissions

DNS
Configurations, Scalability, Accuracy, Security, Controls, Blacklists, Management

Captive Portal
Client Issues, Friction, Triggers, Certificates, Encrypted DNS, Control, Legal, MiFi Issues, Where CP Resides, Privacy Issues

RADIUS/802.1X
Configuration, Ports, Ranges, Licensing, EAP types, Scalability, Certificates, Fast/Secure Roaming, Authentication Database Issues

Internet/Cloud
Size of Internet Pipe, Costs, Availability, Bandwidth Shaping, Jitter, Latency, Consistency, Firewall Issues
WiFi Signal Demo Lab

Netool.io Lab Exercise
Before installing an Access Point confirm
the Wireless LAN is providing all that is required.

1. Check Cabling for Category & Distance
2. Confirm PoE meets AP requirements
3. Confirm DHCP, DNS, Default Gateway, IP Subnet Mask, & VLANs
4. Ping Default Gateway
5. Test DNS to quickly resolve targets
6. Test Access to Internet resources as needed
7. Test access to Controller, WNMS, etc.
8. Confirm VLANs as designed
Netool.io Labs
Lab 1 - netool.io Lab

Lunch
Wireless LAN Troubleshooting Process
WLAN Pi
Features:

•Quad Core ARM CPU


•1GB RAM
•Small!
•Runs Linux
•Gigabit Ethernet with 900Mbps throughput
•Low power
•Custom software build just for Wi-Fi
Recommended WLAN USB Adapters

Tested adapters include:
Comfast CF-912AC, Odroid Module 5, and Ekahau SA-1
Any adapter with the RTL8812au or RTL8814au Wi-Fi chipsets should work

Other adapters (work well, but are limited to 802.11n):
Panda N600 Dual-Band Wireless-N USB Adapter
Kismet

Features:

•802.11 sniffing
•Standard PCAP logging (compatible with Wireshark, TCPDump, etc)
•Client/Server modular architecture
•Plug-in architecture to expand core features
•Multiple capture source support
•Live export of packets to other tools via tun/tap virtual interfaces
•Distributed remote sniffing via light-weight remote capture

More Info: https://www.kismetwireless.net/


Developer: Mike Kershaw - @KismetWireless
WLAN PI Labs
Lab 2 - Connecting to your WLAN Pi

1. Connect via Web Browser
2. Connect via SSH

Lab 3 - Introduction to Kismet

1. Setup Kismet via HTTP Interface
2. Change Kismet Password
3. Change Kismet Data Source
4. Enable Kismet Data Source
5. Explore Kismet Interface

Lab 4 - Network Discovery with Kismet

1. Collect Station Details
2. Calculating Retry Rates
3. Checking Channel Usage
4. Searching Kismet Dataset
5. Observing Vendor BSSID Behavior

Lab 5 - Linux Navigation

1. sudo & sudo bash
2. Change Directories
3. cat & more
4. Checking log files
5. ifconfig & iwconfig

Network Troubleshooting CLI Commands
Windows | macOS/*nix | Description & Options

ping | ping | Test the network connection with a remote IP address
    ping -t [IP or host]
    ping -l 1024 [IP or host]

tracert | traceroute | Displays all intermediate IP addresses through which a packet passes between the local machine and the specified IP address.
    tracert [@IP or host]
    tracert -d [@IP or host]

dig | dig | Get DNS information
    dig domain

ipconfig | ifconfig | Displays or refreshes the TCP/IP configuration
    ipconfig /all [/release [adapter]] [/renew [adapter]] /flushdns /displaydns /registerdns [-a] [-a] [-a]

telnet | telnet | TELNET
    telnet <IP or host>
    telnet <IP or host> <port TCP>

netstat | netstat | Displays the status of the TCP/IP stack on the local machine
    netstat [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

arp | arp | ARP: Resolving IP addresses to MAC addresses. Displays and modifies the translation tables of IP addresses to physical addresses used by the ARP address resolution protocol.
    ARP -s adr_inet adr_eth [adr_if]
    ARP -d adr_inet [adr_if]
    ARP -a [adr_inet] [-N adr_if]

hostname | | Displays the name of the machine

nslookup | nslookup | nslookup sends DNS requests to a DNS server
    nslookup [domain] [dns server]

netsh | | netsh: command-line scripting utility
    netsh [-a AliasFile] [-c Context] [-r RemoteComputer] [{NetshCommand | -f ScriptFile}]
Linux Command Line Cheat Sheet - WLAN Pros 2/14/19 9:13

File Operations
cp file1 file2                    Copy file1 to file2
file file1                        Get type of file1
head file1                        Show first 10 lines of file1
less file1                        View and paginate file1
more file1                        Output contents of file1
mv file1 file2                    Move file1 to file2
rm file1                          Delete file1
scp file1 user@host:/directory    Files to be copied between hosts w/SSH
tail file1                        Show last 10 lines of file1
tail -f file1                     Output last lines of file1 as it changes
touch file1                       Create file1

Directory Operations
cd ..        Go up a directory
cd ~         Go to the home directory
cd dir       Change directory to dir
mkdir dir    Make directory dir
pwd          Show current directory
ls           List files

ls Options
-a    Show all (including hidden)
-R    Recursive list
-r    Reverse order
-t    Sort by last modified
-S    Sort by file size
-l    Long listing format
-1    One file per line
-m    Comma-separated output
-Q    Quoted output

Compression
gzip file                 Compresses file and renames it to file.gz
gzip -d file.gz           Decompresses file.gz back to file
tar cf file.tar files     Create a tar named file.tar containing files
tar xf file.tar           Extract the files from file.tar
tar xzf file.tar.gz       Extract a tar using Gzip

Search Files
find /dir/ -name name*    Find files starting with name in dir
find /dir/ -user name     Find files owned by name in dir
grep -i                   Case insensitive search
grep -r                   Recursive search
grep -v                   Inverted search
grep pattern files        Search for pattern in files
locate file               Find file (quick search of system index)
whereis command           Find binary / source / manual for command
command | grep pattern    Search for pattern in the output of command

File Permissions
chmod 775 file            Change mode of file to 775
chmod -R 600 folder       Recursively chmod folder to 600
chown user:group file     Change file owner to user and group to group
4 read (r), 2 write (w), 1 execute (x)
The first digit is the owner permission, the second the group and the third for everyone.
Calculate 3 permission digits by adding values listed.

SSH
ssh user@host             Connect to host as user
ssh -p port user@host     Connect to host on port port as user
ssh-copy-id user@host     Add your key to host for user to enable passwordless login

Bash Commands
clear                 Clear current screen
date                  Show system date
df                    Show disk usage
du                    Show directory space usage
head -n1 /etc/issue   Show distribution
man command           Show manual for command
mount                 Show mounted filesystems
passwd                Change password for current user *highly recommended*
sudo                  Run programs w/security privileges of another user
uname -a              Show system and kernel
uptime                Show uptime
w                     Show who is online
whereis app           Show possible locations of app
whoami                Show your username

Bash Variables
$HOME         Home directory
$PATH         Executable search path
$SHELL        Current shell
echo $NAME    Output value of $NAME variable
env           Show environment variables

Bash Shortcuts
!!        Repeat last command
<tab>     Autocompletion of file or command
clear     Clear the terminal
Ctrl-c    Stop current command
Ctrl-l    Clear the terminal
Ctrl-r    Search history
Ctrl-z    Stops current command (resume with fg)

Screen Shortcuts
screen        Start a screen session
screen -r     Resume a screen session
screen -ls    Show your current screen sessions
Ctrl-A        Activate commands for screen
Ctrl-A c      Create a new instance of terminal
Ctrl-A n      Go to the next instance of terminal
Ctrl-A p      Go to the previous instance of terminal
Ctrl-A "      Show current instances of terminals
Ctrl-A A      Rename the current instance of terminal

Process Management
ps              Show snapshot of processes
top             Show real time processes
bg              List stopped or background jobs
fg              Brings most recent job to foreground
kill pid        Kill process with id pid
pkill name      Kill process with name name
killall name    Kill all processes with names beginning name

Nano Shortcuts
Ctrl-R    Read file
Ctrl-O    Save file
Ctrl-X    Close file
Alt-A     Start marking text
Ctrl-K    Cut marked text or line
Ctrl-U    Paste text
Alt-/     End of file
Ctrl-A    Beginning of line
Ctrl-E    End of line
Ctrl-W    Find
Alt-W     Find Next
Ctrl-\    Search and replace

I/O Redirection
command < file          Read input of command from file
command > file          Write output of command to file
command > /dev/null     Discard output of command
command >> file         Append output to file
command1 | command2     Pipe output of command1 to command2

Installing & Upgrading Packages
apt-cache pkgnames            List all available packages
apt search name               Search for a package and its description
apt show name                 Check detailed description of package
apt-get install name          Install a package
apt-get install name name     Install multiple packages
apt-get update                Update list of available packages
apt-get upgrade               Install newest version of available packages
apt-get dist-upgrade          Force upgrade packages
apt-get autoremove            Remove installed packages
apt-get clean                 Remove archived packages
apt-get remove                Uninstall a package
apt-get remove --purge        Uninstall a package and remove its files

Network Shortcuts
dig -x host        Reverse lookup host
dig domain         Get DNS information for domain
ping host          Ping host and output results
traceroute host    Traceroute host and output results
wget file          Download file
wget -c file       Continue a stopped download
whois domain       Get whois information for domain

Network Commands
ifconfig                    Equivalent of ipconfig /all in Windows
ifconfig wlan0              List information about WLAN0 interface
iwconfig                    Wireless information on all wireless interfaces
iwconfig wlan0              Wireless information on interface wlan0
iwlist wlan0 channel        What channel is wlan0
ifconfig wlan0 up           Turn on wlan0 interface
ifconfig wlan0 down         Turn off wlan0 interface
iwconfig wlan0 essid test   Change SSID on wlan0 to test
iwconfig wlan0 channel 6    Set wlan0 channel to 6
dhcpcd wlan0                DHCP address to be assigned to wlan0
airmon-ng start wlan0       Put wlan0 into monitor mode
Break
157
Lab 6 - WLAN Client Capabilities

1. SSH to WLAN Pi
2. Run Profiler Script
3. Test your client device
4. Review Results
5. Rinse & Repeat with other Devices

158
Lab 7 - Testing Wi-Fi Performance

1. Role of WLAN Pi - Test Endpoint


2. HTML 5 Speed Test

159
Lab 8 - Advanced Performance

iPerf Testing

160
Lab 9 - Is it Wi-Fi or Not Wi-Fi

1. Wired Connections to MikroTik


2. Run SpeedTest.net
3. Find your client device’s MCS
4. Wi-Fi Connection to MikroTik
5. Compare & Contrast

161
Ethernet over
USB connection
Homework
163
Homework Review
164
165
Wireless LAN Troubleshooting Process
Validating RF

167
Wireless LAN Design Requirements

• RSSI Primary (Coverage)
• RSSI Secondary (Overlap)
• Frequency Allocations
• Co-Channel Interference
• Device to Radio Ratios
• Special High Density Areas
• Protection Modes
• Jitter, Latency, Packet Loss, MOS Scores
• Beacon Interval, DTIM Interval
• End to End QoS
• WMM Access Categories
• Codec Choices
• Distributed Forwarding

168
Lab Exercise
Ekahau Validation Survey
169
Break
170
Spectrum Analysis using
Ekahau Sidekick

171
Tuning Fork Example
Additive Waves
Time –vs- Frequency
Time –vs- Frequency Views
Protocol –vs- RF
Types of RF Interferers
Ekahau Pro
RTFM
Spectrum Analysis Lab
179
Lunch
180
WIRELESS PACKET ANALYSIS

181
What Is a Wireless Packet Capture (PCAP)?

• Viewing & storing frames in the AIR (802.11), NOT the Wire (802.3)

• Requires NIC to be in “RF Monitor” mode.

• Focused on Layer 1 (Physical) & Layer 2 (Data/MAC) (See OSI model)

• Upper layer data is not for troubleshooting “Wi-Fi Issues”

• Necessary to see/understand the relationship between a client & the WLAN

182
The Wireless Medium

• Unbound Medium

• There is no way to contain RF signals

• Anyone can see (hear) the transmissions

• Only Data is encrypted

• Header information is cleartext

183
RF Monitor Mode
[Figure: 802.11 Frames on Channel 36]

Promiscuous-mode
NIC looks at all data that is being transmitted regardless of destination on the channel it’s monitoring. (But, no L1/2)

Non-Promiscuous Mode (a.k.a. “Normal-mode”)
NIC only looks for frames intended for itself (on the channel it’s monitoring).

RF Monitor-mode
NIC sees ALL 802.11 frames that it can hear on the channel(s) it monitors (L1/L2 info!)

Monitor Mode

“Hears all the things.”


What Can You See?

185
Why PCAP?

• Troubleshoot wireless issues

• Validate & confirm network/device/application/security configuration(s)

• Understand device behaviors

• Industry standard for sharing packet level information

• Gain greater understanding of 802.11

186
Where to PCAP?
Near AP

?

Near Client

187
Where to PCAP?

Most issues are best viewed from the client’s perspective

Near Client

?
188
First Thing’s First: Requirements

• Windows 10 machine
• Wireshark 3.0 or newer
• WLAN Pi, Netgear A6210 USB NIC, or Ekahau Sidekick w/ Connect license
Multi-channel pcap? With Sidekick (2ch max)

• Apple MacBook
• Wireshark
• Airtool
• Internal NIC, WLAN Pi, or Ekahau Sidekick w/ Ekahau Connect license
Multi-channel pcap? With Sidekick only (2ch max)
Lab Exercise
Setting Up for Wireless PCAP
190
Customizing Wireshark for Wi-Fi

• Creating custom profiles
• Columns
• Using search
• Filters
• Colorization Rules
• Custom name resolution
• Commenting
• Graphing

191
CUSTOM PROFILES
• Preset profiles with your favorite settings

• Have Wireshark ready to go for the specific task at hand

• See only what you want to see


Things Unique To Each Custom Profile

• Application Layout Preferences

• Columns

• Display Filters & Filter Buttons

• Colorization Rules

• I/O Graphs

👉 You can also import profiles from others.

After you’ve customized the profile to your liking, BACK IT UP!


193
Backing Up Profiles (Windows)

Go to “Help > About”

194
Backing Up Profiles (Mac)

Go to “Wireshark > About”

195
Lab 11
Custom Profiles
196
CUSTOM COLUMNS

• Know what you’re looking at

• Choose the columns you want to see

• Create your own columns


Creating a Column
1. Locate the field you want in the Display Details Pane
2. Right-click to “Apply as Column”
Using Search to Find Strings

• Wireshark can find pretty much anything


• ⌘/CTRL + F
• Choose where to search
Lab 12
Custom Columns
200
Filters

• CAPTURE Filters

Stop frames from getting INTO my database

• DISPLAY Filters

Control the data LEAVING the database


Display Filters

• Clients

• Frame types

• Group filters together

Wireshark · Display Filter Reference: IEEE 802.11 wireless LAN: https://www.wireshark.org/docs/dfref/w/wlan.h


Display Filter Reference

203
204
802.11 Wireshark Filters
Management Frames            wlan.fc.type == 0
Association Request          wlan.fc.type_subtype == 0
Association Response         wlan.fc.type_subtype == 1
Reassociation Request        wlan.fc.type_subtype == 2
Reassociation Response       wlan.fc.type_subtype == 3
Probe Request                wlan.fc.type_subtype == 4
Probe Response               wlan.fc.type_subtype == 5
Beacon                       wlan.fc.type_subtype == 8
Disassociation               wlan.fc.type_subtype == 10
Authentication               wlan.fc.type_subtype == 11
Deauthentication             wlan.fc.type_subtype == 12
Action                       wlan.fc.type_subtype == 13

Control Frames               wlan.fc.type == 1
Block ACK Request            wlan.fc.type_subtype == 24
Block ACK                    wlan.fc.type_subtype == 25
PS-Poll                      wlan.fc.type_subtype == 26
Ready To Send (RTS)          wlan.fc.type_subtype == 27
Clear to Send (CTS)          wlan.fc.type_subtype == 28
ACK                          wlan.fc.type_subtype == 29

Data Frames                  wlan.fc.type == 2
Data                         wlan.fc.type_subtype == 32
Null                         wlan.fc.type_subtype == 36
QoS Data                     wlan.fc.type_subtype == 40
QoS Null                     wlan.fc.type_subtype == 44

Display Filter Operators
Equal                        ==    eq
Not Equal                    !=    ne
And                          &&    and
Or                           ||    or
Xor                          ^^    xor
Not                          !     not
Contains                     wlan.xxx contains "xx:xx"

Addresses
MAC address                  wlan.addr == MAC_address
Transmitter Address (TA)     wlan.ta == MAC_address
Receiver Address (RA)        wlan.ra == MAC_address
Source Address (SA)          wlan.sa == MAC_address
Destination Address (DA)     wlan.da == MAC_address

Access Points and SSIDs
BSSID                        wlan.bssid == AP_radio_MAC_address
SSID                         wlan.ssid == SSID (older Wireshark releases: wlan_mgt.ssid == SSID)

Radio Tap Header
Specific Channel             radiotap.channel.freq == frequency
Specific Data Rate           radiotap.datarate == rate_in_Mbps
RSSI                         radiotap.dbm_antsignal == signal_in_dBm

802.11k,v,r
802.11v DMS request          wlan.fixed.action_code == 23
802.11v DMS response         wlan.fixed.action_code == 24
802.11k Neighbor request     wlan.rm.action_code == 4
802.11k Neighbor response    wlan.rm.action_code == 5
802.11r FT auth req          (wlan.fc.type_subtype==0) && (wlan.rsn.akms.type == 3)
802.11r FT auth res          (wlan.fc.type_subtype==1) && (wlan.tag.number == 55)
802.11r FT reassoc req       (wlan.fc.type_subtype==2) && (wlan.tag.number == 55)
802.11r FT reassoc res       (wlan.fc.type_subtype==3) && (wlan.tag.number == 55)

Retries
Retry                        wlan.fc.retry==1

Weak Signal and Probes
Weak Signal                  wlan_radio.signal_dbm < -dB
Weak Probe responses         wlan.fc.type_subtype == 5 && wlan_radio.signal_dbm < -dB
Weak Probe requests          wlan.fc.type_subtype == 4 && wlan_radio.signal_dbm < -dB

4-Way Handshake Filter       wlan.addr == MAC && eapol
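To show where the numbers in the filter table come from, the following added example (not part of the course material) decodes the 802.11 Frame Control field bit by bit, derives the values Wireshark exposes as wlan.fc.type, wlan.fc.type_subtype and wlan.fc.retry, and computes a per-transmitter retry rate. The frames and MAC addresses are constructed samples, and the function names are hypothetical.

```python
from collections import Counter

# Constructed, locally administered sample addresses (not from the course).
AP, CLIENT, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff"


def mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Decode the MAC header of one 802.11 frame (radiotap header already stripped)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 frame (10 bytes)")
    fc0, flags = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3      # bits 2-3: 0 management, 1 control, 2 data
    subtype = (fc0 >> 4) & 0xF    # bits 4-7
    # CTS (subtype 12) and ACK (subtype 13) control frames carry only an RA.
    has_ta = len(frame) >= 16 and not (ftype == 1 and subtype in (12, 13))
    return {
        "type": ftype,                                # wlan.fc.type
        "type_subtype": (ftype << 4) | subtype,       # wlan.fc.type_subtype
        "retry": bool(flags & 0x08),                  # wlan.fc.retry
        "ra": mac(frame[4:10]),                       # wlan.ra
        "ta": mac(frame[10:16]) if has_ta else None,  # wlan.ta
    }


def retry_rates(frames):
    """Per transmitter: (retries, frames, percent) over data and management frames."""
    sent, retried = Counter(), Counter()
    for frame in frames:
        h = parse_header(frame)
        if h["ta"] is None or h["type"] == 1:  # skip control frames
            continue
        sent[h["ta"]] += 1
        retried[h["ta"]] += int(h["retry"])
    return {ta: (retried[ta], n, round(100.0 * retried[ta] / n, 1))
            for ta, n in sent.items()}


def build(fc0, flags, ra, ta=None):
    """Build a constructed sample header: FC, duration 0, addresses, sequence 0."""
    raw = bytes([fc0, flags, 0, 0]) + bytes.fromhex(ra.replace(":", ""))
    if ta:  # addr2 = TA, addr3 = BSSID (the sample AP), then sequence control
        raw += bytes.fromhex((ta + AP).replace(":", "")) + b"\x00\x00"
    return raw


# Constructed capture: one beacon, four QoS Data frames (one retried),
# an ACK, a Null frame and a Deauthentication.
SAMPLE = [
    build(0x80, 0x00, BCAST, AP),      # Beacon
    build(0x88, 0x01, AP, CLIENT),     # QoS Data, To DS
    build(0x88, 0x01, AP, CLIENT),
    build(0x88, 0x09, AP, CLIENT),     # QoS Data, To DS + Retry
    build(0x88, 0x01, AP, CLIENT),
    build(0xD4, 0x00, CLIENT),         # ACK (10 bytes, no TA)
    build(0x48, 0x11, AP, CLIENT),     # Null, To DS + Power Management
    build(0xC0, 0x00, CLIENT, AP),     # Deauthentication
]

if __name__ == "__main__":
    for frame in SAMPLE:
        h = parse_header(frame)
        print(f"type_subtype={h['type_subtype']:2d} retry={int(h['retry'])} "
              f"ta={h['ta']} ra={h['ra']}")
    for ta, (r, n, pct) in retry_rates(SAMPLE).items():
        print(f"{ta}: {r}/{n} retries = {pct}%")
```

The type_subtype value is the 2-bit type shifted left four bits plus the 4-bit subtype, which is why control frames start at 16 and data frames at 32 in the table.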
Lab 13
Display Filters
206
Color Rules

• Know what you’re looking at

• Based on Metageek Eye P.A. color scheme

• Customize your own color palette

• Import pre-configured color palettes


Download over there 👉 https://support.metageek.com/hc/en-us/articles/115013527388
208
Lab 14
Color Rules
209
Break
210
Custom Name Resolution

• Name your clients for easy viewing

• Name your APs so you know it’s the right one

• It’s just plain convenient


Ethers File
• Not associated with a profile

• ONE ethers file for Wireshark

• Can add/change/delete entries whenever you want

• Helpful for viewing specific device within a capture


Lab 15
Custom Name Resolution
213
Commenting, Marking Specific Frames
• Save only the frames you want

• Comment on specific frames (only supported in .pcapng format)

• Save for studying, later review, teaching, walking customer through flow, etc.

3
Lab 16
Comments & Marking
215
Importing/Exporting Custom Profiles

• Profiles can be saved for backup, or to be shared with others

• Pre-existing profiles can be imported from others

• No built-in Import/Export functionality

• Manual process
Exporting/Saving Custom Profiles
Go to your Personal Configuration folder

1. Save everything in the folder for sharing, or backup

2. OR, open the “Profiles” folder and save only the Profile you want to share.
Importing Custom Profiles
Go to your Personal Configuration folder

1. Copy pre-existing files into your configuration folder (ethers, preferences, etc.)

2. Copy a Specific pre-existing profile into your “Profiles” folder.

New profile!
Importing Custom Profiles

Click on the Profile selector in the bottom left and you will see the newly imported profile.
LAB 8: Importing Profiles

1. Copy the 802.11 profile folder into your Profiles folder

2. Open Wireshark and click the Profiles selector on bottom left

3. You will see a new profile called 802.11

220
Lab 17
Import/Export Profiles
221
I/O Graphs

• Get a quick overview

• Filter for only frames that matter

• Compare frame types

• Look for deviations


Lab 18
I/O Graphs
223
Helpful Links

Airtool by @AdrianGranados
CWAP Certified Wireless Analysis Professional Official Study Guide (PW0-270)
Options for Wireless Packet Capture in Windows
Wireshark · Display Filter Reference: IEEE 802.11 wireless LAN
Wireshark - Most Common 802.11 Display Filters by @VergesFrancois
Wireshark Color Profile – MetaGeek Support
Wireshark for Wireless LANs LiveLessons by Jerome Henry (@WirelessCCIE) & James Garringer (@JamesGarringer)

224
Homework
225
Homework Review
226
How many questions to find a
number between 1 and 100?

Why?
Questions to Ask

IP Address
Do the target Wi-Fi Client Devices have an IP Address?

Compare Throughputs
Compare Wi-Fi connection data rate to Internet Speed Test

Ping Wi-Fi Client
Can you Ping your Wi-Fi Client Device from the Wired Network?

Check RSSI & SNR
Both from the Client’s point of view as well as from the Access Points’

MCS of Wi-Fi Client
Is the MCS of the Wi-Fi client showing stress?
MCS 5-9 means 64-QAM or Better
MCS of <5 means difficulty over RF

Isolated?
Is the issue isolated to only Wi-Fi devices or across the network?
Especially check network services
Soft Skills Lab Exercise
Troubleshooting Tools by OS
Break
234
Using Management Tools
MikroTik Management Lab Exercise
WinBox App - Windows Only - Or WebFig via HTML
WinBox Application
Lunch
242
243
ECSE-Troubleshooting Exam

244
ECSE Student Resources

https://www.wlanpros.com/master-ecse-student-info-page/
ECSE-Troubleshooting Exam

246
Exam
247
