Should I capture network traffic in the air or on the wire?

The answer to the question: “Should I capture network traffic in the air or on the wire?” typically depends on the issue that has been reported or is being investigated. In this post, we specifically address the issue of wireless connectivity problems. The bottom line: dealing with specifics in WLAN analysis doesn’t have to be complicated; you just need to know where to look.

Let’s start where a user typically starts, connecting to the WLAN. Not only is this a great starting place, it’s also one of the most commonly reported problems. Connectivity issues should first be investigated by looking at the wireless traffic. Can you even see any packets coming from the wireless client? At a minimum, the client should be generating probe requests, packets sent by the client as it searches for an AP. If no probe requests are seen from the wireless client, it is clear the issue is with the client itself, most likely a configuration issue. An investigation of the user’s computer is now required.

Assuming the user is “on the air,” i.e. sending probe requests, more analysis of wireless traffic is required. The next things to look for are 802.11 management packets related to establishing a connection between the client and an AP. These include Association Request frames and Authentication frames. The user should be generating Association Request frames if it is trying to connect to an AP. If this association is failing, you will see either repeated association requests from the client without corresponding Association Response frames from the AP, or you will see sets of Association Request frames, Association Response frames and Disassociation frames. In either case, a detailed review of the configuration parameters on both the client and the AP is required, as a configuration mismatch is most likely the cause of the problem.

Once the association is successful, authentication must then be verified. The number of packets involved in authentication depends on the type of authentication being used, from “open” to “WPA2”. In any case, analysis on the wireless side of the network is the place to start. If authentication is failing, analysis of an Authentication frame should reveal if the authentication request is being denied, and why. It is at this point in the analysis that wired-side analysis becomes critical, as most authentication schemes involve wired communication between the AP and an authentication server. If the wireless analysis performed so far indicates the proper exchange of packets, the cause is most likely on the wired side of the network. Typical issues include a hardware or routing issue between the AP and the authentication server, a configuration mismatch, incomplete authentication data, or no response from the authentication server.
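The air-side checklist above can be automated; the following Python script is an added example, not code from the original post. It classifies raw 802.11 management frames for one client/AP pair and reports which step fails. It assumes frames arrive without radiotap headers or FCS, reads only the status code of Association Response and Authentication frames (no EAPOL parsing), and uses function names, MAC addresses and sample frames that are constructed for illustration.

```python
import struct

# 802.11 management subtypes (frame control type 0) that the checklist uses
SUBTYPES = {0: "assoc_req", 1: "assoc_resp", 4: "probe_req", 10: "disassoc", 11: "auth"}
HDR_LEN = 24  # frame control, duration, addr1-3, sequence control

def parse_mgmt(frame):
    """Return (name, src, dst, status) for a known management frame, else None."""
    if len(frame) < HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    name, body, status = SUBTYPES[subtype], frame[HDR_LEN:], None
    if name == "assoc_resp" and len(body) >= 4:
        status = struct.unpack_from("<H", body, 2)[0]  # follows capability info
    elif name == "auth" and len(body) >= 6:
        status = struct.unpack_from("<H", body, 4)[0]  # follows algorithm + sequence
    return name, frame[10:16].hex(":"), frame[4:10].hex(":"), status

def triage(frames, client, ap):
    """Apply the checklist to one client/AP pair and report where to look next."""
    seen = {}
    for name, src, dst, status in filter(None, map(parse_mgmt, frames)):
        if {src, dst} == {client, ap} or (name == "probe_req" and src == client):
            seen.setdefault((name, src), []).append(status or 0)
    if ("probe_req", client) not in seen:
        return "no probe requests: investigate the client"
    # A denied Authentication frame stops the client before it associates.
    denied = [s for s in seen.get(("auth", ap), []) if s]
    if denied:
        return "authentication denied by AP, status %d" % denied[0]
    if ("assoc_req", client) not in seen:
        return "probing only: client is not attempting to associate"
    resp = seen.get(("assoc_resp", ap))
    if resp is None:
        return "association requests unanswered: compare client and AP configuration"
    if any(resp) or ("disassoc", ap) in seen or ("disassoc", client) in seen:
        return "association failing: compare client and AP configuration"
    return "wireless exchange looks proper: capture on the wire next"

def mk(fc, dst, src, body=b""):
    """Build a constructed frame (no radiotap, no FCS); BSSID is set to dst."""
    mac = lambda a: bytes.fromhex(a.replace(":", ""))
    return bytes([fc, 0, 0, 0]) + mac(dst) + mac(src) + mac(dst) + b"\x00\x00" + body

CLIENT, AP, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"
SAMPLE = [mk(0x40, BCAST, CLIENT), mk(0x00, AP, CLIENT), mk(0x00, AP, CLIENT)]
```

Calling `triage(SAMPLE, CLIENT, AP)` on the constructed sample reports unanswered association requests, the first failure pattern described above.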

Though quite common, connectivity issues are only one of the common problems that exist in WLANs. In future posts we will discuss some of the other common problems, with a focus on how best to capture data to solve the problem, over the air or on the wire.
