Best Practices for Capturing 802.11ac Traffic for Analysis

The traditional method used when capturing wireless data for analysis has been based on consumer-grade WLAN USB devices. In most enterprise networks, network engineers use USB 2.0-based WLAN adapters since this is what is typically available. However, with the increased speed of 802.11ac, this method becomes troublesome.


802.11ac introduces data rates that exceed 6Gbps – faster than most wired speeds. Even the most sophisticated USB devices based on USB 3.0 (the latest standard) have a theoretical bus speed of 5Gbps, with an effective rate of about 3.2Gbps. So even USB 3.0 does not provide sufficient performance for capturing peak 802.11ac data rates, and every packet counts when it comes to wireless analysis.

In order to effectively and efficiently capture and analyze your WLAN traffic for analysis, you’ll need to look to another device to help you – access points (APs). Using APs as packet capture devices is hugely beneficial because the APs in your network are typically specified to handle the most capable clients that will connect to your WLAN – guaranteeing that you’ll have the capacity to capture whatever traffic is on your WLAN.

Wireless packet capture from APs can be accomplished using two different, but similar, approaches. The first is using remote PCAP (RPCAP) and the second is using custom remote adapters.

Capturing Packets with Remote PCAP (RPCAP)
PCAP is the de facto standard for capturing packet data on a network (wired or wireless) and allows interaction with remote devices to capture packets. In order to capture data for analysis on a remote device, it must be running the RPCAP daemon (rpcapd).

There are two modes that can be implemented when using RPCAP – a passive and an active mode. Active mode will try to establish a connection to the analyzer; the analyzer then sends the appropriate commands to the daemon and starts the capture. This method requires the WLAN itself to have knowledge of when it wants to start an analysis session, and this is beyond the capability of most WLANs today, leaving the active mode as an interesting but mostly untapped capability of RPCAP, especially for wireless analysis.

For this blog, we’ll focus on the passive mode, which is the most common and the simplest. In passive mode, the analyst directs the analyzer to the devices to be used for packet capture by providing the IP addresses of the device(s). The analyzer then connects to the remote daemon and is provided a list of available interfaces that can be used for packet capture. The analyst then selects the interfaces of interest and starts a capture just as if that adapter was connected locally. All channel and band choices are made directly on the AP, or through the AP controller software.

Now, if you are interested in this type of capture method, your next step is to find access points that support RPCAP. This feature is not easy to find, as it is not necessarily a “marketed feature” by manufacturers. That said, we have already tested RPCAP for wireless analysis using several devices, including:

  • Aerohive: Model HiveAP 120
  • Ruckus: ZoneFlex 7363 (requires ZoneDirector Controller)

Many other AP manufacturers have told us that they also support RPCAP across most if not all of their AP offerings. If you know of other specific products with this capability, we’d love to hear about them.

Capturing Packets using Custom Remote Adapters
With custom remote adapters, the APs directly deliver data to the WLAN analysis software. This feature has been a part of WildPackets technology for a while and we have custom adapters to collect from Cisco, Aruba, and Meru APs. The process for developing a custom remote adapter is very similar to that of RPCAP but it requires a little more interaction between network analysis software vendors and hardware equipment manufacturers since the tunnel used to send the packets between the AP and the analysis software is proprietary to each equipment vendor and therefore requires a “custom” adapter.

Now, in order to get this system set up, go into your controller software on your AP and pick either an AP or a radio and put these into promiscuous mode. If an access point has multiple radios, you can put some in promiscuous mode and leave some in network mode so user connectivity is not affected. Most enterprise installations have sufficient wireless coverage so even if you take a few APs and put them in promiscuous mode, network performance will not be degraded. Once this configuration is done, you provide the controller with the IP address where your WLAN analysis software is running, and the AP immediately begins streaming packets to the analyzer. Now simply start your capture on the specific custom remote adapter and begin analyzing.

Remote adapters in general provide another benefit besides being capable of performing packet capture for the most demanding networks. They also allow analysts to capture packets for analysis anywhere in the network – worldwide – without leaving their desks. WLAN analysis requires that packets be captured within a few hundred feet of the area where the problem is being reported. There’s no way around this. Now that 802.11 technology has become so popular, problems can be happening anywhere, and it is not feasible to have an analyst close enough to every installation to be able to just walk over with the network analyzer and collect data. Remote adapters provide the flexibility to capture WLAN data anytime and anywhere.

Leave a Reply