Assessing the Completeness of Wireless-side Tracing Mechanisms

Aniket Mahanti, Martin Arlitt, Carey Williamson

Department of Computer Science University of Calgary, Canada

Introduction

Global usage of WiFi has increased significantly over the years. The surge in popularity of WLANs motivates the study of how such networks are used. Wireless measurement can help in:

Network planning Improving QoS Addressing RF DoS attacks, hidden node problems etc.
Slide 2 of 22

Wireless Trace Collection

WLAN Wireless PDAs AP Wireless Router
DATA FRAMES

WLAN AP Wireless PDAs AP

AP Wireless Laptops

Ethernet Sensor

Wireless Sensor Wireless Laptops

Wired-side Measurement

Wireless-side Measurement

Slide 3 of 22

Pros and Cons

Wired-side Measurement

Wireless-side Measurement

Does not capture Management and Control frames. Replaces the MAC header. Supplementary information required for complete WLAN analysis (e.g., SNMP polls, syslog). Relatively easy to deploy. Incurs low measurement loss.

Captures all wireless frame types. Captures the complete wireless MAC header. No supplementary information required. Relatively complicated to deploy; requires use of multiple distributed sensors. Could incur high measurement loss, if the deployment is not correct.

Slide 4 of 22

Objectives
1) Examine three different methods for

estimating the completeness of wireless traces. (Passive Measurement)

2) Examine the effect of placement of wireless

sensors on the completeness of wireless traces. (Active Measurement)

Slide 5 of 22

Objectives
1) Examine three different methods for

estimating the completeness of wireless traces. (Passive Measurement)

2) Examine the effect of placement of wireless

sensors on the completeness of wireless traces. (Active Measurement)

Slide 6 of 22

Passive Measurement Methodology

We collected WLAN traces using a specialized trace capture program called Airopeek. Airopeek works in conjunction with a network adapter to capture wireless frames. We used an off-the-shelf adapter called 802.11 Remote Distributed Sensor that can capture all 802.11 a/b/g frames at a remote location. The sensor plugs into an Ethernet LAN and sends copies of UDP encapsulated captured frames back to Airopeek running on any network accessible computer.
Slide 7 of 22

Qualitative Assessment of Captured Traces

Accurate determination of frames missed by the sensor is a non-trivial task. We have to rely on the existing data set to infer the number of missed frames. We examine three methods for estimating number of missed frames:

Beacon method MAC sequence number method ACK method

Slide 8 of 22

Beacon Method

Most APs transmit beacons at fixed intervals. By taking the difference between the theoretical total count and captured count of beacon frames over a time period, we can estimate the beacon miss ratio. It is a simple method to calculate, and can quickly indicate if there is a serious problem with the completeness of the trace.

Slide 9 of 22

Sequence Number Method

All data and management frames have a sequence number in the MAC header. Sequence numbers vary from 1 to 4095, after which the counter wraps. By counting the gaps in the sequence numbers of frames captured by a sensor, we can estimate the frame miss ratio.

Slide 10 of 22

ACK Method

All data frames and certain management frames are acknowledged at the data link layer. ACK frames have the address of the sender in the MAC header. By counting the number of ACK frames for which there were no corresponding data frames, we can estimate the frame miss ratio.

Slide 11 of 22

Test Environment

Test trace was collected from the computer science department WLAN (single channel 802.11/b/g) distributed across three floors (5th,6th, and 7th floors). A single stationary sensor was placed on the topmost floor to potentially capture frames from all 7 APs. We consider an AP-centric deployment where the sensor is placed close to an AP. This allows the sensor to have a perspective of the WLAN similar to the viewpoint of the AP. We apply all three methods to the same trace to gauge their accuracy.

Slide 12 of 22

Beacon Miss Ratio

100 100

Percentage of Missed Beacons

80 60 40 20 0 30/4 1/5 2/5 3/5 Time 4/5 5/5

Percentage of Missed Beacons

80 60 40 20 0 30/4 1/5 2/5 3/5 Time 4/5 5/5

Good Case (AP1)

Bad Case (AP2)

Results highlight influence of traffic intensity and time of day in the frame capture process. It helps us understand the wall penetration of monitored APs.
Slide 13 of 22

Frame Miss Ratio (Sequence Number Method)

100

100

Percentage of Missed Frames

2/5 3/5 Time 4/5 5/5

Percentage of Missed Frames

80 60 40 20 0 30/4

To-AP From-AP

80 60 40 20 0

1/5

30/4

1/5

2/5 3/5 Time

4/5

5/5

Good Case (AP1)

Frame miss ratio = 4%

Bad Case (AP2)

Frame miss ratio = 58%

Slide 14 of 22

Frame Miss Ratio (ACK Method)

100 80 60 40 20 0 30/4 1/5 2/5 3/5 Time 4/5 5/5 To-AP From-AP

100

Percentage of Missed Frames

Percentage of Missed Frames

80 60 40 20 0 30/4 1/5 2/5 3/5 Time 4/5 5/5

Good Case (AP1) Frame miss ratio = 2%

Bad Case (AP2) Frame miss ratio = 1%

ACK method does not correctly identify the bad case. If both DATA and ACK frames are missing in the trace, the ACK method fails.
Slide 15 of 22

Sequence Number Method Complications

General Issues

Sequence numbers are not reset when a client switches from one AP to another. We observed a high number of frame retransmissions in the To-AP direction.

Vendor-specific implementation issues

D-Link APs used separate sequence numbers per associated station. For several Intel NICs the sequence numbers of consecutive frames sent were not sequential.

Slide 16 of 22

Objectives
1) Examine three different methods for

estimating the completeness of wireless traces. (Passive Measurement)

2) Examine the effect of placement of wireless

sensors on the completeness of wireless traces. (Active Measurement)

Slide 17 of 22

Determining Sensor Placement

We were interested in determining at what distance the capture capability of the sensor reduces to zero. We conducted a UDP Ping experiment, where a mobile wireless client sends ping packets to a stationary server on the wired-side of the network. The ping packet, if received, is returned by the server to the client. A stationary sensor is allowed to capture the packets exchanged between the client and server, via an AP. By varying the position of the client with respect to the sensor we can quantify the operating range of the sensor. Several trials of the experiments were conducted at different points of interests (called loci) on the 7th and 6th floors of the department.
Slide 18 of 22

Loci
7th FLOOR
6th FLOOR

9 AP

AP

AP

AP 7

1
Sensor 2

Locus

North

Slide 19 of 22

Metrics

Signal Strength - the RF energy of a signal as experienced by the sensor. We calculate this from the wireless packet trace captured by the sensor/Airopeek. Miss Probability - the average miss ratio for n trials. We calculate this from the UDP Ping logs from the server and client (Each ping packet has a distinct sequence number embedded in its payload). CRC Error Probability the probability that a frame captured by the sensor is corrupt. We calculate this from the wireless packet traces captured by the sensor/Airopeek.
Slide 20 of 22

Active Measurement Results

100 80 60 40 20 0 1 2 3 4 5 6 Locus 7 8 9 To-AP From-AP

1.0 0.8

Signal Strength (%)

Signal Strength

Miss Probability

0.6 0.4 0.2 0.0 1 2 3 4 5 6 Locus 7 8 9

1.0 0.8 0.6 0.4 0.2 0.0 1 2 3 4 5 6 Locus 7 8 9

Miss Probability CRC Error Probability

CRC Error Probability

Loci 1-5, 9: Horizontal Plane Loci 6-8: Vertical Plane

Slide 21 of 22

Summary and Conclusions

We examined three different methods (beacon, ACK, and sequence number) for estimating the completeness of wireless traces.

The methods differ in the features they examine, their simplicity, and their accuracy. We found the sequence number method to be the most accurate, although its implementation is complicated by the idiosyncrasies of different wireless devices.

We also examined the placement of sensors within WLAN environments, with the goal of improving the completeness of the collected traces, while minimizing the number of sensors needed.

We found that placing sensors in locations where the signal strength of client-AP communication is at least 40% results in relatively complete traces with a few sensors.

Slide 22 of 22

Sequence Number Vs. ACK Example

Fr a me Type From

To

Seq # Fr a me Type From

To

Seq #

1 3 5 7 9 11 13 15 17 19

DAT A DAT A DAT A DAT A DAT A DAT A DAT A DAT A DAT A DAT A

S1 S2 S1 AP AP S2 AP AP AP S1

AP AP AP S1 S1 AP S2 S1 S1 AP

100
500 101 1000 1001 501 1002 1003 1004 102

2
4 6

ACK
ACK ACK

AP
AP AP

S1
S2 S1

8 10 12
14

ACK ACK ACK

ACK

S1 S1 AP
S2

AP AP S2
AP

Using sequence number method we find there are three missed data frames.

16 18 20

ACK ACK ACK

S1 S1 AP

AP AP S1

Grey: Captured White: Missed

Using ACK method we find no missing data frames as their corresponding ACK frames are also missing.
Slide 23 of 22