This blog post started out as a question to Jim Vajda on Twitter, but I quickly realised there were too many facets to the question for 240 characters. So I thought I’d lay my thoughts out in a blog post instead.
While listening to Jim on the The Wireless Pubcast (ep 16) the topic of capturing frames in an 802.11ax world was brought up. Several distinguished people in the Wi-Fi community have suggested that we won’t be able to capture frames using anything but the associated AP. Jim talked this through with the strange gentlemen from the Pubcast and this is my counter opinion/confusion on the topic.
I should start out by stating I have not done much research into this new amendment yet and could be missing something very obvious. I do know a thing or two about 802.11 protocol analysis but without any conference drinks to chat this over I decided this post was a good outlet for my thoughts and a place for people to edcuate me if they disagree.
The general consensus around 802.11ax capturing is that, as the AP performs all scheduling of OFDMA transmissions in both upstream and downstream directions, it is the only device with all pieces of the puzzle required to dissect the multiple signals that will be transmitted simultaneously.
I think this concept relies on an incorrect core assumption – that we want to see all of the frames from every client.
Stepping back from 11ax for a second, good 802.11 troubleshooting using protocol analysis requires you to capture the frames as close to the client as possible. You might also twin this with a capture from the AP at the same time but in my many years of 802.11 protocol analysis I’ve rarely found the infrastructure side necessary until data goes missing.
When you’re capturing close to a client a) you only typically care about the frames between that one client and the AP, and b) you’re going to miss frames from other clients regardless of the 802.11 amendment you’re using, because of each clients varying position in the coverage cell.
So now lets change that core assumption to – we want to see frames between the client and the AP.
Does this change the feasability of 802.11ax captures? This is my question to Jim, Peter, Gjermund and others far more informed than I am on this new amendment.
Just to bore you further and because I like the sound of my own voice writing typing, here are further thoughts from me on the discussion.
The client will receive everything it needs to from the AP in order to decode/encode its portion of an OFDMA tranmission. If my capture device is close to the client (inches) would it not also receive this information in order to decode those transmissions in both directions?
Maybe on the upstream transmissions the client that we are close to will be transmitting the data in a way that would converge into a decodable signal at the AP’s location but be unreadable at the source. This is something I am unsure about given the various information I’ve seen on how OFDMA and multiple radio’s works. But given most clients only have 1-2 radio’s in them I don’t think this will be true. And the closer to the AP the client is the less impact this would have, so for troubleshooting anything other than signal strength (which doens’t need troubleshooting) and roaming, just take the troubleshooting closer to the AP.
Of course to make this possible the capture drivers are going to need to understand that we want to see information that isn’t for the capture device. But that is the case now and the purpose of Passive/Monitor mode drivers. Perhaps a capture driver could use the scheduling information in the Trigger frame and speculatively attempt to decode as many Resource Units (RU’s) as possible. For the ones it can’t decode it could give us an empty frame to demonstrate this. After all it should know from the scheduling the Tx address, Rx address, and the length of the frame.
Or maybe we have to tell the capture driver the MAC of the client we want to mimic so that it just calibrates itself to those RU’s, just as the client has to to receieve the data. Something that could hinder this is WPA3’s requirement to use 802.11w (Management Frame Protection), but I’ve not seen that mentioned as a factor in these conversations, and it will take a long time for WPA3 to be the most common security method on WLAN’s.
I think it is too early to give up on 802.11ax capturing. And if we give up, why would our suppliers go to the effort of developing these tools?
There are two more important considerations that give me hope for 802.11.ax capturing.
Firstly, 802.11 is a Layer 1 & 2 protocol. And even then it doesn’t fully satisfy Layer 2 functionality either. Most (if not all) the information we need about the data’s journey to and from the Distribution System (DS) is in Management and Control frames, or a header attached to the Data itself. We don’t need to decode the data to troubleshoot an 802.11 connection. If there is a problem with the data itself then a) you can capture that at the controller and b) it is not an 802.11 issue.
Secondly, OFDMA is not 802.11ax. It is a single function of that amendment. 802.11ax still supports OFDM (not A) and our 11ax stations will continue to use it as and when appropriate. So there will still be a lot of the communication we can capture. Yes, this will probably reduce as the proportion of 11ax clients in a cell increases, but I think the consensus is that OFDM will still be used most of the time until cells gets congested enough that the efficiency gains of simultaneous transmissions outweighs the overhead brought by this complicated scheduling.
I am looking for peoples opinions on the above and whether they’ve considered the factors I’ve raised, so please do comment below or reach out to me with your thoughts.
Hi Andrew, I share some of these questions myself. I think we should distinguish between single-user 11ax and multi-user 11ax. The large majority of the time, 11ax uses the SU Tx mode that any 11ax adapter with monitor mode capability is able to capture today. This is no different from capturing previous PHY’s, just higher data rates and a new preamble. When MU operation occurs (OFDMA), we can still capture trigger frames and BlockACK’s to let us know it happened.
OFDMA is the challenge. We have seen techniques that work today to capture the DL RU’s from a single target MAC using the Intel AX200. UL OFDMA is still a problem, but given that the AP’s trigger frame describes how the client’s UL transmission will occur, a capturing device that is configured to “follow” that client should be able to tune its radio to receive it.
Capturing everything inside a OFDMA transmission might require specialized hardware positioned near the AP. It will need to tune its radio identically to the AP during DL and UL OFDMA transmissions, based on what it hears in the preceding trigger frames and the HE preamble. It may not be possible for typical client adapters in monitor mode to do that, but I hold out hope that it is possible.
Also note that protected management frames are only encrypted if they are unicast, and this is done using the existing PTK. They can be decrypted after capture. Unicast frames that precede the 4-way handshake, and broadcast frames are not encrypted by 11w.
So I agree. I still believe over-the-air 802.11ax packet capturing has a future.
We’ve made a lot of progress, more than some would have thought possible. We can do some capturing at least of OFDMA right now but it’s super hack-ish and not very easy. And then there’s the fact that even finding some OFDMA to capture can be hard.
It’ll be interesting to see where it ends up for sure.
Good post Andrew. I am having a simlar side conversation with our developers here @ Fortinet. If i find out anything of interest i’ll be sure to contribute. I think Jim hit the nail on the head with differentiating SU ax and MU ax the former being a lot simpler to capture. Early days but it is right to be discussing this now.
I made my own blog article for OFDMA capturing
https://gjermundraaen.com/2020/09/23/my-thoughts-on-802-11ax-ofdma-capturing-in-the-future/