RF Monitor and its Uses
Pradipta De
prade@cs.sunysb.edu
Outline
- RF Monitoring Basics
- RF Monitoring Installation
- Using RF Monitoring
- RF Monitoring on WRT54GS
- Extending RF Monitoring
- UDP Lite
- Comments on HW2
What is RF Monitoring?
- A wireless NIC's ability to sniff the 2.4 GHz spectrum (or a portion of it). Similar to tcpdump for a wired network.
- Purpose of traffic analyzers/sniffers:
  - Snoop on clear-text traffic on the network
  - Observe network dynamics/traffic patterns
  - Determine problems/bottlenecks
  - Intrusion detection
- Find out more at: http://www.faqs.org/faqs/computer-security/sniffers/
RF Monitoring Requirements
- Access to the shared physical medium.
- NICs that can go into promiscuous mode: all wireless NICs at the encapsulated Ethernet level, a select few at the 802.11 frame level.
- An OS that can accept sniffed data and pass it to the higher protocol layers.
- Tools that can interpret the sniffed data.
RF Monitoring Requirements
- The wireless medium is a shared medium: a node can hear all transmissions if it is within communication range.
- Wireless NIC support:
  - 802.11b cards (mostly Prism-2/2.5 chipset): Orinoco, D-Link DWL-650, SMC 2632W, Linksys WPC11 (v2), Cisco Aironet 350
  - 802.11 a/b/g combo cards (almost all are Atheros / Broadcom chipset)
RF Monitoring Requirements (2)
- Linux (> 2.4.7) with NIC drivers:
  - 802.11b (pcmcia-cs or PCI drivers in the kernel)
  - 802.11a (madwifi driver for Atheros): http://sourceforge.net/projects/madwifi/
- Prism cards have additional support for ARPHDR_IEEE80211_PRISM: more on this later.
RF Monitoring Requirements (3)
- Several tools for interpreting sniffed data:
  - Ethereal: offline analysis.
  - Kismet: analysis of packets in real time.
  - Tcpdump, airsnort, etc.
- All of them use the libpcap library (the latest libpcap versions are patched for 802.11-specific changes).
Quick Installation Guide
- Set up the Linux kernel tree (2.4.19) and turn wireless device support ON [enables wireless extensions support: the standard API for configuring any wireless device on Linux].
- Get the correct driver for your card: the latest pcmcia-cs package for PCMCIA-based cards.
- Get driver patches for monitoring mode (some drivers support monitor mode by default): http://airsnort.shmoo.com/orinocoinfo.html
Quick Installation Guide (2)
- Choose your traffic analyzer:
  - Ethereal: http://www.ethereal.com
  - Kismet: http://www.kismetwireless.net
- Compile, install and configure.
- You are ready to snoop on others' traffic.
Using RF Monitoring
- Wireless API call to put the card in monitor mode: iwpriv <device> monitor [1/2] <channel>
- Use Ethereal to start a packet capture for detailed offline analysis.
- Use Kismet for real-time, less detailed analysis.
- Use Kismet-hopper for scanning through all channels.
Packet Types in Ethereal
- Management: association, re-association, probe (request/response); authentication, de-authentication and disassociation; beacon; ATIM
- Control: RTS, CTS, ACK, CF
- Data
More Information: Prism Monitoring Header
- ARPHDR_IEEE80211_PRISM: Prism cards/drivers add their own header in monitoring mode with extra information:
  - Host Time: timestamp when the packet was retrieved from the card buffer
  - MAC Time: timestamp when the packet was received by the card
  - Rate: rate at which this packet was received
  - Signal Quality, Noise, Channel Time, etc.
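An added example, not code from the slides, that parses the Prism monitoring header described above and pulls the host time, MAC time, channel and rate out of a constructed capture. The item order, the DID values, the "status 0 means value present" convention and the 500 kbps rate unit are assumed from the wlan-ng driver's definition of this header, and the beacon frame and radio values are constructed.

```python
import struct

# Prism monitoring header (ARPHDR_IEEE80211_PRISM), layout assumed from the wlan-ng
# definition: 4-byte msgcode, 4-byte msglen, 16-byte device name, then ten 12-byte
# items (did, status, len, data) in host byte order (little-endian assumed). Item
# order, DIDs (0x1041..0xA041), "status 0 = value present" and rate units of 500 kbps
# are assumptions, not something the slides state.
PRISM_MSGCODE = 0x41
PRISM_HDR_LEN = 144
ITEMS = ["hosttime", "mactime", "channel", "rssi", "sq",
         "signal", "noise", "rate", "istx", "frmlen"]
DID = {name: ((i + 1) << 12) | 0x41 for i, name in enumerate(ITEMS)}

def build_prism_capture(devname, values, frame):
    """Constructed sample: Prism header followed by an 802.11 frame."""
    hdr = struct.pack("<II", PRISM_MSGCODE, PRISM_HDR_LEN)
    hdr += devname.encode().ljust(16, b"\0")
    for name in ITEMS:
        if name in values:                      # status 0: driver supplied a value
            hdr += struct.pack("<IHHI", DID[name], 0, 4, values[name])
        else:                                   # status 1: no value for this item
            hdr += struct.pack("<IHHI", DID[name], 1, 0, 0)
    return hdr + frame

def parse_prism_capture(buf):
    """Return (devname, radio fields, 802.11 frame); raise on a malformed header."""
    if len(buf) < PRISM_HDR_LEN:
        raise ValueError("capture shorter than the Prism header")
    msgcode, msglen = struct.unpack_from("<II", buf, 0)
    if msgcode != PRISM_MSGCODE or msglen != PRISM_HDR_LEN:
        raise ValueError("not a Prism monitoring header")
    devname = buf[8:24].split(b"\0", 1)[0].decode("ascii", "replace")
    fields, off = {}, 24
    for name in ITEMS:
        did, status, _len, data = struct.unpack_from("<IHHI", buf, off)
        off += 12
        if did != DID[name]:
            raise ValueError(f"unexpected DID {did:#x} where {name} was expected")
        if status == 0:
            fields[name] = data
    if "rate" in fields:                        # e.g. 22 -> 11 Mbps
        fields["rate_mbps"] = fields["rate"] / 2
    return devname, fields, buf[PRISM_HDR_LEN:]

# Constructed sample: beacon frame header (type/subtype 0x80) heard on channel 6 at 11 Mbps;
# signal quality ("sq") deliberately left unsupplied to show the status-1 path.
BEACON = bytes.fromhex("80000000" "ffffffffffff" "001122334455" "001122334455" "1000")
SAMPLE = build_prism_capture("wlan0", {"hosttime": 100500, "mactime": 100000, "channel": 6,
    "rssi": 40, "signal": 35, "noise": 10, "rate": 22, "istx": 0, "frmlen": len(BEACON)}, BEACON)
```

The difference between hosttime and mactime is the delay between the card receiving the frame and the host reading it from the card buffer, which is what the later "Analysis Limitations" slide depends on.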
Information: Analysis
- Everything is there in clear-text format; correlate the available information.
- The encapsulated payload starts from the network protocol field. It is possible to read the MAC addresses also.
Analysis Limitations
- It is static and offline. Still good if the time-stamp fields are what we interpret them as.
- Real-time analysis will require a faster CPU and accurate time-stamping.
Testbed Node: WRT54GS
- Wireless-G Broadband Router; uses a MIPS processor.
- 1 wireless interface, uses a Broadcom chipset.
- Runs Linux, but the wireless driver is not open source.
RF Monitoring on WRT54GS
- A utility called wl configures the wireless card parameters, e.g. wl monitor 1 puts the card in monitor mode.
- Use Kismet to sniff traffic: run kismet_drone (captures packets and sends them to a Kismet server running on a different host through the wired interface).
- Analyze the Kismet dump file using Ethereal.
RF Monitoring on WRT54GS
[Figure: nodes A and B; the WRT54GS acts as the RF Monitor and runs kismet_drone; a Desktop runs Kismet]
Extending RF Monitoring
- Standard RF monitoring only captures/shows good packets. How to capture corrupted packets?
- Corrupted packets are discarded when frame checksumming fails: a field is set denoting FCS failure, and the driver checks it to update the Rx error stats before discarding the packet.
- Modify the driver to accept packets with FCS error.
Are corrupted packets useful?
- Usual: typically networks do not support error-resilient codecs, so packets with any level of corruption are discarded.
- Desirable: error-resilient protocols can withstand partial corruption of packets; accept packets with a threshold on the corruption level.
- Use in real-time streaming applications over noisy channels: change the link/transport layer to bypass checksumming.
UDP Lite Protocol (Larzon, Degermark and Pink)
- A flexible checksumming scheme allows corrupted data to be delivered to the application.
- The length field in the UDP header is replaced by a coverage field that specifies how many bytes of the payload to checksum.
- Header layout (two 16-bit fields per row):
  Source port #    | Dest port #
  Length/Coverage  | Checksum
UDP Lite on GSM Network (Konrad, Singh, Joseph)
[Figure: testbed: Mobile Host (Unix BSDi 3.0) -- GSM Base Station -- GSM Network -- PSTN -- Fixed Host (Unix BSDi 3.0)]
[Chart: Mean & Std Dev Packet Loss (%), y-axis 0% to 3%; bars: UDP, non-transparent; UDP, transparent; UDP Lite, transparent; values shown: 2.09%, 1.05%, 0.00%]
UDP Lite on GSM Network
[Figure: video screenshot from the experiment, UDP vs. UDP Lite]
UDP Lite on multihop 802.11b network
- 802.11b networks have different error characteristics.
- Over multiple hops, errors tend to accumulate.
- A useful scenario for UDP Lite.
RF Monitor for UDP Lite Implementation
- Link-layer checksumming is bypassed by modifying the driver to allow packets with FCS error.
- UDP protocol fields are checked for correctness using BPF; a raw socket is used to give the packet to the application.
- Our coverage length is only the UDP header.
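An added example, not the slides' or the authors' code, that implements the UDP Lite checksum from the "UDP Lite Protocol" slide and the header-only coverage used in the implementation above: the coverage field takes the place of the length field, and a receiver accepts a datagram whose corruption lies outside the covered bytes. It assumes the RFC 3828 conventions (protocol number 136, coverage 0 meaning the whole datagram, minimum coverage 8) and constructed addresses and payload.

```python
import socket
import struct

IPPROTO_UDPLITE = 136  # assumption: RFC 3828 protocol number (the slides predate the RFC)

def ones_complement(data):
    """Internet checksum: one's complement of the one's complement sum of data."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF          # a computed 0 is sent as 0xFFFF

def udplite_checksum(src_ip, dst_ip, datagram, coverage):
    """Checksum over the pseudo-header plus the first `coverage` bytes (0 = all)."""
    covered = datagram if coverage == 0 else datagram[:coverage]
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, IPPROTO_UDPLITE, len(datagram))
    return ones_complement(pseudo + covered)

def build_udplite(src_ip, dst_ip, sport, dport, payload, coverage):
    """Sender: the UDP length field carries the coverage instead of the length."""
    dgram = struct.pack("!HHHH", sport, dport, coverage, 0) + payload
    csum = udplite_checksum(src_ip, dst_ip, dgram, coverage)
    return dgram[:6] + struct.pack("!H", csum) + payload

def verify_udplite(src_ip, dst_ip, dgram):
    """Receiver: accept the datagram if only the covered bytes are intact."""
    _sport, _dport, coverage, csum = struct.unpack("!HHHH", dgram[:8])
    if coverage != 0 and not 8 <= coverage <= len(dgram):
        return False                            # the 8-byte header is always covered
    zeroed = dgram[:6] + b"\0\0" + dgram[8:]    # recompute with the checksum field cleared
    return udplite_checksum(src_ip, dst_ip, zeroed, coverage) == csum

def flip_byte(data, index):
    """Simulate a bit error in one byte of a received datagram."""
    return data[:index] + bytes([data[index] ^ 0xFF]) + data[index + 1:]

def demo(src="10.0.0.1", dst="10.0.0.2"):
    """Constructed sample: header-only coverage (as on the slides) vs. full coverage."""
    payload = b"video frame payload that may be hit by bit errors"
    lite = build_udplite(src, dst, 5000, 6000, payload, coverage=8)
    full = build_udplite(src, dst, 5000, 6000, payload, coverage=0)
    return {
        "lite_clean": verify_udplite(src, dst, lite),
        "lite_payload_hit": verify_udplite(src, dst, flip_byte(lite, 20)),  # tolerated
        "lite_header_hit": verify_udplite(src, dst, flip_byte(lite, 3)),    # rejected
        "full_payload_hit": verify_udplite(src, dst, flip_byte(full, 20)),  # rejected
    }
```

With coverage 8 the receiver still rejects a datagram whose ports or coverage field were hit, which is the check the BPF filter on the slide performs before handing the frame to the application.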
UDP Lite Performance
Comments on HW2
- The Broadcom wireless card driver in the WRT54GS is NOT open source, so corrupted packets cannot be captured in RF monitor mode.
Modified Problem 2
[Figure: nodes A and B on channel 1 running Reliable UDP, with the RF Monitor on channel 1; nodes C and D on channel 4; steps i and ii over time]
- Set retx count = 0: wl srl 1
- Change transmit power from 1mW to 30mW: wl txpwr 1