Wireless Assessments

The wireless network can be challenging to assess and troubleshoot. There are many variables in the wireless network that are completely outside of the control of the organization – client device types, neighboring wireless systems, and more – and the environment can change rapidly. Interested in finding a good way to do a health-check of your (or your customer’s) environment? Here’s how I go about it.

This walkthrough is not intended to give you everything you need to know to properly assess and fine-tune a wireless network. If you’re interested in learning how RF ticks, I can’t recommend the CWNA course material highly enough. It’s awesome stuff. Check it out here.

Step One – Set the Stage:

First and foremost, when doing a health check on an existing wireless network, you need to be asking questions. Don’t lecture, just listen. If you don’t know what the network is intended to do you will be flying blind and making poorly thought out suggestions at the end of the engagement. I always ask the following at a minimum:

  • What is the purpose of this wireless network?
  • What applications need to function on this network? (look for voice/video applications in particular, those have stringent requirements)
  • What types of clients need to use this network? Is this under control of the IT department, or do they support BYOD?
    • If IT has full jurisdiction, get the FCC ID and start looking for performance information on the client at www.fcc.io.
    • If you’re dealing with a BYOD network, assume that you have to support the lowest common denominator.

This will help set the stage. Listen closely for pain points. There’s probably a good reason why you’ve been engaged to assess their RF – find out the underlying pain so you can try to address it.

Step Two – Gather your Tools:

This is where things can get expensive. Enterprise level wireless software is not cheap! I’ll list out the tools that I personally use as well as some alternatives if you are self-funding this project.

  • SSID mapping and discovery tool. I personally use Metageek’s Chanalyzer for this. You can also use Metageek’s InSSIDer or Acrylic’s Wifi Analyzer software. This will let you see the channel plan and get an idea of what you’re working with.
  • Wireless frame capture software. If you’re using a Mac, you’re in good shape. I use the free program Airtool with great success. If you’re using Windows, you’re going to have some difficulty because you need specialized software to listen to wireless traffic in monitor mode, meaning that you can capture management and control frames, promiscuously, not just frames sent to your PC. Professional systems like Omnipeek are ideal, but if you are on a budget you can use Acrylic’s NDIS drivers to convert a supported adapter into a monitor mode capable device. Try to find a way to capture as many spatial streams as possible.
  • Heatmapping software. This will let you build a comprehensive map of wireless coverage AND correlate a lot of other data onto a floorplan, like dropped packets, associated APs, spectrum health, and more. I use Ekahau’s product personally and love it… but it can be tough to self-fund. You can also consider Tamograph or Acrylic’s suite if you’re on a budget.
  • Spectrum analysis software. Sometimes it’s not enough to just see 802.11 traffic – you will need to see non 802.11 activity as well, like interference from point to point links, microwaves, wireless security cameras, A/V equipment, and more. These sources of outside interference can cause a lot of pain on a wireless network. I use Metageek’s Chanalyzer tool for this. 
  • Gear. You will be walking for quite some time during a larger survey and you probably don’t want to be cradling that hot and heavy laptop in your arms the whole way.
    • Laptop trays may not be the “coolest” gear, but they are invaluable. Buying the WLAN Pros laptop tray has made a huge difference for me.
    • Battery packs. Your laptop battery is going to drain quickly with all the attached peripherals. Using a battery that can keep your laptop charging will let you keep moving and not waste time stuck to a power outlet.
    • Wireless adapters. This is critical. Ekahau ships with some very powerful NICs, but those NICs don’t give you a realistic view of the wireless network performance… not everyone has $300 wireless cards strapped to their devices! Get a low end wireless adapter to simulate actual client performance. For example, something like this can be used to track 5GHz roaming behavior.

Step Three – Getting Started:

So you’ve prepared your gear, talked with the customer, and determined what the problem is – let’s get a sneak peek of what we’re dealing with. Pull up your SSID mapping software and take a look. If you know what you’re looking at, this can give you a lot of information about the health of the network.

For example, THIS looks pretty standard:

Okay 2.4GHz

And THIS means that you’re in for a world of hurt:

Dicey 2.4GHz

Here you can quickly see the channel plan, rogue access points, hotspots, neighboring systems, and more. You can see if they pulled the gear out of the box and left it to factory defaults (usually identified by 80MHz channels in the 5GHz band which is not necessarily a bad thing, but often can be) or if there has been tinkering with the setup. This sets the stage for the rest of the assessment.

Step Four – Start Walking:

Next, get your survey gear up and running and start walking the floor. You will absolutely 100% need some kind of accurate floor plan for best results here. Push hard on the customer for those plans… I don’t do full assessments unless floor plans are provided in advance, as you don’t want to waste several hours onsite waiting for someone to dig up the documents.

I recommend hooking up several adapters and at least one spectrum analyzer while walking the floor. All the information that each adapter catches will be fed into the wireless map and it will give you a lot of information to dig through after the assessment.

I have two Ekahau NIC-300-USB that I set to passively scan all channels – one set to 2.4GHz and one set to 5.0GHz. You have the option to remove channels from the scan and only scan selected channels more rapidly, but I prefer to leave all channels selected so I can pick up on neighbors and rogues that are outside of the standard channel plan. Now, the NIC-300-USB is a very expensive and high end wireless NIC so it can paint a rosier picture of the wireless environment than you might like… so don’t take the bright green raw data and think “everything is fine!” You can get around this by asking Ekahau to simulate the measurements with various weaker clients when reviewing the data. To do this, go to the “Options” drop down menu and select the Adapter type from the list at the bottom of the menu.

Adapter Simulation

In addition to the two NIC-300-USBs, I always set up a third NIC to act as an associated active client and have it constantly ping the default gateway (or, in some cases, perform a throughput test). Having an active client is critical in my opinion. If you only measure passively you won’t have any idea where roaming breaks down, areas of packet loss, how long your client sticks to an AP, and so on. Having at least one active client is a must.

Finally, set up a spectrum analyzer and have it capture the RF health from the 2.4GHz band. If you have two, that’s great – you can capture dual band information. But if you only have one, prioritize scanning the 2.4GHz band as it is more prone to disruption.

Be sure to load up your entire rig and test it for AT LEAST 15 minutes before doing this “live” with a client. Nothing is worse than getting onsite and having the NICs constantly fail due to driver or power issues.

Also, remember to disable all unnecessary wireless activity on your laptop or tablet before starting the survey. If you’re downloading system updates while walking the floor you’re going to get some weird measurements. In addition, avoid using USB 3.0 devices as they can cause interference in the 2.4GHz band.

Try to get an escort for the walk around if you can. For one, walking around an office with a bunch of antennas and battery packs unaccompanied can raise eyebrows. I’ve been accused of trying to “hack the network” several times now. Two, having an employee with you gives you a chance to ask more questions and get their personal take on the system as you walk. The more info the better! Three, it’s much better to have a company escort when walking into various offices to take measurements, especially when you wander into executive offices. Yes, you will have to interact with a great deal of people and walk into every room if possible. A survey that only has hallway information is not worth much.

When walking, you have two options to capture the data within Ekahau… “Continuous,” where data is constantly being fed into the system as you move through the environment in a steady and controlled manner, and “Stop-and-Go,” where you take spot measurements one location at a time. I personally prefer to use “Stop-and-Go,” as it is less prone to human error and allows you to engage with users as needed.

Step Five – Spot Check:

Your work isn’t finished yet! Hopefully during your assessment you were able to identify specific problem areas, either from your escort or from the curious users. Go back to each of these locations and take some frame captures and some spectrum analysis measurements. Be sure to let each capture run for at least five minutes at each location. The more data, the better.

When reviewing the spectrum analysis measurements, I always look at the utilization information to see if the RF is being maxed out:

2.4GHz Utilization

And I also do a quick sweep to see if I find any interference from non 802.11 sources:

Non 802.11 Interference

The frame capture will give you a lot of information on their configuration… beacon frames in particular are very useful. To filter by beacon frames in Wireshark, type in wlan.fc.type_subtype == 0x8. From the beacon frames you can check the data rates, HT and VHT capabilities, security framework, and more. For example, to check the data rates present on the SSID:

IEEE 802.11 wireless LAN -> Tagged parameters -> Tag: Supported Rates

Beacon Data Rates

You can also check for retry rates using wlan.fc.retry == 1, check for authentication frames using wlan.fc.type_subtype == 0xb, and more. Frames don’t lie.
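As an added example (not from the original post), the beacon checks above can be scripted: this Python code parses the Supported Rates and Extended Supported Rates tags of a raw beacon, flags 802.11b and low basic rates, and computes the share of frames with the Retry bit set. The sample frames, SSIDs and BSSID are constructed, and frames are assumed to start at the 802.11 header with no radiotap header or FCS.

```python
import struct

# Added example. All frames below are constructed, not captured.
LEGACY_11B = {1.0, 2.0, 5.5, 11.0}   # 802.11b DSSS/CCK rates, Mbps
TAG_SSID, TAG_RATES, TAG_EXT_RATES = 0, 1, 50
HDR_LEN, FIXED_LEN = 24, 12          # management header, beacon fixed fields
RETRY = 0x08                         # Retry bit in the frame-control flags byte


def parse_beacon(frame: bytes) -> dict:
    """Parse a beacon that starts at the 802.11 header (no radiotap, no FCS)."""
    if len(frame) < HDR_LEN + FIXED_LEN:
        raise ValueError("too short for a beacon")
    if ((frame[0] >> 2) & 0x3, frame[0] >> 4) != (0, 8):  # type 0, subtype 8
        raise ValueError("not a beacon frame")
    info = {"bssid": frame[16:22].hex(":"), "ssid": None, "rates": {}}
    pos = HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                   # truncated element
        if tag == TAG_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag in (TAG_RATES, TAG_EXT_RATES):
            for octet in value:
                units = octet & 0x7F                # rate in 500 kbps units
                if units <= 108:                    # above 54 Mbps: selector, not a rate
                    info["rates"][units / 2] = bool(octet & 0x80)  # True = basic
        pos += 2 + length
    return info


def rate_findings(info: dict) -> list:
    """Flag the rate-related issues from the report checklist."""
    basic = sorted(r for r, is_basic in info["rates"].items() if is_basic)
    legacy = sorted(r for r in info["rates"] if r in LEGACY_11B)
    findings = []
    if legacy:
        findings.append(f"802.11b rates advertised: {legacy}")
    if basic and basic[0] < 6:
        findings.append(f"lowest basic rate is {basic[0]} Mbps")
    return findings


def retry_rate(frames) -> float:
    """Fraction of frames with the Retry bit set (what wlan.fc.retry == 1 matches)."""
    frames = list(frames)
    if not frames:
        return 0.0
    return sum(1 for f in frames if len(f) > 1 and f[1] & RETRY) / len(frames)


def build_beacon(ssid: str, rates: bytes, ext_rates: bytes = b"") -> bytes:
    """Build a constructed beacon for the demo (BSSID is a made-up local address)."""
    bssid = bytes.fromhex("020000000001")
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0431)  # interval, capabilities
    elems = [(TAG_SSID, ssid.encode()), (TAG_RATES, rates)]
    if ext_rates:
        elems.append((TAG_EXT_RATES, ext_rates))
    return header + fixed + b"".join(bytes([t, len(v)]) + v for t, v in elems)


# Constructed sample: 1/2/5.5/11 Mbps marked basic, plus the OFDM rates.
DEFAULTS = build_beacon("lab-defaults",
                        bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]),
                        bytes([0x30, 0x48, 0x60, 0x6C]))
# Constructed sample: 12 Mbps basic, 18-54 Mbps supported, 0xFF = HT PHY selector.
TUNED = build_beacon("lab-tuned", bytes([0x98, 0x24, 0x30, 0x48, 0x60, 0x6C, 0xFF]))

if __name__ == "__main__":
    for frame in (DEFAULTS, TUNED):
        info = parse_beacon(frame)
        print(info["ssid"], sorted(info["rates"]), rate_findings(info) or "ok")
```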

Wireshark is a very powerful and complex tool… and it’s free! If you want to become an expert with Wireshark, this book has been a great resource for me. But if you can swing it, Metageek’s Eye P.A. software is a great tool to give you a visual analysis of airtime and L2 wireless health that makes for a great presentation.

Step Six – Making the Report:

Now for the fun part. Spend a few days reviewing your data and going through the heatmap and the measurements with a fine-tooth comb, looking for any oddities. When building the report, less is more. Make it easy to read and only include relevant information that addresses the pain points that you discovered. I personally like to put a summary of any issues found and potential first steps to resolve them on the cover page for easy digestion. I also like to set up a webinar to discuss the findings and answer all questions before handing off the document to be sure that everything is understood and wrapped up nicely.

Common issues that I immediately look for in my data include:

  • Presence of low data rates
  • Areas with poor coverage
  • Non 802.11 interference
  • Inefficient channel usage
  • Issues with roaming and/or dropped packets
  • 802.11b networks
  • Rogue or unauthorized APs

There are two things to keep in mind when giving the presentation:

First, unless you are dealing with a high density installation, RF optimization is not always the magic cure-all for network problems. It’s easy to point the finger at the 1Mbps data rate and the 80MHz channel as being the culprit, but if you only have 10 stationary clients associated on average and they are constantly disconnecting from the AP… it’s unlikely that the RF is the root cause. Optimize the wireless as much as you like, but be prepared to start diving into the wired side of the network as you look for problem resolution. It’s critical to know both the wired and the wireless sides of things to be an effective resource.

Second, don’t make ultimatums. If you are a hired gun, you’ve only spent the last several days battling what the customer’s IT department has been battling for some time now. Don’t speak in absolutes or immediately assume design flaws. Instead, diplomatically make recommendations and try to understand why things are configured the way they are.

That covers the highlights. If you’re interested in getting started and have questions, feel free to send me a message – I’d be happy to help.

Content in the Works

I apologize for being so absent for so long. More technological ruminations are coming in the next week or two.

Not only did I uproot my family and move to Georgia, but I also have a new job. I have a new architecture gig with a well established integrator in the Atlanta market. This role has been very fulfilling, but extremely demanding at the same time. The bright side is that I find myself learning a LOT. The downside is that I don’t have as much time to share it with others. I’m starting to get my feet back under me and will resume updates on this blog soon.

Packet Wrangling Podcast – Episode 2

So, remember when I said that I would be doing these once a week?

Yeah, that was before life came along and decided that it had a different plan in mind!!

Apologies for the long silence. I actually started this recording well over a month ago, but tonight is the first night in a very long time that I’ve had time to actually sit down and put the finishing touches on the recording. We won a large services contract for a very large company (Fortune 10) to roll out new network segments at their datacenters across the US. So I’ve been on the road constantly, dealing with 11 PM to 6 AM change windows, change management meetings, status reports, project managers, and all kinds of “fun” stuff on top of actual network engineering… and then on top of that we’re buying a house and moving to a different state. A huge shout out to my wife for being a rockstar during this trying time.

Without further ado and rambling from me, here’s Episode 2 of the Packet Wrangling podcast. This one covers common wireless architectures and the pros and cons of each. Enjoy!



Make OFDM Great Again

So 802.11ax promises to “reinvent” our dear OFDM technology and bring us to a new promised land of OFDMA. Fly your wireless networking expert flag with pride with this t-shirt!



No, that ain’t me wearing the shirt sadly.

Building your own Battery Pack


So, you’ve built your predictive design and now it’s time for the rubber to meet the road – the infamous AP-on-a-Stick survey. To perform this piece of your wireless design you’ll need a lot of “unique” gear… tripods, laptop shelves, tons of wireless adapters, APs, and enough battery power to get you through the day.

When I was building out my survey kit, I noticed one flaw with the “professional” battery packs built for wireless surveys. Beyond being very bulky and expensive, the majority of them only support 802.3af. The newer and larger APs often prefer 802.3at (also called PoE+) these days. In some cases, they can use 802.3af, but they turn off several spatial streams in the 2.4GHz radio to adjust for the lack of power.

That’s less than ideal, isn’t it?

Thanks to the Internet, I was able to cobble together a pretty affordable battery pack that supports both 802.3af and 802.3at and lasts an incredibly long time. Here are the pieces and parts that have worked for me:

Intocircuit 26000mAh High Capacity Battery Pack

Tycon Systems TP-DCDC-2448GD-HP DC Converter

Power Jack Adapter Plug

The total will run you about $140.00 and it lasts for an extremely long time. Just power up the Intocircuit, hook it up to the Tycon converter using the adapter, and connect your AP. I’ve used it for several gigs now and despite looking a little “homemade,” it does the trick.

Taking a look at VMtracer with Arista

I’ve had the privilege of spending some time with the Arista product this week. For those of you who don’t follow HPE obsessively, some backstory – in the past, HPE led with the Comware product line in the datacenter, which was part of their 3COM acquisition. Comware was a solid product and many of our clients had a good experience with the platform… even though the CLI was … “unique” compared to some. Really, it just took some getting used to.

However, last year HPE announced that they were opening a shared partner program of sorts with the Arista product. Arista had been making a lot of positive waves in the datacenter networking environment, so I was happy to add another tool to my arsenal. But then several months later things became more serious as HPE announced that all new datacenter opportunities should be designed using the Arista lineup… and that the Comware gear wasn’t going to be their main focus moving forward.

Well, guess I better learn Arista then!

Arista uses Fedora Linux at the core, which allows a lot of cool tricks. Tools like grep, cat, zcat, tcpdump, awk and more are ready to go from boot. Administrators can choose to work in the bash shell or work in the Arista CLI, which will be very familiar to Cisco shops. Because of the Linux architecture, common networking protocols like STP, OSPF, BGP all run as individual processes and can be isolated if problems pop up. VXLAN, MLAG and other datacenter goodies are supported as well.

One tool that stood out to me during the boot camp was the VMtracer. VMtracer allows the Arista switch to keep an eye on the virtual environment by collaborating with the vCenter server. A few weeks ago I published a post around NSX and how it marries the physical network infrastructure with the virtual, solving a lot of problems for the large datacenter and the inherent scaling issues present there. Arista fully supports the VXLAN tunnel overlay I described (in fact Arista was one of the co-authors of the VXLAN standard), but the Arista gear presents a new convenient solution and QoL enhancement for smaller datacenters that still utilize a L2 topology with VMtracer.

It’s always better to show than tell, so here’s a quick walkthrough:

So first, within the CLI we configure VMtracer to communicate with vCenter – see below.

1 - Configure and Verify VM Tracer

Once this is up and running the Arista switch and the VMware environment can exchange info. Running show vmtracer sess brings up the session and gives confirmation that we’re all set.

2 - sho vmtracer sess

After a few minutes the VM database will populate. You can check this with show vmtracer vm, which lists out the VMs, their host, and what interface on the Arista switch they are connected to. In this case everything is connecting via the trunk port Ethernet1.

3 - sho vmtracer vm

We can pull more information with the “detail” flag, showing more information on each VM.

4 - sho vmtracer vm det

Someone who is good with Linux will be able to use pipes and grep-esque commands to quickly filter through info, but frankly I am very rusty with Linux. Keep in mind that Arista does support XMPP for multi switch CLI, so you can pull info from multiple sources simultaneously through pre-defined XMPP groups. Here’s my attempt to pull up info on a specific VM – note that you can quickly determine where a VM is connected using this tool.

5 - sho vmtracer vm name

Now, VMtracer includes a very cool function called “autovlan” that is enabled by default. You can verify its function by pulling up the VMtracer session as shown below. If vmotion moves a VM from one host to another, the physical network infrastructure tied to the new host must support the same VLANs. This can lead to administrators enabling every VLAN for every host to avoid orphaning an unlucky VM that vmotioned to the wrong host. By using VMtracer, the Arista switch can dynamically add VLANs to switches to support VMs as they move around the datacenter.

6 - sho vmtracer sess autovlan

Here I run a sho VLAN command to see what is active on my switch. Notice that VLANs tagged with an asterisk have been added to the switch dynamically with autovlan.

7 - sho vlan dynamic

Cool, huh?

Never fear, you can rein this in as needed. Let’s say I want to ensure that VLAN 1001 does not automatically populate on my switch for some security reason. I can go back into the Lab VMtracer session and remove 1001 from the allowed-vlan pool:

8 - trimming VLANs

To confirm that the change took, run sho vmtracer sess.

9 - sho vmtracer sess with trim

Now I can pull up the list of VLANs again and confirm that VLAN 1001 is no more.

10 - sho vlan with trim

Pretty cool, right?

There’s a bunch of stuff like this that you can do with the Arista lineup. Time to brush up on Linux!




Aruba UAP Boot Process


There have been many exciting announcements at the Atmosphere 2017 conference and it’s been really great to meet a bunch of fellow members of the wireless twittersphere. All in all, definitely worth the time to attend.

Many other wireless minds have been covering a lot of the “cool” stuff – new ArubaOS8, new machine learning analytics with RASA and Niara, new monitoring tech with Airwave Glass and Clarity Synthetic, crazy new ways of wireless with 802.11ax, and more.

But one thing that really stood out to me personally is the new Universal AP code that’s being rolled out to their new APs. Those of you familiar with Aruba know that there used to be two primary “versions” of hardware – Instant and Campus. Campus APs were meant to be used with a controller and they were sold without region locks, assuming that the controller would handle the regulatory compliance. The advantage was that they locked in real quick to a controller with auto discovery. The disadvantage was that there wasn’t a supported way to flash them into an Instant system, so hope you like those controllers you got there. The Instant APs had more intelligence at the edge and had region locks baked in at order, and they could move back and forth between Instant and Controller architectures – but to have them discover a controller required manual intervention, meaning that converting a large scale Instant roll-out into Campus methodology was a pain in the ass. Both were sold at the exact same price point.

The new “Universal” code means that an AP can become either a Campus or Instant AP from birth without any funky conversions. The self discovery process has become much longer though, so to spare you from any hand wringing as the APs slowly toddle towards configuration, here’s the new boot process that was shared at Atmosphere 2017:

  • Static master assignment preconfigured
  • DHCP based discovery using DHCP options assigned by DHCP server
    • NOTE – This uses option 43 to give the controller IP address to the AP
    • NOTE – make sure that option 60 on the server is set to listen for the string “ArubaAP” – without option 60 configured, the option 43 response won’t fire.
    • NOTE – The AP has to have basic DHCP and DNS discovery for any automated discovery to tick. If it doesn’t, it will reboot constantly. Yes, you will need to edit the CLI config to allow APoaS site surveys
  • Aruba Discovery Protocol based discovery
    • NOTE – this only works if either the controller is in the same broadcast domain as the AP or if multicast forwarding is configured (multicast address used is
  • DNS based discovery (this is what Aruba recommends as best practice)
    • NOTE – the AP will look for aruba-master
  • Instant Virtual Controller Discovery
    • NOTE – this means that the AP will reach out in its own broadcast domain with the PAPI protocol to find a local Instant AP that is elected as VC
  • Airwave Discovery
  • Activate Match Airwave
    • NOTE – Activate is Aruba’s cloud based provisioning service. The AP must be able to communicate on the Internet for this step or the following two to work.
  • Activate Match Central
  • Activate Match CAP/RAP
  • Broadcast Instant Provisioning SSID
    • NOTE – And here’s where you are off to the races with the Instant platform!

Quite a journey, isn’t it? Nice that we’ll be able to purchase a single SKU now though.