Wireless Assessments

The wireless network can be challenging to assess and troubleshoot. There are many variables in the wireless network that are completely outside of the control of the organization – client device types, neighboring wireless systems, and more – and the environment can change rapidly. Interested in finding a good way to do a health-check of your (or your customer’s) environment? Here’s how I go about it.

This walkthrough is not intended to give you everything you need to know to properly assess and fine-tune a wireless network. If you’re interested in learning how RF ticks, I can’t recommend the CWNA course material highly enough. It’s awesome stuff. Check it out here.

Step One – Set the Stage:

First and foremost, when doing a health check on an existing wireless network, you need to be asking questions. Don’t lecture, just listen. If you don’t know what the network is intended to do you will be flying blind and making poorly thought out suggestions at the end of the engagement. I always ask the following at a minimum:

  • What is the purpose of this wireless network?
  • What applications need to function on this network? (look for voice/video applications in particular, those have stringent requirements)
  • What types of clients need to use this network? Is this under control of the IT department, or do they support BYOD?
    • If IT has full jurisdiction, get the FCC ID and start looking for performance information on the client at www.fcc.io.
    • If you’re dealing with a BYOD network, assume that you have to support the lowest common denominator.

This will help set the stage. Listen closely for pain points. There’s probably a good reason why you’ve been engaged to assess their RF – find out the underlying pain so you can try to address it.

Step Two – Gather your Tools:

This is where things can get expensive. Enterprise level wireless software is not cheap! I’ll list out the tools that I personally use as well as some alternatives if you are self-funding this project.

  • SSID mapping and discovery tool. I personally use Metageek’s Chanalyzer for this. You can also use Metageek’s InSSIDer or Acrylic’s Wifi Analyzer software. This will let you see the channel plan and get an idea of what you’re working with.
  • Wireless frame capture software. If you’re using a Mac, you’re in good shape. I use the free program Airtool with great success. If you’re using Windows, you’re going to have some difficulty because you need specialized software to listen to wireless traffic in monitor mode, meaning that you can capture management and control frames promiscuously, not just frames addressed to your PC. Professional systems like Omnipeek are ideal, but if you are on a budget you can use Acrylic’s NDIS drivers to convert a supported adapter into a monitor mode capable device. Try to find a way to capture as many spatial streams as possible.
  • Heatmapping software. This will let you build a comprehensive map of wireless coverage AND correlate a lot of other data onto a floorplan, like dropped packets, associated APs, spectrum health, and more. I use Ekahau’s product personally and love it… but it can be tough to self-fund. You can also consider Tamograph or Acrylic’s suite if you’re on a budget.
  • Spectrum analysis software. Sometimes it’s not enough to just see 802.11 traffic – you will need to see non 802.11 activity as well, like interference from point to point links, microwaves, wireless security cameras, A/V equipment, and more. These sources of outside interference can cause a lot of pain on a wireless network. I use Metageek’s Chanalyzer tool for this. 
  • Gear. You will be walking for quite some time during a larger survey and you probably don’t want to be cradling that hot and heavy laptop in your arms the whole way.
    • Laptop trays may not be the “coolest” gear, but they are invaluable. Buying the WLAN Pros laptop tray has made a huge difference for me.
    • Battery packs. Your laptop battery is going to drain quickly with all the attached peripherals. Using a battery that can keep your laptop charging will let you keep moving and not waste time stuck to a power outlet.
    • Wireless adapters. This is critical. Ekahau ships with some very powerful NICs, but those NICs don’t give you a realistic view of the wireless network performance… not everyone has $300 wireless cards strapped to their devices! Get a low end wireless adapter to simulate actual client performance. For example, something like this can be used to track 5GHz roaming behavior.

Step Three – Getting Started:

So you’ve prepared your gear, talked with the customer, and determined what the problem is – let’s get a sneak peek of what we’re dealing with. Pull up your SSID mapping software and take a look. If you know what you’re looking at, this can give you a lot of information about the health of the network.

For example, THIS looks pretty standard:

Okay 2.4GHz

And THIS means that you’re in for a world of hurt:

Dicey 2.4GHz

Here you can quickly see the channel plan, rogue access points, hotspots, neighboring systems, and more. You can see if they pulled the gear out of the box and left it at factory defaults (usually identified by 80MHz channels in the 5GHz band, which is not necessarily a bad thing but often is) or if there has been tinkering with the setup. This sets the stage for the rest of the assessment.

Step Four – Start Walking:

Next, get your survey gear up and running and start walking the floor. You will absolutely 100% need some kind of accurate floor plan for best results here. Push hard on the customer for those plans… I don’t do full assessments unless floor plans are provided in advance, as you don’t want to waste several hours onsite waiting for someone to dig up the documents.

I recommend hooking up several adapters and at least one spectrum analyzer while walking the floor. All the information that each adapter catches will be fed into the wireless map and it will give you a lot of information to dig through after the assessment.

I have two Ekahau NIC-300-USB adapters that I set to passively scan all channels – one set to 2.4GHz and one set to 5.0GHz. You have the option to remove channels from the scan and only scan selected channels more rapidly, but I prefer to leave all channels selected so I can pick up on neighbors and rogues that are outside of the standard channel plan. Now, the NIC-300-USB is a very expensive and high end wireless NIC, so it can paint a rosier picture of the wireless environment than you might like… so don’t take the bright green raw data and think “everything is fine!” You can get around this by asking Ekahau to simulate the measurements with various weaker clients when reviewing the data. To do this, go to the “Options” drop down menu and select the adapter type from the list at the bottom of the menu.

Adapter Simulation

In addition to the two NIC-300-USBs, I always set up a third NIC to act as an associated active client and have it constantly ping the default gateway (or, in some cases, perform a throughput test). Having an active client is critical in my opinion. If you only measure passively you won’t have any idea where roaming breaks down, areas of packet loss, how long your client sticks to an AP, and so on. Having at least one active client is a must.

Finally, set up a spectrum analyzer and have it capture the RF health from the 2.4GHz band. If you have two, that’s great – you can capture dual band information. But if you only have one, prioritize scanning the 2.4GHz band as it is more prone to disruption.

Be sure to load up your entire rig and test it for AT LEAST 15 minutes before doing this “live” with a client. Nothing is worse than getting onsite and having the NICs constantly fail due to driver or power issues.

Also, remember to disable all unnecessary wireless activity on your laptop or tablet before starting the survey. If you’re downloading system updates while walking the floor you’re going to get some weird measurements. In addition, avoid using USB 3.0 devices as they can cause interference in the 2.4GHz band.

Try to get an escort for the walk around if you can. For one, walking around an office with a bunch of antennas and battery packs unaccompanied can raise eyebrows. I’ve been accused of trying to “hack the network” several times now. Two, having an employee with you gives you a chance to ask more questions and get their personal take on the system as you walk. The more info the better! Three, it’s much better to have a company escort when walking into various offices to take measurements, especially when you wander into executive offices. Yes, you will have to interact with a great deal of people and walk into every room if possible. A survey that only has hallway information is not worth much.

When walking, you have two options to capture the data within Ekahau… “Continuous,” where data is constantly being fed into the system as you move through the environment in a steady and controlled manner, and “Stop-and-Go,” where you take spot measurements one location at a time. I personally prefer to use “Stop-and-Go,” as it is less prone to human error and allows you to engage with users as needed.

Step Five – Spot Check:

Your work isn’t finished yet! Hopefully during your assessment you were able to identify specific problem areas, either from your escort or from the curious users. Go back to each of these locations and take some frame captures and some spectrum analysis measurements. Be sure to let each capture run for at least five minutes at each location. The more data, the better.

When reviewing the spectrum analysis measurements, I always look at the utilization information to see if the RF is being maxed out:

2.4GHz Utilization

And I also do a quick sweep to see if I find any interference from non 802.11 sources:

Non 802.11 Interference

The frame capture will give you a lot of information on their configuration… beacon frames in particular are very useful. To filter by beacon frames in Wireshark, type in wlan.fc.type_subtype == 0x8. From the beacon frames you can check the data rates, HT and VHT capabilities, security framework, and more. For example, to check the data rates present on the SSID:

IEEE 802.11 wireless LAN > Tagged parameters > Tag: Supported Rates:

Beacon Data Rates

You can also check for retry rates using wlan.fc.retry == 1, check for authentication frames using wlan.fc.type_subtype == 0xb, and more. Frames don’t lie.
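As an added example (my code, not the post’s), here is a pure-Python parser that applies the same checks to a beacon frame offline: it decodes the type/subtype and Retry bits behind the Wireshark filters above, and reads the Supported Rates tag to flag the low-data-rate and 802.11b conditions from the report checklist in Step Six. The beacon frames, SSIDs and MAC addresses are constructed samples; real frames would come from your frame capture tool.

```python
import struct

# Wireshark's wlan.fc.type_subtype values quoted in the post (type << 4 | subtype)
BEACON, AUTH = 0x08, 0x0B
TAG_SSID, TAG_SUPPORTED_RATES, TAG_EXT_RATES = 0, 1, 50
DSSS_RATES = {1.0, 2.0, 5.5, 11.0}  # the 802.11b-era rates the report checklist flags

def frame_control(frame: bytes) -> dict:
    """Decode the 2-byte Frame Control field at the start of any 802.11 frame."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    return {"type_subtype": (ftype << 4) | subtype,  # wlan.fc.type_subtype
            "retry": bool(flags & 0x08)}             # wlan.fc.retry

def parse_beacon(frame: bytes) -> dict:
    """Pull SSID and (Extended) Supported Rates out of a beacon's tagged parameters."""
    if frame_control(frame)["type_subtype"] != BEACON:
        raise ValueError("not a beacon frame")
    pos = 24 + 12  # 24-byte MAC header, then timestamp(8) + interval(2) + capability(2)
    ssid, rates = b"", []
    while pos + 2 <= len(frame):
        tag_id, tag_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + tag_len]
        pos += 2 + tag_len
        if tag_id == TAG_SSID:
            ssid = value
        elif tag_id in (TAG_SUPPORTED_RATES, TAG_EXT_RATES):
            # one byte per rate in 500 kbps units; MSB set marks a basic (mandatory) rate
            rates += [((b & 0x7F) / 2, bool(b & 0x80)) for b in value]
    return {"ssid": ssid.decode(errors="replace"), "rates": rates}

def review_rates(rates: list) -> dict:
    """The 'low data rates' and '802.11b' checks applied to one SSID's rate set."""
    basic = sorted(mbps for mbps, is_basic in rates if is_basic)
    return {"lowest_basic_mbps": basic[0] if basic else None,
            "has_80211b_rates": any(mbps in DSSS_RATES for mbps, _ in rates),
            "low_basic_rate": bool(basic) and basic[0] < 6.0}

def build_beacon(ssid: bytes, rates: bytes, ext_rates: bytes = b"") -> bytes:
    """Construct a minimal beacon frame for offline testing (constructed sample, not a capture)."""
    header = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU interval, capability
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_SUPPORTED_RATES, len(rates)]) + rates
    if ext_rates:
        tags += bytes([TAG_EXT_RATES, len(ext_rates)]) + ext_rates
    return header + fixed + tags

# Two constructed beacons: factory-default 2.4GHz rate set vs. a tuned one with 1/2/5.5/11 removed
FACTORY = build_beacon(b"corp-default", bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]),
                       bytes([0x30, 0x48, 0x60, 0x6C]))
TUNED = build_beacon(b"corp-tuned", bytes([0x8C, 0x92, 0x98, 0x24, 0x30, 0x48, 0x60, 0x6C]))

if __name__ == "__main__":
    for name, frame in (("factory", FACTORY), ("tuned", TUNED)):
        print(name, review_rates(parse_beacon(frame)["rates"]))
```

Feeding it real beacons means slicing the 802.11 frame out of your capture (stripping any radiotap header first); the checks themselves do not change.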

Wireshark is a very powerful and complex tool… and it’s free! If you want to become an expert with Wireshark, this book has been a great resource for me. But if you can swing it, Metageek’s Eye P.A. software is a great tool to give you a visual analysis of airtime and L2 wireless health that make for a great presentation.

Step Six – Making the Report:

Now for the fun part. Spend a few days reviewing your data and going through the heatmap and the measurements with a fine-tooth comb, looking for any oddities. When building the report, less is more. Make it easy to read and only include relevant information that addresses the pain points that you discovered. I personally like to put a summary of any issues found and potential first steps to resolve them on the cover page for easy digestion. I also like to set up a webinar to discuss the findings and answer all questions before handing off the document to be sure that everything is understood and wrapped up nicely.

Common issues that I immediately look for in my data include:

  • Presence of low data rates
  • Areas with poor coverage
  • Non 802.11 interference
  • Inefficient channel usage
  • Issues with roaming and/or dropped packets
  • 802.11b networks
  • Rogue or unauthorized APs

There are two things to keep in mind when giving the presentation:

First, unless you are dealing with a high density installation, RF optimization is not always the magic cure-all for network problems. It’s easy to point the finger at the 1Mbps data rate and the 80MHz channel as being the culprit, but if you only have 10 stationary clients associated on average and they are constantly disconnecting from the AP… it’s unlikely that the RF is the root cause. Optimize the wireless as much as you like, but be prepared to start diving into the wired side of the network as you look for problem resolution. It’s critical to know both the wired and the wireless sides of things to be an effective resource.

Second, don’t make ultimatums. If you are a hired gun, you’ve only spent the last several days battling what the customer’s IT department has been battling for some time now. Don’t speak in absolutes or immediately assume design flaws. Instead, diplomatically make recommendations and try to understand why things are configured the way they are.

That covers the highlights. If you’re interested in getting started and have questions, feel free to send me a message – I’d be happy to help.

Thoughts on the CWSP…

So, today I passed the Certified Wireless Security Professional (CWSP) exam. For those of you not familiar with the CWNP program, it’s an intensive vendor-neutral certification path that delves deeply into 802.11 tech… VERY deeply. It’s been very beneficial for my career, and it’s one of the few educational courses that I truly enjoy. Anyone interested in learning more about how wireless ticks should take a look at the CWNA at least.

The CWNP program begins with the CWNA as the foundational wireless cert, then it branches into three separate specializations – Security, Analysis, and Design. Once all four exams are completed and a lengthy application submitted (essay questions and all), you can become a candidate for the Certified Wireless Network Expert designation. It’s pretty elite, with only around 150 CWNEs in the USA. I’m gunning to complete the CWNE application by the end of 2017.

For the CWSP course, I used the following resources:

  • CWSP Official Study Guide PW0-204
  • CWSP Official Study Guide CWSP-205
  • Extensive use of the Sybex online companion included with the CWSP-205 book
  • Sample tests available directly from CWNP

I did NOT use the Certitrek guide published in 2015. There may have been some things I missed from that book, but I was very impressed with the most recent version and feel that it covered sufficient territory.

The CWSP course covers wireless encryption methods, EAP, fast roaming mechanisms, the different handshakes and key hierarchy, RADIUS, LDAP, MDM, and much more. The book was great. And HARD. Lots of detail to sink your teeth into. I had some issues with incorrect questions on the Sybex portal, so just remember that you can’t 100% trust what their exams tell you when you do your review.

To those of you looking to take the exam, keep hammering through the practice exams from the CWSP-205 book. Once you can pass them reliably, I think you’ll be ready for the real thing.

What’s next for me? I had planned on taking the Wireshark course next to get more familiar with packet analysis, but my work is requesting that I chew through the VCP-NV next, so packet analysis will have to wait a month or two.

On to VCP-NV, WCNA, CWAP, then CWDP!

Merry Christmas to all.

One man’s rambling journey to CCNA…

As of Monday, I am finally a CCNA. It’s been a long and strange journey and I wanted to share my steps with you in the hopes that it helps those also going for the cert (without breaking the NDA of course!).

I’ve been in the networking industry for a few years. Four years ago I got my Net+ and then began working towards my CCNA… but then I got a job that only dealt with HPN, so I put away the Cisco books. I worked my way all the way through HPE’s master certifications for networking (ATP, ASE, MASE) and several wireless certs (CWNA, ACMP) and had to digest a lot of Cisco on the way… Cisco’s textbooks are better reference materials than most and networking is networking, so it’s transferable knowledge!

But I decided that I wanted to prove myself with Cisco, as I still run into it in my day-to-day and I had heard that their tests were more difficult.

I passed the composite exam (v2) with a middling score of 863. I didn’t attempt the step by step method. I studied seriously for about a month.

Resources Used

I have a pretty sizeable IT library that I have at my disposal, but for the CCNA specifically I used:

  • Todd Lammle’s CCNA textbook
  • Chris Bryant’s CCNA Udemy Course
  • Boson’s NetSim
  • CBT Nuggets
  • Packet Tracer and GNS3

I started with Lammle’s book and read it cover to cover, doing all the hands-on labs and review questions multiple times. The book was easy to read and well presented.

I then ran through the Boson netsim using the intelligent learning mode until I had successfully answered every question in their 400 question database three times. I HIGHLY recommend this product – it has simulation labs baked in that give you a decent idea of what to expect. It was a good ego check for me.

I then purchased the Chris Bryant CCNA video series and cherry picked areas that I felt I was weak on. This helped solidify things for me.

These resources gave me the info that I needed and I recommend all of them, especially Boson.

My Two Cents

My takeaway is that the CCNA has gotten a lot harder than it was when I first looked at it, and it’s a solid foundational curriculum. I’ve taken exams dealing with high level datacenter topics like MPLS, VPLS, SPBB, TRILL, SDN, etc., and I did better on those than I did with Cisco’s introductory exam! Kudos to those of you who are working towards the CCNA. It really makes sure you know how to build a network, not just be familiar with general concepts. Some network vendors just ask you to know what VRRP does; Cisco asks that you know the hello timers and virtual MAC addresses!

Advice on the exam

Be sure to nail down port numbers, subnetting, and above all troubleshooting. Some exams may test you on your knowledge of subnets, but Cisco “bakes it in” to the questions and expects you to know it off the top of your head while figuring out the other issues.

Advice to Cisco

Kudos for making a great learning path, but you seriously should use Boson’s lab engine instead of whatever that “thing” was that I saw today. Eesh!

Next up… CCNP, CCDA, CCDP, CWAP, CWSP, CWDP, CWNE! Books are on the way…