Wireless Assessments

The wireless network can be challenging to assess and troubleshoot. There are many variables in the wireless network that are completely outside of the control of the organization – client device types, neighboring wireless systems, and more – and the environment can change rapidly. Interested in finding a good way to do a health-check of your (or your customer’s) environment? Here’s how I go about it.

This walkthrough is not intended to give you everything you need to know to properly assess and fine-tune a wireless network. If you’re interested in learning how RF ticks, I can’t recommend the CWNA course material highly enough. It’s awesome stuff. Check it out here.

Step One – Set the Stage:

First and foremost, when doing a health check on an existing wireless network, you need to be asking questions. Don’t lecture, just listen. If you don’t know what the network is intended to do you will be flying blind and making poorly thought out suggestions at the end of the engagement. I always ask the following at a minimum:

  • What is the purpose of this wireless network?
  • What applications need to function on this network? (look for voice/video applications in particular, those have stringent requirements)
  • What types of clients need to use this network? Is this under control of the IT department, or do they support BYOD?
    • If IT has full jurisdiction, get the FCC ID and start looking for performance information on the client at www.fcc.io.
    • If you’re dealing with a BYOD network, assume that you have to support the lowest common denominator.

This will help set the stage. Listen closely for pain points. There’s probably a good reason why you’ve been engaged to assess their RF – find out the underlying pain so you can try to address it.

Step Two – Gather your Tools:

This is where things can get expensive. Enterprise level wireless software is not cheap! I’ll list out the tools that I personally use as well as some alternatives if you are self-funding this project.

  • SSID mapping and discovery tool. I personally use Metageek’s Chanalyzer for this. You can also use Metageek’s InSSIDer or Acrylic’s Wifi Analyzer software. This will let you see the channel plan and get an idea of what you’re working with.
  • Wireless frame capture software. If you’re using a Mac, you’re in good shape. I use the free program Airtool with great success. If you’re using Windows, you’re going to have some difficulty because you need specialized software to listen to wireless traffic in monitor mode, which lets you capture every frame on the channel, including management and control frames, not just frames sent to your PC. Professional systems like Omnipeek are ideal, but if you are on a budget you can use Acrylic’s NDIS drivers to convert a supported adapter into a monitor-mode-capable device. Try to find a way to capture as many spatial streams as possible.
  • Heatmapping software. This will let you build a comprehensive map of wireless coverage AND correlate a lot of other data onto a floorplan, like dropped packets, associated APs, spectrum health, and more. I use Ekahau’s product personally and love it… but it can be tough to self-fund. You can also consider Tamograph or Acrylic’s suite if you’re on a budget.
  • Spectrum analysis software. Sometimes it’s not enough to just see 802.11 traffic – you will need to see non 802.11 activity as well, like interference from point to point links, microwaves, wireless security cameras, A/V equipment, and more. These sources of outside interference can cause a lot of pain on a wireless network. I use Metageek’s Chanalyzer tool for this. 
  • Gear. You will be walking for quite some time during a larger survey and you probably don’t want to be cradling that hot and heavy laptop in your arms the whole way.
    • Laptop trays may not be the “coolest” gear, but they are invaluable. Buying the WLAN Pros laptop tray has made a huge difference for me.
    • Battery packs. Your laptop battery is going to drain quickly with all the attached peripherals. Using a battery that can keep your laptop charging will let you keep moving and not waste time stuck to a power outlet.
    • Wireless adapters. This is critical. Ekahau ships with some very powerful NICs, but those NICs don’t give you a realistic view of the wireless network performance… not everyone has $300 wireless cards strapped to their devices! Get a low end wireless adapter to simulate actual client performance. For example, something like this can be used to track 5GHz roaming behavior.

Step Three – Getting Started:

So you’ve prepared your gear, talked with the customer, and determined what the problem is – let’s get a sneak peek of what we’re dealing with. Pull up your SSID mapping software and take a look. If you know what you’re looking at, this can give you a lot of information about the health of the network.

For example, THIS looks pretty standard:

[Image: Okay 2.4GHz]

And THIS means that you’re in for a world of hurt:

[Image: Dicey 2.4GHz]

Here you can quickly see the channel plan, rogue access points, hotspots, neighboring systems, and more. You can see if they pulled the gear out of the box and left it to factory defaults (usually identified by 80MHz channels in the 5GHz band which is not necessarily a bad thing, but often can be) or if there has been tinkering with the setup. This sets the stage for the rest of the assessment.

Step Four – Start Walking:

Next, get your survey gear up and running and start walking the floor. You will absolutely 100% need some kind of accurate floor plan for best results here. Push hard on the customer for those plans… I don’t do full assessments unless floor plans are provided in advance, as you don’t want to waste several hours onsite waiting for someone to dig up the documents.

I recommend hooking up several adapters and at least one spectrum analyzer while walking the floor. All the information that each adapter catches will be fed into the wireless map and it will give you a lot of information to dig through after the assessment.

I have two Ekahau NIC-300-USB adapters that I set to passively scan all channels – one set to 2.4GHz and one set to 5.0GHz. You have the option to remove channels from the scan and only scan selected channels more rapidly, but I prefer to leave all channels selected so I can pick up on neighbors and rogues that are outside of the standard channel plan. Now, the NIC-300-USB is a very expensive and high-end wireless NIC, so it can paint a rosier picture of the wireless environment than you might like… so don’t take the bright green raw data and think “everything is fine!” You can get around this by asking Ekahau to simulate the measurements with various weaker clients when reviewing the data. To do this, go to the “Options” drop-down menu and select the Adapter type from the list at the bottom of the menu.

[Image: Adapter Simulation]

In addition to the two NIC-300-USBs, I always set up a third NIC to act as an associated active client and have it constantly ping the default gateway (or, in some cases, perform a throughput test). Having an active client is critical in my opinion. If you only measure passively you won’t have any idea where roaming breaks down, areas of packet loss, how long your client sticks to an AP, and so on. Having at least one active client is a must.

Finally, set up a spectrum analyzer and have it capture the RF health from the 2.4GHz band. If you have two, that’s great – you can capture dual band information. But if you only have one, prioritize scanning the 2.4GHz band as it is more prone to disruption.

Be sure to load up your entire rig and test it for AT LEAST 15 minutes before doing this “live” with a client. Nothing is worse than getting onsite and having the NICs constantly fail due to driver or power issues.

Also, remember to disable all unnecessary wireless activity on your laptop or tablet before starting the survey. If you’re downloading system updates while walking the floor you’re going to get some weird measurements. In addition, avoid using USB 3.0 devices as they can cause interference in the 2.4GHz band.

Try to get an escort for the walk around if you can. For one, walking around an office with a bunch of antennas and battery packs unaccompanied can raise eyebrows. I’ve been accused of trying to “hack the network” several times now. Two, having an employee with you gives you a chance to ask more questions and get their personal take on the system as you walk. The more info the better! Three, it’s much better to have a company escort when walking into various offices to take measurements, especially when you wander into executive offices. Yes, you will have to interact with a great deal of people and walk into every room if possible. A survey that only has hallway information is not worth much.

When walking, you have two options to capture the data within Ekahau… “Continuous,” where data is constantly being fed into the system as you move through the environment in a steady and controlled manner, and “Stop-and-Go,” where you take spot measurements one location at a time. I personally prefer to use “Stop-and-Go,” as it is less prone to human error and allows you to engage with users as needed.

Step Five – Spot Check:

Your work isn’t finished yet! Hopefully during your assessment you were able to identify specific problem areas, either from your escort or from the curious users. Go back to each of these locations and take some frame captures and some spectrum analysis measurements. Be sure to let each capture run for at least five minutes at each location. The more data, the better.

When reviewing the spectrum analysis measurements, I always look at the utilization information to see if the RF is being maxed out:

[Image: 2.4GHz Utilization]

And I also do a quick sweep to see if I find any interference from non 802.11 sources:

[Image: Non 802.11 Interference]

The frame capture will give you a lot of information on their configuration… beacon frames in particular are very useful. To filter by beacon frames in Wireshark, type in wlan.fc.type_subtype == 0x8. From the beacon frames you can check the data rates, HT and VHT capabilities, security framework, and more. For example, to check the data rates present on the SSID:

IEEE 802.11 wireless LAN -> Tagged parameters -> Tag: Supported Rates:

[Image: Beacon Data Rates]

You can also check for retry rates using wlan.fc.retry == 1, check for authentication frames using wlan.fc.type_subtype == 0xb, and more. Frames don’t lie.
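To show what Wireshark is decoding in that Supported Rates tag, here is an added example (not part of the original walkthrough) that parses a beacon's tagged parameters and reports the lowest basic rate and any 802.11b rates, two of the items on the report checklist. It assumes the frame bytes start at the 802.11 MAC header with radiotap and FCS already stripped; the two sample beacons, their addresses and the SSID "corp-wifi" are constructed for the demo.

```python
import struct

DSSS_RATES = {1.0, 2.0, 5.5, 11.0}  # 802.11b (DSSS/HR-DSSS) rates, Mbps

def parse_beacon(frame: bytes) -> dict:
    """Parse a beacon starting at the 802.11 MAC header (no radiotap, no FCS)."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    # Frame Control byte 0: version (bits 0-1), type (2-3), subtype (4-7).
    if ((frame[0] >> 2) & 0x3, frame[0] >> 4) != (0, 8):
        raise ValueError("not a beacon (wlan.fc.type_subtype != 0x8)")
    # 24-byte MAC header, then timestamp (8), beacon interval (2), capabilities (2).
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, rates, pos = "", {}, 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated capture: stop rather than misread
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag in (1, 50):  # Supported Rates / Extended Supported Rates
            for b in value:
                units = b & 0x7F  # 500 kbps units; bit 7 marks a basic rate
                if units <= 108:  # larger values are BSS membership selectors
                    rates[units / 2] = bool(b & 0x80)
        pos += 2 + length
    basic = sorted(r for r, is_basic in rates.items() if is_basic)
    return {
        "ssid": ssid,
        "retry": bool(frame[1] & 0x08),   # same bit as wlan.fc.retry
        "privacy": bool(cap & 0x0010),    # Privacy bit in Capability Information
        "rates": sorted(rates),
        "lowest_basic": basic[0] if basic else None,
        "dsss_rates": sorted(DSSS_RATES & set(rates)),
    }

def build_sample(rate_bytes: bytes, ext_bytes: bytes) -> bytes:
    """Constructed beacon for the demo; addresses and SSID are made up."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # interval 100 TU, ESS + Privacy
    tlvs = ((0, b"corp-wifi"), (1, rate_bytes), (50, ext_bytes))
    return hdr + fixed + b"".join(bytes([t, len(v)]) + v for t, v in tlvs)

# Constructed samples: out-of-the-box rate set vs. one with the low rates disabled.
DEFAULTS = build_sample(bytes.fromhex("82848b960c121824"), bytes.fromhex("3048606cff"))
TUNED = build_sample(bytes.fromhex("98243048606c"), b"")

if __name__ == "__main__":
    print(parse_beacon(DEFAULTS), parse_beacon(TUNED), sep="\n")
```

A lowest basic rate of 1.0 with all four DSSS rates present is the "low data rates / 802.11b" finding; the tuned sample reports 12.0 and an empty DSSS list.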

Wireshark is a very powerful and complex tool… and it’s free! If you want to become an expert with Wireshark, this book has been a great resource for me. But if you can swing it, Metageek’s Eye P.A. software is a great tool to give you a visual analysis of airtime and L2 wireless health that make for a great presentation.

Step Six – Making the Report:

Now for the fun part. Spend a few days reviewing your data and going through the heatmap and the measurements with a fine-tooth comb, looking for any oddities. When building the report, less is more. Make it easy to read and only include relevant information that addresses the pain points that you discovered. I personally like to put a summary of any issues found and potential first steps to resolve them on the cover page for easy digestion. I also like to set up a webinar to discuss the findings and answer all questions before handing off the document to be sure that everything is understood and wrapped up nicely.

Common issues that I immediately look for in my data include:

  • Presence of low data rates
  • Areas with poor coverage
  • Non 802.11 interference
  • Inefficient channel usage
  • Issues with roaming and/or dropped packets
  • 802.11b networks
  • Rogue or unauthorized APs

There are two things to keep in mind when giving the presentation:

First, unless you are dealing with a high density installation, RF optimization is not always the magic cure-all for network problems. It’s easy to point the finger at the 1Mbps data rate and the 80MHz channel as being the culprit, but if you only have 10 stationary clients associated on average and they are constantly disconnecting from the AP… it’s unlikely that the RF is the root cause. Optimize the wireless as much as you like, but be prepared to start diving into the wired side of the network as you look for problem resolution. It’s critical to know both the wired and the wireless sides of things to be an effective resource.

Second, don’t make ultimatums. If you are a hired gun, you’ve only spent the last several days battling what the customer’s IT department has been battling for some time now. Don’t speak in absolutes or immediately assume design flaws. Instead, diplomatically make recommendations and try to understand why things are configured the way they are.

That covers the highlights. If you’re interested in getting started and have questions, feel free to send me a message – I’d be happy to help.

Building your own Battery Pack


So, you’ve built your predictive design and now it’s time for the rubber to meet the road – the infamous AP-on-a-Stick survey. To perform this piece of your wireless design you’ll need a lot of “unique” gear… tripods, laptop shelves, tons of wireless adapters, APs, and enough battery power to get you through the day.

When I was building out my survey kit, I noticed one flaw with the “professional” battery packs built for wireless surveys. Beyond being very bulky and expensive, the majority of them only support 802.3af. The newer and larger APs often prefer 802.3at (also called PoE+) these days. In some cases, they can use 802.3af, but they turn off several spatial streams in the 2.4GHz radio to adjust for the lack of power.

That’s less than ideal, isn’t it?

Thanks to the Internet, I was able to cobble together a pretty affordable battery pack that supports both 802.3af and 802.3at and lasts an incredibly long time. Here are the pieces and parts that have worked for me:

Intocircuit 26000mAh High Capacity Battery Pack

Tycon Systems TP-DCDC-2448GD-HP DC Converter

Power Jack Adapter Plug

The total will run you about $140.00 and it lasts for an extremely long time. Just power up the Intocircuit, hook it up to the Tycon converter using the adapter, and connect your AP. I’ve used it for several gigs now and despite looking a little “homemade,” it does the trick.