Ask Your Question
0

Radiotap Header - Wireless

asked 2022-09-19 10:47:39 +0000

AirAO gravatar image

updated 2022-09-19 20:15:11 +0000

Hi,

Working on project to define RSSI values of some devices. Using Cisco AP 2802i 4x4:3 to connect wireless clients to and getting those values:

Radiotap Header

Header revision: 0
Header pad: 0
Header length: 48
Present flags
MAC timestamp: 2446461763
Flags: 0x00
Data Rate: 6,0 Mb/s
Channel frequency: 5320 [A 64]
Channel flags: 0x0140, Orthogonal Frequency-Division Multiplexing (OFDM), 5 GHz spectrum
Antenna signal: -57 dBm
RX flags: 0x0000
Antenna signal: -63 dBm
Antenna: 0
Antenna signal: -59 dBm
Antenna: 1
Antenna signal: -66 dBm
Antenna: 2

As I could understand this AP has four antennas and three spatial streams. In example above I can only see three antennas Antenna 0, 1, 2 (or those are spatial streams?!) plus one antenna value which is -57dBm.

Anyone who can help me to understand what all those antenna values means?

Thanks in advance!

Another update: The client signal strength shown in Wireshark is always the same as value of Antenna 2

802.11 radio information

PHY type: 802.11a (OFDM) (5)
Turbo type: Non-turbo (0)
Data rate: 6,0 Mb/s
Channel: 64
Frequency: 5320MHz
Signal strength (dBm): -66 dBm
TSF timestamp: 1832499485
[Duration: 288µs]
edit retag flag offensive close merge delete

Comments

Where is the 802.11 monitor mode capture from?

Bob Jones gravatar imageBob Jones ( 2022-09-19 18:05:04 +0000 )edit

In particular, was that a capture done on the AP itself, or on another machine?

Guy Harris gravatar imageGuy Harris ( 2022-09-19 19:13:37 +0000 )edit

Hi Bob & Guy and thanks for reply - I'll try to answer to both of you in this comment...

Capture is from Wireshark (Windows version) and it has be done with Ekahau SideKick (which create PCAP file) connected directly to my computer - so this capture is not done on AP.

So, are those antennas really AP antennas or SideKicks or Windows machine antennas?

AirAO gravatar imageAirAO ( 2022-09-19 20:06:42 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2022-09-20 02:57:42 +0000

Guy Harris gravatar image

updated 2022-09-20 02:59:27 +0000

Capture is from Wireshark (Windows version) and it has be done with Ekahau SideKick (which create PCAP file) connected directly to my computer - so this capture is not done on AP.

OK, this page on the Ekahau Web site says

Ekahau Capture saves packets in the industry standard .pcap format.

but that's a capture done by the Ekahau Capture application, not by Wireshark. Pcap captures can be read by Wireshark, but if the capture was read and dissected by Wireshark, that doesn't mean the capture was done in Wireshark unless you selected a Wi-Fi adapter on the Windows machine in Wireshark and did the capture by telling Wireshark to capture on that interface.

So I'll assume the capture was done by Ekahau Capture, using the Sidekick.

If so, then the antennas are on the Sidekick, not on the AP and not on your Windows machine's Wi-Fi adapter.

A blog post from Ekahau says that "Ekahau Sidekick makes use of 7 internal antennas and is designed to be worn and oriented in one direction to ensure accurate and consistent measurements.", but I don't know how many are used for capturing.

Here's a discussion of how multi-antenna captures should be done in radiotap (the messages are in reverse chronological order, so Johannes Berg's first message on the topic, from 2012-08-20, is number 11, at the bottom of the list).

The scheme proposed by Johannes in that first message isn't what's followed in that capture, as there are two signal values before the antenna number value. I suspect they're doing the same thing that at least one Linux driver does, and providing an "overall" signal value, followed by a set of signal values, one for each antenna chain, as per later discussion on that list. Sadly, the author of message 2 (the next-to-the-last message, chronologically) appears to have dropped the ball and not updated the radiotap documentation, as suggested by Johannes in message 1 (the last message, chronologically). Perhaps I'll poke the recipient of Johannes' suggestion and get him to move forward on that. :-)

Anyway, what that means is probably that:

  • there are 3 antennas for which the Sidekick is reporting signal strengths;
  • the overall signal strength is -57 dBm;
  • antenna 0 has a signal strength of -63 dBm;
  • antenna 1 has a signal strength of -59 dBm;
  • antenna 2 has a signal strength of -66 dBm.

The client signal strength shown in Wireshark is always the same as value of Antenna 2

That's because the Wireshark code doesn't handle multi-antenna information very well. The code that handles the "radio information" (which is independent of whether it's supplied by radiotap or some other mechanism) has no way to be given signal strength etc. information for multiple antennas, and the code that handles the radiotap header can't and doesn't construct multi-antenna information for the "radio information" code.

Instead, it passes the last signal strength it saw to the ... (more)

edit flag offensive delete link more

Comments

Hi,

Thanks for reply - nice to have such kind of experts here on forum, I really appreciate that you took your time to help me out here :-) I'll check this further with Ekahau.

Thanks! :-)

AirAO gravatar imageAirAO ( 2022-09-20 17:52:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-09-19 10:47:39 +0000

Seen: 32 times

Last updated: Sep 20