Who Needs Layer 3?

I'm doing some work this week away from WiFi and on more general networking. Getting away from WiFi always reminds me how different WiFi sniffing is from anything else. With WiFi, you rarely need to worry about anything above Layer 2.


I've found that most folks who work with WiFi are like me -- they started out working on networks and then one way or another they moved into wireless. (Those of you who took the other route -- wireless first, then networking -- can probably ignore most of this.) For me, it's been so long since I've made the move that I sometimes forget how different things can be.

Fundamentally, you're looking for the same things on a WiFi network that you're looking for on a wired network: security, performance, consistency and accessibility. The trick is that you're looking at them in different ways. For wired networks, it's usually Layer 3 (the IP/Network layer) and above that matters. You look for protocols and VPNs and management traffic overhead.

All that stuff above Layer 2 (the MAC/Data Link layer) really doesn't matter much on a WiFi network. You have a VPN? Who cares? TKIP or AES-CCMP encryption protects your data anyway. You have a lot of management traffic? So what? You'll often see huge percentages of management traffic in a WiFi sniffer on a low-volume network simply due to the Beacons and Probes that are used to keep associations current. It's not a sign of a problem; just regular operation.

One of the first tips I always give people who are new to WiFi sniffing is to ignore anything above Layer 2 when you're looking at a network. If you're looking at an encrypted network, it's easy -- WEP, TKIP and AES-CCMP all encrypt at the MAC layer, thus hiding anything above Layer 2 from view. If you're looking at an unencrypted network, just ignore it. Ignore all of the IP addresses, protocols and anything else that resides on upper layers. Don't worry about SIP sessions or HTTP traffic or who's hitting what server. Just concentrate on the wireless channel.
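To make the last two paragraphs concrete, here is an added example (not from the original post) that reads only the two-byte 802.11 Frame Control field to tally management, control and data frames and to count data frames whose Protected Frame bit is clear. It assumes each frame starts at the 802.11 MAC header with any radiotap header already stripped; the sample frames are constructed.

```python
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
PROTECTED = 0x40  # Protected Frame bit in the second Frame Control byte

def classify(frame: bytes):
    """Return (type, subtype name, protected?) from the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("truncated frame: no Frame Control field")
    fc0, fc1 = frame[0], frame[1]
    ftype = TYPES.get((fc0 >> 2) & 0x3, "reserved")   # bits 2-3: frame type
    subtype = (fc0 >> 4) & 0xF                        # bits 4-7: subtype
    name = MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == "management" else str(subtype)
    return ftype, name, bool(fc1 & PROTECTED)

def summarize(frames):
    """Tally frame types using Layer 2 header bits only."""
    types, unprotected_data, skipped = Counter(), 0, 0
    for f in frames:
        try:
            ftype, _, protected = classify(f)
        except ValueError:
            skipped += 1          # damaged capture record, not a network problem
            continue
        types[ftype] += 1
        if ftype == "data" and not protected:
            unprotected_data += 1  # upper layers are readable in this frame
    total = sum(types.values())
    return {
        "total": total,
        "mgmt_pct": round(100 * types["management"] / total, 1) if total else 0.0,
        "by_type": dict(types),
        "unprotected_data": unprotected_data,
        "skipped": skipped,
    }

# Constructed sample of a quiet network: mostly Beacons and Probes, little data.
SAMPLE = (
    [bytes([0x80, 0x00]) + bytes(22)] * 10   # beacons
    + [bytes([0x40, 0x00]) + bytes(22)] * 3  # probe requests
    + [bytes([0x50, 0x00]) + bytes(22)] * 3  # probe responses
    + [bytes([0xD4, 0x00]) + bytes(8)] * 2   # ACKs (control)
    + [bytes([0x88, 0x41]) + bytes(24)] * 3  # QoS data, ToDS + Protected
    + [bytes([0x08, 0x01]) + bytes(22)]      # data, ToDS, Protected bit clear
    + [b"\x80"]                              # truncated record
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this sample the management share is high even though only four data frames were sent, which is the normal idle pattern described above rather than a fault.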

As with just about anything that you leave and come back to, I've found the transition a little bit tough this week. I've been so used to concentrating on Layer 1 (RF/Physical layer) and Layer 2 that I've lost some of my edge in areas like routing protocols, network architecture and the like. I'm sure I'll get my feet under me once I put some time in, but it's a good reminder that I definitely feel more comfortable in the world of WiFi sniffing Layer 2.
