Using OmniPeek To Learn About the iPhone X

One of my favorite things to do is teach Wi-Fi, and one of my favorite tools for teaching is Savvius OmniPeek.  The good folks at Savvius were nice enough to provide OmniPeek for the Wi-Fi classes I oversee at Global Knowledge, and so I want to offer a taste of how OmniPeek can be used to learn about Wi-Fi device behavior, specifically with the iPhone X.

Savvius OmniPeek is what I call a hardcore protocol analyzer.  The "hardcore" adjective comes from the fact that OmniPeek encourages the user to view frame (aka "packet") traces.  Non-hardcore protocol analyzers focus on providing statistics and graphs.  I am a big fan of all types of protocol analyzers, but the beauty of OmniPeek is that it offers options for viewing statistics and graphs, while making its frame traces simple to navigate.

One of the things I like using OmniPeek for when teaching is illustrating the different ways that Wi-Fi devices and APs use the 802.11 standard.  An example is what happens when devices and APs send data.

A device or AP that has won the right to transmit on the Wi-Fi channel has three options: 
  • Transmit a single frame (aka "packet").  Basic method, going back to the original 802.11 standard from 1997.
  • Transmit an aggregated frame (called an Aggregated MAC Protocol Data Unit [A-MPDU]).  This one means that multiple frames are being aggregated together before transmission, and it is tricky to identify in a frame capture.  You can look in the HT Information Element (present in Beacon and Association Request frames, among others) or look for the presence of the Block Acknowledgment (BA) to determine if A-MPDUs are supported.  Unfortunately, lots of devices support A-MPDUs but never use them in real life.  You'll know conclusively that a device or AP is using A-MPDUs if frames are larger than the maximum single frame size, which will be a little bit larger than 1,500 bytes, including headers and footers.
  • Reserve a transmission window (called a Transmit Opportunity [TXOP]).  TXOPs are reserved using the RTS/CTS or CTS-to-self protocols.  If you see RTS & CTS frames, or CTS frames alone, preceding data transmissions, then a device or AP is using a TXOP.
The way to identify which of the three options is being used is to capture Wi-Fi frames sent by a device or AP, then look for a pattern.  If the device or AP precedes its data transmissions with RTS/CTS, then the TXOP is being used.  If single data units transmitted by a device or AP are longer than the length of a single frame, then A-MPDU is being used.  (Technically, A-MPDU is also used with short length transmissions, but that's a topic for another time.)  These patterns can be identified in OmniPeek.
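As an added example (not from the post or from Savvius), here is a small Python pass that applies the three patterns above to a constructed list of captured frames and reports, per station, which transmit option it was seen using.  The 1,600-byte single-frame ceiling and the frame shapes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Rough ceiling for one non-aggregated data frame (~1,500-byte payload plus
# MAC header and FCS). Assumed for this example; check your own capture.
MAX_SINGLE_FRAME_BYTES = 1600

@dataclass
class Frame:
    kind: str    # "RTS", "CTS", "Data", "Ack" or "BA"
    addr: str    # station the frame belongs to: TA for RTS/Data, RA for CTS/Ack/BA
    length: int  # bytes on air, header and FCS included

def classify_transmissions(frames: List[Frame]) -> Dict[str, Set[str]]:
    """Per station MAC, the transmit options seen: 'TXOP', 'A-MPDU', 'single'."""
    seen: Dict[str, Set[str]] = {}
    reserved_for: Optional[str] = None  # station holding the channel via RTS/CTS
    for f in frames:
        if f.kind in ("RTS", "CTS"):
            # RTS carries its sender; CTS carries the station it clears the
            # channel for, which is the sender itself for CTS-to-self.
            reserved_for = f.addr
            continue
        if f.kind != "Data":
            continue  # Ack/BA responses leave the reservation untouched
        if reserved_for != f.addr:
            reserved_for = None  # a different station won arbitration
        opts = set()
        if reserved_for == f.addr:
            opts.add("TXOP")
        if f.length > MAX_SINGLE_FRAME_BYTES:
            opts.add("A-MPDU")
        if not opts:
            opts.add("single")
        seen.setdefault(f.addr, set()).update(opts)
    return seen

# Constructed sample capture: one station reserving the channel with RTS/CTS
# (answered with a BA), one sending an oversized aggregate, one sending plain frames.
SAMPLE = [
    Frame("RTS", "aa:aa:aa:aa:aa:aa", 20),
    Frame("CTS", "aa:aa:aa:aa:aa:aa", 14),
    Frame("Data", "aa:aa:aa:aa:aa:aa", 1496),
    Frame("BA", "aa:aa:aa:aa:aa:aa", 32),
    Frame("Data", "bb:bb:bb:bb:bb:bb", 4200),
    Frame("BA", "bb:bb:bb:bb:bb:bb", 32),
    Frame("Data", "cc:cc:cc:cc:cc:cc", 1200),
    Frame("Ack", "cc:cc:cc:cc:cc:cc", 14),
]
```

Running `classify_transmissions(SAMPLE)` tags the first station as TXOP, the second as A-MPDU and the third as single-frame; a real capture will often show a station using more than one option, which is why the result is a set.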

Here is how I use OmniPeek to teach students how to determine which of the three transmission options is used after their devices or APs win Arbitration:

1) First, OmniPeek must recognize a Wi-Fi adapter that can be used for Monitor Mode capture.  This can be configured in the Adapter screen of OmniPeek's Capture Options window.


My OmniPeek capture adapter, labeled "Wi-Fi 2", is a Netgear A6210 USB adapter.  It is a dual-band, 2-stream MIMO, 802.11ac Wave 1 USB adapter.

2) Once a capture adapter is chosen, the channel must be selected.  After starting a capture, the channel can be selected in the lower right corner of OmniPeek.  


The screenshot above is from a popup that comes up after right-clicking on the current Channel that OmniPeek is capturing on.

3) After beginning a capture on the channel that your device and AP are communicating on, I recommend naming your AP and device.  Naming APs and/or devices in OmniPeek can be done in a number of ways.  I like doing it by going to the WLAN screen.


All I had to do was find the iPhone X's Wi-Fi MAC address (Settings -> General -> About on the iPhone or any other iOS device), right-click the MAC address and then select "Insert Into Name Table".

4) Once APs and/or devices are named, the next step is to sift through captured frames to find Wi-Fi transmission sequences.  Sometimes this can be a little tricky, as OmniPeek captures all Wi-Fi frames on the channel, not just yours.  If you are having trouble finding frames transmitted by your device or AP, go to the WLAN screen, right-click your device or AP and choose Select Related Packets -> By Source.  That will take you to the Packets screen, where frames sourced to your device or AP will be highlighted.

In my case, I got lucky.  I saw frames transmitted by my iPhone X right at the top of my capture.  What's more, the data transmission pattern was easily identifiable as using a TXOP to reserve the channel before transmitting data.


The RTS and the CTS keep nearby devices and APs on the channel quiet, then the normal Data/Ack sequence (in this case using a Block Acknowledgment, or BA) follows.

The evidence from OmniPeek shows that the iPhone -- at least when running iOS 11.2.5 -- uses the TXOP for transmitting data.  

There are plenty of ways in which device behavior can vary, but the basic process of using OmniPeek to learn about them remains the same: install a proper capture adapter, capture on the channel of the AP & device, name the device, then look for patterns in how the device transmits.

******

If you like my blog, you can support it by shopping through my Amazon link or becoming a Patron on Patreon.  Thank you.

Twitter: @Ben_SniffWiFi

ben at sniffwifi dot com
